Click here to Skip to main content
13,357,973 members (59,092 online)
Click here to Skip to main content
Add your own
alternative version


431 bookmarked
Posted 22 May 2003

Packet Capture and Analayzer

, 23 Sep 2003
Rate this:
Please Sign up or sign in to vote.
Packet capture and analyzer program. With this program you can capture, display, analyze, save packets or load a saved packet file. It works like Etheral does.


The first idea of writing a packet sniffer program came from a reply to my comments on one of the projects named "NetSend ( Sending popup messenger messages between computers )" by Marc Clifton. Marc asked me "What about receiving message". To say the truth, I didn't know how I could do that. I knew a program which I had downloaded and tested years ago. But I didn't know the way of it. So I made a search on net about programs that can receive messages created by NetSend. And I noticed that many of them were using packet sniffer libraries. And then decided to learn how it is done. My search attempts gave a result and I found a free library named WinPCap.

After previewing the WinPCap source code , my first trial was to write a wrapper class for it. But what I did was not what I expected. And I had no control over the code. So I decided to port the base library of WinPCap named PacketNt.dll to C#. After many weeks and debug trials, I finished it. And then I wrote a new class to make capture process easy. And all these happen, a new class was created, Function. Yes, now I could catch packets from the network card but I wasn't able to display them. Because I had no idea what they meant. My next search was to find a program with free source code that can display packets. Yes, yes, as you guess, I found it. Its name is Etheral. It is really a great program and free.

First I traced the packets captured by Etheral and built some protocols and was able to display them in my test program. And then (after getting the source code of it ), I used the source code to learn the protocol structures. Now my program supports over 15 protocols. My aim is to add all protocols supported by Etheral to my program and to make it available to all of you. At this point, I will be very happy if some of you are interested in this kind of projects, to finish it. I am alone, and to port all protocols to C# is absolutely time consuming and tiring.

Sample screenshot

Project contents

Pacanal name comes from PACket ANALyzer. It is the main project file which enables to communicate with other classes and to display captured packets. Other classes are shown below:

  • ColumnSorter

    This class enables to sort list view items. The class has the following members:

    • public int CurrentColumn = 0; // Column index to be sorted
    • public int Direction = 0; // 0 : Ascending, 1 : Descending
    • public int ColumnType = 0; 
      // 0 : Integer , 1 : Double , 2 : String
    • public bool CaseSensitivity = true;
    • public bool Enabled = true;

    CurrentColumn defines which column will be used to sort the ListView. Direction enables to sort data from lower to higher or higher to lower. ColumnType defines what format the desired column is. CaseSenitivity enables to sort string data in case order and Enabled helps enabling or disabling the sort method to run.

  • Const

    This class contains protocol related constants and function.

  • DeviceIoCtlh

    This class contains device specific constants and structures.

  • Function

    This class contains all utility functions. It contains variable reading functions, bit decode function, node display function, Win32 API functions, format functions, etc.

  • NtddNDish

    This class contains device specific constants.

  • Packet32

    Wrapper class for Packet32h class. It contains functions for starting and stopping a capture session, loading and saving functions of captured packets, reading and writing function of capture parameters, etc.

  • Packet32h

    This class contains all ported functions of PacketNt.dll of WinPCap library. I also added some functions both to add support for different OS and to extend the use of ported functions.

  • PacketAARP

    This class contains Apple Talk Address Resolution Protocol parser functions

  • PacketARP

    This class contains Address Resolution Protocol parser functions

  • PacketCDP

    This class contains Cisco Discovery Protocol parser functions

  • PacketDCERPC

    This class contains DCE/RPC Protocol parser functions. This class isn't over yet.

  • PacketDLSW

    This class contains Data Link Switching Protocol parser functions

  • PacketDNS

    This class contains Domain Name Service Protocol parser functions

  • PacketEIGRP

    This class contains Extended Interior Gateway Routing Protocol parser functions

  • PacketETHERNET

    This class contains Ethernet Protocol parser functions

  • PacketHTTP

    This class contains Hyper Text Transfer Protocol parser functions

  • PacketICMP

    This class contains Internet Control Message Protocol parser functions

  • PacketINTERNET

    This class contains Internet Protocol parser functions

  • PacketIPX

    This class contains Internet Packet Exchange Protocol parser functions

  • PacketLLC

    This class contains Logical Link Control Protocol parser functions

  • PacketLOOPBACK

    This class contains Loopback Protocol parser functions


    This class contains Microsoft Windows Browser Protocol parser functions. This class isn't over yet.

  • PacketMSWLOGON

    This class contains Microsoft Windows Logon Protocol parser functions. This class isn't over yet.

  • PacketNBDS

    This class contains NetBIOS Datagram Service Protocol parser functions

  • PacketNBNS

    This class contains NetBIOS Name Service Protocol parser functions

  • PacketNBSS

    This class contains NetBIOS Session Service Protocol parser functions

  • PacketNETBIOS

    This class contains NetBIOS Protocol parser functions

  • PacketParser

    This class contains main parser functions

  • PacketSMB

    This class contains Server Message Block Protocol parser functions. This class hasn't finished yet


    This class contains SMB Mail Slot Protocol parser functions

  • PacketSTP

    This class contains Spanning Tree Protocol parser functions

  • PacketTB

    This class contains Trans Bridging Protocol parser functions. This class hasn't finished yet

  • PacketTCP

    This class contains Transmission Control Protocol parser functions

  • PacketTFTP

    This class contains Trivial File Transfer Protocol parser functions

  • PacketUDP

    This class contains Unary Datagram Protocol parser functions

  • WinService

    This class contains Windows service related functions and Win32 APIs.

  • PacketSQL by Keith Westley

    This class contains SQL Server/Sybase TDS packet parser functions

    I tried to make my program like Etheral. So many features are like Etheral's features. Those are as follows:

    • You can limit captured packet to a specified size
    • You can stop capturing when a specified count of packets is reached
    • You can stop capturing when a specified time is reached
    • You can stop capturing when specified bytes is reached
    • You can stop capturing regardless those above
    • You can capture packets in real time mode
    • You can scroll packets list in real time mode
    • You can resolve MAC names
    • You can see the statistic of the captured packets , their percentages in all packets, the running time of the capture process and the total bytes captured
    • You can change the hardware filter as your needs
    • You can change the capture mode
    • You can highlight the protocol data by clicking protocol node in TreeView node
    • You can highlight the protocol data by clicking Hex data display area and then the protocol node will be highlighted
    • You can save all or a selected or all selected packets in the format that Etheral understands
    • You can load a packet file for reviewing
    • You can sort the captured packets as your will
    • You can highlight a node and its corresponding value in the hex data display by clicking the hex data display control
    • You can copy data from hex data. There are two ways to do this
      • Select the node of which its data is being copied and then click the "Copy" item into the "Edit" menu or click the Copy button on the toolbar
      • Click the right button of the mouse when it is over the hex-data display and then click "Select start point" or "Select end point". do this both for the start and stop points. And then later click "Lock the region" and then click "Copy" in the "Edit" menu or on the toolbar

        With those two ways, the selected data as being string will be copied to clipboard into hex format.

    • You can delete a packet by selecting it in the ListView control and then clicking the "Delete selected packet" button on the toolbar
    • You can capture messages sent by NetSend. Use Capture->Capture Net Send
    • You can manually install or remove the npf.sys driver by using "Driver" menu items. Use Driver->Install driver, Driver->Uninstall driver
    • You can enable or disable displaying list view columns. Use Options->Columns options
    • You can change the view of the program by adding transparency to it. Use Options->Transparency options
    • You can view capture statistics whenever you want. Use View->Show statistics, View->Hide statistics


To run the code you need to have those below:

  • Windows NT / 2K / XP
  • A PC with an Ethernet card (LOL)
  • NDIS packet capture driver (npf.sys) installed

npf.sys can be downloaded from the site which is the one I used. But the project zip file contains necessary npf.sys files for both Win NT and Win 2K/XP. If npf.sys hasn't been installed yet, the program will install it for you.


After downloading the project files. First create a solution. Then add Pacanal and MyClassess projects into the solution. Don't forget giving a reference to the MyClasses in the project Pacanal.


I tested my program on a PC running Windows 2000 OS and Win NT. For XP, I haven't tried it, but probably it should work. There may be bugs that I couldn't catch or see yet. Please inform me about any bug you find.

I hope you like and find useful this source code and program.

Update - 16/09/2003

SQL Server/Sybase TDS packet parser class and a display form which enables to analyze the byte counts between IP/MAC addresses were added by Keith Westley. So much thanks to Keith for using and supporting Pacanal and sharing her stuff with us.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

firat kocak
Web Developer
Turkey Turkey
Hi to all...
I am an alone programmer. i am not a specialist on programming but i love it. anyone who supports source code sharing is definetely my friend.
Because i am so poor on writing about myself, anyone who wants to learn more about me can feel free to contact me...

You may also be interested in...

Comments and Discussions

Questiontry for win2000? Pin
Anil D S3-Jan-11 22:10
memberAnil D S3-Jan-11 22:10 
Generalinformation Pin
khalfan22-Nov-10 22:46
memberkhalfan22-Nov-10 22:46 
Questionnetwork analyzer Pin
sarahoseini17-Aug-10 3:24
membersarahoseini17-Aug-10 3:24 
Generalbad luck with 3.1 winpcap [modified] Pin
miran6129-Jul-10 22:54
membermiran6129-Jul-10 22:54 
GeneralRe: bad luck with 3.1 winpcap [modified] Pin
carlmalden1-Nov-11 8:18
membercarlmalden1-Nov-11 8:18 
QuestionSIP protocol Pin
Lý Tầm Hoan3-Jun-10 19:32
memberLý Tầm Hoan3-Jun-10 19:32 
AnswerRe: SIP protocol Pin
ashwinrath1-Jul-10 2:29
memberashwinrath1-Jul-10 2:29 
GeneralUndable to get adapter ..list. Pin
mygapula sudheer20-May-10 17:24
membermygapula sudheer20-May-10 17:24 
Hi ,

I am unable to get abapter info in xp pc what might be the problem. I debugged and got clue that open handle to adapter is failing how to fix it.

GeneralRe: Undable to get adapter ..list. Pin
miran6128-Jul-10 10:30
membermiran6128-Jul-10 10:30 
GeneralException occurred Pin
Member 463202929-Apr-10 1:39
memberMember 463202929-Apr-10 1:39 
Generalplz help: unhandled exception has occured. value cannot be null. Parameter name:item Pin
furquan43113-Feb-10 9:18
memberfurquan43113-Feb-10 9:18 
GeneralI can run the application Pin
SaramMalik12-Jan-10 10:55
memberSaramMalik12-Jan-10 10:55 
GeneralRe: I can run the application Pin
nonintrusive23-Mar-10 6:34
membernonintrusive23-Mar-10 6:34 
GeneralMyClasses dll missing Pin
santhosh9589-Jan-10 16:38
membersanthosh9589-Jan-10 16:38 
GeneralRe: MyClasses dll missing Pin
Anusha N Rao27-Dec-11 20:20
memberAnusha N Rao27-Dec-11 20:20 
GeneralSystem.ArgumentNullException in FormPacanal.cs when the Caapture Options button is clicked Pin
spicture2-Dec-09 12:10
memberspicture2-Dec-09 12:10 
GeneralHTTP detail Pin
Member 39235552-Dec-09 10:23
memberMember 39235552-Dec-09 10:23 
GeneralWinPcap 3.1 Pin
cent.iqra24-Nov-09 6:48
membercent.iqra24-Nov-09 6:48 
GeneralRe: WinPcap 3.1 Pin
shaamboo10-Dec-10 2:35
membershaamboo10-Dec-10 2:35 
Generalhelp: how to track CDP protocal using this program Pin
syed197312-Nov-09 1:07
membersyed197312-Nov-09 1:07 
Generaloutlook smtp Pin
supersup9-Nov-09 2:14
membersupersup9-Nov-09 2:14 
GeneralExtract from listview Pin
supersup28-Oct-09 22:33
membersupersup28-Oct-09 22:33 
GeneralRe: Extract from listview Pin
ddarko1003-Nov-09 9:16
memberddarko1003-Nov-09 9:16 
GeneralRe: Extract from listview Pin
supersup4-Nov-09 19:13
membersupersup4-Nov-09 19:13 
GeneralTo solve the problem "out of bounds index array" exception Pin
randy wu27-Sep-09 16:37
memberrandy wu27-Sep-09 16:37 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.180111.1 | Last Updated 24 Sep 2003
Article Copyright 2003 by firat kocak
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid