问题描述:
最近公司新开发一个项目,需要读取pcap包信息,然后去分析。这个也是走了不少弯路,以前也没处理过这么底层的东西,网上能找到的例子也有限,最后用了SharpPcap这个工具,基本可以满足需要,这个工具读取的信息很全,我就不粘贴那么细了,具体的取值类似。
这里用控制台写两个例子做个示范:
1、pacp包信息读取,如果需要更多的值,建议可以进去断点看看,这里只是写个示范。
public static void Main(string[] args)
{
Console.WriteLine("Start!");
string filePath = @"D:\123.pcap";
var device = new SharpPcap.LibPcap.CaptureFileReaderDevice(filePath);
device.Open();
while (device.GetNextPacket(out var packet) > 0)
{
var sourceAddr = string.Empty;
var destAddr = string.Empty;
var protocol = string.Empty;
int sourcePort = 0;
int destPort = 0;
int ipDf = 0;//是否分片
int ipMf = 0;//是否最后一个分片
long totalLength = 0;//总长度
string data16 = string.Empty;//字节转为16进制字符串
if (packet.LinkLayerType != LinkLayers.Ethernet)
{
continue;
}
var packetLength = packet.Data.Length;
var ethPacket = Packet.ParsePacket(packet.LinkLayerType, packet.Data) as EthernetPacket;
var ipPacket = ethPacket.Extract<IPPacket>();
if (ipPacket == null)
{
continue;
}
destAddr = ipPacket.DestinationAddress.ToString();
sourceAddr = ipPacket.SourceAddress.ToString();
protocol = ipPacket.Protocol.ToString();
if (ethPacket.Type == PacketDotNet.EthernetType.IPv4)
{
var fragmentFlags = ((PacketDotNet.IPv4Packet)ipPacket).FragmentFlags;
ipDf = (ushort)fragmentFlags >> 6 & 0x01;
ipMf = (ushort)fragmentFlags >> 7 & 0x01;
var data = ((PacketDotNet.IPv4Packet)ipPacket).PayloadPacket?.PayloadData;
data16 = BytArrayToHexString(data);
totalLength = ((PacketDotNet.IPv4Packet)ipPacket).TotalLength;
}
else if (ethPacket.Type == PacketDotNet.EthernetType.IPv6)
{
var data = ((PacketDotNet.IPv6Packet)ipPacket).PayloadPacket.PayloadData;
data16 = BytArrayToHexString(data);
totalLength = ((PacketDotNet.IPv6Packet)ipPacket).TotalLength;
}
if (protocol == "Tcp")
{
sourcePort = ((PacketDotNet.TcpPacket)ipPacket.PayloadPacket).SourcePort;
destPort = ((PacketDotNet.TcpPacket)ipPacket.PayloadPacket).DestinationPort;
}
else if (protocol == "Udp")
{
sourcePort = ((PacketDotNet.UdpPacket)ipPacket.PayloadPacket).SourcePort;
destPort = ((PacketDotNet.UdpPacket)ipPacket.PayloadPacket).DestinationPort;
}
Console.WriteLine($"sourceAddr:{sourceAddr}, sourcePort:{sourcePort}, destAddr:{destAddr}, destPort:{destPort},protocol:{protocol}");
}
device.Close();
Console.WriteLine("End!");
}
public static string BytArrayToHexString(byte[] data)//16进制转换
{
StringBuilder sb = new StringBuilder(data.Length * 3);
foreach (var item in data)
{
sb.Append(Convert.ToString(item, 16).PadLeft(2, '0'));
}
return sb.ToString().ToUpper();
}
2、从pcap包中筛选信息,重新写数据包,这里实例演示写TCP的包,其余类型的一律过滤掉。(output.pcap找一个正常包就行,写的时候会覆盖的)
public static void Main(string[] args)
{
Console.WriteLine("Start");
var device = new SharpPcap.LibPcap.CaptureFileReaderDevice(@"D:\123.pcap");
var deviceOutput = new SharpPcap.LibPcap.CaptureFileWriterDevice(@"D:\output.pcap");
device.Open();
deviceOutput.Open();
while (device.GetNextPacket(out var packet) > 0)
{
if (packet.LinkLayerType != LinkLayers.Ethernet)
{
continue;
}
var ethPacket = Packet.ParsePacket(packet.LinkLayerType, packet.Data) as EthernetPacket;
var ipPacket = ethPacket.Extract<IPPacket>();
if (ipPacket == null)
{
continue;
}
if (ipPacket.Protocol == PacketDotNet.ProtocolType.Tcp)
{
deviceOutput.Write(packet);
}
Console.WriteLine($"SrcMac:{ethPacket.SourceHardwareAddress}, DstMac:{ethPacket.DestinationHardwareAddress}, SrcIP:{ipPacket.SourceAddress}, DstIP:{ipPacket.DestinationAddress}");
//再往上各层的分析以此类推
}
device.Close();
deviceOutput.Close();
Console.WriteLine("End!");
Console.ReadLine();
}