/home/cmorgan/sharppcap_git/SharpPcap/bin/Release/SharpPcap

Capture live packets from a network device

Constructs a new PcapDevice based on a 'pcapIf' struct

A 'pcapIf' struct representing the pcap device

Default contructor for subclasses

Gets the pcap name of this network device

Addresses that represent this device

Gets the pcap description of this device

Interface flags, see pcap_findalldevs() man page for more info

True if device is a loopback interface, false if not

Set/Get Non-Blocking Mode. returns allways false for savefiles.

Set the kernel value buffer size in bytes WinPcap extension

PcapDevice finalizer. Ensure PcapDevices are stopped and closed before exit.

Open the device with default values of: promiscuous_mode = false, read_timeout = 1000 To start capturing call the 'StartCapture' function

Open the device. To start capturing call the 'StartCapture' function

A

Open the device. To start capturing call the 'StartCapture' function

A A

Sends a raw packet throgh this device

The packet to send

Sends a raw packet throgh this device

The packet to send The number of bytes to send

Sends a raw packet throgh this device

The packet bytes to send

Sends a raw packet throgh this device

The packet bytes to send The number of bytes to send

Sends all packets in a 'PcapSendQueue' out this pcap device

A A A

Retrieves pcap statistics

A

General Pcap Exception.

A wrapper class for libpcap's pcap_pkthdr structure

Constructs a new PcapHeader

Constructs a new PcapHeader

The seconds value of the packet's timestamp The microseconds value of the packet's timestamp The actual length of the packet The length of the capture

The seconds value of the packet's timestamp

The microseconds value of the packet's timestamp

The actual length of the packet

The length of the capture

Return the DateTime value of this pcap header

Marshal this structure into the platform dependent version and return and IntPtr to that memory NOTE: IntPtr MUST BE FREED via Marshal.FreeHGlobal()

A

Capture packets from an offline pcap file

Constructs a new offline device for reading pcap files

The description of this device

The name of the capture file Description of the device Number of bytes in the capture file

The underlying pcap file name

Opens the device for capture

Retrieves pcap statistics

A

Interface to the WinPcap send queue extension methods

Creates and allocates a new SendQueue

The maximun amount of memory (in bytes) to allocate for the queue

The current length in bytes of this queue

Add a packet to this send queue. The PcapHeader defines the packet length.

The packet bytes to add The pcap header of the packet True if success, else false

Add a packet to this send queue.

The packet bytes to add The pcap header of the packet True if success, else false

Add a packet to this send queue.

The packet bytes to add True if success, else false

Add a packet to this send queue.

The packet to add True if success, else false

Add a packet to this send queue.

The packet to add The 'seconds' part of the packet's timestamp The 'microseconds' part of the packet's timestamp True if success, else false

Send a queue of raw packets to the network.

The device on which to send the queue A A A

Destroy the send queue.

Holds network statistics entry from winpcap when in statistics mode See http://www.winpcap.org/docs/docs_41b5/html/group__wpcap__tut9.html

This holds byte received and packets received

This holds time value

Number of packets received since last sample

Number of bytes received since last sample

Constants and static helper methods

Represents the infinite number for packet captures

Returns the pcap version string retrieved via a call to pcap_lib_version()

Helper class/method to retrieve the version of the SharpPcap assembly

Returns the current version string of the SharpPcap library

the current version string of the SharpPcap library

Item in a list of interfaces.

Representation of an interface address.

Structure used by kernel to store a generic address Look at the sa_family value to determine which specific structure to use 'struct sockaddr'

Structure that holds an ipv4 address

Structure that holds an ipv4 address 'struct sockaddr'

Structure that holds an ipv6 address NOTE: we cast the 'struct sockaddr*' to this structure based on the sa_family type 'struct sockaddr_in6'

Structure to represent a low level address, like a hardware address

Windows and Unix differ in their memory models and make it difficult to support struct timeval in a single library, like this one, across multiple platforms. See http://en.wikipedia.org/wiki/64bit#Specific_data_models The issue is that struct timeval { long tv_sec; long tv_usec; } has different sizes on Linux 32 and 64bit but the same size on Windows 32 and 64 bit Thanks to Jon Pryor for his help in figuring out both the issue with Linux 32/64bit and the issue between Windows and Unix

Windows version of struct timeval, the longs are 32bit even on 64-bit versions of Windows

Each packet in the dump file is prepended with this generic header. This gets around the problem of different headers for different packet interfaces.

Each packet in the dump file is prepended with this generic header. This gets around the problem of different headers for different packet interfaces.

Packet data bytes NOTE: This struct doesn't exist in header files, it is a construct to map to an unmanaged byte array

A BPF pseudo-assembly program for packet filtering

A queue of raw packets that will be sent to the network with pcap_sendqueue_transmit()

Define the return values from int pcap_stats()

Unix version of 'struct pcap_stat' Uses the same trick as timeval_unix

Packets received

Packets dropped

Drops by interface (maybe not yet supported)

Windows version of 'struct pcap_stat'

Packets received

Packets dropped

Drops by interface (maybe not yet supported)

Packets that reach the application WIN32 only, based on struct pcap_stat in pcap.h

Per http://msdn.microsoft.com/en-us/ms182161.aspx

The delegate declaration for PcapHandler requires an UnmanagedFunctionPointer attribute. Without this it fires for one time and then throws null pointer exception

Create a list of network devices that can be opened with pcap_open().

Open a file to write packets.

Save a packet to disk.

close the files associated with p and deallocates resources.

To avoid callback, this returns one packet at a time

Send a raw packet.
This function allows to send a raw packet to the network. The MAC CRC doesn't need to be included, because it is transparently calculated and added by the network interface driver.

the interface that will be used to send the packet contains the data of the packet to send (including the various protocol headers) the dimension of the buffer pointed by data 0 if the packet is succesfully sent, -1 otherwise.

Compile a packet filter, converting an high level filtering expression (see Filtering expression syntax) in a program that can be interpreted by the kernel-level filtering engine.

Free up allocated memory pointed to by a bpf_program struct generated by pcap_compile()

return the error text pertaining to the last pcap library error.

Returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information than just a version number.

return the standard I/O stream of the 'savefile' opened by pcap_dump_open().

Flushes the output buffer to the 'savefile', so that any packets written with pcap_dump() but not yet written to the 'savefile' will be written. -1 is returned on error, 0 on success.

Closes a savefile.

Return the link layer of an adapter.

Set nonblocking mode. pcap_loop() and pcap_next() doesnt work in nonblocking mode!

Get nonblocking mode, returns allways 0 for savefiles.

Read packets until cnt packets are processed or an error occurs.

Retrieves a selectable file descriptor

A A

Fills in the pcap_stat structure passed to the function based on the pcap_t adapter

A A A

Returns the file descriptor number from which captured packets are read, if a network device was opened with pcap_create() and pcap_activate() or with pcap_open_live(), or -1, if a ``savefile'' was opened with pcap_open_offline() Libpcap specific method

A A

Set the working mode of the interface p to mode. Valid values for mode are MODE_CAPT (default capture mode) and MODE_STAT (statistical mode). See the tutorial "\ref wpcap_tut9" for details about statistical mode. WinPcap specific method

WinPcap specific method for setting the kernel buffer size associated with this adapter. The old buffer is discarded when the buffer size is changed. See http://www.winpcap.org/docs/docs_40_2/html/group__wpcapfunc.html

A A A

Allocate a send queue.

The size of the queue A pointer to the allocated buffer

Destroy a send queue.

A pointer to the queue start address

Add a packet to a send queue.

A pointer to a queue The pcap header of the packet to send The packet data

Send a queue of raw packets to the network.

determines if the send operation must be synchronized: if it is non-zero, the packets are sent respecting the timestamps, otherwise they are sent as fast as possible The amount of bytes actually sent. If it is smaller than the size parameter, an error occurred during the send. The error can be caused by a driver/adapter problem or by an inconsistent/bogus send queue.

Base class for all pcap devices

If Environment.OSVersion.Platform is unix and MonoUnixFound is true then we can support proper termination of the capture loop

A

Low level interface object that contains device specific information

Handle to an open dump file, not equal to IntPtr.Zero if a dump file is open

Handle to a pcap adapter, not equal to IntPtr.Zero if an adapter is open

Number of packets that this adapter should capture

Fires whenever a new packet is processed, either when the packet arrives from the network device or when the packet is read from the on-disk file.
For network captured packets this event is invoked only when working in "PcapMode.Capture" mode.

Fires whenever a new pcap statistics is available for this Pcap Device.
For network captured packets this event is invoked only when working in "PcapMode.Statistics" mode.

Fired when the capture process of this pcap device is stopped

Return a value indicating if the capturing process of this adapter is started

Maximum time within which the capture thread must join the main thread (on ) or else the thread is aborted and an exception thrown.

Low level pcap device values

Return a value indicating if this adapter is opened

Gets a value indicating wether pcap dump file is already associated with this device

Gets the name of the device

Description of the device

Return the pcap link layer value of an adapter.

WinPcap specific property

The underlying pcap device handle

The last pcap error associated with this pcap device

Setup the reflection type and methodinfo for invocation of Mono.Unix.Native.Syscall.poll() to avoid timeouts when stopping the capture thread

Starts the capturing process

Stops the capture process Throws an exception if the stop capture timeout is exceeded and the capture thread was aborted

Synchronously capture packets on this device. Method blocks forever.

Synchronously captures packets on this network device. This method will block until capturing is finished.

The number of packets to be captured. -1 means capture indefiniately

The capture thread

Retrieve the last error string for a given pcap_t* device

A A

Open the device with class specific options

Closes this adapter

Retrieves pcap statistics

A

Notify the OnPacketArrival delegates about a newly captured packet

A

Notify the delegates that are subscribed to the capture stopped event

A

Gets the next packet captured on this device

The next packet captured on this device

Gets the next packet captured on this device

A packet reference A reference to a packet object

Pcap_loop callback method.

Convert an unmanaged packet into a managed PacketDotNet.RawPacket

A A A

Opens a file for packet writings

Closes the opened dump file

Flushes all write buffers of the opened dump file

Writes a packet to the pcap dump file associated with this device.

Writes a packet to the pcap dump file associated with this device.

The packet to write

Writes a packet to the pcap dump file associated with this device.

The packet to write

Compile a kernel level filtering expression, and associate the filter with this device. For more info on filter expression syntax, see: http://www.winpcap.org/docs/docs31/html/group__language.html

The filter expression to compile or unmanaged memory will be leaked

Free memory allocated in CompileFilter()

A

Returns true if the filter expression was able to be compiled into a program without errors

Helper method for ensuring we are running in winpcap. Throws a PcapWinPcapRequiredException() if not on a windows platform

Helper method for checking that the adapter is open, throws an exception with a string of ExceptionString if the device isn't open

A

Override the default ToString() implementation

A

Managed representation of the unmanaged pcap_addr structure

The address value of this PcapAddress, null if none is present

Netmask of this PcapAddress, null if none is present

Broadcast address of this PcapAddress, null if none is present

Destination address, null if the interface isn't a point-to-point interface

ToString override

A

Container class that represents either an ip address or a mac address An analog to the 'sockaddr_' series of structures

Create a Sockaddr from a PhysicalAddress which is presumed to be a hardware address

A

Types of addresses a Sockaddr can represent

Address represents an ipv4 or ipv6 address

Address represents a physical hardware address eg. a ethernet mac address

Unknown address type

Address type represented by this Sockaddr

If type == AF_INET_AF_INET6

If type == HARDWARE

Address family

ToString override

A

managed version of struct pcap_if NOTE: we can't use pcap_if directly because the class contains a pointer to pcap_if that will be freed when the device memory is freed, so instead convert the unmanaged structure to a managed one to avoid this issue

Name of the interface. Used internally when passed to pcap_open_live() Human readable interface name derived from System.Net.NetworkInformation.NetworkInterface.Name Text description of the interface as given by pcap/winpcap Gateway address of this device NOTE: May only be available on Windows Addresses associated with this device Pcap interface flags

MacAddress of the interface

ToString override

A

A PcapDevice or dumpfile is not ready for capture operations.

Adapter statistics, received, dropped packet counts etc

Retrieve pcap statistics from the adapter

pcap_t* for the adapter A Number of packets received Number of packets dropped Number of interface dropped packets

ToString override

A

thrown when pcap_stats() reports an error

string constructor

A

Exception thrown when a WinPcap extension method is called from a non-Windows platform

string constructor

A

Thrown when a method not supported on an offline device is called

string constructor

A

The mode used when opening a device

Promiscuous mode. Instructs the OS that we want to receive all packets, even those not intended for the adapter. On non-switched networks this can result in a large amount of addtional traffic. NOTE: Devices in this mode CAN be detected via the network

Not promiscuous mode

Capture event arguments

Constructor

A A

Packet that was captured

Device this EventArgs was generated for

Event that contains statistics mode data NOTE: WinPcap only

Constructor for a statistics mode event

A A

Statistics data for this event

The types of transmit modes allowed by the WinPcap specific send queue implementation

Packets are sent as fast as possible

Packets are synchronized in the kernel with a high precision timestamp

The working mode of a Pcap device

Set a Pcap device to capture packets, Capture mode

Set a Pcap device to report statistics.
Statistics mode is only supported in WinPcap

List of available Pcap Interfaces.

Represents a strongly typed, read-only list of PcapDevices.

The name or description of the pcap interface to get.

Method to retrieve this classes singleton instance

Caution: Use the singlton instance unless you know why you need to call this. One use is for multiple filters on the same physical device. To apply multiple filters open the same physical device multiple times, one for each filter by calling this routine and picking the same device out of each list.

A

Retrieve a list of the current PcapDevices

A

Refresh the device list

Resolves MAC addresses from IP addresses using the Address Resolution Protocol (ARP)

Constructs a new ARP Resolver

Constructs a new ARP Resolver

The name of the network device on which this resolver sends its ARP packets

The source MAC address to be used for ARP requests. If null, the local device MAC address is used

The source IP address to be used for ARP requests. If null, the local device IP address is used

The default device name on which to send ARP requests

Resolves the MAC address of the specified IP address. The 'DeviceName' propery must be set prior to using this method.

The IP address to resolve The MAC address that matches to the given IP address

Resolves the MAC address of the specified IP address

The IP address to resolve The local network device name on which to send the ARP request The MAC address that matches to the given IP address

Status types when capture is stopped

Capture completed without errors

Error while capturing

A delegate for Packet Arrival events

A delegate for delivering network statistics when using winpcap in statistics mode

A delegate for notifying of a capture stopped event