Packet Capture (Network Interface) : Lab 1 A
Details
Aim: To provide a foundation in reading data packets
Activities
If Visual Studio is installed on your machine, download the following solution [1]:
http://www.dcs.napier.ac.uk/~bill/WinPCap1.zip
using System;
using Tamir.IPLib;
namespace NapierCapture
{
    public class ShowDevices          // class name assumed; the original is not shown
    {
        public static void Main(string[] args)
        {
            string verWinPCap = Tamir.IPLib.Version.GetVersionString();
            Console.WriteLine("WinPCap Version: {0}", verWinPCap);
            Console.WriteLine("Connected devices:\r\n");
            int count = 0;
            foreach (PcapDevice device in SharpPcap.GetAllDevices())   // one entry per capture interface
            {
                Console.WriteLine("{0}) {1}", count, device.PcapDescription);
                Console.WriteLine("\tName:\t\t{0}", device.PcapName);
                Console.WriteLine("\tMode:\t\t{0}", device.PcapMode);
                Console.WriteLine("\tIP Address:\t{0}", device.PcapIpAddress);
                Console.WriteLine("\tLoopback:\t{0}", device.PcapLoopback);
                Console.WriteLine();
                count++;
            }
        }
    }
}
Run the program, and verify that it produces a list of the available network cards, such as:
WinPCap Version: 1.0.2.0
Connected devices:
0) Realtek RTL8169/8110 Family Gigabit Ethernet NIC (Microsoft's Packet Scheduler)
Name: \Device\NPF_{A22E93C1-A78D-4AFE-AD2B-517889CE42D7}
Mode: Capture
IP Address: 192.168.2.1
Loopback: False
Next, update the code so that it displays the configuration of each network connection [1]:
            foreach (PcapDevice device in SharpPcap.GetAllDevices())   // replaces the loop body of the previous program
            {
                NetworkDevice netConn = (NetworkDevice)device;   // adapter details exposed by the Tamir.IPLib wrapper
                Console.WriteLine("{0}) {1}", count, netConn.PcapDescription);
                Console.WriteLine("\tIP Address:\t\t{0}", netConn.IpAddress);
                Console.WriteLine("\tSubnet Mask:\t\t{0}", netConn.SubnetMask);
                Console.WriteLine("\tMAC Address:\t\t{0}", netConn.MacAddress);
                Console.WriteLine("\tDefault Gateway:\t{0}", netConn.DefaultGateway);
                Console.WriteLine("\tPrimary WINS:\t\t{0}", netConn.WinsServerPrimary);
                Console.WriteLine("\tSecondary WINS:\t\t{0}", netConn.WinsServerSecondary);
                Console.WriteLine("\tDHCP Enabled:\t\t{0}", netConn.DhcpEnabled);
                Console.WriteLine("\tDHCP Server:\t\t{0}", netConn.DhcpServer);
                Console.WriteLine("\tDHCP Lease Obtained:\t{0}", netConn.DhcpLeaseObtained);
                Console.WriteLine("\tDHCP Lease Expires:\t{0}", netConn.DhcpLeaseExpires);
                Console.WriteLine();
                count++;
            }
[1] This code is based on the code wrapper for WinPCap developed by T.Gal
[http://www.thecodeproject.com/csharp/sharppcap.asp].
Lab 1b: Packet Capture (Filtering)
Details
Aim: To provide an understanding of events in reading data packets
Activities
Using the previous solution from Lab 1, update it with the following code [1]. In this case the 2nd connection is used (getNetConnections[1]) in promiscuous mode (change as required, depending on your network connection). USE THE CONNECTION WHICH IS THE ETHERNET CONNECTION.
http://www.dcs.napier.ac.uk/~bill/WinPCap2.zip
using System;
using Tamir.IPLib;
using Tamir.IPLib.Packets;
namespace NapierCapture
{
    public class CapturePackets
    {
        public static void Main(string[] args)
        {
            PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
            // Second connection: change the index to the one that is your Ethernet adapter
            PcapDevice device = getNetConnections[1];
            // Register the handler that is called for every captured packet
            device.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);
            device.PcapOpen(true, 1000);     // promiscuous = true, read timeout 1000 ms
            Console.WriteLine("Network connection: {0}", device.PcapDescription);
            device.PcapStartCapture();       // capture runs on a background thread
            Console.WriteLine("Press <Enter> to stop...");
            Console.ReadLine();
            device.PcapStopCapture();
            device.PcapClose();
        }
        private static void device_PcapOnPacketArrival(object sender, Packet packet)
        {
            DateTime time = packet.PcapHeader.Date;
            int len = packet.PcapHeader.PacketLength;   // length of the captured frame in bytes
            Console.WriteLine("{0}:{1}:{2},{3} Len={4}", time.Hour, time.Minute,
                time.Second, time.Millisecond, len);
        }
    }
}
Run the program, produce some network traffic, and verify that it is capturing packets, such as:
13:17:56,990 Len=695
13:17:57,66 Len=288
13:17:57,68 Len=694
13:18:4,363 Len=319
13:18:4,364 Len=373
13:18:4,364 Len=371
13:18:4,365 Len=375
13:18:4,366 Len=367
Update the code with a filter. In the following case an IP and TCP filter is used [1]:
            device.PcapOpen(true, 1000);
            device.PcapSetFilter("ip and tcp");   // capture filter (BPF syntax); set after the device is opened
Generate some data traffic, such as loading a Web page, and show that the program is capturing the data packets.
Next update the filter so that it only captures ICMP packets, such as:
Generate some data traffic, and prove that it does not capture the packets. Now ping a node on your network, such as:
Ping 192.168.1.102
13:40:47,761 Len=74
13:40:48,756 Len=74
13:40:48,759 Len=74
13:40:49,757 Len=74
13:40:49,760 Len=74
13:40:50,757 Len=74
Lab 1c: Packet Capture (IDS)
Details
Aim: To define the usage of an intrusion detection system
Activities
1. The WinPcap library can be used to read the source and destination IP addresses and TCP ports. For this the TCPPacket class is used. Initially modify the program in Lab 2 so that it now displays the source and destination IP and TCP ports [1]:
http://www.dcs.napier.ac.uk/~bill/WinPCap3.zip
In the output it can be seen that the WWW server TCP port is 80, and the local port is 3582. Run the program, generate some network activity, and determine the output.
2. Modify the program in 3.12.1, so that it only displays traffic which is destined for a Web server. Prove its operation.
3. Next modify the code so that it detects only ICMP packets (using the ICMPPacket class), and displays the source and the destination addresses, along with the TTL (time-to-live) value [1]:
Run the program, and ping a node on the network. What is the output, and why does it show three responses for every ping?
4. Modify the program in 3.12.2, so that it displays the Ethernet details of the data frame, such as [4]:
        private static System.Text.ASCIIEncoding format = new System.Text.ASCIIEncoding();
        private static void device_PcapOnPacketArrival(object sender, Packet packet)
        {
            if (!(packet is TCPPacket)) return;   // only TCP segments carry the payload we inspect
            TCPPacket tcp = (TCPPacket)packet;
            DateTime time = packet.PcapHeader.Date;
            int len = packet.PcapHeader.PacketLength;
            byte[] b = tcp.Data;                  // TCP payload bytes
            string s = format.GetString(b);
            s = s.ToLower();                      // case-insensitive match
            if (s.IndexOf("intel") > -1) Console.WriteLine("Intel found...");
        }
5. The above code detects the presence of the word Intel in the data packet. Run the program, then load a site with the word Intel in it, and prove that it works, such as for:
Intel found...
Intel found...
6. It is then possible to filter on source and destination ports, and on source and destination addresses. For example, the following detects the word Intel on the destination port of 80:
            if (tcp.DestinationPort == 80)        // tcp is the TCPPacket from the previous step
            {
                byte[] b = tcp.Data;
                string s = format.GetString(b).ToLower();
                if (s.IndexOf("intel") > -1) Console.WriteLine("Intel found...");
            }
7. Prove the operation of the code, and modify it so that it detects a SYN request to a Web server (port: 80), and displays the destination IP address of the Web server.
8. Modify the code in 7 so that it displays all the flags for data packets.
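The lab's C# handlers read the fields that SharpPcap has already decoded (TCPPacket, ICMPPacket). The following Python block is an added example, not part of the lab or of the SharpPcap wrapper, that does the same decoding directly on raw frame bytes with the standard library: it walks Ethernet II, IPv4 and then TCP or ICMP headers by offset, extracts the ports, TTL and TCP flags the steps above ask for, flags a SYN to port 80 (step 7) and runs the case-insensitive "intel" payload match (steps 5 and 6). The frames it works on are constructed in the block (MAC and IP addresses are made up; checksums are left as zero and not validated), so it runs offline; the 74-byte ping frame it builds matches the Len=74 seen in Lab 1b for a Windows echo request (14 Ethernet + 20 IP + 8 ICMP + 32 data).

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # TCP flag bits 0..5
# Constructed Ethernet header: made-up dst MAC, src MAC, then the IPv4 EtherType
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))

def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP or ICMP from raw bytes (checksums not validated)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
            "ethertype": ethertype, "length": len(frame)}
    if ethertype != ETHERTYPE_IPV4:
        return info                                 # ARP and others are left undecoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, ttl, proto, src_ip, dst_ip = struct.unpack("!B7xBB2x4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    info.update({"src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip), "ttl": ttl, "protocol": proto})
    l4 = ip[ihl:]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport, off_flags = struct.unpack("!HH8xH", l4[:14])
        header_len = (off_flags >> 12) * 4          # data offset: top 4 bits of that 16-bit word
        flags = off_flags & 0x3F                    # FIN..URG: low 6 bits
        info.update({"sport": sport, "dport": dport,
                     "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                     "payload": l4[header_len:]})
    elif proto == PROTO_ICMP and len(l4) >= 8:
        info["icmp_type"], info["icmp_code"] = struct.unpack("!BB", l4[:2])
    return info

def is_syn_to_web_server(info):
    """Lab step 7: a connection request (SYN without ACK) sent to TCP port 80."""
    flags = info.get("flags", [])
    return info.get("dport") == 80 and "SYN" in flags and "ACK" not in flags

def payload_contains(info, word):
    """Lab steps 5 and 6: case-insensitive keyword match on one segment's TCP payload."""
    return word.lower() in info.get("payload", b"").decode("ascii", errors="ignore").lower()

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", ttl=64):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left as zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, PROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return ETH_HDR + ip + tcp

def build_ping_frame(src_ip, dst_ip, ttl=128):
    """Constructed ICMP echo request carrying the 32-byte data a Windows ping sends."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2, 0, ttl, PROTO_ICMP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return ETH_HDR + ip + icmp

# Constructed sample traffic (addresses and ports are made up for the example)
SYN_FRAME = build_tcp_frame("192.168.1.5", "192.168.1.20", 3582, 80, 0x02)       # SYN
DATA_FRAME = build_tcp_frame("192.168.1.5", "192.168.1.20", 3582, 80, 0x18,       # PSH|ACK
                             b"GET / HTTP/1.1\r\nHost: www.intel.com\r\n\r\n")
PING_FRAME = build_ping_frame("192.168.1.5", "192.168.1.102")

if __name__ == "__main__":
    for info in map(parse_frame, (SYN_FRAME, DATA_FRAME, PING_FRAME)):
        if "dport" in info:
            print("TCP %s:%d -> %s:%d %s Len=%d" % (info["src_ip"], info["sport"], info["dst_ip"],
                                                   info["dport"], "|".join(info["flags"]), info["length"]))
            if is_syn_to_web_server(info):
                print("  SYN to Web server", info["dst_ip"])
            if payload_contains(info, "intel"):
                print("  Intel found...")
        elif "icmp_type" in info:
            print("ICMP %s -> %s type=%d TTL=%d Len=%d" % (info["src_ip"], info["dst_ip"],
                                                          info["icmp_type"], info["ttl"], info["length"]))
```

Two points worth noticing when the same logic is used as a detector. The keyword match looks at one segment at a time, exactly as the lab's handler does, so a word split across two TCP segments is missed; a production IDS reassembles the stream before matching. And the length checks before each `struct.unpack` matter: a truncated or malformed frame must be rejected, not allowed to throw an unexpected exception inside the capture callback.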
Lab 1d: Packet Capture (IDS) – ARP Detection
Details
Aim: To define the capture of ARP information
Activities
1. The ARP protocol is important on networks, as it allows a node to determine the MAC address of a destination node on the same network. For security it is important, as it gives information on the activity on the local network. In this lab ARP packets will be captured, and then displayed for their basic information. The solution can be found at:
http://www.dcs.napier.ac.uk/~bill/WinPCap4.zip
[Figure: ARP header layout; the hardware type and protocol type fields are 16 bits each.]
Thus a program to capture the ARP packets is given next. Notice that the byte array is read for the first two bytes for the hardware type, and the next two for the protocol type [1]:
using System;
using Tamir.IPLib;
using Tamir.IPLib.Packets;
namespace NapierCapture
{
    public class CapturePackets
    {
        public static void Main(string[] args)
        {
            PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
            PcapDevice device = getNetConnections[1];   // change the index to your Ethernet adapter
            device.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);
            device.PcapOpen(true, 1000);
            Console.WriteLine("Network connection: {0}", device.PcapDescription);
            device.PcapStartCapture();
            Console.WriteLine("Press <Enter> to stop...");
            Console.ReadLine();
            device.PcapStopCapture();
            device.PcapClose();
        }
        private static void device_PcapOnPacketArrival(object sender, Packet packet)
        {
            if (packet is ARPPacket)
            {
                byte[] b = packet.Header;              // ARP header bytes
                int type = (b[0] << 8) | b[1];         // hardware type: first two bytes
                int protocol = (b[2] << 8) | b[3];     // protocol type: next two bytes
                int opcode = (b[6] << 8) | b[7];       // operation code: bytes 6 and 7
                Console.WriteLine("ARP: Hardware type {0}, protocol {1}, opcode {2}",
                    type, protocol, opcode);
            }
        }
    }
}
3. Modify the code so that it displays the other fields in the ARP header.
4. Modify the code so that it displays the actual ARP type, rather than the code, such as with:
Note: For Ethernet, the hardware type is normally set to 1 [2]. The protocol type for IP is 0x0800 (2048), and the table for the op-code is:
1 Request
2 Reply
3 Request Reverse
4 Reply Reverse
                Console.Write("ARP: Hardware type {0}, protocol {1}, ", type, protocol);
                if (opcode == 1) Console.Write("{0}", opcode);
                else if (opcode == 2) …
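The lab reads the ARP header out of a byte array by offset: bytes 0 and 1 are the hardware type, 2 and 3 the protocol type, 6 and 7 the opcode, and the opcode is mapped to a name with the table above. The following Python block is an added example, not the lab's C# code, that carries that through to the whole header: it decodes the fixed 8-byte part, uses the hardware and protocol address lengths it finds there to pull out the sender and target addresses, checks that the frame is long enough before unpacking, and prints the operation name as step 4 asks. The two frames it decodes are constructed in the block (MAC and IP addresses made up), so it runs offline.

```python
import struct

ETHERTYPE_ARP = 0x0806
# Code tables from the lab's note: hardware type 1 is Ethernet, protocol type 0x0800 (2048) is IP
HARDWARE_TYPES = {1: "Ethernet"}
PROTOCOL_TYPES = {0x0800: "IP"}
ARP_OPCODES = {1: "Request", 2: "Reply", 3: "Request Reverse", 4: "Reply Reverse"}

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))

def parse_arp(arp):
    """Decode an ARP header: hardware type (bytes 0-1), protocol type (2-3), address
    lengths (4, 5), opcode (6-7), then sender/target hardware and protocol addresses."""
    if len(arp) < 8:
        raise ValueError("ARP header shorter than the 8-byte fixed part")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    need = 8 + 2 * (hlen + plen)                   # the declared lengths decide the total size
    if len(arp) < need:
        raise ValueError("ARP header truncated: need %d bytes, got %d" % (need, len(arp)))
    sender_hw, sender_proto, target_hw, target_proto = struct.unpack(
        "!%ds%ds%ds%ds" % (hlen, plen, hlen, plen), arp[8:need])
    return {
        "hardware_type": htype, "hardware_name": HARDWARE_TYPES.get(htype, "unknown"),
        "protocol_type": ptype, "protocol_name": PROTOCOL_TYPES.get(ptype, "unknown"),
        "opcode": opcode, "operation": ARP_OPCODES.get(opcode, "unknown opcode %d" % opcode),
        "sender_mac": mac_str(sender_hw), "sender_ip": ip_str(sender_proto),
        "target_mac": mac_str(target_hw), "target_ip": ip_str(target_proto),
    }

def parse_arp_frame(frame):
    """Return the decoded ARP header for an Ethernet frame carrying ARP, else None."""
    if len(frame) < 14:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None                                 # not ARP: the lab's 'packet is ARPPacket' test
    return parse_arp(frame[14:])

def describe(info):
    """Lab step 4 output: the operation name instead of the numeric opcode."""
    return "ARP: Hardware type %d (%s), protocol 0x%04x (%s), %s: %s (%s) -> %s (%s)" % (
        info["hardware_type"], info["hardware_name"], info["protocol_type"], info["protocol_name"],
        info["operation"], info["sender_ip"], info["sender_mac"], info["target_ip"], info["target_mac"])

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/ARP frame for IP over Ethernet (hlen 6, plen 4)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + ip_bytes(sender_ip) + target_mac + ip_bytes(target_ip))
    dst = b"\xff" * 6 if opcode == 1 else target_mac   # requests are broadcast on the LAN
    return dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp

# Constructed sample traffic (addresses are made up for the example)
HOST_A = bytes.fromhex("0011223344aa")
HOST_B = bytes.fromhex("0011223344bb")
ARP_REQUEST = build_arp_frame(1, HOST_A, "192.168.1.5", b"\x00" * 6, "192.168.1.102")
ARP_REPLY = build_arp_frame(2, HOST_B, "192.168.1.102", HOST_A, "192.168.1.5")

if __name__ == "__main__":
    for frame in (ARP_REQUEST, ARP_REPLY):
        print(describe(parse_arp_frame(frame)))
```

Decoding the sender and target addresses, not only the type codes, is what makes the capture useful for the monitoring purpose the lab describes: the request shows which host is asking for which address, and a reply whose sender IP is already known under a different MAC, or a reply that answers no request, is the kind of event a LAN monitor should report.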
References
[1] This code is based on the code wrapper for WinPCap developed by T.Gal
[http://www.thecodeproject.com/csharp/sharppcap.asp].
[2] http://www.networksorcery.com/enp/protocol/arp.htm