Пример #1
0
        public byte GetFieldByte(string name)
        {
            if (this.Parser == null)
            {
                return(0);
            }

            if (!this.Parser.HasField(name))
            {
                return(0);
            }

            uint offset, bsize;
            uint fieldId = this.Parser.Field(name);

            if (0 == NetmonAPI.NmGetFieldOffsetAndSize(ParsedFrame, fieldId, out offset, out bsize))
            {
                if (bsize == 8)
                {
                    byte uRet;
                    if (0 == NetmonAPI.NmGetFieldValueNumber8Bit(ParsedFrame, fieldId, out uRet))
                    {
                        return(uRet);
                    }
                }
            }
            return(0);
        }
        /// <summary>
        /// http://blogs.technet.com/b/netmon/archive/2009/10/07/using-nmapi-to-access-tcp-payload.aspx
        /// use property: property.tcppayloadlength, fields: tcp.srcport, tcp.dataoffset.dataoffset to calculate the payload length, and the offset in the raw frame.
        /// use NmGetPartialRawFrame to get the payload.
        /// </summary>
        private void GetTcpPayLoad()
        {
            unsafe
            {
                uint ret;
                byte tcpHeaderSize;            //
                uint tcpSrcOffset, tcpSrcSize; // offset: bits
                var  tcpPayloadLength = PropertyValueDict[NetmonPropertyName.TcpPayloadLength];
                int  payloadlen;
                bool result = Int32.TryParse(tcpPayloadLength.ToString(), out payloadlen);

                // Allocate a buffer for payload data. The maximum length=1460 bytes
                IntPtr buff = Marshal.AllocHGlobal(1500);
                if (payloadlen > 0)
                {
                    // Get the Data Offset, used to determine the TCP header size
                    ret = NetmonAPI.NmGetFieldValueNumber8Bit(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpDataSet], out tcpHeaderSize);
                    //Get the Offset of TCP.SrcPort which is the first field in TCP.
                    ret = NetmonAPI.NmGetFieldOffsetAndSize(_FrameInfoUnit.ParsedFrame, _FrameInfoUnit.FieldIdDict[NetmonFieldName.TcpSrcPort], out tcpSrcOffset, out tcpSrcSize);
                    // Read in the partial frame.  The Offset is in bits.  TCPHeaderSize is off by a factor of 4.
                    uint retlen;
                    uint offset = (uint)(tcpSrcOffset / 8 + tcpHeaderSize * 4);
                    ret = NetmonAPI.NmGetPartialRawFrame(_FrameInfoUnit.RawFrame, offset, (uint)payloadlen, (byte *)buff, out retlen);
                    // cast the intptr to the byte.
                    byte[] _payload = new byte[payloadlen];
                    Marshal.Copy(buff, _payload, 0, payloadlen);

                    //var str = Encoding.Default.GetString(_payload);
                    frameUnit.fieldUnit.PayLoad = _payload;

                    /*
                     * if (protocolname == "TCP")
                     * {
                     * frameUnit.fieldUnit.tcpPayLoad = _payload;
                     * }
                     * else
                     * {
                     * frameUnit.fieldUnit.httpPayLoad = _payload;
                     * // Console.WriteLine("http payload:");
                     * //Console.WriteLine(str);
                     * }*/
                }
                Marshal.Release(buff);
            }
        }
Пример #3
0
        /// <summary>
        /// Prints out a field's value if the display string couldn't be found.
        /// </summary>
        /// <param name="hParsedFrame">Parsed Frame</param>
        /// <param name="fieldId">Field Number to Display</param>
        private static void PrintParsedFrameFieldValue(IntPtr hParsedFrame, uint fieldId)
        {
            NmParsedFieldInfo parsedField = new NmParsedFieldInfo();

            parsedField.Size = (ushort)System.Runtime.InteropServices.Marshal.SizeOf(parsedField);

            uint errno = NetmonAPI.NmGetParsedFieldInfo(hParsedFrame, fieldId, parsedField.Size, ref parsedField);

            if (errno == ERROR_SUCCESS)
            {
                if (parsedField.NplDataTypeNameLength != 0)
                {
                    char[] name = new char[BUFFER_SIZE];
                    unsafe
                    {
                        fixed(char *pstr = name)
                        {
                            errno = NetmonAPI.NmGetFieldName(hParsedFrame, fieldId, NmParsedFieldNames.DataTypeName, BUFFER_SIZE, pstr);
                        }
                    }

                    Console.Write("(" + new string(name).Replace("\0", string.Empty) + ") ");
                }

                if (parsedField.FieldBitLength > 0)
                {
                    byte   number8Bit  = 0;
                    ushort number16Bit = 0;
                    uint   number32Bit = 0;
                    ulong  number64Bit = 0;
                    ulong  rl          = parsedField.ValueBufferLength;

                    switch (parsedField.ValueType)
                    {
                    case FieldType.VT_UI1:
                        errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, fieldId, out number8Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine(number8Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_I1:
                        errno = NetmonAPI.NmGetFieldValueNumber8Bit(hParsedFrame, fieldId, out number8Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine((sbyte)number8Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_UI2:
                        errno = NetmonAPI.NmGetFieldValueNumber16Bit(hParsedFrame, fieldId, out number16Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine(number16Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_I2:
                        errno = NetmonAPI.NmGetFieldValueNumber16Bit(hParsedFrame, fieldId, out number16Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine((short)number16Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_UI4:
                        errno = NetmonAPI.NmGetFieldValueNumber32Bit(hParsedFrame, fieldId, out number32Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine(number32Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_I4:
                        errno = NetmonAPI.NmGetFieldValueNumber32Bit(hParsedFrame, fieldId, out number32Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine((int)number32Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_UI8:
                        errno = NetmonAPI.NmGetFieldValueNumber64Bit(hParsedFrame, fieldId, out number64Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine(number64Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_I8:
                        errno = NetmonAPI.NmGetFieldValueNumber64Bit(hParsedFrame, fieldId, out number64Bit);
                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine((long)number64Bit);
                        }
                        else
                        {
                            Console.WriteLine("Error " + errno);
                        }

                        break;

                    case FieldType.VT_ARRAY | FieldType.VT_UI1:
                        byte[] byteArray = new byte[BUFFER_SIZE];
                        unsafe
                        {
                            fixed(byte *barr = byteArray)
                            {
                                errno = NetmonAPI.NmGetFieldValueByteArray(hParsedFrame, fieldId, BUFFER_SIZE, barr, out number32Bit);
                            }
                        }

                        if (errno == ERROR_SUCCESS)
                        {
                            for (uint i = 0; i < number32Bit; i++)
                            {
                                Console.Write(byteArray[i].ToString("X2") + " ");
                            }

                            if ((parsedField.FieldBitLength >> 3) > number32Bit)
                            {
                                Console.Write(" ... " + ((parsedField.FieldBitLength >> 3) - number32Bit) + " more bytes not displayed");
                            }

                            Console.WriteLine();
                        }
                        else if (errno == ERROR_RESOURCE_NOT_AVAILABLE)
                        {
                            Console.WriteLine("The field is a container");
                        }

                        break;

                    case FieldType.VT_LPWSTR:
                        char[] name = new char[BUFFER_SIZE];
                        unsafe
                        {
                            fixed(char *pstr = name)
                            {
                                errno = NetmonAPI.NmGetFieldValueString(hParsedFrame, fieldId, BUFFER_SIZE, pstr);
                            }
                        }

                        if (errno == ERROR_SUCCESS)
                        {
                            Console.WriteLine(new string(name).Replace("\0", string.Empty));
                        }
                        else
                        {
                            Console.WriteLine("String is too long to display");
                        }

                        break;

                    case FieldType.VT_LPSTR:
                        Console.WriteLine("Should not occur");
                        break;

                    case FieldType.VT_EMPTY:
                        Console.WriteLine("Struct or Array types expect description");
                        break;

                    default:
                        Console.WriteLine("Unknown Type " + parsedField.ValueType);
                        break;
                    }
                }
                else
                {
                    Console.WriteLine("Empty");
                }
            }
            else
            {
                Console.WriteLine("Could Not Retrieve Parsed Field Info " + errno);
            }
        }