public PacketDetials(Packet packet)
{
this.packet = packet;
ethernetPacket = EthernetPacket.GetEncapsulated(packet);
if (ethernetPacket != null)
{
typeName = "Ethernet";
}
ipPacket = IpPacket.GetEncapsulated(packet);
if (ipPacket != null)
{
typeName = "Ip";
}
arpPacket = ARPPacket.GetEncapsulated(packet);
if (arpPacket != null)
{
typeName = "ARP";
}
icmpv4Packet = ICMPv4Packet.GetEncapsulated(packet);
if (icmpv4Packet != null)
{
typeName = "ICMPv4";
}
icmpv6Packet = ICMPv6Packet.GetEncapsulated(packet);
if (icmpv6Packet != null)
{
typeName = "ICMPv6";
}
igmpv2Packet = IGMPv2Packet.GetEncapsulated(packet);
if (igmpv2Packet != null)
{
typeName = "IGMPv2";
}
pppoePacket = PPPoEPacket.GetEncapsulated(packet);
if (pppoePacket != null)
{
typeName = "PPPoE";
}
pppPacket = PPPPacket.GetEncapsulated(packet);
if (pppPacket != null)
{
typeName = "PPP";
}
tcpPacket = TcpPacket.GetEncapsulated(packet);
if (tcpPacket != null)
{
typeName = "TCP";
}
udpPacket = UdpPacket.GetEncapsulated(packet);
if (udpPacket != null)
{
typeName = "UDP";
}
}
/// <summary>
/// 以太网
/// </summary>
/// <param name="packet"></param>
private void Ethernet(Packet packet)
{
EthernetPacket e = EthernetPacket.GetEncapsulated(packet);
if (EthernetNode == null)
{
EthernetNode = new TreeNode("EthernetII");
EthernetNode.Name = "Ethernet";
EthernetNode.ImageIndex = 0;
EthernetNode.SelectedImageIndex = 0;
}
EthernetNode.Nodes.Clear();
EthernetNode.Nodes.Add("Destination: " + Format.MacFormat(e.DestinationHwAddress.ToString()));
EthernetNode.Nodes.Add("Source: " + Format.MacFormat(e.SourceHwAddress.ToString()));
EthernetNode.Nodes.Add("Type: " + e.Type.ToString() + " [0x" + e.Type.ToString("X") + "]");
Tree.Nodes.Add(EthernetNode);
switch (e.Type)
{
case EthernetPacketType.Arp: //ARP协议
ARPPacket arp = ARPPacket.GetEncapsulated(packet);
Arp(arp);
break;
case EthernetPacketType.IpV4: //IP协议
case EthernetPacketType.IpV6:
IpPacket ip = IpPacket.GetEncapsulated(packet);
IP(ip);
break;
case EthernetPacketType.WakeOnLan: //网络唤醒协议
WakeOnLanPacket wake = WakeOnLanPacket.GetEncapsulated(packet);
Wake_on_Lan(wake);
break;
case EthernetPacketType.LLDP: //链路层发现协议
LLDPPacket ll = LLDPPacket.GetEncapsulated(packet);
LLDPProtocol(ll);
break;
case EthernetPacketType.PointToPointProtocolOverEthernetDiscoveryStage:
case EthernetPacketType.PPPoE:
PPPoEPacket pppoe = PPPoEPacket.GetEncapsulated(packet);
PPPOE(pppoe);
break;
case EthernetPacketType.None: //无可用协议
default:
PayLoadData = e.PayloadData;
break;
}
}
private void device_OnPacketArrival(object sender, CaptureEventArgs packet)
{
Packet packetOuter = Packet.ParsePacket(packet.Packet.LinkLayerType, packet.Packet.Data);
ARPPacket arpPacket = ARPPacket.GetEncapsulated(packetOuter);
if (CaptureDeviceHelpers.CheckIfArpReplyIsForUs(arpPacket, _ipsInSubnet, _onlineClients))
{
_onlineClients.Add(new Target
{
Ip = arpPacket.SenderProtocolAddress.ToString(),
Mac = arpPacket.SenderHardwareAddress.ToString()
});
}
}
/// <summary>
/// GRE封装的下层协议
/// </summary>
/// <param name="data"></param>
/// <param name="e"></param>
private void NextGRE(byte[] data, EthernetProtocolType e)
{
if (data.Length <= 0)
{
return;
}
switch (e)
{
case EthernetProtocolType.PPP:
var ppp = new TwzyProtocol.PPPPacket(data);
if (ppp != null)
{
PPP(ppp);
}
break;
case EthernetProtocolType.Arp: //ARP协议
ARPPacket arp = ARPPacket.GetEncapsulated(packet);
Arp(arp);
break;
case EthernetProtocolType.IpV4: //IP协议
case EthernetProtocolType.IpV6:
IpPacket ip = IpPacket.GetEncapsulated(packet);
IP(ip);
break;
case EthernetProtocolType.WakeOnLan: //网络唤醒协议
WakeOnLanPacket wake = WakeOnLanPacket.GetEncapsulated(packet);
Wake_on_Lan(wake);
break;
case EthernetProtocolType.LLDP: //链路层发现协议
LLDPPacket ll = LLDPPacket.GetEncapsulated(packet);
LLDPProtocol(ll);
break;
case EthernetProtocolType.PointToPointProtocolOverEthernetDiscoveryStage:
case EthernetProtocolType.PPPoE:
PPPoEPacket pppoe = PPPoEPacket.GetEncapsulated(packet);
PPPOE(pppoe);
break;
case EthernetProtocolType.None: //无可用协议
break;
}
}
/// <summary>
/// Processes the specified packet capture.
/// </summary>
/// <param name='capture'>
/// The raw data captured from the interface.
/// </param>
public DataPacket Process(RawCapture capture)
{
var dpacket = new DataPacket();
//Convert the raw data from the interface to a packet.
var spacket = Packet.ParsePacket(capture.LinkLayerType, capture.Data);
var ip = IpPacket.GetEncapsulated(spacket);
/*
* Determine if the packet is a TCP packet.
* If it is map each of the fields of the packet to the
* new storage structure.
*/
var tcp = TcpPacket.GetEncapsulated(spacket);
if (tcp != null && ip != null)
{
dpacket.IpAddressSource = ip.SourceAddress.ToString();
dpacket.IpAddressDestination = ip.DestinationAddress.ToString();
dpacket.PortSource = tcp.SourcePort;
dpacket.PortDestination = tcp.DestinationPort;
dpacket.Payload = tcp.PayloadData;
dpacket.Protocol = NetworkProtocol.tcp;
dpacket.Timestamp = DateTime.Now;
//Notify the DNS worker thread that a new packet needs lookup.
lock (DnsLookupQueue)
{
DnsLookupQueue.Enqueue(dpacket);
}
WaitHandle.Set();
return(dpacket);
}
/*
* Determine if the packet is an UDP packet.
* If it is map each of the fields of the packet to the
* new storage structure.
*/
var udp = UdpPacket.GetEncapsulated(spacket);
if (udp != null && ip != null)
{
dpacket.IpAddressSource = ip.SourceAddress.ToString();
dpacket.IpAddressDestination = ip.DestinationAddress.ToString();
dpacket.PortSource = udp.SourcePort;
dpacket.PortDestination = udp.DestinationPort;
dpacket.Payload = udp.PayloadData;
dpacket.Protocol = NetworkProtocol.udp;
dpacket.Timestamp = DateTime.Now;
//Notify the DNS worker thread that a new packet needs lookup.
lock (DnsLookupQueue)
{
DnsLookupQueue.Enqueue(dpacket);
}
WaitHandle.Set();
return(dpacket);
}
/*
* Determine if the packet is an ICMP packet.
* If it is map each of the fields of the packet to the
* new storage structure.
*/
var icmp = ICMPv4Packet.GetEncapsulated(spacket);
if (icmp != null && ip != null)
{
dpacket.IpAddressSource = ip.SourceAddress.ToString();
dpacket.IpAddressDestination = ip.DestinationAddress.ToString();
dpacket.Type = icmp.TypeCode.ToString();
dpacket.Payload = icmp.PayloadData;
dpacket.Protocol = NetworkProtocol.icmp;
dpacket.Timestamp = DateTime.Now;
//Notify the DNS worker thread that a new packet needs lookup.
lock (DnsLookupQueue)
{
DnsLookupQueue.Enqueue(dpacket);
}
WaitHandle.Set();
return(dpacket);
}
/*
* Determine if the packet is an ARP packet.
* If it is map each of the fields of the packet to the
* new storage structure.
*/
var arp = ARPPacket.GetEncapsulated(spacket);
if (arp != null)
{
dpacket.Timestamp = DateTime.Now;
dpacket.HardwareAddressSource = arp.SenderHardwareAddress.ToString();
dpacket.HardwareAddressTarget = arp.TargetHardwareAddress.ToString();
dpacket.Protocol = NetworkProtocol.arp;
dpacket.Payload = spacket.PayloadData;
return(dpacket);
}
//Console.WriteLine(" UNKNOWN TYPE: " + ((EthernetPacket)spacket).Type.ToString());
return(null);
}
/// <summary>
/// 获取网关IP
/// </summary>
/// <param name="destIP"></param>
/// <returns></returns>
public PhysicalAddress Resolve(IPAddress destIP)
{
//构造ARP请求包
//var request = getSenderPacket(IPTOBYTE(LocalIP.ToString()), IPTOBYTE(destIP.ToString()),MACTOBYTE( LocalMAC.ToString()));
var request = BuildRequest(destIP, LocalMAC, LocalIP);
//创建一个只允许读取ARP回复的“TCPDUMP”过滤器
String arpFilter = "arp and ether dst " + LocalMAC.ToString();
//打开设备设置20ms的超时
_device.Open(DeviceMode.Promiscuous, 20);
//设置过滤器
_device.Filter = arpFilter;
// set a last request time that will trigger sending the
// arp request immediately
var lastRequestTime = DateTime.FromBinary(0);
var requestInterval = new TimeSpan(0, 0, 1);
PacketDotNet.ARPPacket arpPacket = null;
// 尝试用当前超时解析地址
var timeoutDateTime = DateTime.Now + timeout;
while (DateTime.Now < timeoutDateTime)
{
if (requestInterval < (DateTime.Now - lastRequestTime))
{
// inject the packet to the wire
_device.SendPacket(request);
lastRequestTime = DateTime.Now;
}
//read the next packet from the network
var reply = _device.GetNextPacket();
if (reply == null)
{
continue;
}
// parse the packet
var packet = Packet.ParsePacket(reply.LinkLayerType, reply.Data);
// is this an arp packet?
arpPacket = ARPPacket.GetEncapsulated(packet);
if (arpPacket == null)
{
continue;
}
//if this is the reply we're looking for, stop
if (arpPacket.SenderProtocolAddress.Equals(destIP))
{
break;
}
}
// free the device
_device.Close();
// the timeout happened
if (DateTime.Now >= timeoutDateTime)
{
return(null);
}
else
{
//return the resolved MAC address
return(arpPacket.SenderHardwareAddress);
}
}
//标记当前数据是否有效
#region 构建数据行
/// <summary>
/// DataGridRow
/// </summary>
/// <returns>返回字符串数据</returns>
public string[] Row(RawCapture rawPacket, uint packetID)
{
string[] rows = new string[7];
rows[0] = string.Format("{0:D7}", packetID); //编号
rows[1] = "Unknown";
rows[2] = rawPacket.Data.Length.ToString(); //数据长度bytes
rows[3] = "--";
rows[4] = "--";
rows[5] = "--";
//rows[6] = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss:fff");
rows[6] = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
Packet packet = Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data);
EthernetPacket ep = EthernetPacket.GetEncapsulated(packet);
if (ep != null)
{
rows[1] = "Ethernet(v2)";
rows[3] = Format.MacFormat(ep.SourceHwAddress.ToString());
rows[4] = Format.MacFormat(ep.DestinationHwAddress.ToString());
rows[5] = "[" + ep.Type.ToString() + "]";
#region IP
IpPacket ip = IpPacket.GetEncapsulated(packet);
if (ip != null)
{
if (ip.Version == IpVersion.IPv4)
{
rows[1] = "IPv4";
}
else
{
rows[1] = "IPv6";
}
rows[3] = ip.SourceAddress.ToString();
rows[4] = ip.DestinationAddress.ToString();
rows[5] = "[下层协议:" + ip.NextHeader.ToString() + "] [版本:" + ip.Version.ToString() + "]";
TcpPacket tcp = TcpPacket.GetEncapsulated(packet);
if (tcp != null)
{
rows[1] = "TCP";
rows[3] += " [" + tcp.SourcePort.ToString() + "]";
rows[4] += " [" + tcp.DestinationPort.ToString() + "]";
#region 25:smtp协议;80, 8080, 3128: Http; 21: FTP;
if (tcp.DestinationPort.ToString() == "25" || tcp.SourcePort.ToString() == "25")
{
rows[1] = "SMTP";
}
else if (tcp.DestinationPort.ToString() == "80" || tcp.DestinationPort.ToString() == "8080" || tcp.DestinationPort.ToString() == "3128")
{
rows[1] = "HTTP";
}
else if (tcp.DestinationPort.ToString() == "21")
{
rows[1] = "FTP";
}
else if (tcp.DestinationPort.ToString() == "143")
{
rows[1] = "POP3";
}
#endregion
return(rows);
}
UdpPacket udp = UdpPacket.GetEncapsulated(packet);
if (udp != null)
{
if (rawPacket.Data[42] == ((byte)02))
{
rows[1] = "OICQ";
}
else
{
rows[1] = "UDP";
}
rows[3] += " [" + udp.SourcePort.ToString() + "]";
rows[4] += " [" + udp.DestinationPort.ToString() + "]";
return(rows);
}
ICMPv4Packet icmpv4 = ICMPv4Packet.GetEncapsulated(packet);
if (icmpv4 != null)
{
rows[1] = "ICMPv4";
rows[5] = "[校验:" + icmpv4.Checksum.ToString() + "] [类型:" + icmpv4.TypeCode.ToString() + "] [序列号:" + icmpv4.Sequence.ToString() + "]";
return(rows);
}
ICMPv6Packet icmpv6 = ICMPv6Packet.GetEncapsulated(packet);
if (icmpv6 != null)
{
rows[1] = "ICMPv6";
rows[5] = "[Code:" + icmpv6.Code.ToString() + "] [Type" + icmpv6.Type.ToString() + "]";
return(rows);
}
IGMPv2Packet igmp = IGMPv2Packet.GetEncapsulated(packet);
if (igmp != null)
{
rows[1] = "IGMP";
rows[5] = "[只适用于IGMPv2] [组地址:" + igmp.GroupAddress.ToString() + "] [类型:" + igmp.Type.ToString() + "]";
return(rows);
}
return(rows);
}
#endregion
ARPPacket arp = ARPPacket.GetEncapsulated(packet);
if (arp != null)
{
rows[1] = "ARP";
rows[3] = Format.MacFormat(arp.SenderHardwareAddress.ToString());
rows[4] = Format.MacFormat(arp.TargetHardwareAddress.ToString());
rows[5] = "[Arp操作方式:" + arp.Operation.ToString() + "] [发送者:" + arp.SenderProtocolAddress.ToString() + "] [目标:" + arp.TargetProtocolAddress.ToString() + "]";
return(rows);
}
WakeOnLanPacket wp = WakeOnLanPacket.GetEncapsulated(packet);
if (wp != null)
{
rows[1] = "Wake On Lan";
rows[3] = Format.MacFormat(ep.SourceHwAddress.ToString());
rows[4] = Format.MacFormat(wp.DestinationMAC.ToString());
rows[5] = "[唤醒网络地址:" + wp.DestinationMAC.ToString() + "] [有效性:" + wp.IsValid().ToString() + "]";
return(rows);
}
PPPoEPacket poe = PPPoEPacket.GetEncapsulated(packet);
if (poe != null)
{
rows[1] = "PPPoE";
rows[5] = poe.Type.ToString() + " " + poe.Version.ToString();
return(rows);
}
LLDPPacket llp = LLDPPacket.GetEncapsulated(packet);
if (llp != null)
{
rows[1] = "LLDP";
rows[5] = llp.ToString();
return(rows);
}
return(rows);
}
//链路层
PPPPacket ppp = PPPPacket.GetEncapsulated(packet);
if (ppp != null)
{
rows[1] = "PPP";
rows[3] = "--";
rows[4] = "--";
rows[5] = "协议类型:" + ppp.Protocol.ToString();
return(rows);
}
//PPPSerial
PppSerialPacket ppps = PppSerialPacket.GetEncapsulated(packet);
if (ppps != null)
{
rows[1] = "PPP";
rows[3] = "--";
rows[4] = "0x" + ppps.Address.ToString("X2");
rows[5] = "地址:" + ppps.Address.ToString("X2") + " 控制:" + ppps.Control.ToString() + " 协议类型:" + ppps.Protocol.ToString();
return(rows);
}
//Cisco HDLC
CiscoHDLCPacket hdlc = CiscoHDLCPacket.GetEncapsulated(packet);
if (hdlc != null)
{
rows[1] = "Cisco HDLC";
rows[3] = "--";
rows[4] = "0x" + hdlc.Address.ToString("X2");
rows[5] = "地址:" + hdlc.Address.ToString("X2") + " 控制:" + hdlc.Control.ToString() + " 协议类型:" + hdlc.Protocol.ToString();
return(rows);
}
#region
//SmtpPacket smtp = SmtpPacket.
#endregion
PacketDotNet.Ieee80211.MacFrame ieee = Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data) as PacketDotNet.Ieee80211.MacFrame;
if (ieee != null)
{
rows[1] = "IEEE802.11 MacFrame";
rows[3] = "--";
rows[4] = "--";
rows[5] = "帧校验序列:" + ieee.FrameCheckSequence.ToString() + " 封装帧:" + ieee.FrameControl.ToString();
return(rows);
}
PacketDotNet.Ieee80211.RadioPacket ieeePacket = Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data) as PacketDotNet.Ieee80211.RadioPacket;
if (ieeePacket != null)
{
rows[1] = "IEEE Radio";
rows[5] = "Version=" + ieeePacket.Version.ToString();
}
LinuxSLLPacket linux = Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data) as LinuxSLLPacket;
if (linux != null)
{
rows[1] = "LinuxSLL";
rows[5] = "Tyep=" + linux.Type.ToString() + " Protocol=" + linux.EthernetProtocolType.ToString();
}
return(rows);
}
/// <summary>
/// Receives all packets and processes them
/// </summary>
private static void OnPacketArrival(object sender, CaptureEventArgs e)
{
try
{
// Parse the packet
var RawIp = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
var Ip = IpPacket.GetEncapsulated(RawIp);
var RawEthernet = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
var Ethernet = EthernetPacket.GetEncapsulated(RawEthernet);
string SourceIpAddress = Ip.SourceAddress.ToString();
string SourceMacAddress = BitConverter.ToString(Ethernet.SourceHwAddress.GetAddressBytes()).ToLower().Replace("-", ":");
string TargetMacAddress = BitConverter.ToString(Ethernet.DestinationHwAddress.GetAddressBytes()).ToLower().Replace("-", ":");
string TargetIpAddress = Ip.DestinationAddress.ToString();
try
{
CheckMacAndIp(SourceMacAddress, SourceIpAddress, "Eth");
CheckMacAndIp(TargetMacAddress, TargetIpAddress, "Eth");
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
}
catch (Exception)
{
// If the packet isn't an IP packet, move on
}
try
{
// Parse the packet
var RawArpPacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
var ArpPacket = ARPPacket.GetEncapsulated(RawArpPacket);
// Source information
string SourceIpAddress = ArpPacket.SenderProtocolAddress.ToString();
string SourceMacAddress = BitConverter.ToString(ArpPacket.SenderHardwareAddress.GetAddressBytes()).ToLower().Replace("-", ":");
// Target information
string TargetIpAddress = ArpPacket.TargetProtocolAddress.ToString();
string TargetMacAddress = BitConverter.ToString(ArpPacket.TargetHardwareAddress.GetAddressBytes()).ToLower().Replace("-", ":");
try
{
CheckMacAndIp(SourceMacAddress, SourceIpAddress, "ARP");
CheckMacAndIp(TargetMacAddress, TargetIpAddress, "ARP");
} catch (Exception ex) {
Console.WriteLine(ex.ToString());
}
}
catch (Exception)
{
// If the packet isn't an ARP packet, move on
}
// Save the log file
if (LogType == FILE)
{
SaveLog();
}
}
// packet arrival event
private void device_OnPacketArrival(object sender, CaptureEventArgs e)
{
Packet packet;
try
{
packet = Packet.ParsePacket(LinkLayers.Ethernet, e.Packet.Data);
}
catch
{
return;
}
if (packet is EthernetPacket)
{
var tcp = TcpPacket.GetEncapsulated(packet);
var arp = ARPPacket.GetEncapsulated(packet);
var ip = IpPacket.GetEncapsulated(packet);
var icmpv6 = ICMPv6Packet.GetEncapsulated(packet);
// ARP packet
if (arp != null)
{
if (Scanner.Started)
{
lock (Scanner.PacketQueueARP)
{
Scanner.PacketQueueARP.Add(arp);
}
}
}
// ICMPv6 packet
if (icmpv6 != null)
{
if (Scanner.Started)
{
lock (Scanner.PacketQueueNDP)
{
icmpv6.ParentPacket = ip;
icmpv6.ParentPacket.ParentPacket = packet;
Scanner.PacketQueueNDP.Add(icmpv6);
}
}
}
// TCP packet
if (tcp != null)
{
// HTTP, FTP, IMAP, POP3, SMTP packets (client -> server)
if (tcp.DestinationPort == 80 || tcp.DestinationPort == 21 || tcp.DestinationPort == 143 || tcp.DestinationPort == 110 || tcp.DestinationPort == 25)
{
if (Sniffer.Started)
{
lock (Sniffer.PacketQueue)
{
Sniffer.PacketQueue.Add(tcp);
}
}
}
// SSL stripping needs HTTP in & out
if (tcp.DestinationPort == 80 || tcp.SourcePort == 80)
{
if (SSLStrip.Started)
{
if (!SSLStrip.ProcessPacket(packet, tcp))
{
return;
}
}
}
}
// IP packet
if (ip != null)
{
// route IPv4
if (ARPTools.SpoofingStarted && ip.SourceAddress.AddressFamily == AddressFamily.InterNetwork)
{
lock (ARPTools.PacketQueueRouting)
{
ARPTools.PacketQueueRouting.Add(packet);
}
}
// route IPv6
if (NDTools.SpoofingStarted && ip.SourceAddress.AddressFamily == AddressFamily.InterNetworkV6)
{
lock (NDTools.PacketQueueRouting)
{
NDTools.PacketQueueRouting.Add(packet);
}
}
}
}
}
