"PcapDotNet.Core"

Open a generic source in order to capture / send (WinPcap only) traffic.

Length of the packet that has to be retained. For each packet received by the filter, only the first 'snapshotLength' bytes are stored in the buffer and passed to the user application. For instance, snaplen equal to 100 means that only the first 100 bytes of each packet are stored. Keeps several flags that can be needed for capturing packets. Read timeout in milliseconds. The read timeout is used to arrange that the read not necessarily return immediately when a packet is seen, but that it waits for some amount of time to allow more packets to arrive and to read multiple packets from the OS kernel in one operation. Not all platforms support a read timeout; on platforms that don't, the read timeout is ignored. Thrown on failure.

List of addresses for the interface.

Interface flags. Currently the only possible flag is Loopback, that is set if the interface is a loopback interface.

if not null, a string giving a human-readable description of the device.

A string giving a name for the device.

Create a list of local machine network devices that can be opened with Open(). Platform independent.

A readonly collection of LivePacketDevices. Thrown if some errors occurred. An error could be due to several reasons: libpcap/WinPcap was not installed on the local/remote host.The user does not have enough privileges to list the devices.A network problem.other errors (not enough memory and others). There may be network devices that cannot be opened with Open() by the process calling AllLocalMachine, because, for example, that process might not have sufficient privileges to open them for capturing; if so, those devices will not appear on the list.

A live interface.

Open a generic source in order to capture / send (WinPcap only) traffic.

length of the packet that has to be retained. For each packet received by the filter, only the first 'snapshotLength' bytes are stored in the buffer and passed to the user application. For instance, snaplen equal to 100 means that only the first 100 bytes of each packet are stored. Keeps several flags that can be needed for capturing packets. Read timeout in milliseconds. The read timeout is used to arrange that the read not necessarily return immediately when a packet is seen, but that it waits for some amount of time to allow more packets to arrive and to read multiple packets from the OS kernel in one operation. Not all platforms support a read timeout; on platforms that don't, the read timeout is ignored. Thrown on failure.

List of addresses for the interface.

Interface flags. Currently the only possible flag is Loopback, that is set if the interface is a loopback interface.

if not null, a string giving a human-readable description of the device.

A string giving a name for the device.

Creates a device object from a pcap file. The device can opened to read packets from.

The name of the pcap file.

An offline interface - a pcap file to read packets from.

No sampling has to be done on the current capture. In this case, no sampling algorithms are applied to the current capture.

Indicates the 'waiting time' in milliseconds before one packet got accepted. In other words, if 'value = 10', the first packet is returned to the caller; the next returned one will be the first packet that arrives when 10ms have elapsed.

Constructs by giving an interval as TimeSpan.

The time to wait between packets sampled. The interval is negative or larger than 2^31 milliseconds.

Constructs by giving an interval in milliseconds.

The number of milliseconds to wait between packets sampled. The given number of milliseconds is negative.

This sampling method defines that we have to return 1 packet every given time-interval. In other words, if the interval is set to 10 milliseconds, the first packet is returned to the caller; the next returned one will be the first packet that arrives when 10ms have elapsed.

Send a buffer of packets to the network. This function transmits the content of a queue to the wire.

Contains the packets to send. Determines if the send operation must be synchronized: if it is true, the packets are sent respecting the timestamps, otherwise they are sent as fast as possible. An error occurred during the send. The error can be caused by a driver/adapter problem or by an inconsistent/bogus send buffer.. Using this function is more efficient than issuing a series of SendPacket(), because the packets are buffered in the kernel driver, so the number of context switches is reduced. Therefore, expect a better throughput when using Transmit(). When isSync is true, the packets are synchronized in the kernel with a high precision timestamp. This requires a non-negligible amount of CPU, but allows normally to send the packets with a precision of some microseconds (depending on the accuracy of the performance counter of the machine). Such a precision cannot be reached sending the packets with SendPacket().

Statistics on current capture. The values represent packet statistics from the start of the run to the time of the call.

Thrown if there is an error or the underlying packet capture doesn't support packet statistics.

A network device packet communicator.

Open a generic source in order to capture / send (WinPcap only) traffic. Uses maxmimum snapshotLength (65536), promiscuous mode and 1 second read timeout.

Open a generic source in order to capture / send (WinPcap only) traffic.

List of addresses for the interface.

Interface flags. Currently the only possible flag is Loopback, that is set if the interface is a loopback interface.

if not null, a string giving a human-readable description of the device.

A string giving a name for the device.

This snapshort length value should be sufficient, on most if not all networks, to capture all the data available from the packet.

The base class of a live or offline interface.

Open a generic source in order to capture / send (WinPcap only) traffic. Uses maxmimum snapshotLength (65536), promiscuous mode and 1 second read timeout.

Open a generic source in order to capture / send (WinPcap only) traffic.

List of addresses for the interface.

Interface flags. Currently the only possible flag is Loopback, that is set if the interface is a loopback interface.

if not null, a string giving a human-readable description of the device.

A string giving a name for the device. The name of the device is returned directly by the network card driver.

Represents a live or offline interface.

Attributes of a device.

Interface is loopback.

No attributes apply.

The ip version 6 address.

An internet protocol version 6 address for a device.

Transmit is not supported on offline captures.

Thrown always.

TotalStatistics is not supported on offline captures.

Thrown always.

Indicates the number of packets (minus 1) that must be discarded before one packet got accepted. In other words, if 'value = 10', the first packet is returned to the caller, while the following 9 are discarded.

Constructs by giving a count.

1 packet out of count packets will be sampled (for each sampled packet, count-1 will be discarded). The given count is non-positive.

Defines that only 1 out of count packets must be returned to the user. In other words, if the count is set to 10, the first packet is returned to the caller, while the following 9 are discarded.

The Pcap library version.

This class holds methods for general pcap library functionality.

The maximum legal timestamp to put in a packet.

The minimum legal timestamp to put in a packet.

Close the files associated with the capture and deallocates resources.

Open a file to write packets. Called to open an offline capture for writing. The name "-" in a synonym for stdout.

Specifies the name of the file to open. A dump file to dump packets capture by the communicator. Thrown on failure. The created dump file should be disposed by the user. Only ISO-8859-1 characters filenames are supported.

Compile and associate a filter to a capture. This method actually wraps a call to CreateFilter(), SetFilter() and Dispose().

A high level filtering expression (see WinPcap Filtering expression syntax). Thrown on failure.

Associate a filter to a capture.

The filter to associate. Usually the result of a call to CreateFilter(). Thrown on failure.

Compile a packet filter according to the communicator IPv4 netmask. todo bug in documentation

A high level filtering expression (see WinPcap Filtering expression syntax) The compiled filter that can be applied on the communicator. An error occurred. The created filter should be disposed by the user.

Send a buffer of packets to the network. This function transmits the content of a queue to the wire.

Contains the packets to send. Determines if the send operation must be synchronized: if it is true, the packets are sent respecting the timestamps, otherwise they are sent as fast as possible. Trying to transmit to an offline device or an error occurred during the send. The error can be caused by a driver/adapter problem or by an inconsistent/bogus send buffer. Using this function is more efficient than issuing a series of SendPacket(), because the packets are buffered in the kernel driver, so the number of context switches is reduced. Therefore, expect a better throughput when using Transmit(). When isSync is true, the packets are synchronized in the kernel with a high precision timestamp. This requires a non-negligible amount of CPU, but allows normally to send the packets with a precision of some microseconds (depending on the accuracy of the performance counter of the machine). Such a precision cannot be reached sending the packets with SendPacket().

Send a raw packet. This function allows to send a raw packet to the network.

The packet to send (including the various protocol headers). The MAC CRC doesn't need to be included, because it is transparently calculated and added by the network interface driver. The packet wasn't successfully sent.

Set a flag that will force ReceiveSomePackets(), ReceivePackets() or ReceiveStatistics() to return rather than looping. They will return the number of packets/statistics that have been processed so far, with return value BreakLoop.

This routine is safe to use inside a signal handler on UNIX or a console control handler on Windows, as it merely sets a flag that is checked within the loop. The flag is checked in loops reading packets from the OS - a signal by itself will not necessarily terminate those loops - as well as in loops processing a set of packets/statistics returned by the OS. Note that if you are catching signals on UNIX systems that support restarting system calls after a signal, and calling Break() in the signal handler, you must specify, when catching those signals, that system calls should NOT be restarted by that signal. Otherwise, if the signal interrupted a call reading packets in a live capture, when your signal handler returns after calling Break(), the call will be restarted, and the loop will not terminate until more packets arrive and the call completes. ReceivePacket() will, on some platforms, loop reading packets from the OS; that loop will not necessarily be terminated by a signal, so Break() should be used to terminate packet processing even if ReceivePacket() is being used. Break() does not guarantee that no further packets/statistics will be processed by ReceiveSomePackets(), ReceivePackets() or ReceiveStatistics() after it is called; at most one more packet might be processed. If BreakLoop is returned from ReceiveSomePackets(), ReceivePackets() or ReceiveStatistics(), the flag is cleared, so a subsequent call will resume reading packets. If a different return value is returned, the flag is not cleared, so a subsequent call will return BreakLoop and clear the flag.

Collect a group of statistics every readTimeout given in LivePacketDevice.Open().

Number of statistics to process. A negative count causes ReceiveStatistics() to loop forever (or at least until an error occurs). Specifies a routine to be called with one argument: the statistics received. Return value description Ok Count is exhausted BreakLoop Indicates that the loop terminated due to a call to Break() before count statistics were processed. Thrown if the mode is not Statistics or an error occurred.

Receives a single statistics data on packets from an interface instead of receiving the packets. The statistics can be received in the resolution set by readTimeout when calling LivePacketDevice.Open().

The received statistics if it was read without problems. null otherwise. Return value description Ok The statistics has been read without problems. In statistics mode the readTimeout is always used and it never runs on offline captures so Ok is the only valid result. Thrown if the mode is not Statistics or an error occurred.

Collect a group of packets. Similar to ReceiveSomePackets() except it keeps reading packets until count packets are processed or an error occurs. It does not return when live read timeouts occur.

Number of packets to process. A negative count causes ReceivePackets() to loop forever (or at least until an error occurs). Specifies a routine to be called with one argument: the packet received. Return value description Ok Count is exhausted Eof Count wasn't exhausted and EOF was reached reading from an offline capture. BreakLoop Indicates that the loop terminated due to a call to Break() before count packets were processed. Thrown if the mode is not Capture or an error occurred.

Collect a group of packets. Used to collect and process packets.

Specifies the maximum number of packets to process before returning. This is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than maxPackets packets may be processed. A maxPackets of -1 processes all the packets received in one buffer when reading a live capture, or all the packets in the file when reading an offline capture. Specifies a routine to be called with one argument: the packet received. The number of packets read is returned. 0 is returned if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the communicator is in non-blocking mode and no packets were available to be read) or if no more packets are available in an offline capture. Return value description Ok countGot packets has been read without problems. This includes the case where a read timeout occurred and the case the communicator is in non-blocking mode and no packets were available Eof EOF was reached reading from an offline capture. BreakLoop Indicates that the loop terminated due to a call to Break() before any packets were processed. Thrown if the mode is not Capture or an error occurred. Only the first bytes of data from the packet might be in the received packet (which won't necessarily be the entire packet; to capture the entire packet, you will have to provide a value for snapshortLength in your call to PacketDevice.Open() that is sufficiently large to get all of the packet's data - a value of 65536 should be sufficient on most if not all networks). When reading a live capture, ReceiveSomePackets() will not necessarily return when the read times out; on some platforms, the read timeout isn't supported, and, on other platforms, the timer doesn't start until at least one packet arrives. This means that the read timeout should NOT be used in, for example, an interactive application, to allow the packet capture loop to ``poll'' for user input periodically, as there's no guarantee that ReceiveSomePackets() will return after the timeout expires.

Read a packet from an interface or from an offline capture. This function is used to retrieve the next available packet, bypassing the callback method traditionally provided. The method fills the packet parameter with the next captured packet.

The received packet if it was read without problems. null otherwise. Return value description Ok The packet has been read without problems. Timeout The timeout set with LivePacketDevice.Open() has elapsed. In this case the packet out parameter will be null. Eof EOF was reached reading from an offline capture. In this case the packet out parameter will be null. Thrown if the mode is not Capture or an error occurred.

Define a sampling method for packet capture. This function allows applying a sampling method to the packet capture process. The mtthod will be applied as soon as the capture starts.

Warning: Sampling parameters cannot be changed when a capture is active. These parameters must be applied before starting the capture. If they are applied when the capture is in progress, the new settings are ignored. Warning: Sampling works only when capturing data on Win32 or reading from a file. It has not been implemented on other platforms. Sampling works on remote machines provided that the probe (i.e. the capturing device) is a Win32 workstation. The sampling method to be applied

Set the minumum amount of data received by the kernel in a single call. Changes the minimum amount of data in the kernel buffer that causes a read from the application to return (unless the timeout expires). If the value of size is large, the kernel is forced to wait the arrival of several packets before copying the data to the user. This guarantees a low number of system calls, i.e. low processor usage, and is a good setting for applications like packet-sniffers and protocol analyzers. Vice versa, in presence of a small value for this variable, the kernel will copy the packets as soon as the application is ready to receive them. This is useful for real time applications that need the best responsiveness from the kernel.

minimum number of bytes to copy Thrown on failure.

Set the size of the kernel buffer associated with an adapter. If an old buffer was already created with a previous call to SetKernelBufferSize(), it is deleted and its content is discarded. LivePacketDevice.Open() creates a 1 MByte buffer by default.

the size of the buffer in bytes Thrown on failure.

Switch between blocking and nonblocking mode. Puts a live communicator into "non-blocking" mode, or takes it out of "non-blocking" mode. In "non-blocking" mode, an attempt to read from the communicator with ReceiveSomePackets will, if no packets are currently available to be read, return immediately rather than blocking waiting for packets to arrive. ReceivePacket and ReceivePackets will not work in "non-blocking" mode.

Thrown if there is an error.

The working mode of the interface.

Statistics on current capture. The values represent packet statistics from the start of the run to the time of the call. Supported only on live captures, not on offline. No statistics are stored in offline, so no statistics are available when reading from an offline device.

Thrown if there is an error or the underlying packet capture doesn't support packet statistics.

The minor version number of the pcap library used to write the file.

The major version number of the pcap library used to write the file.

True if the current file uses a different byte order than the current system.

The IPv4 netmask of the network on which packets are being captured; useful for filters when checking for IPv4 broadcast addresses in the filter program. If the netmask of the network on which packets are being captured isn't known to the program, or if packets are being captured on the Linux "any" pseudo-interface that can capture on more than one network, the value will be null and a filter that tests for IPv4 broadcast addreses won't be done correctly, but all other tests in the filter program will be OK.

The dimension of the packet portion (in bytes) that is delivered to the application.

List of the supported data link types of the interface associated with the packet communicator. This property is currently unsupported to avoid memory leakage until a bug fix will be released in winpcap.

Thrown on failure.

The link layer of an adapter.

Thrown when setting the datalink fails.

Used to receive and send packets accross the network or to read and write packets to a pcap file.

This is the base sampling method class. Every sampling method is defined by a method and an optional value, both for internal usage.

The different return values when receiving from a packet communicator.

This return value should never be returned

The loop has been broken by a call to Break() before all the requested packets could be read.

EOF was reached reading from an offline capture.

The timeout set with Open() has elapsed when trying to read packets.

The packets/statistics have been read without problems.

Working modes for packet communicator.

Kernel dump working mode.

Kernel monitoring mode.

Statistical working mode.

Capture working mode.

Deletes a send buffer and frees all the memory associated with it.

Adds a raw packet at the end of the send buffer. 'Raw packet' means that the sending application will have to include the protocol headers, since every packet is sent to the network 'as is'. The CRC of the packets needs not to be calculated, because it will be transparently added by the network interface.

The packet to be added to the buffer Thrown on failure.

This function allocates a send buffer, i.e. a buffer containing a set of raw packets that will be transimtted on the network with PacketCommunicator.Transmit().

The size, in bytes, of the buffer, therefore it determines the maximum amount of data that the buffer will contain.

Represents a buffer of packets to be sent. Note that transmitting a send buffer is much more efficient than performing a series of Send(), because the send buffer is buffered at kernel level drastically decreasing the number of context switches.

Win32 specific. Number of packets captured, i.e number of packets that are accepted by the filter, that find place in the kernel buffer and therefore that actually reach the application.

Number of packets dropped by the interface.

Number of packets dropped by the driver.

Number of packets transited on the network.

Statistics on capture from the start of the run.

The number of bytes received during the last interval.

The number of packets received during the last interval.

The time the statistics was received.

Represents a statistics value when running in statistics mode.

Flags to use when openning a device to send and receive packets.

This flag configures the adapter for maximum responsiveness. In presence of a large value for nbytes, WinPcap waits for the arrival of several packets before copying the data to the user. This guarantees a low number of system calls, i.e. lower processor usage, i.e. better performance, which is good for applications like sniffers. If the user sets this flag, the capture driver will copy the packets as soon as the application is ready to receive them. This is suggested for real time applications (like, for example, a bridge) that need the best responsiveness.

Defines if the local adapter will capture its own generated traffic. This flag tells the underlying capture driver to drop the packets that were sent by itself. This is useful when building applications like bridges, that should ignore the traffic they just sent. Note that this flag applies to the specific PacketCommunicator opened with it only.

Defines if the remote probe will capture its own generated traffic. In case the remote probe uses the same interface to capture traffic and to send data back to the caller, the captured traffic includes the RPCAP traffic as well. If this flag is turned on, the RPCAP traffic is excluded from the capture, so that the trace returned back to the collector does not include this traffic.

Defines if the data trasfer (in case of a remote capture) has to be done with UDP protocol. Use this flag if you want a UDP data connection, don't use it if you want a TCP data connection; control connection is always TCP-based. A UDP connection is much lighter, but it does not guarantee that all the captured packets arrive to the client workstation. Moreover, it could be harmful in case of network congestion. This flag is meaningless if the source is not a remote interface. In that case, it is simply ignored.

Defines if the adapter has to go in promiscuous mode. Note that even if this parameter is false, the interface could well be in promiscuous mode for some other reason (for example because another capture process with promiscuous mode enabled is currently using that interface). On on Linux systems with 2.2 or later kernels (that have the "any" device), this flag does not work on the "any" device; if an argument of "any" is supplied, the 'promisc' flag is ignored.

No flags.

Closes a savefile.

Return the file position for a "savefile". Returns the current file position for the "savefile", representing the number of bytes written by PacketCommunicator.OpenDump() and Dump().

Thrown on error.

Flushes the output buffer to the ``savefile,'' so that any packets written with Dump() but not yet written to the ``savefile'' will be written.

Thrown on error.

Save a packet to disk. Outputs a packet to the "savefile" opened with PacketCommunicator.OpenDump().

The packet to write to disk.

Creates a dump file and saves the given packets to disk. This method is useful when you've got packets to save but no device.

The name of the dump file. The data link of the packets saved globally in the dump file. The dimension of the packet portion (in bytes) that is used when writing the packets. 65536 guarantees that the whole packet will be captured on all the link layers. The packets to save to the dump file.

A file to write packets.

The description of the datalink.

The name of the datalink.

The pcap value of the datalink.

The kind of the datalink.

Create the datalink its name.

The name of the pcap datalink.

Create the datalink from an int value (pcap value).

The pcap value of the datalink.

Create the datalink from one of the well defined datalink kinds.

The kind of datalink to create.

A packet communicator datalink.

Free a filter. Used to free up allocated memory when that BPF program is no longer needed, for example after it has been made the filter program for a packet communicator by a call to PacketCommunicator.SetFilter().

Returns if a given filter applies to an offline packet. This method is used to apply a filter to a packet that is currently in memory. This process does not need to open an adapter; we need just to create the proper filter (by settings parameters like the snapshot length, or the link-layer type) by means of the Pcap. The current API of libpcap does not allow to receive a packet and to filter the packet after it has been received. However, this can be useful in case you want to filter packets in the application, instead of into the receiving process. This function allows you to do the job.

The packet that has to be filtered. True iff the given packet satisfies the filter.

The length of the bytes that are currently available into the packet if the packet satisfies the filter, 0 otherwise. The packet that has to be filtered. True iff the given packet satisfies the filter.

Compile a packet filter without the need of opening an adapter. This constructor converts a high level filtering expression (see WinPcap Filtering expression syntax) in a program that can be interpreted by the kernel-level filtering engine. Assumes the netmask of the network on which packets are being captured isn't known to the program, or that packets are being captured on the Linux "any" pseudo-interface that can capture on more than one network. Tests for IPv4 broadcast addreses won't be done correctly, but all other tests in the filter program will be OK.

A high level filtering expression (see WinPcap Filtering expression syntax) Length of the packet that has to be retained of the communicator this filter will be applied on. The link layer of an adapter that this filter will apply upon. Indicates an error. Probably caused by bad syntax. If the purpose of this filter is to apply it on a communicator and not to test packets in memory, it would be simpler to call to PacketCommunicator.CreateFilter() or to directly call PacketCommunicator.SetFilter().

A high level filtering expression (see WinPcap Filtering expression syntax) Length of the packet that has to be retained of the communicator this filter will be applied on. The link layer of an adapter that this filter will apply upon. Specifies the IPv4 netmask of the network on which packets are being captured; it is used only when checking for IPv4 broadcast addresses in the filter program. If the netmask of the network on which packets are being captured isn't known to the program, or if packets are being captured on the Linux "any" pseudo-interface that can capture on more than one network, null can be supplied; tests for IPv4 broadcast addreses won't be done correctly, but all other tests in the filter program will be OK. Indicates an error. Probably caused by bad syntax. If the purpose of this filter is to apply it on a communicator and not to test packets in memory, it would be simpler to call to PacketCommunicator.CreateFilter() or to directly call PacketCommunicator.SetFilter().

A packet filter, converting a high level filtering expression (see WinPcap Filtering expression syntax) in a program that can be interpreted by the kernel-level filtering engine. The user must dispose instances of this class to deallocate resources.

The ip version 4 address.

An internet protocol version 4 address for a device.

if not null, the destination address corresponding to the address in Address; may be null if the interface isn't a point-to-point interface

if not null, the broadcast address corresponding to the address in Address; may be null if the interface doesn't support broadcasts.

if not null, the netmask corresponding to the address in Address.

The Device Address.

Representation of an interface address.

Family (type) of the socket address.

The base of all device addresses. Contains the family (type) of the address.

The type of socket address for a device address.

Bluetooth RFCOMM/L2CAP protocols

Network Designers OSI & gateway

IrDA

IEEE 1284.4 WG AF

Microsoft Wolfpack

Internetwork Version 6

Native ATM Services

Banyan

Somebody is using this!

Protocols from Firefox

VoiceView

NetBios-style addresses

AppleTalk

NSC Hyperchannel

LAT

Direct data link interface

DECnet

IBM SNA

CCITT protocols, X.25 etc

datakit protocols

european computer manufacturers

OSI is ISO

ISO protocols

IPX protocols: IPX, SPX, etc.

XEROX NS protocols

mit CHAOS protocols

pup protocols: e.g. BSP

arpanet imp addresses

internetwork: UDP, TCP, etc.

local to host (pipes, portals)

unspecified