
Lab 2: Packet Capture (Traffic Filtering)

Details
Aim: To provide an understanding of reading and filtering data packets using the
WinPcap packet capture drivers.

Outline
In this lab Visual Studio will be used to create a C#.NET application, which uses the
WinPcap packet capture drivers, to read and filter network traffic from a NIC on the local
machine.

WinPcap documentation can be found at:

http://www.winpcap.org/docs/docs_40_2/html/main.html

Activities
Capturing Packets
If Visual Studio is installed on your machine, download the following solution to your
desktop:

http://www.dcs.napier.ac.uk/~cs342/CSN11102/WinPCap2.zip

Extract the WinPcap2 folder to the desktop, and open the C#.NET solution (.sln file). It
should contain the following code, which uses the SharpPcap wrapper (Gal, 2010) for
the WinPcap packet capture drivers.

Change the network interface index number to the index of the Ethernet interface
found in the previous lab.

using System;
using Tamir.IPLib;
using Tamir.IPLib.Packets;

namespace NapierCapture
{
    public class CapturePackets
    {
        public static void Main(string[] args)
        {
            // Get the list of NICs
            PcapDeviceList NICList = SharpPcap.GetAllDevices();

            // Network Interface 1 (change as required)
            NetworkDevice netConn = (NetworkDevice)NICList[1];
            PcapDevice nic = netConn;

            // Define Event Handler Procedure for the Packet Arrival Event
            nic.PcapOnPacketArrival +=
                new SharpPcap.PacketArrivalEvent(nic_OnPacketArrival);

            // Open the network interface for capturing packets
            // true -- means promiscuous mode
            // 1000 -- means a read wait of 1000ms
            nic.PcapOpen(true, 1000);

            Console.WriteLine("Capturing packets on: {0}, \nPress <RETURN> to exit...\n",
                nic.PcapDescription);

            // Start the capturing process
            nic.PcapStartCapture();

            // Wait for the user to hit <RETURN>
            Console.Read();

            // Stop the capture
            nic.PcapStopCapture();
            nic.PcapClose();
        }

        // Packet Arrival Event Handler Procedure
        // Displays the time received and length of each received packet.
        private static void nic_OnPacketArrival(object sender, Packet packet)
        {
            DateTime time = packet.PcapHeader.Date;
            int len = packet.PcapHeader.PacketLength;
            Console.WriteLine("Packet Received: {0}:{1}:{2},{3}\tLength: {4}",
                time.Hour, time.Minute, time.Second, time.Millisecond, len);
        }
    }
}

e-Security Packet Capture with C#.NET – Rich Macfarlane/Bill Buchanan 1

Run the program, and test it by producing some network traffic. Verify that the
program is capturing packets. The output should look similar to the below.

Questions

Q: Are packets being captured, and the details displayed?


YES/NO

WinPcap Filters
A powerful feature offered by WinPcap is the capture filtering engine. This allows
traffic to be filtered using a filter string. Update the code with the filter shown in the
following code. In this case a “tcp” filter is used, so only packets carrying TCP protocol
traffic will be captured.



            Console.WriteLine("Capturing packets on: {0}, \nPress <RETURN> to exit...\n",
                nic.PcapDescription);

            // Create a filter, and associate the filter with this capture.
            string filter = "tcp";
            nic.PcapSetFilter(filter);
            Console.WriteLine("-- Using WinPcap Filter: \"{0}\"\n", filter);

            // Start the capturing process
            nic.PcapStartCapture();

Test the program by generating some TCP traffic, such as loading a web page, and
show that the program is capturing the data packets.

Questions

Q: Are packets being captured, and the details displayed?


YES/NO

The following web page provides a summary of WinPcap filtering:

http://www.winpcap.org/docs/docs_40_2/html/group__language.html

Use the web page to research how to create a filter that only captures packets containing the
ICMP protocol.

Questions

Q: What is the filter?

Test the filter by generating some network traffic that should not contain the ICMP
protocol (such as web traffic), and prove that the program DOES NOT capture those packets.

Questions

Q: Are ICMP packets being captured, and the details displayed?


YES/NO

Now test using ICMP traffic. The ping command line utility uses ICMP packets to test
connectivity to another system. Ping a neighbour's PC on the local network, or ping a web
server on the internet, as shown below.
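As an added example (not code from the lab handout or from SharpPcap), the following Python script shows what the two pieces of the exercise do underneath: it reads pcap records carrying the same timestamp and captured-length fields the arrival handler prints from PcapHeader, and it applies a small evaluator for the protocol-keyword subset of the WinPcap filter language ("tcp", "udp", "icmp", "ip", joined by "or") to constructed TCP, ICMP and UDP frames. All function names, the constructed frames and the timestamps are assumptions made for the example; it goes slightly beyond the lab by handling several keywords rather than one.

```python
import struct
from datetime import datetime, timezone

# Added example (not part of the lab or SharpPcap): a minimal pcap record reader
# plus a toy evaluator for the protocol-keyword subset of the WinPcap filter
# language, run over constructed frames. All names below are hypothetical.

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # IPv4 protocol numbers


def build_ipv4_frame(proto, payload=b""):
    """Construct an Ethernet/IPv4 frame carrying the given IP protocol number (test data)."""
    eth = bytes.fromhex("000000000001000000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + payload


def build_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian pcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = [struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
            for sec, usec, frame in records]
    return header + b"".join(body)


def read_pcap(data):
    """Yield (timestamp, captured_length, frame): the fields the lab reads from PcapHeader."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated pcap record")
        offset += incl_len
        ts = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)
        yield ts, incl_len, frame


def ip_protocol_name(frame):
    """Return 'tcp', 'udp' or 'icmp' for an IPv4 frame, else None (non-IPv4 or truncated)."""
    if len(frame) < 34:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    return IP_PROTO_NAMES.get(frame[14 + 9])


def matches_filter(frame, filter_expr):
    """Evaluate protocol keywords ('tcp', 'udp', 'icmp', 'ip') joined by 'or'."""
    wanted = {tok.strip() for tok in filter_expr.lower().split(" or ")}
    unknown = wanted - set(IP_PROTO_NAMES.values()) - {"ip"}
    if unknown:
        raise ValueError("unsupported filter keyword(s): %s" % ", ".join(sorted(unknown)))
    proto = ip_protocol_name(frame)
    if proto is None:
        return False          # the IP-based keywords never match a non-IPv4 frame
    return "ip" in wanted or proto in wanted


def capture_with_filter(pcap_bytes, filter_expr):
    """Replay the lab's arrival handler over the records that pass the filter."""
    lines = []
    for ts, length, frame in read_pcap(pcap_bytes):
        if matches_filter(frame, filter_expr):
            lines.append("Packet Received: %s,%d\tLength: %d"
                         % (ts.strftime("%H:%M:%S"), ts.microsecond // 1000, length))
    return lines


# Constructed capture: one TCP segment (web), one ICMP echo request (ping), one UDP datagram.
SAMPLE_PCAP = build_pcap([
    (1294000000, 100000, build_ipv4_frame(6, bytes(20))),
    (1294000001, 250000, build_ipv4_frame(1, b"\x08\x00\x00\x00\x00\x01\x00\x01")),
    (1294000002, 0, build_ipv4_frame(17, bytes(8))),
])

if __name__ == "__main__":
    for expr in ("tcp", "icmp", "tcp or icmp"):
        print('-- Using filter: "%s"' % expr)
        for line in capture_with_filter(SAMPLE_PCAP, expr):
            print(line)
```

Running it prints the TCP record only for the "tcp" filter, the ping record only for the ICMP filter, and both for "tcp or icmp", which is the behaviour the three YES/NO checks in this lab are asking you to observe. In WinPcap itself the filter string is compiled to BPF bytecode and applied inside the NPF driver, so packets that do not match are dropped before they ever reach the C# arrival handler; the evaluator above only reproduces the matching rules for a handful of keywords so they can be checked offline.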



Questions

Q: Are ICMP packets being captured, and the details displayed?


YES/NO

The program should display the ICMP packets as shown below.

References
Gal, T. (2010, Jan). SharpPcap - A Packet Capture Framework for .NET. Retrieved Jan 2011, from
The Code Project: http://www.codeproject.com/KB/IP/sharppcap.aspx
