How can I parse a UDP packet in .NET?

I'm using PCap.Net to capture packets, in this case UDP packets, which I can access from the PCap.net object via (PcapDotNet.packets.Ethernet.IpV4.Udp).

How can I take the results, the Udp packet, and parse this? In particular to unbundle DNS requests and responses that occur that are housed within a UDP packet.

Is there a library that could help here?

EDIT: To be more specific what I want to be able to do is extract the IP address from the DNS response, and based on examination using Wireshark it would be by:

(a) Input: Payload of a UDP packet that is a DNS response

(b) Processing: Parse out the DNS response portion of the UDP packet. Find the Answers portion, within this find the answer record for which the type is A (Host Address) [not a CNAME record], then with this answer record get the IP address.

(c) Return: The IP address from the DNS response.

brickner
Greg
  • Doesn't WinPCAP come with a bunch of parsers? – Will A Aug 19 '10 at 03:43
  • Go for Network Monitor API http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en –  Aug 19 '10 at 04:33
  • @Will - I can get down to UDP OK, but it's just parsing the detail of a UDP packet that is carrying DNS responses I'm interested in. – Greg Aug 19 '10 at 10:09
  • @Amit - are you suggesting if I'm using PCap.Net for packet capture, once I've got the UDP payload there are UDP/DNS parsers available that I could use in a Microsoft Network Monitor library? – Greg Aug 19 '10 at 10:10
  • I already gave you a bunch of pointers (including the relevant RFC) in your other related question. Please go read that RFC - you'll learn a damned sight more than just using someone else's API. – Alnitak Aug 21 '10 at 17:05

1 Answer

From PCAP.Net:

Pcap.Net.DevelopersPack.0.7.0.46671.x64\src\InterpretingThePackets\Program.cs

        // (Excerpt from Main: selectedDevice and communicator are set up earlier in the sample.)

        // Compile the filter
        using (BerkeleyPacketFilter filter = communicator.CreateFilter("ip and udp"))
        {
            // Set the filter
            communicator.SetFilter(filter);
        }

        Console.WriteLine("Listening on " + selectedDevice.Description + "...");

        // Start the capture
        communicator.ReceivePackets(0, PacketHandler);
    }

    // Callback function invoked by libpcap for every incoming packet
    private static void PacketHandler(Packet packet)
    {
        // Print timestamp and length of the packet
        Console.WriteLine(packet.Timestamp.ToString("yyyy-MM-dd hh:mm:ss.fff") + " length:" + packet.Length);

        IpV4Datagram ip = packet.Ethernet.IpV4;
        UdpDatagram udp = ip.Udp;

        // Print IP addresses and UDP ports
        Console.WriteLine(ip.Source + ":" + udp.SourcePort + " -> " + ip.Destination + ":" + udp.DestinationPort);
    }

Isn't it enough?

Vasyl Boroviak
  • I'm ok getting down to the UDP packet with PCap.Net, but it's parsing the detail of a UDP packet that is carrying DNS responses I'm interested in. Basically want to be able to have a DNS response UDP packet, then parse it to obtain the IP address(es?) within the Answer records of the DNS packet which are Type A (not Type CNAME). So basically being able to parse out the DNS portion of a UDP/DNS packet. – Greg Aug 19 '10 at 10:15
  • Now the question is more clear. Well, several years ago I was able to extract IPs from DNS packets. All I used is some RFCs. Try this: http://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__PARSING.htm – Vasyl Boroviak Aug 19 '10 at 12:01
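
The processing asked for in the question's EDIT, written against the RFC 1035 message layout, as an added example that is not from the original posts or from Pcap.Net. `DnsAnswers`, `ExtractARecords`, `SkipName` and `U16` are hypothetical names; the input is assumed to be the UDP payload as a `byte[]`, the sample message is constructed, and `Convert.FromHexString` needs .NET 5 or later. Every offset is bounds-checked because the payload is untrusted network input, and compression pointers are stepped over rather than followed, so a crafted pointer loop cannot hang the parser.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example; DnsAnswers and its members are hypothetical names, not Pcap.Net API.
static class DnsAnswers
{
    static int U16(byte[] m, int pos)
    {
        if (pos + 2 > m.Length) throw new FormatException("truncated DNS message");
        return (m[pos] << 8) | m[pos + 1];
    }
    // Step over an encoded name (RFC 1035 4.1.2 / 4.1.4); returns the offset just past it.
    static int SkipName(byte[] m, int pos)
    {
        for (; pos < m.Length; pos += 1 + m[pos])             // advance past an ordinary label
        {
            if (m[pos] == 0) return pos + 1;                  // root label ends the name
            if ((m[pos] & 0xC0) == 0xC0) return pos + 2;      // compression pointer ends the name
            if ((m[pos] & 0xC0) != 0) throw new FormatException("reserved label type");
        }
        throw new FormatException("truncated name");
    }
    // IPv4 addresses of every type A, class IN record in the Answer section.
    public static List<IPAddress> ExtractARecords(byte[] m)
    {
        var result = new List<IPAddress>();
        if ((U16(m, 2) & 0x8000) == 0) return result;         // QR bit clear: a query, no answers
        int qdCount = U16(m, 4), anCount = U16(m, 6), pos = 12;
        for (int i = 0; i < qdCount; i++) pos = SkipName(m, pos) + 4;   // QNAME, QTYPE, QCLASS
        for (int i = 0; i < anCount; i++)
        {
            pos = SkipName(m, pos);                           // owner name, then TYPE, CLASS, TTL, RDLENGTH
            int type = U16(m, pos), cls = U16(m, pos + 2), rdLen = U16(m, pos + 8), rdata = pos + 10;
            if (rdata + rdLen > m.Length) throw new FormatException("truncated RDATA");
            if (type == 1 && cls == 1 && rdLen == 4)          // A record; CNAME (type 5) is skipped
                result.Add(new IPAddress(new[] { m[rdata], m[rdata + 1], m[rdata + 2], m[rdata + 3] }));
            pos = rdata + rdLen;
        }
        return result;
    }
    static void Main()
    {
        // Constructed response: question "a.", answers "a. CNAME b." and "b. A 192.0.2.1".
        byte[] msg = Convert.FromHexString("123481800001000200000000" + "01610000010001" +
            "C00C000500010000003C0003016200" + "016200000100010000003C0004C0000201");
        foreach (IPAddress ip in ExtractARecords(msg)) Console.WriteLine(ip);
    }
}
```

In the `PacketHandler` callback this would be called on the payload bytes of `udp` for packets whose source port is 53, with `FormatException` caught and the packet dropped.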