SharpPcap-中文开发全攻略.doc

《SharpPcap-中文开发全攻略.doc》由会员分享，可在线阅读，更多相关《SharpPcap-中文开发全攻略.doc（27页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、!-简介Packet capturing (or packet sniffing) is the process of collecting all packets of data that pass through a given network interface.包捕获（或数据包嗅探）是收集数据，通过特定的网络接口将所有数据包的过程。Capturing network packets in our applications is a powerful capability which lets us write network monitoring, packet analyzers a

2、nd security tools.在我们的应用程序捕获网络数据包是一个强大的能力，它可以让我们写网络监控，数据包分析器和安全工具。The libpcap library for UNIX based systems and WinPcap for Windows are the most widely used packet capture drivers that provide API for low-level network monitoring.本的libpcap库和基于UNIX系统WinPcap的用于Windows是最广泛使用的数据包捕获驱动程序监视API提供低级别的网络。Amo

3、ng the applications that use libpcap/WinPcap as its packet capture subsystem are the famous tcpdump and Wireshark .其中应用程序使用的libpcap / WinPcap的包捕获子系统为是著名的tcpdump的和Wireshark的。In this article, we will introduce the SharpPcap .NET assembly (library) for interfacing with libpcap or winpcap from your .NET

4、 application and will give you a detailed programming tutorial on how to use it.在这篇文章中，我们将介绍SharpPcap WinPcap的从您的。NET应用程序。）NET程序集（库接口与libpcap的或并会给你一个详细的方案编制教程教你如何使用。Background背景Tamir Gal started the SharpPcap project around 2004.塔米尔加尔在2004年左右开始的SharpPcap项目。He wanted to use WinPcap in a .NET applicat

5、ion while working on his final project for university.他想用在。NET应用WinPcap而在他的大学最后项目的工作。The project involved analyzing and decoding VoIP traffic and he wanted to keep coding simple with C# which has time saving features like garbage collection.该项目涉及VoIP流量分析和解码，他想继续用C编码具有省时，如垃圾收集功能简单。Accessing the WinPc

6、ap API from .NET seemed to be quite a popular requirement, and he found some useful projects on CodeProjects website that let you do just that: WinPcap的API的访问似乎从净是相当流行的要求，他发现在CodeProject上的一些网站，让您做到这一点有益的项目。： Packet Capture and Analyzer数据包捕获和分析仪 Raw Socket Capturing Using C#原始套接字捕获使用C Packet sniffing

7、 with winpcap functions ported to a .NET library与WinPcap的包嗅探功能移植到。NET库The first project is a great ethereal .NET clone that lets you capture and analyze numerous types of protocol packets.第一个项目是一个伟大的空灵。NET的克隆，让您获取和分析大量的数据包的协议类型。However, a few issues with this project make it almost impossible to be

8、shared among other .NET applications.然而，随着这个项目的几个问题使它几乎不可能得到在其他。NET应用程序共享。Firstly, the author did not provide any generic API for capturing packets that can be used by other .NET applications.首先，作者没有提供用于捕获，可以通过其他。NET应用程序中使用任何通用的API包。He didnt separate his UI code and his analyzing and capturing code,

9、 making his capturing code depend on the GUI classes such as ListView to operate.他没有单独的UI代码和他的分析和捕获的代码，使他的捕捉代码类依赖于图形用户界面，如ListView操作。Secondly, for some reason the author chose to re-implement some of WinPcaps functions in C# by himself rather than just wrapping them.其次，由于某些原因，笔者选择了重新实现在C由他本人，而不是仅仅Wi

10、nPcap的包装他们的部分职能。This means that his application cant take advantage of the new WinPcap versions since he hard coded a certain version of WinPcap in his application.这意味着他的应用程序无法利用新的WinPcap的版本的硬编码的优势，因为他在他的WinPcap的应用程序的某些版本。The second and the third articles are nice starts for wrapper projects for Win

11、Pcap, however they didnt provide some important WinPcap features such as handling offline pcap files and applying kernel-level packet filters, and most importantly they provide no parser classes for analyzing protocol packets.第二个和第三个物品的包装项目为WinPcap的好开始，但他们没有提供一些重要的WinPcap的功能，如离线pcap的文件处理和应用内核级数据包过滤器

12、，以及最重要的是他们提供了这样的分析没有协议分析器类包。Both projects didnt post their library source code together with the article in order to let other people extend their work and add new features and new packet parser classes.这两个项目没有张贴的文章，以自己的库的源代码，让其他人一起延长他们的工作和增加新功能和新的数据包分析器类。And so, Tamir decided to start his own libra

13、ry for the task.因此，塔米尔决定开始他对自己的图书馆工作。Several versions in the 1.x series were released.在1.x系列的几个版本发布。Development slowed towards mid-2007 when the last version in the 1.x series was released, SharpPcap 1.6.2.发展放缓对2007年年中时，在1.x系列的最后一个版本发布时，SharpPcap 1.6.2。Chris Morgan took over development of SharpPcap

14、 in November of 2008.克里斯摩根发生在2008年11月超过SharpPcap发展。Since then SharpPcap has had major internal rewrites and API improvements.从那时起SharpPcap主要内部已重写和API改进。In late February 2010, SharpPcap v3.0 was released. 2010年2月下旬，SharpPcap 3.0被释放。This release represents a rewrite of SharpPcaps packet parsers.此版本是一个

15、重写SharpPcap的数据包分析器。Packet parsing functionality was broken out into a new library, Packet.Net .分组分析功能被打破，进入一个新的图书馆，Packet.Net。SharpPcap takes care of interfacing with libpcap/winpcap and Packet.Net takes care of packet dissection and creation. SharpPcap注意到与libpcap的/ WinPcap的包和Packet.Net注意到接口解剖和创造护理照

16、顾。The details of Packet.Nets architecture will be discussed later in the tutorial.对Packet.Net的建筑的细节将在本教程的后面讨论。SharpPcap v3.5 was released February 1 st , 2011. SharpPcap v3.5版本发布了2月1 日，2011年。The 3.5 release contains significant API changes as well as WinPcap remote capture and AirPcap support. 3.5版本

17、包含重大的空气污染指数的变化以及WinPcap的远程采集和支持AirPcap。About SharpPcap关于SharpPcap The purpose of SharpPcap is to provide a framework for capturing, injecting and analyzing network packets for .NET applications.的目的SharpPcap是提供一个框架NET应用程序捕获，注资。和分析网络数据包。SharpPcap is openly and actively developed with its source code a

18、nd file releases hosted on SourceForge. SharpPcap是公开和积极发展同它的源代码和文件发布在SourceForge托管。Source code patches to improve or fix issues are welcome via the sharppcap developers mailing list .源代码补丁，以改善或解决问题欢迎通过sharppcap开发者邮件列表。Bug reports, feature requests and other queries are actively answered on the suppo

19、rt forums and issue trackers there so if you have any trouble with the library please feel free to ask.错误报告，功能要求和其他查询正在积极回答问题的论坛和跟踪支持，所以如果你有任何问题请与库随时问。SharpPcap is a fully managed cross platform library. SharpPcap是一个完全跨平台的库管理。The same assembly runs under Microsoft .NET as well as Mono on both 32 and

20、 64bit platforms.同一程序集运行在微软的。NET以及单在32位和64位平台。The following list illustrates the features currently supported by SharpPcap:下面的列表说明了目前SharpPcap功能支持： Single assembly for Microsoft .NET and Mono platforms on Windows (32 or 64bit) , Linux (32 or 64bit) and Mac .单一组件的Microsoft。NET和 Mono平台上的Windows（32位或64

21、位）和Linux（32或64位）和 Mac。 High performance - SharpPcap can capture fast enough to keep up with 3MB/s scp transfer rates高性能 - SharpPcap可以捕捉足够快跟上的3MB / s的传输速率高达SCP的 WinPcap extensions are partially supported:WinPcap的扩展部分支持：o Setting the kernel buffer size设置内核缓冲区大小o Injecting packets using send queues.注射用

22、的数据包发送队列。o Collecting network statistics on a given network interface收集在一个特定的网络接口的网络统计 AirPcap supportAirPcap支持 Enumerating and showing details about the physical network interface on a Windows machine.枚举和显示有关Windows机器上的物理网络接口的细节。 Capturing low-level network packets going through a given interface.捕

23、获低级别的网络数据包将通过给定的接口。 Analyzing and parsing the following protocols:分析和解析以下协议：o Ethernet以太网o SLL (Linux Cooked-Mode Capture)血清瘦素（Linux的熟食方式采集）o ARP (Address Resolution Protocol)ARP（地址解析协议）o IP (Internet Protocol) :IP（因特网协议）： IPv4IPv4的 IPv6IPv6的o TCP (Transmission Control Protocol)TCP（传输控制协议）o UDP (Use

24、r Datagram Protocol)UDP（用户数据报协议）o ICMP (Internet Control Message Protocol) :ICMP协议（Internet控制消息协议）： ICMPv4ICMPv4 ICMPv6ICMPv6报o IGMPv2IGMPv2的o PPPoEPPPoE协议o PTP和平之路o LLDPLLDP功能o Wake-on-LAN(WOL)唤醒局域网（网络唤醒） Injecting low-level network packets on a given interface.在给定接口注入的低级别的网络数据包。 Handling (reading

25、and writing) offline packet capture files.处理（阅读和写作）离线数据包捕获文件。 Retrieving adapter statistics on packets received vs. dropped检索的数据包接收适配器统计对比下降Please check the project homepage homepage for the latest updates and bug fixes.请检查项目主页主页最新的更新和bug修复。SharpPcap architecture SharpPcap架构SharpPcap has a layered a

26、rchitecture, at the top level are classes that work across all devices: SharpPcap具有层状结构，在顶层的类，所有设备的工作： CaptureDeviceList - Retrieves a list of all devices on the systemCaptureDeviceList -检索系统名单上的所有设备 OfflineCaptureDevice - Device that reads from a pcap capture fileOfflineCaptureDevice -文件读取装置从一个pcap

27、的捕捉 ICaptureDevice - All capture devices have ICaptureDevice interfacesICaptureDevice -所有的捕捉设备有ICaptureDevice接口The namespaces are layed out hierarchically:该命名空间的布局层次： LibPcaplibpcap的o LibPcapLiveDevice - An ICaptureDeviceLibPcapLiveDevice -一个ICaptureDeviceo LibPcapLiveDeviceList - Retrieves a list o

28、f LibPcapLiveDevice devices (these include pcap/winpcap and airpcap devices)LibPcapLiveDeviceList -检索一个名单LibPcapLiveDevice设备（其中包括pcap的/ WinPcap的和airpcap设备） WinPcapWinPcap的o WinPcapDeviceList - Retrieves a list of WinPcapDevices (these include winpcap and airpcap devices)WinPcapDeviceList -检索一个名单WinP

29、capDevices（其中包括WinPcap的和airpcap设备）o WinPcapDevice - A LibPcapLiveDevice with additional WinPcap features and interfacesWinPcapDevice -阿LibPcapLiveDevice额外WinPcap的功能和接口 AirPcapAirPcapo AirPcapDeviceList - Retrieves a list of AirPcapDevicesAirPcapDeviceList -检索一个名单AirPcapDeviceso AirPcapDevice - A Win

30、PcapDevice with additional AirPcap features and interfacesAirPcapDevice -阿WinPcapDevice额外AirPcap功能和接口CaptureDeviceList returns a list of fully differentiated devices.CaptureDeviceList返回一个设备清单完全分化。This means that each ICaptureDevice returned by CaptureDeviceList is either a LibPcapLiveDevice , a WinP

31、capDevice or a AirPcapDevice .这意味着每个ICaptureDevice由归国CaptureDeviceList要么是LibPcapLiveDevice，一WinPcapDevice或AirPcapDevice。This allows you to retrieve the entire list of devices and differentiate by looking at the type of each device.这使您可以检索整个列表的设备和差异化在每个设备类型看。If you would like to get a specific type o

32、f device only, you can use one of the particular *DeviceList classes.如果你想获得一个特定的特定类型的设备只，你可以使用一个*DeviceList类。Collapse | Copy Code/ Retrieve all capture devices/ /检索所有捕获设备var devices = CaptureDeviceList; = CaptureDeviceList VaR的装置;/ differentiate based upon types/ /类型的区分依据foreach (ICaptureDevice dev

33、in devices)的foreach（ICaptureDevice dev的设备中） if (dev is AirPcapDevice)如果（dev 是 AirPcapDevice） / process as an AirPcapDevice/ /过程作为AirPcapDevice else if (dev is WinPcapDevice) 否则如果（dev 是 WinPcapDevice） / process as an WinPcapDevice/ /过程作为WinPcapDevice else if (dev is LibPcapLiveDevice) 否则如果（dev 是 LibP

34、capLiveDevice） / process as an LibPcapLiveDevice/ /过程作为LibPcapLiveDevice Collapse | Copy Code/ Retrieve only WinPcap (and AirPcap devices)/ /只检索WinPcap的（和AirPcap设备）var devices = AirPcapDeviceList; = AirPcapDeviceList VaR的装置;foreach (AirPcapDevice dev in devices)的foreach（AirPcapDevice dev的设备中） / Proc

35、ess this AirPcap device/ /处理该AirPcap设备 Packet.Net Architecture and Usage Packet.Net结构和用法Packet.Net switched from the inheritance model of SharpPcap 2.x to one of nesting packets. Packet.Net切换从2.x到SharpPcap继承模型的嵌套包之一。All packets contain a Packet PayloadPacket property and a Byte PayloadData property.

36、所有的数据包包含一个Packet PayloadPacket属性和一个Byte PayloadData财产。One or neither of these can be valid.一个或多个这些都不能有效。A TCP packet captured on Ethernet may be EthernetPacket - IPv4 Packet - Tcp Packet.以太网上的TCP数据包捕获的可能EthernetPacket“ - IPv4包 - ”TCP数据包。In Packet.Net, the TCP packet could be accessed like capturedPa

37、cket.PayloadPacket.PayloadPacket but to aid users static GetEncapsulsted() methods have been added so users can do var tcpPacket = TcpPacket.GetEncapsulated(capturedPacket); .在Packet.Net时，TCP数据包可能被访问一样capturedPacket.PayloadPacket.PayloadPacket而是要帮助用户从static GetEncapsulsted()方法被添加，因此用户可以做的var tcpPack

38、et = TcpPacket.GetEncapsulated(capturedPacket);。The GetEncapsulated() methods are intelligent and designed to work in many different cases. UdpPacket.GetEncapsulated() will return the Udp packet of a packet that consists of EthernetPacket - IP packet - UdpPacket or Linux Cooked Capture - IP - UdpPac

39、ket or an EthernetPacket - PPPoE - PTP - IP - UdpPacket.该GetEncapsulated()方法是很聪明，设计工作在许多不同的情况。UdpPacket.GetEncapsulated()将返回EthernetPacket UDP包的数据包，包括“ - IP数据包” - UdpPacket或Linux熟捕捉- “知识产权” - UdpPacket或EthernetPacket - “的PPPoE - ”和平之路“ - 知识产权 - ”UdpPacket。We recommend using the GetEncapsulated() met

40、hods to retrieve sub packets.我们建议使用GetEncapsulated()方法来检索子数据包。With Packet.Net, constructing packets looks like:随着Packet.Net，建设包是这样的：Collapse | Copy Codeusing PacketDotNet;使用 PacketDotNet;ushort tcpSourcePort = 123 ;ushort的 tcpSourcePort = 123;ushort tcpDestinationPort = 321 ;ushort的 tcpDestinationPo

41、rt = 321;var tcpPacket = new TcpPacket(tcpSourcePort, tcpDestinationPort);风险 tcpPacket = 新 TcpPacket（tcpSourcePort，tcpDestinationPort）;var ipSourceAddress = System.Net.IPAddress.Parse( 192.168.1.1 );风险 ipSourceAddress = System.Net.IPAddress.Parse（“192.168.1.1”）;var ipDestinationAddress = System.Net.

42、IPAddress.Parse( 192.168.1.2 );风险 ipDestinationAddress = System.Net.IPAddress.Parse（“192.168.1.2”）;var ipPacket = new IPv4Packet(ipSourceAddress, ipDestinationAddress);风险 ipPacket = 新 IPv4Packet（ipSourceAddress，ipDestinationAddress）;var sourceHwAddress = 90-90-90-90-90-90 ;风险 sourceHwAddress =“90-90

43、-90-90-90-90”;var ethernetSourceHwAddress =风险 ethernetSourceHwAddress = System.Net.NetworkInformation.PhysicalAddress.Parse(sourceHwAddress); System.Net.NetworkInformation.PhysicalAddress.Parse（sourceHwAddress）;var destinationHwAddress = 80-80-80-80-80-80 ;风险 destinationHwAddress =“80-80-80-80-80-80

44、”;var ethernetDestinationHwAddress =风险 ethernetDestinationHwAddress = System.Net.NetworkInformation.PhysicalAddress.Parse(destinationHwAddress); System.Net.NetworkInformation.PhysicalAddress.Parse（destinationHwAddress）;/ NOTE: using EthernetPacketType.None to illustrate that the ethernet/ /注意：使用Ethe

45、rnetPacketType.None说明了以太网/ protocol type is updated based on the packet payload that is/ /协议类型的更新是基于数据包有效载荷/ assigned to that particular ethernet packet/ /分配给特定的以太网包var ethernetPacket = new EthernetPacket(ethernetSourceHwAddress,风险 ethernetPacket = 新 EthernetPacket（ethernetSourceHwAddress，ethernetDe

46、stinationHwAddress, ethernetDestinationHwAddress，EthernetPacketType.None); EthernetPacketType.None）;/ Now stitch all of the packets together/ /现在所有的数据包缝在一起ipPacket.PayloadPacket = tcpPacket; ipPacket.PayloadPacket = tcpPacket;ethernetPacket.PayloadPacket = ipPacket; ethernetPacket.PayloadPacket = ip

47、Packet;/ and print out the packet to see that it looks just like we wanted it to/ /并打印出包地看到，它看上去就像我们希望它Console.WriteLine(ethernetPacket.ToString(); Console.WriteLine（ethernetPacket.ToString（）;/ to retrieve the bytes that represent this newly created/ /要检索的字节表示这个新创建/ EthernetPacket use the Bytes prop

48、erty/ / EthernetPacket使用属性的字节byte packetBytes = ethernetPacket.Bytes;字节 packetBytes = ethernetPacket.Bytes; SharpPcap Tutorial: A Step by Step Guide to Using SharpPcap SharpPcap教程：一步步教您使用SharpPcap Examples can be found in the Examples/ directory of the source package.例子可以发现，在示例/包目录源。The text of this tutorial was taken directly from WinPcaps official tutorial but is modified to show the C# use of the SharpPcap library.本教程的文本，这是直接取自WinPcap的的官方教程，但修改以显示C中使用SharpPcap库。All examples can be downloaded