
236. Data Packet Capture (Filters: IP, TCP, ARP, Ethernet, etc)

The WinPcap library, used from C# through a .NET wrapper, can read the source and destination IP addresses and TCP ports of every captured packet. For this the TCPPacket class is used. A solution and a video demo of this example are available for download, and use the following packet-arrival handler:

private static void device_PcapOnPacketArrival(object sender, Packet packet)
{
  if (packet is TCPPacket)             // ignore ARP, ICMP, UDP and anything else
  {
    DateTime time = packet.PcapHeader.Date;      // capture timestamp
    int len = packet.PcapHeader.PacketLength;    // length of the captured frame
    TCPPacket tcp = (TCPPacket)packet;
    string srcIp = tcp.SourceAddress;
    string dstIp = tcp.DestinationAddress;
    int srcPort = tcp.SourcePort;
    int dstPort = tcp.DestinationPort;
    Console.WriteLine("{0}:{1} -> {2}:{3}", srcIp, srcPort, dstIp, dstPort);
  }
}

A sample run shows the source and destination address and port of each TCP packet (here a Web server on port 80 talking to a client on port 3582):

84.53.143.151:80 -> 192.168.1.101:3582
84.53.143.151:80 -> 192.168.1.101:3582
192.168.1.101:3582 -> 84.53.143.151:80

Next modify the code so that it detects only ICMP packets (using the ICMPPacket class), and displays the source and the destination addresses, along with the TTL (time-to-live) value:

private static void device_PcapOnPacketArrival(object sender, Packet packet)
{
  if (packet is ICMPPacket)
  {
    DateTime time = packet.PcapHeader.Date;
    int len = packet.PcapHeader.PacketLength;
    ICMPPacket icmp = (ICMPPacket)packet;
    string srcIp = icmp.SourceAddress;        // the IP header's source, not the destination
    string dstIp = icmp.DestinationAddress;
    string ttl = icmp.TimeToLive.ToString();  // IP TTL, decremented by each router on the path
    Console.WriteLine("{0}->{1} TTL:{2}", srcIp, dstIp, ttl);
  }
}

A sample run (a ping between two hosts on the local network, where the TTL of 128 is the sender's initial value because no router is in the path) is:

Press any <RETURN> to exit 
192.168.1.101->192.168.1.102 TTL:128 
192.168.1.102->192.168.1.101 TTL:128 
192.168.1.101->192.168.1.102 TTL:128 

It is possible to read the payload of the packet as a byte array (using the Data property) and then convert it to a string, such as:

private static void device_PcapOnPacketArrival(object sender, Packet packet)
{
  if (packet is TCPPacket)
  {
    DateTime time = packet.PcapHeader.Date;
    int len = packet.PcapHeader.PacketLength;
    TCPPacket tcp = (TCPPacket)packet;
    byte[] b = tcp.Data;                      // TCP payload only, headers already stripped
    // Decode as ASCII: bytes above 0x7F become '?', which is fine for a keyword search
    System.Text.ASCIIEncoding format = new System.Text.ASCIIEncoding();
    string s = format.GetString(b);
    s = s.ToLower();                          // case-insensitive match
    // IndexOf returns -1 when absent, so test >= 0: a word at offset 0 would be missed by > 0
    if (s.IndexOf("intel") >= 0) Console.WriteLine("Intel found...");
  }
}

The above code detects the word Intel in the payload of a TCP packet. Run the program, and then load a page that contains the word Intel. This only works for plain HTTP: a page served over HTTPS is encrypted on the wire, so its text is never visible to the capture. The filter can then be combined with the source and destination ports, and with the source and destination addresses. For example, the following detects the word Intel in packets sent to destination port 80 (outgoing requests to a Web server); the page body itself arrives from the server, so to match that, test SourcePort instead:

private static void device_PcapOnPacketArrival(object sender, Packet packet)
{
  if (packet is TCPPacket)
  {
    DateTime time = packet.PcapHeader.Date;
    int len = packet.PcapHeader.PacketLength;
    TCPPacket tcp = (TCPPacket)packet;
    int destPort = tcp.DestinationPort;      // port the packet is going to
    byte[] b = tcp.Data;
    System.Text.ASCIIEncoding format = new System.Text.ASCIIEncoding();
    string s = format.GetString(b);
    s = s.ToLower();
    if (destPort == 80 && (s.IndexOf("intel") >= 0))
      Console.WriteLine("Intel found in outgoing on port 80...");
  }
}

The TCP flags are a key indicator of what a packet is doing: a connection starts with a SYN from the client, and the server answers with SYN and ACK set together. The following detects a pure SYN request, and also a SYN, ACK reply:

if (packet is TCPPacket)
{
  DateTime time = packet.PcapHeader.Date;
  int len = packet.PcapHeader.PacketLength;
  TCPPacket tcp = (TCPPacket)packet;
  // SYN with ACK clear is the first packet of the handshake; SYN and ACK together is the server's reply
  if (tcp.Syn && !tcp.Ack) Console.WriteLine("SYN request");
  if (tcp.Syn && tcp.Ack) Console.WriteLine("SYN and ACK");
}

Verify the operation of the code, and then modify it so that it detects a SYN request to a Web server (port: 80), and displays the destination IP address of the Web server.
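The following is an added example and is not code from this tip or from the WinPcap/SharpPcap library. It shows, in Python, what the TCPPacket and ICMPPacket classes do for you: it dissects raw Ethernet/IPv4 frame bytes with the standard library and then applies every filter discussed above (address and port listing, ICMP TTL, keyword search in the payload, SYN and SYN-ACK detection, and the closing exercise of reporting the Web server's address on a SYN to port 80). The function names, the Packet dataclass, and the sample frames are all assumptions of this example; the frames are constructed in the code with zero checksums rather than captured. It also covers what the tip's code does not: a frame that is not IPv4, or whose length fields do not match the bytes actually captured, is rejected instead of indexed past its end.

```python
# Added example for this tip (not SharpPcap/WinPcap code): parses raw Ethernet/IPv4
# frame bytes with the standard library, which is the work TCPPacket/ICMPPacket do
# for you, then applies the tip's filters. Frames at the bottom are constructed.
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4, PROTO_ICMP, PROTO_TCP = 0x0800, 1, 6
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ttl: int
    proto: int
    src_port: Optional[int] = None   # TCP only
    dst_port: Optional[int] = None   # TCP only
    flags: int = 0                   # raw TCP flag bits
    syn: bool = False
    ack: bool = False
    payload: bytes = b""             # TCP payload, the equivalent of tcp.Data

def parse_frame(frame: bytes) -> Optional[Packet]:
    """Dissect an Ethernet II frame carrying IPv4; None for ARP/IPv6 or malformed input."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None                               # never trust length fields from the wire
    pkt = Packet(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[8], ip[9])
    body = ip[ihl:total_len]
    if pkt.proto == PROTO_TCP:
        if len(body) < 20:
            return None
        src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", body[:14])
        data_off = (off_flags >> 12) * 4          # TCP header length, options included
        if data_off < 20 or data_off > len(body):
            return None
        pkt.src_port, pkt.dst_port, pkt.flags = src_port, dst_port, off_flags & 0x01FF
        pkt.syn, pkt.ack = bool(pkt.flags & TCP_SYN), bool(pkt.flags & TCP_ACK)
        pkt.payload = body[data_off:]
    return pkt

def syn_to_web_server(pkt: Packet, port: int = 80) -> Optional[str]:
    """Closing exercise: a pure SYN (SYN set, ACK clear) to `port` returns the server's IP."""
    if pkt.proto == PROTO_TCP and pkt.syn and not pkt.ack and pkt.dst_port == port:
        return pkt.dst_ip
    return None

def payload_contains(pkt: Packet, word: str) -> bool:
    """Case-insensitive payload search; `in` also matches at offset 0, which IndexOf > 0 misses."""
    return word.lower().encode("ascii") in pkt.payload.lower()

def scan(frames: List[bytes], word: str = "intel", port: int = 80) -> List[str]:
    """Apply every filter from the tip to a list of frames; returns the report lines."""
    lines = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if pkt.proto == PROTO_ICMP:
            lines.append(f"{pkt.src_ip}->{pkt.dst_ip} TTL:{pkt.ttl}")
        elif pkt.proto == PROTO_TCP:
            lines.append(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            server = syn_to_web_server(pkt, port)
            if server:
                lines.append(f"SYN request to web server {server}")
            if pkt.syn and pkt.ack:
                lines.append("SYN and ACK")
            for side, prt in (("request to", pkt.dst_port), ("response from", pkt.src_port)):
                if prt == port and payload_contains(pkt, word):
                    lines.append(f"{word} found in {side} port {port}")
    return lines

# Constructed frames (IP/TCP checksums left at zero; a real capture would carry them).
def _frame(src_ip: str, dst_ip: str, ttl: int, proto: int, transport: bytes) -> bytes:
    eth = bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip_hdr + transport

def _tcp(src_port: int, dst_port: int, flags: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload

CLIENT, SERVER, PEER = "192.168.1.101", "84.53.143.151", "192.168.1.102"
SAMPLE_FRAMES = [
    _frame(CLIENT, SERVER, 128, PROTO_TCP, _tcp(3582, 80, TCP_SYN)),
    _frame(SERVER, CLIENT, 52, PROTO_TCP, _tcp(80, 3582, TCP_SYN | TCP_ACK)),
    _frame(CLIENT, SERVER, 128, PROTO_TCP, _tcp(3582, 80, TCP_PSH | TCP_ACK, b"GET /intel HTTP/1.1\r\n\r\n")),
    _frame(SERVER, CLIENT, 52, PROTO_TCP, _tcp(80, 3582, TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n\r\nIntel inside")),
    _frame(CLIENT, PEER, 128, PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),  # ICMP echo request
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),                              # ARP frame, skipped
]
```

Calling scan(SAMPLE_FRAMES) returns nine report lines: the address/port line for each TCP frame, "SYN request to web server 84.53.143.151" for the first frame, "SYN and ACK" for the second, the keyword match once in the request to port 80 and once in the response from port 80, and the ICMP line "192.168.1.101->192.168.1.102 TTL:128". The ARP frame produces nothing, and a frame cut short before its IP total length is rejected by parse_frame rather than parsed with garbage ports.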