Raw Socket Capturing Using C#

• Download source, demo project, and WinPcapNET - 31 Kb
• Download WinPcap at www.winpcap.org

Introduction

The project's purpose is to capture Ethernet packets using the WinPcap engine and to take the first step toward making a packet analyzer like Ethereal or Analyzer.

As far as I saw on the 'Net there was no code or method to capture an Ethernet packet using C# and the .NET Framework, so I made a library (WinPcapNET) as a wrapper library to WinPcap, which is the base of most packet analyzers on the Win32 and other platforms.

Project Content

• WinPcapNET1.0 : a C library to capture a number of packets - given as an argument - to a file capture.cap using the original WinPcap engine. It will capture packets using the network card or the PPP driver
• WinPcapNET : a C# wrapper class to operate WinPcapNET1.0 and to deal with packets in the .NET runtime. To take all the packets or ask for them individually, it gives RawPacket class which contain HEADER (The Packet Seq Number: PacSize) and PACKET itself, which will be returned from the WinPcapNET class.
• ShowWinPcapNET : A GUI program using the WinPcapNET class to show its interaction in C# code.

References

WinPcap : The engine was copy-righted to Politecnico di Torino at http://winpcap.polito.it/ and some other mirrors; however, for some reason the site was stopped and most of the mirrors as well. You can still find it on http://www.wireshark.org/

The Engine used here is WinPcap Alpha3.0, which is the same engine used by Ethereal, Analyzer and windump.

Project Components

WinPcapNET1.0

WinPcapNET1.0 is the DLL that will communicate with the WinPcap engine. It is written in C. The key file in this DLL project is WinPcapNET1.0.cpp. It has one method to carry out the DLL's job, which is:

void CapturePacket(int driver_number1, int packet_number1)

• driver_number1is the driver number installed in the machine. It can be a WAN, LAN, PPP or the NDSI driver that provides the packet passing the network interface.
• packet_number1 is the number of packets the method will capture before the information is available.

Explanation of the Method:

1. It detects all the drivers available on that system.
2. It chooses the one supplied on by the driver_number1 parameter and asks the WinPcap engine to capture and serialize the packets .
3. It places itself in a loop of sizepacket_number1 to capture the packets.
4. For every packet it reads its seq-number and size and put it in the file capture.cap. Then it reads character by character from that packet and put it in the file by its 2 * hexadecimal form.
5. When it finishes capturing the number of packets requested it exits.

WinPcapNET

WinPcapNET is the core of the project which will handle the capturing and interaction with the C WinPcapNET1.0.dll and retrieve the packets to the C# application. It consists of two classes:

1. The RawPacket class is the packet data-carrier which is used to hold the packet data and its seq-number.
2. The WinPcap class is actually a wrapper class that will initiate the capturing and retrieve a specific packet or all packets.

RawPacket

1. RawPacket(string header, string packet) as the constructor.
2. string Header
3. string Packet which is the 2 * hexadecimal form of the packet. I made this to make it easier to handle it in the text form rather than putting it as binary in the file.

WinPcap

It gives all public and static methods to access the capture file indirectly.

void Capture(int I, int j): It starts the method CapturePacket in the WinPcapNET1.0.dll. I is for the driver number (networkcard or ndis) and j for the number of packets wanted. bool CanRead(): returns false if the engine is still capturing. And true if it's ready to begin reading the packets from the capturing file. RawPacket[] GetAllPackets(): returns an array of RawPacket after filling them from the capturing file. RawPacket GetPacket(int i): the method returns a RawPacket object filled with the data of the packet number I captured in the file. int PacketCount(): returns the number of packets captured. void WaitToFinish(): This method will block until the engine stops reading packets, and be ready to retrieve them.

ShowWinPcapNET

This is a sample that will show how to use the two pervious packages. It's a GUI implementation and is not threaded to keep the sample as simple as possible.

• The first two text boxes take the parameter for Capture() method and the Capture button calls the method. The program blocks until it captures the 20 packets specified in the "Number of Packets to be captured" and then list them in the ListBox
• Seq-Number: (packetSize), From: Ethernet-number, To: Ethernet-number.
• When an item of the list is clicked the packet's data appears in the bottom TextBox, filling them in 16 rows.

Using the Code

These are the key pieces of code to operate the WinPcapNET. It will handle the rest.

WinPcap.Capture(int.Parse(this.txt_device_number.Text),
                int.Parse(this.txt_packet_number.Text));
WinPcap.WaitToFinish();

RawPacket[] packet = WinPcap.GetAllPackets();
// this part is discussed above in the classes and method explanation.  

The code of both WinPcapNET and WinPcapNet1.0 will be submitted later after I update the code and put some final touches on it.

Work in Progress

I'll submit WinPcapNETv2 later, God willing, and it will be completely in C# and will support real-time CHAR capturing. I'm working on it now and it will be only one library containing the structures of WinPcap itself to simplify its use.