c# - how to sniff packets in an app without relying on WinPCap?

BACKGROUND: I now understand how to write a C# application that can monitor packets going in/out of the network card on the PC the application is running on. The approach I know relies on http://www.winpcap.org/ being already installed on the PC however, and then I use a C# wrapper such as http://pcapdotnet.codeplex.com/ or http://sourceforge.net/projects/sharppcap/ .

QUESTION: My question, however, is: what would I need to do to be able to have a C# application that can sniff packets that does NOT require a 3rd party application/drivers to be pre-installed?

CLARIFICATION: That is I really want the application I currently have but without any requirement for me to tell the user to have to go and download/install XYZ prior to being able to use the application. For the purpose of the question assume that automating the download and install of a 3rd party application/drivers is not allowed either. (with WinPCap I'm not sure if you can bundle it, however I believe you're not supposed to in any case unfortunately)

thanks

Tobar answered 15/8, 2010 at 0:53 Comment(6)
Reimplement the functionality of WinPCAP or Microsoft's Network Monitor in C# - problem solved. Seriously, though - monitoring packets is pretty hard-core so you're either going to have to get some serious coding done or rely on a third-party package.Strop
Interesting. Wouldn't this put your app in the position to monitor and log all communications on that PC? In fact, you ought to be able to centrally consolidate the data you acquire.Student
winpcap.org/misc/copyright.htm - looks fairly redistributable to me, Greg.Strop
Wireshark and other networking tools distribute winpcap.Bait
I think wireshark just automates calling out to the winpcap website to facilitate the download. I haven't tackled such an approach with a setup project before so I'm not sure how easy it is. Perhaps an order of magnitude easier than what my question was asking for? BTW I noted netlimiter.com seems for example to install without asking for a 3rd party library prerequisite. Perhaps there's some hard core code under this little tool thenTobar
I'm usually pretty good at understanding licensing schemes when it comes to open source projects but there's no clear solution on the winpcap site to handle users that want to bundle the winpcap.dll file with their software. LibPcap (the linux implementation of pcap) OTOH falls under the BSD 3-clause license so it's possible to distribute the code (even in commercial proprietary code) as long as you follow the rules of the license. If you aren't stuck using Windows, I know SharpPcap can use both pcap libraries and I doubt pcap.net doesn't do the same.Moo
Personally I would stick to WinPCap. But since you asked, it is possible to sniff packets from the network using the following code to enable raw sockets.

using System.Net;
using System.Net.Sockets;

// Raw IPv4 socket bound to the NIC you want to capture on (needs an elevated/Administrator process on Windows).
Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
s.Bind(new IPEndPoint(IPAddress.Parse("<IP Address Here of NIC to sniff>"), 0));
s.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
// SIO_RCVALL: input value 1 turns capture of all IPv4 packets on this interface on, 0 turns it off.
byte[] inBytes = new byte[] { 1, 0, 0, 0 };
byte[] outBytes = new byte[] { 0, 0, 0, 0 };
s.IOControl(IOControlCode.ReceiveAll, inBytes, outBytes);

Once this is done, you can use Socket.Receive or Socket.BeginReceive to read the raw IP packets.

Theism answered 15/8, 2010 at 7:7 Comment(11)
hey Chris - I've not looked into raw sockets yet, however I have heard stories about Microsoft removing raw sockets from their O/S? Not sure if this is true or not. I guess the generalized question here is whether you can count on them (and therefore this code) being available across say XP, Vista & Windows 7? Also I assume the benefit of raw sockets is then you don't have to write a driver yourself then?Tobar
PS. Chris - After googling I'm getting the impression re reading (not writing) packets using raw sockets Microsoft may have left this in place. Do you happen to know the pros/cons of using raw sockets over WinPCap? For example why did you mention you'd personally stick with WinPCap? thanksTobar
@Greg, well I am not aware of MS plan for RAW sockets, but I do know that they still work on Windows 7. I have a little app that I wrote years ago that still works. I would stick to winpcap just because it is well supported and widely used. If you are only interested in reading IP (TCP, UDP, ICMP etc.) packets then I think RAW sockets are just fine.Theism
@Greg, on this page msdn.microsoft.com/en-us/library/ms740548(VS.85).aspx near the end, there is a list of limitations of RAW sockets for the various OS's but all are related to sending data over the RAW socket.Theism
I had done packet capturing in the past. With raw sockets you are still passing packets all the way through the winsock kernel stack. The performance would be very bad, especially on gigabit networks. Moreover you cannot do efficient filtering (e.g. only port 80 from ip x.y.z.v) like you can using WinPcap which works at a lower layer. I also doubt if you can do promiscuous mode capturing using raw sockets.Fundamental
Like Pratik says, .Net relies on the Windows winsock networking driver implementation. WinPcap provides an alternate networking driver that provides low level access to the networking interface. Trying to pound winsock into doing low level captures is a bad idea, it's a consumer-level implementation whereas WinPcap is designed specifically for developers who do protocol prototyping and/or need access to the lower layers of the networking stack.Moo
Let me clarify, Windows is reluctant to provide support to the lower layers of the stack because of security risks. While I found this frustrating at first I can understand their position. Most network attacks rely on sniffing and/or manipulating lower level networking protocols to work in unintended ways. Man-in-the-middle attacks intercept ARP requests and send fake responses to pollute a node's ARP cache. Smurf attacks modify the source IP of certain requests (Echo, Ping). DDOS create half-opened TCP requests. IP and MAC spoofing can be used to protect a hacker's identity.Moo
(cont) Limiting users to only be capable of limiting the TCP/IP layers by default is a good thing. Pcap libraries exist primarily to fill the gap for the small minority of developers that need to create tools for network analysis and custom protocol design.Moo
You can do promiscuous mode in Windows Raw Sockets, at least on Windows-7. But there are drawbacks besides the efficiency ones. PCAP gives you everything (according to your filters), RAW gives you what the OS does not eat in its servers (SSDP, WS-Discovery, ...). PCAP gives you fragments, RAW gives you de-fragmented messages. RAW requires actually running at Administrator level.Exhaustion
I have used this code recently and found that my dev machine captured all the packets that SharpPcap did, but when I put it in test, there were a huge number of missed packets whereas SharpPcap got everything.Banditry
There is a way to capture incoming/outgoing packets on .NET using just the standard winsocks implementation. I've seen a blog with example of how but I don't have the link anymore.

Long story short, it's an extreme edge case because that's not what winsocks (the standard windows networking driver) was intended for.

The reason Pcap is usually necessary to capture packets is, it uses its own NDIS networking driver that unlocks the full capabilities of your NIC. On top of that, it also provides an easy way to set filters to limit the amount of packets being captured on the specified interface.

I.e., the driver will ignore packets of a specific type at the kernel level instead of the usermode level. Therefore, you'll be able to filter packets much more efficiently and capture under larger loads on the network.

In .NET, to filter packets, you'd need to provide your own application layer packet filtering scheme that would be much less efficient.

Windows blocks access to non-standard protocols for 'security reasons' so they don't really support the use of RAW packets for networking (even though code may exist to make it possible). RAW packets were always intended for researching the design of new protocols, not general use.

For all of those reasons it is usually a good idea to pick up Winpcap and a wrapper for your specific language to implement any type of capturing application.

Note: I personally prefer SharpPcap, but I'm also biased as I do development on the project. Pcap.net is very similar in its implementation when it comes to capturing, it mainly diverges when it comes to how packets are parsed.

Moo answered 10/11, 2010 at 23:19 Comment(0)
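Putting the raw socket from Theism's answer together with the application-layer filtering that this answer says you would have to write yourself, here is an added example (not code from either answer, nor from WinPcap, SharpPcap or Pcap.Net): a console program that enables SIO_RCVALL, reads each IPv4 packet with Socket.Receive, parses the IPv4 header and the TCP/UDP port fields in user mode, and keeps only "tcp and port 80" traffic while counting how many packets it had to inspect to get there. The type and method names (ParsedPacket, RawIpSniffer, TryParse, Matches, OpenCaptureSocket) are this example's own; it assumes Windows, a process running as Administrator (as the comments on the first answer note), and the capture NIC's IPv4 address as the first command-line argument.

```csharp
// Added example, not from the original answers. Assumes Windows, an elevated
// (Administrator) process, and the IPv4 address of the NIC to capture on as args[0].
using System;
using System.Net;
using System.Net.Sockets;

public struct ParsedPacket
{
    public int HeaderLength;     // IPv4 header length in bytes (IHL * 4)
    public byte Protocol;        // 6 = TCP, 17 = UDP, 1 = ICMP
    public IPAddress Source;
    public IPAddress Destination;
    public int SourcePort;       // 0 when the protocol carries no ports
    public int DestinationPort;
}

public static class RawIpSniffer
{
    // Parses the IPv4 header plus the port fields of TCP/UDP.
    // Returns false for anything that is not a well-formed IPv4 packet.
    public static bool TryParse(byte[] buffer, int length, out ParsedPacket packet)
    {
        packet = default(ParsedPacket);
        if (length < 20 || (buffer[0] >> 4) != 4) return false;
        int ihl = (buffer[0] & 0x0F) * 4;
        if (ihl < 20 || length < ihl) return false;

        packet.HeaderLength = ihl;
        packet.Protocol = buffer[9];
        // Addresses sit at offsets 12 and 16 and are already in network byte order.
        packet.Source = new IPAddress(new byte[] { buffer[12], buffer[13], buffer[14], buffer[15] });
        packet.Destination = new IPAddress(new byte[] { buffer[16], buffer[17], buffer[18], buffer[19] });

        // TCP and UDP headers both begin with 16-bit source and destination ports.
        if ((packet.Protocol == 6 || packet.Protocol == 17) && length >= ihl + 4)
        {
            packet.SourcePort = (buffer[ihl] << 8) | buffer[ihl + 1];
            packet.DestinationPort = (buffer[ihl + 2] << 8) | buffer[ihl + 3];
        }
        return true;
    }

    // User-mode equivalent of a pcap filter such as "tcp and port 80". By the time
    // this runs the packet has already been copied up through winsock, which is
    // the inefficiency the answer above describes.
    public static bool Matches(ParsedPacket p, byte protocol, int port)
    {
        return p.Protocol == protocol && (p.SourcePort == port || p.DestinationPort == port);
    }

    // Same setup as the first answer: raw IPv4 socket bound to the NIC, then SIO_RCVALL.
    public static Socket OpenCaptureSocket(IPAddress nic)
    {
        Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
        s.Bind(new IPEndPoint(nic, 0));
        s.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
        byte[] inBytes = new byte[] { 1, 0, 0, 0 };   // RCVALL on
        byte[] outBytes = new byte[] { 0, 0, 0, 0 };
        s.IOControl(IOControlCode.ReceiveAll, inBytes, outBytes);
        return s;
    }

    public static void Main(string[] args)
    {
        if (args.Length < 1) { Console.WriteLine("usage: RawIpSniffer <NIC IPv4 address>"); return; }
        Socket s = OpenCaptureSocket(IPAddress.Parse(args[0]));
        byte[] buffer = new byte[65535];   // maximum IPv4 datagram size
        long seen = 0, matched = 0;
        while (true)
        {
            int n = s.Receive(buffer);     // one raw IP datagram per call
            seen++;
            ParsedPacket p;
            if (!TryParse(buffer, n, out p)) continue;
            if (Matches(p, 6, 80))         // "tcp and port 80"
            {
                matched++;
                Console.WriteLine("{0}:{1} -> {2}:{3} ({4} bytes)  matched {5} of {6} seen",
                    p.Source, p.SourcePort, p.Destination, p.DestinationPort, n, matched, seen);
            }
        }
    }
}
```

The matched/seen counter makes the cost this answer talks about visible: every packet on the interface is delivered to the process and parsed before the filter can discard it, whereas a pcap driver with the same filter drops the non-matching packets in the kernel. Because SIO_RCVALL hands up reassembled IPv4 datagrams rather than link-layer frames, the parser starts at the IP header and never sees Ethernet, ARP or fragments, which matches the limitations listed in the comments on the first answer.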
