Project under GPL source codes are posted here

Packet Capture and Analyzer

Fri Nov 07, 2008 12:43 pm

 Project Name:   Packet Capture and Analyzer
 Programmer:   firat kocak
 Type:   Network
 Technology:  C#
 IDE:   NONE
 Description:   The first idea of writing a packet sniffer program came from a reply to my comments on one of the projects named "NetSend ( Sending popup messenger messages between computers )" by Marc Clifton. Marc asked me "What about receiving message". To tell the truth, I didn't know how I could do that. I knew a program which I had downloaded and tested years ago. But I didn't know how it worked. So I searched the net for programs that can receive messages created by NetSend. And I noticed that many of them were using packet sniffer libraries. And then I decided to learn how it is done. My search attempts gave a result and I found a free library named WinPCap.

After previewing the WinPCap source code, my first trial was to write a wrapper class for it. But what I did was not what I expected. And I had no control over the code. So I decided to port the base library of WinPCap named PacketNt.dll to C#. After many weeks and debug trials, I finished it. And then I wrote a new class to make the capture process easy. While all this happened, a new class was created: Function. Yes, now I could catch packets from the network card but I wasn't able to display them. Because I had no idea what they meant. My next search was to find a program with free source code that can display packets. Yes, yes, as you guessed, I found it. Its name is Ethereal. It is really a great program and free.

First I traced the packets captured by Ethereal and built some protocols and was able to display them in my test program. And then (after getting its source code), I used the source code to learn the protocol structures. Now my program supports over 15 protocols. My aim is to add all protocols supported by Ethereal to my program and to make it available to all of you. At this point, I will be very happy if some of you who are interested in this kind of project help to finish it. I am alone, and porting all protocols to C# is absolutely time consuming and tiring.





Attachments
Pacanal.zip
(364.86 KiB) Downloaded 4441 times

Re: Packet Capture and Analyzer

Thu Jan 22, 2009 12:16 pm

Which IDE did you use? I can't make this program work.
Thanks

Re: Packet Capture and Analyzer

Thu Apr 02, 2009 1:52 am

Do we need any software to run this project?

Re: Packet Capture and Analyzer

Fri Mar 05, 2010 3:55 pm

Hi,

I am doing the Packet Capture and Analyzer project.
I downloaded pacanal.zip from your post,
but it is not executing. Could you help me run the project?

Re: Packet Capture and Analyzer

Sun Jan 20, 2013 6:13 pm

It is a C# program. Here is a code sample:
csharp code
using System;
using System.Windows.Forms;

namespace MyClasses
{
    // TCP dissector from the Pacanal project. Function, Const, PacketHTTP,
    // PacketSQL and PacketNBSS are other classes of the same project.
    public class PacketTCP
    {
        public struct PACKET_TCP
        {
            public ushort SourcePort;
            public ushort DestinationPort;
            public uint SequenceNumber;
            public uint Acknowledgement;
            public byte HeaderLength;
            public byte Falgs;
            public ushort WindowSize;
            public ushort Checksum;
            public ushort Options;
        }

        public PacketTCP()
        {
        }

        // Decodes the TCP header at Index into the tree view and the list view row.
        public static bool Parser( ref TreeNodeCollection mNode,
            byte [] PacketData ,
            ref int Index ,
            ref ListViewItem LItem , ref uint PreviousHttpSequence )
        {
            TreeNode mNodex;
            TreeNode mNode1;
            string Tmp = "";
            PACKET_TCP PTcp;

            mNodex = new TreeNode();
            mNodex.Text = "TCP ( Transmission Control Protocol )";
            Function.SetPosition( ref mNodex , Index , Const.LENGTH_OF_TCP , true );

            // Refuse to decode when fewer bytes remain than a TCP header needs.
            if( ( Index + Const.LENGTH_OF_TCP ) > PacketData.Length )
            {
                mNode.Add( mNodex );

                Tmp = "[ Malformed TCP packet. Remaining bytes don't fit a TCP packet. Possibly due to bad decoding ]";
                mNode.Add( Tmp );
                LItem.SubItems[ Const.LIST_VIEW_INFO_INDEX ].Text = Tmp;

                return false;
            }

            try
            {
                PTcp.SourcePort = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Source Port : " + Function.ReFormatString( PTcp.SourcePort ,
                    Const.GetPortStr( PTcp.SourcePort ) );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 2 , 2 , false );
                LItem.SubItems[ Const.LIST_VIEW_SOURCE_PORT_INDEX ].Text = PTcp.SourcePort.ToString();

                PTcp.DestinationPort = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Destination Port : " + Function.ReFormatString( PTcp.DestinationPort ,
                    Const.GetPortStr( PTcp.DestinationPort ) );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 2 , 2 , false );
                LItem.SubItems[ Const.LIST_VIEW_DESTINATION_PORT_INDEX ].Text = PTcp.DestinationPort.ToString();

                PTcp.SequenceNumber = Function.Get4Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Sequence Number : " + Function.ReFormatString( PTcp.SequenceNumber , null );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 4 , 4 , false );
                LItem.SubItems[ Const.LIST_VIEW_SEQUENCE_INDEX ].Text = PTcp.SequenceNumber.ToString();

                PTcp.Acknowledgement = Function.Get4Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Acknowledgement : " + Function.ReFormatString( PTcp.Acknowledgement , null );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 4 , 4 , false );
                LItem.SubItems[ Const.LIST_VIEW_ACKNOWLEDGE_INDEX ].Text = PTcp.Acknowledgement.ToString();

                // The high nibble is the data offset in 32-bit words; convert it to bytes.
                PTcp.HeaderLength = PacketData[ Index++ ];
                PTcp.HeaderLength = (byte) ( ( (int) PTcp.HeaderLength >> 4 ) * 4 );
                Tmp = "Length : " + Function.ReFormatString( PTcp.HeaderLength , null );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 1 , 1 , false );

                // One child node per flag bit, from CWR (0x80) down to FIN (0x01).
                PTcp.Falgs = PacketData[ Index++ ];
                mNode1 = new TreeNode();
                mNode1.Text = "Flags : " + Function.ReFormatString( PTcp.Falgs , null );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , true );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x80 , "Congestion window reduced ( CWR ) : Set" , "Congestion window reduced ( CWR ) : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x40 , "ECN-Echo : Set" , "ECN-Echo : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x20 , "Urgent : Set" , "Urgent : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x10 , "Acknowledgement : Set" , "Acknowledgement : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x08 , "Push : Set" , "Push : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x04 , "Reset : Set" , "Reset : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x02 , "Sync : Set" , "Sync : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNode1.Nodes.Add( Function.DecodeBitField( PTcp.Falgs , 0x01 , "Fin : Set" , "Fin : Not set" ) );
                Function.SetPosition( ref mNode1 , Index - 1 , 1 , false );
                mNodex.Nodes.Add( mNode1 );

                PTcp.WindowSize = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Window Size : " + Function.ReFormatString( PTcp.WindowSize , null );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 2 , 2 , false );

                PTcp.Checksum = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Checksum : " + Function.ReFormatString( PTcp.Checksum , null );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 2 , 2 , false );

                // Note: in the TCP header (RFC 793) these two bytes are the Urgent Pointer.
                // TCP options, when present, follow the 20-byte fixed header and are not decoded here.
                PTcp.Options = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                Tmp = "Options : " + Function.ReFormatString( PTcp.Options , null );
                mNodex.Nodes.Add( Tmp );
                Function.SetPosition( ref mNodex , Index - 2 , 2 , false );

                LItem.SubItems[ Const.LIST_VIEW_PROTOCOL_INDEX ].Text = "TCP";
                LItem.SubItems[ Const.LIST_VIEW_INFO_INDEX ].Text = "Source Port = " +
                    PTcp.SourcePort.ToString() + " ( " + Const.GetPortStr( PTcp.SourcePort ) + " ) , Destination Port = " +
                    PTcp.DestinationPort.ToString() + " ( " + Const.GetPortStr( PTcp.DestinationPort ) + " )";

                mNode.Add( mNodex );

                bool IsCifs = false;

                // Hand the payload to the next dissector, chosen by port number.
                if( ( PTcp.SourcePort == Const.IPPORT_HTTP ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_HTTP ) ||
                    ( PTcp.SourcePort == Const.IPPORT_HTTP2 ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_HTTP2 ) )
                {
                    // 54 = 14 ( Ethernet ) + 20 ( IP ) + 20 ( TCP ): assumes no IP or TCP options.
                    if( PreviousHttpSequence == ( PTcp.SequenceNumber - ( PacketData.Length - 54 ) ) )
                    {
                        PreviousHttpSequence = PTcp.SequenceNumber;
                        PacketHTTP.Parser( ref mNode , PacketData , ref Index , ref LItem , false );
                    }
                    else
                    {
                        PreviousHttpSequence = 0;
                        PacketHTTP.Parser( ref mNode , PacketData , ref Index , ref LItem , true );
                    }
                }
                // <KEITH>
                // This code calls PacketSQL to parse the contents
                else if ( ( PTcp.SourcePort == Const.IPPORT_SQL ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_SQL ) )
                {
                    PacketSQL.Parser( ref mNode, PacketData, ref Index, ref LItem, true );
                }
                // </KEITH>
                else if( ( PTcp.SourcePort == Const.IPPORT_NBSSN ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_NBSSN ) )
                {
                    if( ( PTcp.SourcePort == Const.TCP_PORT_CIFS ) ||
                        ( PTcp.DestinationPort == Const.TCP_PORT_CIFS ) )
                        IsCifs = true;
                    else
                        IsCifs = false;

                    PacketNBSS.Parser( ref mNode , PacketData , ref Index , ref LItem , IsCifs );
                }
            }
            catch( Exception Ex )
            {
                // Any read past the end of the buffer ends up here and is reported as malformed.
                mNode.Add( mNodex );
                Tmp = "[ Malformed TCP packet. Remaining bytes don't fit a TCP packet. Possibly due to bad decoding ]";
                mNode.Add( Tmp );
                Tmp = "[ Exception raised is <" + Ex.GetType().ToString() + "> at packet index <" + Index.ToString() + "> ]";
                mNode.Add( Tmp );
                LItem.SubItems[ Const.LIST_VIEW_INFO_INDEX ].Text =
                    "[ Malformed TCP packet. Remaining bytes don't fit a TCP packet. Possibly due to bad decoding ]";

                return false;
            }

            return true;
        }

        // Same decoding without the tree view: fills only the list view row.
        public static bool Parser( byte [] PacketData ,
            ref int Index ,
            ref ListViewItem LItem , ref uint PreviousHttpSequence )
        {
            string Tmp = "";
            PACKET_TCP PTcp;

            if( ( Index + Const.LENGTH_OF_TCP ) > PacketData.Length )
            {
                Tmp = "[ Malformed TCP packet. Remaining bytes don't fit a TCP packet. Possibly due to bad decoding ]";
                LItem.SubItems[ Const.LIST_VIEW_INFO_INDEX ].Text = Tmp;

                return false;
            }

            try
            {
                PTcp.SourcePort = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                PTcp.DestinationPort = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                PTcp.SequenceNumber = Function.Get4Bytes( PacketData , ref Index , Const.NORMAL );
                PTcp.Acknowledgement = Function.Get4Bytes( PacketData , ref Index , Const.NORMAL );
                PTcp.HeaderLength = PacketData[ Index++ ];
                PTcp.HeaderLength = (byte) ( ( (int) PTcp.HeaderLength >> 4 ) * 4 );
                PTcp.Falgs = PacketData[ Index++ ];
                PTcp.WindowSize = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                PTcp.Checksum = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
                // Urgent Pointer bytes in the TCP header; see the note in the overload above.
                PTcp.Options = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );

                LItem.SubItems[ Const.LIST_VIEW_SOURCE_PORT_INDEX ].Text = PTcp.SourcePort.ToString();
                LItem.SubItems[ Const.LIST_VIEW_DESTINATION_PORT_INDEX ].Text = PTcp.DestinationPort.ToString();
                LItem.SubItems[ Const.LIST_VIEW_SEQUENCE_INDEX ].Text = PTcp.SequenceNumber.ToString();
                LItem.SubItems[ Const.LIST_VIEW_ACKNOWLEDGE_INDEX ].Text = PTcp.Acknowledgement.ToString();
                LItem.SubItems[ Const.LIST_VIEW_PROTOCOL_INDEX ].Text = "TCP";
                LItem.SubItems[ Const.LIST_VIEW_INFO_INDEX ].Text = "Source Port = "
                    + PTcp.SourcePort.ToString() + " ( " + Const.GetPortStr( PTcp.SourcePort ) + " ) , Destination Port = "
                    + PTcp.DestinationPort.ToString() + " ( " + Const.GetPortStr( PTcp.DestinationPort ) + " )";

                bool IsCifs = false;

                if( ( PTcp.SourcePort == Const.IPPORT_HTTP ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_HTTP ) ||
                    ( PTcp.SourcePort == Const.IPPORT_HTTP2 ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_HTTP2 ) )
                {
                    if( PreviousHttpSequence == ( PTcp.SequenceNumber - ( PacketData.Length - 54 ) ) )
                    {
                        PreviousHttpSequence = PTcp.SequenceNumber;
                        PacketHTTP.Parser( PacketData , ref Index , ref LItem , false );
                    }
                    else
                    {
                        PreviousHttpSequence = 0;
                        PacketHTTP.Parser( PacketData , ref Index , ref LItem , true );
                    }
                }
                // <KEITH>
                // This code calls PacketSQL to parse the contents
                else if ( ( PTcp.SourcePort == Const.IPPORT_SQL ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_SQL ) )
                {
                    PacketSQL.Parser( PacketData, ref Index, ref LItem, false );
                }
                // </KEITH>
                else if( ( PTcp.SourcePort == Const.IPPORT_NBSSN ) ||
                    ( PTcp.DestinationPort == Const.IPPORT_NBSSN ) )
                {
                    if( ( PTcp.SourcePort == Const.TCP_PORT_CIFS ) ||
                        ( PTcp.DestinationPort == Const.TCP_PORT_CIFS ) )
                        IsCifs = true;
                    else
                        IsCifs = false;

                    PacketNBSS.Parser( PacketData , ref Index , ref LItem , IsCifs );
                }
            }
            catch
            {
                LItem.SubItems[ Const.LIST_VIEW_INFO_INDEX ].Text =
                    "[ Malformed TCP packet. Remaining bytes don't fit a TCP packet. Possibly due to bad decoding ]";

                return false;
            }

            return true;
        }
    }
}
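
An added example, not part of the post above or of the Pacanal source: a stand-alone TCP header decoder that validates the data offset and skips the options area before reporting the payload position, so that truncated or inconsistent headers are rejected by explicit checks rather than by a caught exception. The names TcpHeaderDemo and TryParse and the three sample packets are constructed for illustration.

```csharp
// Added example (not Pacanal code): bounds-checked TCP header decoding.
using System;
public static class TcpHeaderDemo
{
    public const int MinHeader = 20;   // fixed part of the TCP header (RFC 793)
    // Big-endian (network order) readers; callers guarantee the bounds.
    static ushort U16(byte[] d, int o) { return (ushort)((d[o] << 8) | d[o + 1]); }
    static uint U32(byte[] d, int o) { return ((uint)U16(d, o) << 16) | U16(d, o + 2); }

    // Returns null on success and sets payloadOffset; otherwise returns the reason.
    public static string TryParse(byte[] data, int index, out int payloadOffset, out string summary)
    {
        payloadOffset = -1; summary = "";
        if (data == null || index < 0 || data.Length - index < MinHeader)
            return "truncated: fewer than 20 bytes remain";
        int headerLen = (data[index + 12] >> 4) * 4;      // data offset, in 32-bit words
        if (headerLen < MinHeader)
            return "invalid data offset: " + headerLen + " bytes";
        if (data.Length - index < headerLen)
            return "truncated options: header claims " + headerLen + " bytes";
        byte flags = data[index + 13];
        string[] names = { "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR" };
        string set = "";
        for (int bit = 0; bit < 8; bit++)
            if ((flags & (1 << bit)) != 0) set += (set.Length > 0 ? "," : "") + names[bit];

        summary = U16(data, index) + " -> " + U16(data, index + 2)
                + " seq=" + U32(data, index + 4) + " ack=" + U32(data, index + 8)
                + " flags=[" + set + "] urgent=" + U16(data, index + 18)
                + " options=" + (headerLen - MinHeader) + "B";
        payloadOffset = index + headerLen;                // skip options before the payload
        return null;
    }

    public static void Main()
    {
        // Constructed sample: SYN from port 49152 to 80 with a 4-byte MSS option (offset = 6 words).
        byte[] syn = { 0xC0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x60, 0x02,
                       0xFF,0xFF, 0,0, 0,0, 0x02,0x04,0x05,0xB4 };
        byte[] badOffset = (byte[])syn.Clone(); badOffset[12] = 0x40;   // claims 16-byte header
        byte[] cut = new byte[22]; Array.Copy(syn, cut, 22);            // options cut short
        foreach (byte[] p in new[] { syn, badOffset, cut })
        {
            int off; string info;
            string err = TryParse(p, 0, out off, out info);
            Console.WriteLine(err == null ? info + " payload@" + off : "[malformed: " + err + "]");
        }
    }
}
```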


Re: Packet Capture and Analyzer

Fri May 03, 2013 6:03 pm

Do you have this code in Java?
