Network Packet monitoring using Visual C #

This article introduces some programming of the original socket (raw socket) implemented by C # in Windows Sockets and the network packet Monitoring Technology Based on this. Compared with winsock1, Winsock2 supports the raw socket type most obviously. Using raw socket, you can set the NIC to the hybrid mode. In this mode, we can receive the IP packet on the network, of course, for the purpose of not the local IP packet, through the original socket, we can also more freely control the various protocols in windows, it can also control the underlying transmission mechanism of the network.

In this example, the rawsocket class is implemented in the nbyte. basicclass namespace, which includes the core technology for implementing packet monitoring. Before implementing this class, you need to write an IP header structure to temporarily store some information about network packets:

[Structlayout (layoutkind. explicit)]
Public struct ipheader
{
[Fieldoffset (0)] public byte ip_verlen; // I4-bit Header Length + 4-bit IP version number
[Fieldoffset (1)] public byte ip_tos; // 8-bit service type TOS
[Fieldoffset (2)] public ushort ip_totallength; // The total length of a 16-bit data packet (in bytes)
[Fieldoffset (4)] public ushort ip_id; // 16-bit ID
[Fieldoffset (6)] public ushort ip_offset; // 3-Bit Flag
[Fieldoffset (8)] public byte ip_ttl; // 8-bit TTL
[Fieldoffset (9)] public byte ip_protocol; // 8-bit protocol (TCP, UDP, ICMP, etc .)
[Fieldoffset (10)] public ushort ip_checksum; // 16-bit IP header checksum
[Fieldoffset (12)] public uint ip_srcaddr; // 32-bit source IP address
[Fieldoffset (16)] public uint ip_destaddr; // 32-bit destination IP address
}

In this way, when each packet arrives, you can use forced type conversion to convert the data stream in the packet into ipheader objects.

The following describes the rawsocket class. At the beginning, several parameters are defined, including:

Private bool error_occurred; // whether an error occurs when the socket receives the packet
Public bool keeprunning; // whether to continue
Private Static int len_receive_buf; // The length of the data stream.
Byte [] receive_buf_bytes; // received bytes
Private Socket socket = NULL; // declare a socket

There is also a constant:

Const int sio_rcvall = unchecked (INT) 0x98000001); // listen to all data packets

The sio_rcvall indicates that rawsocket receives all data packets. It will be used in later iocontrl functions. In the following constructor, initialization of some variable parameters is implemented:

Public rawsocket () // Constructor
{
Error_occurred = false;
Len_receive_buf = 4096;
Receive_buf_bytes = new byte [len_receive_buf];
}

The following function creates rawsocket and binds it to the endpoint (ipendpoint: local IP address and port:

Public void createandbindsocket (string IP) // create and bind a socket
{
Socket = new socket (addressfamily. InterNetwork, sockettype. Raw, protocoltype. IP );
Socket. Blocking = false; // set the non-blocking status of the socket.
Socket. BIND (New ipendpoint (IPaddress. parse (IP), 0); // bind a socket

If (setsocketoption () = false) error_occurred = true;
}

In the example

Socket = new socket (addressfamily. InterNetwork, sockettype. Raw, protocoltype. IP );