
I've been following the guide over at http://www.codeproject.com/KB/IP/sharppcap.aspx for implementing a simple packet sniffer to automate authentications for me. I've managed to get to the Filtering section, and have had to make some adjustments to the tutorial code so far for it to work, but I am now stumped.

The error I am receiving is:

The best overloaded method match for 'PacketDotNet.TcpPacket.GetEncapsulated(PacketDotNet.Packet)' has some invalid arguments

Argument 1: cannot convert from 'SharpPcap.RawCapture' to 'PacketDotNet.Packet'

But I've yet to make any references to PacketDotNet myself (everything so far has been SharpPcap).

The entire code I have so far is included; the problem is in the device_OnPacketArrival() function.

 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text;
 using PacketDotNet;
 using SharpPcap;

 namespace ConsoleApplication1
 {
     class Program
     {
         static void Main(string[] args)
         {
             string ver = SharpPcap.Version.VersionString;
             Console.WriteLine("SharpPcap {0}, Example1.IfList.cs", ver);

             // Retrieve the device list
             CaptureDeviceList devices = CaptureDeviceList.Instance;

             // If no devices were found print an error
             if (devices.Count < 1)
             {
                 Console.WriteLine("No devices were found on this machine");
                 return;
             }

             // Extract a device from the list
             ICaptureDevice device = devices[0];

             // Register our handler function to the
             // 'packet arrival' event
             device.OnPacketArrival +=
                 new SharpPcap.PacketArrivalEventHandler(device_OnPacketArrival);

             // Open the device for capturing
             int readTimeoutMilliseconds = 1000;
             device.Open(DeviceMode.Promiscuous, readTimeoutMilliseconds);

             // tcpdump filter to capture only TCP/IP packets
             string filter = "ip and tcp";
             device.Filter = filter;

             Console.WriteLine();
             Console.WriteLine("-- The following tcpdump filter will be applied: \"{0}\"",
                 filter);
             Console.WriteLine("-- Listening on {0}, hit 'Enter' to stop...",
                 device.Description);

             // Start capturing packets indefinitely
             device.Capture();

             // Close the pcap device
             // (Note: this line will never be called since
             // we're capturing indefinitely)
             device.Close();
         }
         private static void device_OnPacketArrival(object sender, CaptureEventArgs e)
         {
             var tcp = TcpPacket.GetEncapsulated(e.Packet);
         }
     }
 }
Clorith

3 Answers


A SharpPcap.RawPacket is used to hold the raw data captured over the network adapter but PacketDotNet needs the packet parsed before the GetEncapsulated() methods will work. The step you need will look like:

var packet = PacketDotNet.Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data);

Then you can extract the encapsulated TcpPacket via the GetEncapsulated() method by passing it packet.

Example 12 in the SharpPcap source download at https://sourceforge.net/projects/sharppcap/ shows the syntax and how packets can be modified.

Keep in mind that PacketType.GetEncapsulated() is returning a reference to that portion of the packet so modifying it will alter the original packet.

andyrandy
Chris Morgan
  • It appears I don't have the .Packet.Parse class, the closest to a Parse is TcpPacket.ParsePacket(), but I'm a bit unsure where you got the LinkLayer from (what's the rawPacket reference in this situation, I would expect it to be e.Packet but I'm not 100% certain) – Clorith Sep 11 '11 at 17:29
  • Referencing Example 12 now, and they have only 1 argument, but I am still getting an error; "No overload for method 'ParsePacket' takes 1 argument", this is all very confusing right now. – Clorith Sep 11 '11 at 17:48
  • What version of SharpPcap are you looking at? I'm looking at the latest git master version but I don't think that method has changed in some time. If you are on google chat, chmorgan@gmail.com and we'll work it out asap. – Chris Morgan Sep 11 '11 at 17:50
  • Alright, I see the issue. Codeproject is still using the old 3.5 release. If you upgrade to the 3.7 release, the latest release, you'll be all set. I'll contact the guy at codeproject and see about removing that download link. I'm pretty sure I asked to have it removed a few times now. – Chris Morgan Sep 11 '11 at 17:55
  • That would explain quite a bit, thank you again, it is much appreciated. – Clorith Sep 11 '11 at 18:16
  • @ChrisMorgan: It would be very helpful if we had a working tutorial for Version 4. Every tutorial I found so far is obsolete, including the one on CodeProject as I understand it. – Lorgarn Mar 25 '14 at 09:10
  • @Lorgarn: The sharppcap and packet.net source package downloads have a whole range of examples that are kept up to date. That is actually where the source code for the CodeProject tutorial comes from. The CP tutorial is in version control too but no one has updated it yet. Patches welcome :-) – Chris Morgan Apr 03 '14 at 12:08

As an update to Chris Morgan's answer (because I find myself doing this today), getEncapsulated() is now obsolete; instead you should use packet.Extract() to extract the encapsulated packet.

Hyperfine
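The parse-then-extract step from the two answers above, as an added example that is not part of either answer or of the SharpPcap sources. It assumes a PacketDotNet 1.x release where the generic `Extract<T>()` is available (on the releases discussed in the first answer the equivalent call is `TcpPacket.GetEncapsulated(packet)`), and it parses a constructed frame instead of a live capture so it runs without a capture device; the class name and frame bytes are made up for illustration.

```csharp
using System;
using PacketDotNet;

static class ParseThenExtract
{
    // Constructed sample frame: Ethernet + IPv4 + TCP SYN,
    // 192.0.2.1:49152 -> 192.0.2.2:80. Checksums are left at zero.
    static readonly byte[] Frame =
    {
        0x02, 0, 0, 0, 0, 0x02,   0x02, 0, 0, 0, 0, 0x01,   0x08, 0x00, // Ethernet
        0x45, 0x00, 0x00, 0x28,   0x00, 0x01, 0x40, 0x00,               // IPv4
        0x40, 0x06, 0x00, 0x00,   192, 0, 2, 1,   192, 0, 2, 2,
        0xC0, 0x00, 0x00, 0x50,   0, 0, 0, 1,     0, 0, 0, 0,           // TCP
        0x50, 0x02, 0xFF, 0xFF,   0x00, 0x00, 0x00, 0x00
    };

    static void Main()
    {
        // In a capture handler the two arguments come from the RawCapture:
        // its LinkLayerType and Data. The raw bytes must be parsed first.
        Packet packet = Packet.ParsePacket(LinkLayers.Ethernet, Frame);

        // Extract returns null when the packet has no TCP layer, so a
        // handler fed by a broader filter must check before using it.
        TcpPacket tcp = packet.Extract<TcpPacket>();
        if (tcp == null)
        {
            Console.WriteLine("no TCP layer in this packet");
            return;
        }
        Console.WriteLine("{0} -> {1}", tcp.SourcePort, tcp.DestinationPort);

        // The extracted TcpPacket is a view into the parsed packet, not a
        // copy: a change made through it shows up in the parent's bytes.
        tcp.DestinationPort = 8080;
        byte[] bytes = packet.Bytes;
        int portInParent = (bytes[36] << 8) | bytes[37]; // 14 + 20 + 2 = offset 36
        Console.WriteLine("destination port in packet.Bytes: {0}", portInParent);
    }
}
```

If the handler only needs to read fields, treat the extracted object as read-only, or work on a copy of the raw bytes when the original capture has to stay intact for logging or evidence.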

Alternatively, you can use Pcap.Net, which only has one Packet class that you can dynamically parse to get whatever it may contain without doing any packet cast.

You just get a Packet object and do (for example):

uint sequenceNumber = packet.Ethernet.IpV4.Tcp.SequenceNumber;

No need to cast it or know what kind of packet it is in advance; all parsing is done dynamically.

brickner