Introduction & Scope
PCAP-NG is the capture file format read and written by tools such as Wireshark. Several APIs for it exist on Linux and Windows, but none have been ported to .NET, so I wrote one for my own use while building a network traffic replay agent.
This code demonstrates an approach to reading PCAP-NG files. Most of the time I was concerned with the Enhanced Packet Block type, since it stores the TCP payloads I wanted to replay.
Design Considerations
All block types derive from a common abstract class (BlockBase). This is useful when you need a collection of blocks of different subtypes, as in the second code segment below. Internally, each class populates itself from the underlying binary reader.
The reader class can be used to iterate over a single block type.
// Iterate only the Enhanced Packet Blocks and pull out each packet's captured bytes.
var reader = new PcapngFile.Reader("test.pcapng");
foreach (var packet in reader.EnhancedPackets)
{
    byte[] payload = packet.Data;
}
... or over all of them, typed as the common base class.
// Same reader as above; ReadBlock returns the concrete subtype, stored here as BlockBase.
var blocks = new List<PcapngFile.BlockBase>();
while (reader.PeekStoreType() != PcapngFile.BlockType.None)
{
    blocks.Add(reader.ReadBlock());
}
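The reader above hides the block framing. As an added example, not code from the PcapngFile project, the stand-alone C# walker below shows what any PCAP-NG reader has to do underneath: recognise the Section Header Block, take the section's byte order from its byte-order magic, and check every Block Total Length (at least 12, a multiple of 4, within the remaining file, and equal to the trailing copy) before anything in the body is used. Those checks matter because a capture from an untrusted source controls every length field. The PcapngWalker class, its Block type and the constructed sample capture are mine, not the library's.

```csharp
// Added example, not code from the PcapngFile project: a minimal PCAP-NG block
// walker that detects section byte order from the SHB byte-order magic and
// validates each block's framing before its body is copied out.
using System;
using System.Collections.Generic;
using System.IO;

public static class PcapngWalker
{
    public const uint SectionHeaderBlock = 0x0A0D0D0A;
    public const uint InterfaceDescriptionBlock = 0x00000001;
    public const uint EnhancedPacketBlock = 0x00000006;

    // One block: its type, its body (the bytes between the two Block Total
    // Length fields) and the byte order of the section it came from.
    public sealed class Block
    {
        public uint Type;
        public byte[] Body;
        public bool LittleEndian;
    }

    static uint ReadU32(byte[] b, int o, bool littleEndian)
    {
        return littleEndian
            ? (uint)b[o] | (uint)b[o + 1] << 8 | (uint)b[o + 2] << 16 | (uint)b[o + 3] << 24
            : (uint)b[o] << 24 | (uint)b[o + 1] << 16 | (uint)b[o + 2] << 8 | (uint)b[o + 3];
    }

    public static IEnumerable<Block> Walk(byte[] file)
    {
        bool littleEndian = true;   // replaced by the first SHB's byte-order magic
        int pos = 0;
        while (pos < file.Length)
        {
            if (file.Length - pos < 12)
                throw new InvalidDataException("truncated block header at offset " + pos);

            // 0x0A0D0D0A reads the same in either byte order, so the SHB can be
            // recognised before the section's byte order is known; the magic decides.
            uint type = ReadU32(file, pos, littleEndian);
            if (pos == 0 && type != SectionHeaderBlock)
                throw new InvalidDataException("file does not start with a Section Header Block");
            if (type == SectionHeaderBlock)
            {
                uint magic = ReadU32(file, pos + 8, true);
                if (magic == 0x1A2B3C4D) littleEndian = true;
                else if (magic == 0x4D3C2B1A) littleEndian = false;
                else throw new InvalidDataException("bad byte-order magic at offset " + (pos + 8));
            }

            // Framing checks: an untrusted capture chooses these length fields, so
            // never index with a length that has not been bounded first.
            uint total = ReadU32(file, pos + 4, littleEndian);
            if (total < 12 || total % 4 != 0 || total > (uint)(file.Length - pos))
                throw new InvalidDataException("invalid block length " + total + " at offset " + pos);
            if (ReadU32(file, pos + (int)total - 4, littleEndian) != total)
                throw new InvalidDataException("trailing length mismatch at offset " + pos);

            var body = new byte[total - 12];
            Array.Copy(file, pos + 8, body, 0, body.Length);
            yield return new Block { Type = type, Body = body, LittleEndian = littleEndian };
            pos += (int)total;
        }
    }

    // Constructed sample capture (little-endian): an SHB, an IDB for Ethernet with
    // snaplen 65535, and one EPB carrying four bytes of packet data.
    public static byte[] SampleCapture()
    {
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))   // BinaryWriter writes little-endian
        {
            w.Write(0x0A0D0D0Au); w.Write(28u); w.Write(0x1A2B3C4Du);
            w.Write((ushort)1); w.Write((ushort)0);     // version 1.0
            w.Write(0xFFFFFFFFFFFFFFFFul);               // section length unspecified
            w.Write(28u);

            w.Write(1u); w.Write(20u);
            w.Write((ushort)1); w.Write((ushort)0);     // LinkType Ethernet, reserved
            w.Write(65535u);                             // SnapLen
            w.Write(20u);

            w.Write(6u); w.Write(36u);
            w.Write(0u);                                 // Interface ID
            w.Write(0u); w.Write(0u);                    // Timestamp high, low
            w.Write(4u); w.Write(4u);                    // Captured and original length
            w.Write(new byte[] { 0xDE, 0xAD, 0xBE, 0xEF });
            w.Write(36u);
            w.Flush();
            return ms.ToArray();
        }
    }

    public static void Main()
    {
        foreach (var block in Walk(SampleCapture()))
            Console.WriteLine("block type 0x{0:X8}, body {1} bytes, {2}",
                block.Type, block.Body.Length, block.LittleEndian ? "little-endian" : "big-endian");
    }
}
```

Walk stops with an InvalidDataException rather than guessing when a length field is inconsistent; for a replay tool that is the safer failure, since a misframed block would otherwise be replayed as if it were a packet.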
The Code and NuGet Package
The complete project is on my GitHub account at https://github.com/awalsh128/PcapngFile. If you have any suggestions or comments, feel free to leave a comment. The assembly is also available via NuGet at https://www.nuget.org/packages/PcapngFile/1.0.1.
Neat, thanks for sharing this. Have you assigned a license to your code?
Good question. I went ahead and updated the source files to license under BSD. It seems like the best license to maintain attribution while not being too constraining on the end user. Let me know if this works for you.
Hi, how do I run this?
Do you want to run this just to read PCAP-NG files, or to use it in your code? If you just want to read PCAP-NG files, I would recommend using a program like Wireshark. If you want to use it in code, you can bring the project in from GitHub as a project reference in your IDE.
I downloaded the files, but how do I change this code to work for any pcapng file?
I provide an example in my post on how to read from a file. This only works for PCAP-NG format files. I am not sure what you are trying to do.
Yeah, I also want to read pcapng files. I downloaded your code, but how do I run it? Can you please help?
I don't know what you mean by "how to run it". I provide examples on how to use the code in the post and on the GitHub page. It is written in C#, so you would need to compile the code with either Visual Studio or Mono.
I did. I got the output as PcapngFile.SectionHeaderBlock and some list of blocks. How can I get the hexadecimal values as output?
Which file should I compile? There are a lot of .cs files in your project. You are reading test.pcapng; I want to change it to read my file. Where should I change it, and which file should I modify? Please help.
I compiled and got the output, but it is displaying block names. I need to get the hexadecimal values of each block and display them. How should I do that?
Please keep your replies to a single thread. What block types and properties do you want to analyze? Read this before responding: http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
Can you please help me with how to get the timestamp? I am not able to use the functions that you have provided.
Thanks
Hi Raja,
Please see my comment to Art. I'll see if I can provide an update to the code so you can just get it as a DateTime.
Your code is good, but I am having problems getting a valid timestamp from the EnhancedPacketBlock. Can you post pseudo code on how to get the timestamp, where the time resolution field = 6?
I originally was going to have this be a DateTime property but was having problems converting using the time value and if_tsresol. It is definitely a UNIX epoch offset (https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionepb) but I still need to work out the spec's time units to .NET time.
Can you provide an example time value from the packet and a ballpark time you expect it to show up as? I will see if I can work out the conversion and commit it to the repo.
The value that you are receiving from the byte array for the data member Timestamp is changing very oddly. For a capture with a 900 ms difference it is showing a difference of about 1 hr! And in the method "GetTimePrecisionDivisor" we need to convert the time from microseconds to milliseconds, so the conversion factor is also different. Please help if you can. Other than that, your code is working perfectly fine for the bytes from the messages.
Thanks.
The Timestamp property appeared to jump wildly because the endianness interpretation was wrong. I updated the project with various bug fixes and a more comprehensive approach to translating the timestamp fields.
https://github.com/awalsh128/PcapngFile
You should now be able to call EnhancedPacketBlock.GetTimestamp either with the InterfaceDescriptionBlock or without, and get back an appropriate DateTime object.
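For readers following the timestamp discussion above, here is the conversion written out as an added example in C#. It is not the project's GetTimestamp and the PcapngTime class and its method names are mine. It applies the if_tsresol rule from the PCAP-NG draft (most significant bit clear: units of 10^-n seconds; set: units of 2^-n seconds; option absent: microseconds), combines the two 32-bit halves of the EPB timestamp into one 64-bit count of units since the Unix epoch, and reads those halves in the section's byte order, since reading them in the wrong order is exactly what makes the value jump by hours between packets that are milliseconds apart. The sample values in Main are constructed.

```csharp
// Added example, not code from the PcapngFile project: Enhanced Packet Block
// timestamp to DateTime using the owning interface's if_tsresol option.
using System;
using System.Numerics;

public static class PcapngTime
{
    static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // if_tsresol: MSB clear means units of 10^-n seconds, MSB set means units of
    // 2^-n seconds, n being the low seven bits. A missing option means microseconds.
    public static BigInteger UnitsPerSecond(byte? ifTsresol)
    {
        byte r = ifTsresol ?? 6;
        return (r & 0x80) == 0 ? BigInteger.Pow(10, r) : BigInteger.Pow(2, r & 0x7F);
    }

    public static DateTime ToDateTime(uint timestampHigh, uint timestampLow, byte? ifTsresol)
    {
        // The two 32-bit fields form one 64-bit count of units since 1970-01-01 UTC.
        ulong units = ((ulong)timestampHigh << 32) | timestampLow;
        // DateTime ticks are 100 ns, i.e. 10^7 per second. BigInteger keeps the
        // arithmetic exact for every legal resolution, including 2^-n with large n.
        BigInteger ticks = new BigInteger(units) * 10_000_000 / UnitsPerSecond(ifTsresol);
        if (ticks > DateTime.MaxValue.Ticks - UnixEpoch.Ticks)
            throw new ArgumentOutOfRangeException("timestampHigh", "timestamp is beyond the DateTime range");
        return UnixEpoch.AddTicks((long)ticks);
    }

    static uint ReadU32(byte[] b, int o, bool littleEndian)
    {
        return littleEndian
            ? (uint)b[o] | (uint)b[o + 1] << 8 | (uint)b[o + 2] << 16 | (uint)b[o + 3] << 24
            : (uint)b[o] << 24 | (uint)b[o + 1] << 16 | (uint)b[o + 2] << 8 | (uint)b[o + 3];
    }

    // EPB body layout (after the block type and length): Interface ID at 0,
    // Timestamp High at 4, Timestamp Low at 8, Captured and Original Length at 12 and 16.
    public static DateTime FromEpbBody(byte[] body, bool sectionLittleEndian, byte? ifTsresol)
    {
        if (body.Length < 20) throw new ArgumentException("EPB body too short", "body");
        return ToDateTime(ReadU32(body, 4, sectionLittleEndian),
                          ReadU32(body, 8, sectionLittleEndian), ifTsresol);
    }

    public static void Main()
    {
        // Constructed input: 1.7e9 seconds after the epoch, expressed in three resolutions.
        ulong micros = 1_700_000_000_000_000UL;
        Console.WriteLine(ToDateTime((uint)(micros >> 32), (uint)micros, null).ToString("o"));      // option absent
        ulong nanos = 1_700_000_000_000_000_000UL;
        Console.WriteLine(ToDateTime((uint)(nanos >> 32), (uint)nanos, (byte)9).ToString("o"));     // 10^-9 s
        ulong eighths = 1_700_000_000UL * 8;
        Console.WriteLine(ToDateTime((uint)(eighths >> 32), (uint)eighths, (byte)0x83).ToString("o")); // 2^-3 s

        // The same microsecond value laid out as a little-endian EPB body.
        var body = new byte[20];
        body[4] = (byte)(micros >> 32); body[5] = (byte)(micros >> 40);
        body[6] = (byte)(micros >> 48); body[7] = (byte)(micros >> 56);
        body[8] = (byte)micros;         body[9] = (byte)(micros >> 8);
        body[10] = (byte)(micros >> 16); body[11] = (byte)(micros >> 24);
        Console.WriteLine(FromEpbBody(body, true, null).ToString("o"));
    }
}
```

All three calls in Main resolve to the same instant, which is the check to run against your own capture: take one packet, convert it with the interface's if_tsresol, and compare against the time Wireshark shows for that packet. If the two disagree by hours or years, the halves are being read in the wrong byte order or the resolution option is being ignored, not the epoch.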
You should make this into a NuGet package so people don't have to download the source directly.
Agreed. When I get some time I will do so.
This is now available as a NuGet package.
https://www.nuget.org/packages/PcapngFile/1.0.1