5,696,038 members and growing! (17,785 online)
Email Password   helpLost your password?
General Programming » Internet / Network » Utilities     Intermediate License: The Code Project Open License (CPOL)

A Network Sniffer in C#

By Hitesh Sharma

A simple network sniffer which can parse IP, TCP, UDP, and DNS packets.
C#, Windows, Visual Studio, Dev

Posted: 5 Jan 2007
Updated: 11 Feb 2008
Views: 77,236
Bookmarked: 127 times
Announcements
Loading...



Search    
Advanced Search
Sitemap
25 votes for this Article.
Popularity: 6.39 Rating: 4.57 out of 5
1 vote, 4.0%
1
0 votes, 0.0%
2
0 votes, 0.0%
3
2 votes, 8.0%
4
22 votes, 88.0%
5
Sample Image - CSNetworkSniffer.jpg

Introduction

In this article, I will discuss the working of a simple network sniffer which can parse IP, TCP, UDP, and DNS packets.

Capturing the Packets

// For sniffing the socket to capture the packets 
// has to be a raw socket, with the address family
// being of type internetwork, and protocol being IP
mainSocket = newSocket(AddressFamily.InterNetwork, SocketType.Raw,
                       ProtocolType.IP);

// Bind the socket to the selected IP address
mainSocket.Bind(newIPEndPoint(IPAddress.Parse(cmbInterfaces.Text),0));

// Set the socket options
mainSocket.SetSocketOption(SocketOptionLevel.IP,  //Applies only to IP packets
                           SocketOptionName.HeaderIncluded, //Set the include header
                           true);                           //option to true

byte[] byTrue = newbyte[4]{1, 0, 0, 0};
byte[] byOut = newbyte[4];

//Socket.IOControl is analogous to the WSAIoctl method of Winsock 2
mainSocket.IOControl(IOControlCode.ReceiveAll,  //SIO_RCVALL of Winsock
                     byTrue, byOut);

//Start receiving the packets asynchronously
mainSocket.BeginReceive(byteData, 0, byteData.Length, SocketFlags.None,
                        newAsyncCallback(OnReceive), null);

For capturing the packets, we use a raw socket and bind it to the IP address. After setting the proper options for the socket, we then call the IOControl method on it. Notice that IOControl is analogous to the Winsock2WSAIoctl method. The IOControlCode.ReceiveAll implies that all incoming and outgoing packets on the particular interface be captured.

The second parameter passed to IOControl with IOControlCode.ReceiveAll should be TRUE so an array byTrue is created and passed to it (thanks to Leonid Molochniy for this). Next we start receiving all packets asynchronously.

Analysing the Packets

The IP datagram encapsulates the TCP and UDP packets. This further contains the data sent by the application layer protocols such as DNS, HTTP, FTP, SMTP, SIP, etc. Thus a TCP packet is received inside the IP datagram, like this:

                       
+-----------+------------+--------------------+
| IP header | TCP header |        Data        |  
+-----------+------------+--------------------+

So the first thing that we need to do is to parse the IP header. The stripped version of the IP header class is shown below, the comments describe the things as they happen.

public classIPHeader 
{ 
  //IP Header fields 
  private byte byVersionAndHeaderLength; // Eight bits for version and header 
                                         // length 
  private byte byDifferentiatedServices; // Eight bits for differentiated 
                                         // services
  private ushort usTotalLength;          // Sixteen bits for total length 
  private ushort usIdentification;       // Sixteen bits for identification
  private ushort usFlagsAndOffset;       // Eight bits for flags and frag. 
                                         // offset 
  private byte byTTL;                    // Eight bits for TTL (Time To Live) 
  private byte byProtocol;               // Eight bits for the underlying 
                                         // protocol 
  private short sChecksum;               // Sixteen bits for checksum of the 
                                         //  header 
  private uint uiSourceIPAddress;        // Thirty two bit source IP Address 
  private uint uiDestinationIPAddress;   // Thirty two bit destination IP Address 

  //End IP Header fields   
  private byte byHeaderLength;             //Header length 
  private byte[] byIPData = new byte[4096]; //Data carried by the datagram
  public IPHeader(byte[] byBuffer, int nReceived)
  {
    try
    {
    //Create MemoryStream out of the received bytes
    MemoryStream memoryStream = newMemoryStream(byBuffer, 0, nReceived);
    
    //Next we create a BinaryReader out of the MemoryStream
    BinaryReader binaryReader = newBinaryReader(memoryStream);

    //The first eight bits of the IP header contain the version and
    //header length so we read them
    byVersionAndHeaderLength = binaryReader.ReadByte();

    //The next eight bits contain the Differentiated services
    byDifferentiatedServices = binaryReader.ReadByte();
    
    //Next eight bits hold the total length of the datagram
    usTotalLength = 
             (ushort) IPAddress.NetworkToHostOrder(binaryReader.ReadInt16());

    //Next sixteen have the identification bytes
    usIdentification = 
              (ushort)IPAddress.NetworkToHostOrder(binaryReader.ReadInt16());

    //Next sixteen bits contain the flags and fragmentation offset
    usFlagsAndOffset = 
              (ushort)IPAddress.NetworkToHostOrder(binaryReader.ReadInt16());

    //Next eight bits have the TTL value
    byTTL = binaryReader.ReadByte();

    //Next eight represent the protocol encapsulated in the datagram
    byProtocol = binaryReader.ReadByte();

    //Next sixteen bits contain the checksum of the header
    sChecksum = IPAddress.NetworkToHostOrder(binaryReader.ReadInt16());

    //Next thirty two bits have the source IP address
    uiSourceIPAddress = (uint)(binaryReader.ReadInt32());

    //Next thirty two hold the destination IP address
    uiDestinationIPAddress = (uint)(binaryReader.ReadInt32());

    //Now we calculate the header length
    byHeaderLength = byVersionAndHeaderLength;

    //The last four bits of the version and header length field contain the
    //header length, we perform some simple binary arithmetic operations to
    //extract them
    byHeaderLength <<= 4;
    byHeaderLength >>= 4;

    //Multiply by four to get the exact header length
    byHeaderLength *= 4;

    //Copy the data carried by the datagram into another array so that
    //according to the protocol being carried in the IP datagram
    Array.Copy(byBuffer, 
               byHeaderLength, //start copying from the end of the header
               byIPData, 0, usTotalLength - byHeaderLength);
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message, "MJsniff", MessageBoxButtons.OK, 
                        MessageBoxIcon.Error);
    }
 }
//Please see the attached codes for the properties…
}

Firstly, the class contains the data members corresponding to the fields of the IP header. Kindly see RFC 791 for a detailed explanation of the IP header and its fields. The constructor of the class takes the bytes received and creates a MemoryStream on the received bytes and then creates a BinaryReader to read the data from the MemoryStream byte-by-byte. Also note that the data received from the network is in big-endian form so we use the IPAddress.NetworkToHostOrder to correct the byte ordering. This has to be done for all non-byte data members.

The TCP, UDP headers are also parsed in an identical fashion, the only difference is that they are read from the point where the IP header ends. As an example of parsing the application layer protocols, the attached project can detect DNS packets as well.

References

Updates

  • 9th February, 2008: Fixed the code to capture both incoming and outgoing packets. Thanks to Darren_vms for pointing this in the comments.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Hitesh Sharma



Location: India India

Other popular Internet / Network articles:

Article Top
Sign Up to vote for this article
You must Sign In to use this message board.
FAQ FAQ Noise ToleranceSearch Search Messages 
 Layout  Per page   
 Msgs 1 to 25 of 70 (Total in Forum: 70) (Refresh)FirstPrevNext
GeneralHow to Sniff outgoing packets?memberMember 18683266:43 19 Nov '08  
GeneralLosing a lot of packetsmemberMax.Brin7:52 13 Nov '08  
Generaloutgoing packets through VPNmemberPeople3136:04 12 Nov '08  
Jokeimplementmemberbeck1720:21 15 Oct '08  
Generalplease help determine the packet size..membereladvini16:01 16 Aug '08  
GeneralThis is no good....memberthe pink jedi5:10 13 May '08  
GeneralRe: This is no good....memberHitesh Sharma6:37 15 May '08  
QuestionRe: This is no good....membervolch4:10 18 Jul '08  
GeneralRe: This is no good....memberMember 281805812:44 21 Oct '08  
QuestionTo Alawi Alkaff and others (How can i read data from printer port before printing in C#)memberKrishna Prasad RVS5:39 6 May '08  
QuestionHow can i read data from printer port before printing in C#memberKrishna Prasad RVS3:36 6 May '08  
QuestionA few questions...membergazda5:35 31 Mar '08  
GeneralRe: A few questions...memberHitesh Sharma8:24 1 Apr '08  
GeneralRe: A few questions...membergazda7:33 2 Apr '08  
AnswerRe: A few questions...memberMax.Brin7:50 13 Nov '08  
QuestionError : Invalid argument was suppliedmemberrgesnot8:05 21 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberHitesh Sharma11:51 21 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberrgesnot1:18 22 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberrgesnot1:24 22 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberakbas17:44 22 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberrgesnot0:48 23 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberrgesnot3:32 23 Mar '08  
GeneralRe: Error : Invalid argument was suppliedmemberHitesh Sharma7:20 23 Mar '08  
GeneralInstallable Client?memberDemoniac18:58 17 Mar '08  
Questionvoip recrordingmemberramymabrouk5:18 26 Feb '08  

General General    News News    Question Question    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

PermaLink | Privacy | Terms of Use
Last Updated: 11 Feb 2008
Editor: Deeksha Shenoy
Copyright 2007 by Hitesh Sharma
Everything else Copyright © CodeProject, 1999-2008
FileMail | Advertise on the Code Project