Packet Capture and Analayzer

• Download source files - 364 Kb

Introduction

The first idea of writing a packet sniffer program came from a reply to my comments on one of the projects named "NetSend ( Sending popup messenger messages between computers )" by Marc Clifton. Marc asked me "What about receiving message". To say the truth, I didn't know how I could do that. I knew a program which I had downloaded and tested years ago. But I didn't know the way of it. So I made a search on net about programs that can receive messages created by NetSend. And I noticed that many of them were using packet sniffer libraries. And then decided to learn how it is done. My search attempts gave a result and I found a free library named WinPCap.

After previewing the WinPCap source code , my first trial was to write a wrapper class for it. But what I did was not what I expected. And I had no control over the code. So I decided to port the base library of WinPCap named PacketNt.dll to C#. After many weeks and debug trials, I finished it. And then I wrote a new class to make capture process easy. And all these happen, a new class was created, Function. Yes, now I could catch packets from the network card but I wasn't able to display them. Because I had no idea what they meant. My next search was to find a program with free source code that can display packets. Yes, yes, as you guess, I found it. Its name is Etheral. It is really a great program and free.

First I traced the packets captured by Etheral and built some protocols and was able to display them in my test program. And then (after getting the source code of it ), I used the source code to learn the protocol structures. Now my program supports over 15 protocols. My aim is to add all protocols supported by Etheral to my program and to make it available to all of you. At this point, I will be very happy if some of you are interested in this kind of projects, to finish it. I am alone, and to port all protocols to C# is absolutely time consuming and tiring.

Project contents

Pacanal name comes from PACket ANALyzer. It is the main project file which enables to communicate with other classes and to display captured packets. Other classes are shown below:

• ColumnSorter

  This class enables to sort list view items. The class has the following members:

  • public int CurrentColumn = 0; // Column index to be sorted

  • public int Direction = 0; // 0 : Ascending, 1 : Descending

  • public int ColumnType = 0; 
    // 0 : Integer , 1 : Double , 2 : String

  • public bool CaseSensitivity = true;

  • public bool Enabled = true;

  CurrentColumn defines which column will be used to sort the ListView. Direction enables to sort data from lower to higher or higher to lower. ColumnType defines what format the desired column is. CaseSenitivity enables to sort string data in case order and Enabled helps enabling or disabling the sort method to run.

• Const

  This class contains protocol related constants and function.

• DeviceIoCtlh

  This class contains device specific constants and structures.

• Function

  This class contains all utility functions. It contains variable reading functions, bit decode function, node display function, Win32 API functions, format functions, etc.

• NtddNDish

  This class contains device specific constants.

• Packet32

  Wrapper class for Packet32h class. It contains functions for starting and stopping a capture session, loading and saving functions of captured packets, reading and writing function of capture parameters, etc.

• Packet32h

  This class contains all ported functions of PacketNt.dll of WinPCap library. I also added some functions both to add support for different OS and to extend the use of ported functions.

• PacketAARP

  This class contains Apple Talk Address Resolution Protocol parser functions

• PacketARP

  This class contains Address Resolution Protocol parser functions

• PacketCDP

  This class contains Cisco Discovery Protocol parser functions

• PacketDCERPC

  This class contains DCE/RPC Protocol parser functions. This class isn't over yet.

• PacketDLSW

  This class contains Data Link Switching Protocol parser functions

• PacketDNS

  This class contains Domain Name Service Protocol parser functions

• PacketEIGRP

  This class contains Extended Interior Gateway Routing Protocol parser functions

• PacketETHERNET

  This class contains Ethernet Protocol parser functions

• PacketHTTP

  This class contains Hyper Text Transfer Protocol parser functions

• PacketICMP

  This class contains Internet Control Message Protocol parser functions

• PacketINTERNET

  This class contains Internet Protocol parser functions

• PacketIPX

  This class contains Internet Packet Exchange Protocol parser functions

• PacketLLC

  This class contains Logical Link Control Protocol parser functions

• PacketLOOPBACK

  This class contains Loopback Protocol parser functions

• PacketMSWBROWSER

  This class contains Microsoft Windows Browser Protocol parser functions. This class isn't over yet.

• PacketMSWLOGON

  This class contains Microsoft Windows Logon Protocol parser functions. This class isn't over yet.

• PacketNBDS

  This class contains NetBIOS Datagram Service Protocol parser functions

• PacketNBNS

  This class contains NetBIOS Name Service Protocol parser functions

• PacketNBSS

  This class contains NetBIOS Session Service Protocol parser functions

• PacketNETBIOS

  This class contains NetBIOS Protocol parser functions

• PacketParser

  This class contains main parser functions

• PacketSMB

  This class contains Server Message Block Protocol parser functions. This class hasn't finished yet

• PacketSMBMAILSLOT

  This class contains SMB Mail Slot Protocol parser functions

• PacketSTP

  This class contains Spanning Tree Protocol parser functions

• PacketTB

  This class contains Trans Bridging Protocol parser functions. This class hasn't finished yet

• PacketTCP

  This class contains Transmission Control Protocol parser functions

• PacketTFTP

  This class contains Trivial File Transfer Protocol parser functions

• PacketUDP

  This class contains Unary Datagram Protocol parser functions

• WinService

  This class contains Windows service related functions and Win32 APIs.

• PacketSQL by Keith Westley

  This class contains SQL Server/Sybase TDS packet parser functions

  I tried to make my program like Etheral. So many features are like Etheral's features. Those are as follows:

  • You can limit captured packet to a specified size
  • You can stop capturing when a specified count of packets is reached
  • You can stop capturing when a specified time is reached
  • You can stop capturing when specified bytes is reached
  • You can stop capturing regardless those above
  • You can capture packets in real time mode
  • You can scroll packets list in real time mode
  • You can resolve MAC names
  • You can see the statistic of the captured packets , their percentages in all packets, the running time of the capture process and the total bytes captured
  • You can change the hardware filter as your needs
  • You can change the capture mode
  • You can highlight the protocol data by clicking protocol node in TreeView node
  • You can highlight the protocol data by clicking Hex data display area and then the protocol node will be highlighted
  • You can save all or a selected or all selected packets in the format that Etheral understands
  • You can load a packet file for reviewing
  • You can sort the captured packets as your will
  • You can highlight a node and its corresponding value in the hex data display by clicking the hex data display control
  • You can copy data from hex data. There are two ways to do this
    • Select the node of which its data is being copied and then click the "Copy" item into the "Edit" menu or click the Copy button on the toolbar
    • Click the right button of the mouse when it is over the hex-data display and then click "Select start point" or "Select end point". do this both for the start and stop points. And then later click "Lock the region" and then click "Copy" in the "Edit" menu or on the toolbar

      With those two ways, the selected data as being string will be copied to clipboard into hex format.

  • You can delete a packet by selecting it in the ListView control and then clicking the "Delete selected packet" button on the toolbar
  • You can capture messages sent by NetSend. Use Capture->Capture Net Send
  • You can manually install or remove the npf.sys driver by using "Driver" menu items. Use Driver->Install driver, Driver->Uninstall driver
  • You can enable or disable displaying list view columns. Use Options->Columns options
  • You can change the view of the program by adding transparency to it. Use Options->Transparency options
  • You can view capture statistics whenever you want. Use View->Show statistics, View->Hide statistics

Requirements

To run the code you need to have those below:

• Windows NT / 2K / XP
• A PC with an Ethernet card (LOL)
• NDIS packet capture driver (npf.sys) installed

npf.sys can be downloaded from the site http://winpcap.polito.it/ which is the one I used. But the project zip file contains necessary npf.sys files for both Win NT and Win 2K/XP. If npf.sys hasn't been installed yet, the program will install it for you.

Warning

After downloading the project files. First create a solution. Then add Pacanal and MyClassess projects into the solution. Don't forget giving a reference to the MyClasses in the project Pacanal.

Conclusion

I tested my program on a PC running Windows 2000 OS and Win NT. For XP, I haven't tried it, but probably it should work. There may be bugs that I couldn't catch or see yet. Please inform me about any bug you find.

I hope you like and find useful this source code and program.

Update - 16/09/2003

SQL Server/Sybase TDS packet parser class and a display form which enables to analyze the byte counts between IP/MAC addresses were added by Keith Westley. So much thanks to Keith for using and supporting Pacanal and sharing her stuff with us.