网络包捕获 SharpPcap 2.2.0

<H2>SharpPcap tutorial: a step by step guide to using SharpPcap</H2> <P>The text of this tutorial is taken directly from WinPcap's <A href="http://www.winpcap.org/docs/docs31/html/group__wpcap__tut.html"> official tutorial </A>but is modified to show the C# use of the SharpPcap library. All examples can be downloaded together with SharpPcap source code from <A href="http://sharppcap.sourceforge.net">SharpPcap</A> 's homepage.</P> <P>For use on windows the WinPcap library must be installed before attempting to run any of these examples, so please download and install the latest version from <A href="http://www.winpcap.org/install/default.htm"> WinPcap's download page</A>.</P> <P> For use on Linux the pcap library must be installed.</P> <P>SharpPcap was written and tested using .NET v1.1 and Windows 2000/XP and Mono 1.9.1 on Ubuntu 8.10. If you try it on another platform and have difficulties please submit a bug on the project webpage. <P>The following topics are covered in this tutorial:</P> <ol> <li> <a href="#ifList">Obtaining the device list</a> <li> <a href="#basicCap">Opening an adapter and capturing packets</a> <li> <a href="#basicCapNoCallback">Capturing packets without the event handler</a> <li> <a href="#filter">Filtering the traffic</a> <li> <a href="#dumpTCP">Interpreting the packets</a> <li> <a href="#offline">Handling offline dump files</a> <li> <a href="#sendPackets">Sending Packets</a> <li> <a href="#statistics">Gathering Statistics on the network traffic</a></li> </ol> <H3 id="ifList">1. Obtaining the device list </H3> <P>Typically, the first thing that a Pcap-based application does is get a list of attached network adapters. SharpPcap provide the <CODE>GetAllDevices()</CODE> function for this purpose: this function returns a list of <CODE>PcapDevice</CODE> objects, each of which contains comprehensive information about an attached adapter. In particular, the fields <CODE>PcapName</CODE> and <CODE>PcapDescription</CODE> contain the name and a human readable description, respectively, of the corresponding device. The following C# sample shows how to retrieve a list of adapters and print it on the screen, printing an error if no adapters are found. </P> <PRE>/* Retrieve the device list */ List<PcapDevice> devices = SharpPcap.Pcap.GetAllDevices(); /*If no device exists, print error */ if(devices.Count&lt;1) { Console.WriteLine("No device found on this machine"); return; } int i=0; /* Scan the list printing every entry */ foreach(PcapDevice dev in devices) { Console.Writeline("{0}", dev.ToString()); Console.WriteLine(); i++; }</PRE> <P>The output of the above application will be as something like:</P> <PRE>SharpPcap 1.0.2.0, Example4.IfList.cs The following devices are available on this machine: ---------------------------------------------------- 0) Generic dialup adapter Name: \Device\NPF_GenericDialupAdapter IP Address: 0.0.0.0 Loopback: False 1) Intel(R) PRO/1000 MT Mobile Connection (Microsoft's Packet Scheduler) Name: \Device\NPF_{355BF264-B768-454A-84BC-096A44F0ADA9} IP Address: 10.10.10.100 Loopback: False Hit 'Enter' to exit...</PRE> <H3 id="basicCap">2. Opening an adapter and capturing packets</H3> <P>Now that we've seen how to obtain an adapter to play with, let's start the real job, opening an adapter and capturing some traffic. In this section we'll write a program that prints some information about each packet flowing through the adapter. </P> <P>The function that opens a device for capture is <CODE>PcapOpen()</CODE> which is overloaded with some arguments as follows: </P> <UL> <LI> <CODE>PcapOpen()</CODE> <LI> <CODE>PcapOpen(bool promiscuous_mode)</CODE> <LI> <CODE>PcapOpen(bool promiscuous_mode, int read_timeout)</CODE> </LI> </UL> <P>The above two arguments deserve some further explanation:</P> <P><CODE><I>promiscuous_mode</I>:</CODE> In normal operation, an adapter only captures packets from the network that are destined to it; the packets exchanged by other hosts are therefore ignored. Instead, when the adapter is in promiscuous mode it captures all packets whether they are destined to it or not. This means that on shared media (like non-switched Ethernet), WinPcap will be able to capture the packets of other hosts. Promiscuous mode is the default for most capture applications, so we enable it in the following example. </P> <P><CODE><I>read_timeout</I>: </CODE>specifies the read timeout, in milliseconds. A read on the adapter (for example, using the <CODE>PcapGetNextPacket()</CODE> function) will always return after <CODE>read_timeout</CODE> milliseconds, even if no packets are available from the network. <CODE>read_timeout</CODE> also defines the interval between statistical reports if the adapter is in statistical mode (see the <I>Gathering Statistics on the network traffic</I> section). Setting <CODE> read_timeout</CODE> to 0 means no timeout, a read on the adapter never returns if no packets arrive. A -1 timeout on the other side causes a read on the adapter to always return immediately.</P> <P>The following example shows the use of the <CODE>PcapOnPacketArrival</CODE> event for receiving packets. We create an event handler that is being called whenever a new packet is going through the <CODE>PcapDevice</CODE>:</P> <PRE>//Extract a device from the list PcapDevice device = devices[i]; //Register our handler function to the 'packet arrival' event device.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent( device_PcapOnPacketArrival ); //Open the device for capturing //true -- means promiscuous mode //1000 -- means a read wait of 1000ms device.PcapOpen(true, 1000); Console.WriteLine("-- Listenning on {0}, hit 'Enter' to stop...", device.PcapDescription); //Start the capturing process device.PcapStartCapture(); //Wait for 'Enter' from the user. Console.ReadLine(); //Stop the capturing process device.PcapStopCapture(); //Close the pcap device device.PcapClose();</PRE> <P>And here is our packet handler implementation: </P> <PRE>/// &lt;SUMMARY&gt; /// Prints the time and length of each received packet /// &lt;/SUMMARY&gt; private static void device_PcapOnPacketArrival(object sender, Packet packet) { DateTime time = packet.PcapHeader.Date; int len = packet.PcapHeader.PacketLength; Console.WriteLine("{0}:{1}:{2},{3} Len={4}", time.Hour, time.Minute, time.Second, time.Millisecond, len); }</PRE> <P>Once the adapter is opened, the capture can be started with the <CODE>PcapStartCapture()</CODE> or <CODE>PcapCapture(int packetCount)</CODE> functions. These two functions are very similar, the difference is that <CODE>PcapStartCapture()</CODE> is a non-blocking function that starts the capturing process on a new thread, while <CODE> PcapCapture(int packetCount) </CODE>blocks until <CODE>packetCount </CODE>packets have been captured. When using <CODE>PcapStartCapture()</CODE> we should later call <CODE>PcapStopCapture()</CODE> to terminate the capture process. When using <CODE>PcapCapture(int packetCount)</CODE> it is possible to pass a <CODE>SharpPcap.INFINITE</CODE> value to keep capturing forever. </P> <P>Both of these functions require that an event handler for processing packets is registered prior to calling them. This event handler is invoked by <CODE>PcapDevice</CODE> for every new packet coming from the network and receives the sender object that invoked this handler (i.e. the <CODE>PcapDevice</CODE> object) and the actual received <CODE>Packet</CODE>, including all the protocol headers. Note that the frame CRC is normally not present in the packet, because it is