转自http://www.cnblogs.com/billmo/archive/2008/11/09/1329972.html
在做大学最后的毕业设计了,无线局域网络远程安全监控策略
那么抓包是这个系统设计的基础
以前一直都是知道用winpcap的,现在网上搜了一下,有用C#封装好了的,很好用
下面是其中的几个用法
这个类库作者的主页:http://www.tamirgal.com/home/default.aspx
PcapOpen()有下面几个方法
- PcapOpen()
- PcapOpen(bool promiscuous_mode)
- PcapOpen(bool promiscuous_mode, int read_timeout)
promiscuous_mode:在普通的抓取模式下,我们只抓取那些目的地为目标网络的包,而处于promiscuous_mode时,则抓取所有的包,包括转发的包.通常我们都是开启这种模式的
下面是示例:
//Extract a device from the listPcapDevice device = devices[i];//Register our handler function to the //'packet arrival' eventdevice.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);//Open the device for capturing//true -- means promiscuous mode//1000 -- means a read wait of 1000msdevice.PcapOpen(true, 1000);Console.WriteLine( "-- Listenning on {0}, hit 'Enter' to stop...", device.PcapDescription);//Start the capturing processdevice.PcapStartCapture();//Wait for 'Enter' from the user.Console.ReadLine();//Stop the capturing processdevice.PcapStopCapture();//Close the pcap devicedevice.PcapClose();
PcapStartCapture()对应PcapStopCapture()
使用PcapCapture(int packetCount)时我们可以使用SharpPcap.INFINITE,来达到持续抓包的功能
Note:通常CRC的数据是不在数据包的中的,因为通常错误的CRC包会被自动丢弃.
上面的需要注册一个event handle,这在很多时候是不可行的,所以我们推荐使用下面这个方法PcapGetNextPacket()
//Extract a device from the listPcapDevice device = devices[i];//Open the device for capturing//true -- means promiscuous mode//1000 -- means a read wait of 1000msdevice.PcapOpen(true, 1000);Console.WriteLine();Console.WriteLine("-- Listenning on {0}...",device.PcapDescription);Packet packet = null;//Keep capture packets using PcapGetNextPacket()while( (packet=device.PcapGetNextPacket()) != null )
{
// Prints the time and length of each received packet DateTime time = packet.PcapHeader.Date; int len = packet.PcapHeader.PacketLength; Console.WriteLine("{0}:{1}:{2},{3} Len={4}", time.Hour, time.Minute, time.Second, time.Millisecond, len);
}//Close the pcap device device.PcapClose();Console.WriteLine("-- Capture stopped, device closed.");
PcapSetFilter() 设置过滤条件
string filter = "ip and tcp";
device.PcapSetFilter( filter );
下面这个例子通过抓取TCP包,输出他们的时间,长度,源IP,源端口,目的IP,目的端口
/// <SUMMARY>/// Prints the time, length, src ip, /// src port, dst ip and dst port/// for each TCP/IP packet received on the network/// </SUMMARY>private static void device_PcapOnPacketArrival( object sender, Packet packet){ if(packet is TCPPacket)
{ DateTime time = packet.Timeval.Date; int len = packet.PcapHeader.len; TCPPacket tcp = (TCPPacket)packet; string srcIp = tcp.SourceAddress; string dstIp = tcp.DestinationAddress; int srcPort = tcp.SourcePort; int dstPort = tcp.DestinationPort; Console.WriteLine("{0}:{1}:{2}, {3} Len={4} {5}:{6} -> {7}:{8}", time.Hour, time.Minute, time.Second, time.Millisecond, len, srcIp, srcPort, dstIp, dstPort);
}
}
