SharpPcap Adapter bus types Usb Pci PciExpress MiniPci MiniPciExpress Cardbus Expresscard Types of airpcap adapters Class Class release 2 AirPcap TX AirPcap EX AirPcap N AirPcap Nx Frequency bands 2.4 GHz band 5 GHz band Channel info Channel frequency, in MHz 802.11n specific. Offset of the extension channel in case of 40MHz channels. Possible values are -1, 0 +1: - -1 means that the extension channel should be below the control channel (e.g. Control = 5 and Extension = 1) - 0 means that no extension channel should be used (20MHz channels or legacy mode) - +1 means that the extension channel should be above the control channel (e.g. Control = 1 and Extension = 5) In case of 802.11a/b/g channels (802.11n legacy mode), this field should be set to 0. Channel Flags. The only flag supported at this time is \ref AIRPCAP_CIF_TX_ENABLED. ToString() override A Channel info flags No flags set Channel info flag: the channel is enabled for transmission, too. To comply with the electromagnetic emission regulations of the different countries, the AirPcap hardware can be programmed to block transmission on specific channels. This flag is set by AirpcapGetDeviceSupportedChannels() to indicate that a channel in the list supports transmission. Type of decryption the adapter performs. An adapter can be instructed to turn decryption (based on the device-configured keys configured with \ref AirpcapSetDeviceKeys()) on or off. This adapter performs decryption This adapter does not perform decryption AirPcap device Led states Led on Led off TODO: Get this from packet.net or another place in System.Net.xxx? 
Handle to the device The last pcap error associated with this pcap device Device capabilities, whether the device can transmit, its id, model name etc Adapter channel Adapter frequency Channel information Decryption keys that are currently associated with the specified device Global list of decryption keys that AirPcap is using with all the devices. Tells if decryption of the incoming frames with the device-specific keys. Tells if this open instance is configured to perform the decryption of the incoming frames with the global set of keys. Configures the adapter on whether to include the MAC Frame Check Sequence in the captured packets. The kinds of frames that the device will capture By default all frames are captured Kernel packet buffer size for this adapter in bytes Number of leds on this adapter Link type Link type in terms of PacketDotNet.LinkLayers Mac address Mac flags Adapter statistics List of supported channels Transmit power Device timestamp See ThrowIfNotOpen(string ExceptionString) Retrieve the last error string for a given pcap_t* device A A Open a device Open the device. To start capturing call the 'StartCapture' function A Open the device. To start capturing call the 'StartCapture' function A A Opens an Airpcap device with optional WinPcap.OpenFlags A A Close a device Size in bytes of a key collection with a given count of keys Convert a AirpcapKeysCollection unmanaged buffer to a list of managed keys Convert an array of keys into unmanaged memory Constructor A A AirPcap specific capture thread Marshal a chunk of captured packets into a packet list Capabilities for the adapter An id that identifies the adapter model String containing a printable adapter model The type of bus the adapter is plugged to An OR combination of the media that the device supports. Possible values are: \ref AIRPCAP_MEDIUM_802_11_A, \ref AIRPCAP_MEDIUM_802_11_B, \ref AIRPCAP_MEDIUM_802_11_G or \ref AIRPCAP_MEDIUM_802_11_N. Not supported at the moment. 
An OR combination of the bands that the device supports. Can be one of: \ref AIRPCAP_BAND_2GHZ, \ref AIRPCAP_BAND_5GHZ. TRUE if the adapter is able to perform frame injection. TRUE if the adapter's transmit power can be specified by the user application. TRUE if the adapter supports plugging one or more external antennas. ToString() overload A Adapter description Device name Device description ToString() override A AirPcap device list Represents a strongly typed, read-only list of PcapDevices. The name or description of the pcap interface to get. Method to retrieve this class's singleton instance Caution: Use the singleton instance unless you know why you need to call this. One use is for multiple filters on the same physical device. To apply multiple filters open the same physical device multiple times, one for each filter by calling this routine and picking the same device out of each list. A Retrieve an array of AirPcapDevices Refresh the device list Defines the internal AirPcap device timestamp Current value of the device counter, in microseconds. Value of the software counter used to timestamp packets before reading the device counter, in microseconds. Value of the software counter used to timestamp packets after reading the device counter, in microseconds. ToString() override A WEP key container Constructor Number of bytes in a wep key Type of key, can be one of: \ref AIRPCAP_KEYTYPE_WEP, \ref AIRPCAP_KEYTYPE_TKIP, \ref AIRPCAP_KEYTYPE_CCMP. Only AIRPCAP_KEYTYPE_WEP is supported by the driver at the moment. Key data A Type of keys in the adapter Key type: WEP. The key can have an arbitrary length smaller than 32 bytes. Key type: TKIP (WPA). NOT SUPPORTED YET by AirPcap Key type: CCMP (WPA2). NOT SUPPORTED YET by AirPcap Mac flags If set, the device is configured to work in monitor mode. When monitor mode is on, the device captures all the frames transmitted on the channel. 
This includes: - unicast packets - multicast packets - broadcast packets - control and management packets When monitor mode is off, the device has a filter on unicast packets to capture only the packets whose MAC destination address equals the device's address. This means the following frames will be received: - unicast packets whose destination is the address of the device - multicast packets - broadcast packets - beacons and probe requests If set, the device will acknowledge the data frames sent to its address. This is useful when the device needs to interact with other devices on the 802.11 network, because handling the ACKs in software is normally too slow. Medium type 802.11a medium 802.11b medium 802.11g medium 802.11n medium Packet header Seconds field Microseconds field Number of bytes captured On-line packet size in bytes Header length in bytes ToString() override A Per http://msdn.microsoft.com/en-us/ms182161.aspx Sets variables to the particular version being used Pointer to a variable that will be filled with the major version number Pointer to a variable that will be filled with the minor version number Pointer to a variable that will be filled with the revision number Pointer to a variable that will be filled with the build number Returns the last error related to the specified handle Handle to an open adapter String with the last error, a PCHAR Returns the list of available devices Address to a caller allocated pointer. On success this pointer will receive the head of a list of available devices. String that will contain error information if FALSE is returned. The size of the string must be AIRPCAP_ERRBUF_SIZE bytes. TRUE on success. FALSE is returned on failure, in which case Ebuf is filled in with an appropriate error message. Frees a list of devices returned by AirpcapGetDeviceList() Head of the list of devices returned by AirpcapGetDeviceList() Opens an adapter Name of the device to open. Use AirpcapGetDeviceList() to get the list of devices. 
String that will contain error information in case of failure. The size of the string must be AIRPCAP_ERRBUF_SIZE bytes. A PAirpcapHandle handle on success. NULL is returned on failure, in which case Ebuf is filled in with an appropriate error message. Closes an adapter Handle to the adapter to close. Get the capabilities of a device NOTE: The PCapabilities structure returned by AirpcapGetDeviceCapabilities() must be considered invalid after the adapter has been closed. Handle to the adapter Pointer to a library-allocated AirpcapDeviceCapabilities structure that contains the capabilities of the adapter True on success Sets the device's monitor mode and acknowledgment settings. When an adapter is plugged into the system, it's always configured with monitor mode ON and acknowledgment settings OFF. These values are not stored persistently, so if you want to turn monitor mode off, you will need to do it every time you attach the adapter. \note currently, the AirPcap adapter supports frame acknowledging when the adapter is NOT in monitor mode. This means that the combinations in which the two flags have the same value will cause AirpcapSetDeviceMacFlags() to fail. Handle to the adapter Flags word, that contains a bitwise-OR combination of the following flags: \ref AIRPCAP_MF_MONITOR_MODE_ON and \ref AIRPCAP_MF_ACK_FRAMES_ON . TRUE on success Gets the device's monitor mode and acknowledgement settings When an adapter is plugged into the system, it's always configured with monitor mode ON and acknowledgment settings OFF. These values are not stored persistently, so if you want to turn monitor mode off, you will need to do it every time you attach the adapter. Handle to the adapter User-provided flags word, that will be filled by the function with an OR combination of the following flags: \ref AIRPCAP_MF_MONITOR_MODE_ON and \ref AIRPCAP_MF_ACK_FRAMES_ON. 
TRUE on success Sets the link type of an adapter the "link type" determines how the driver will encode the packets captured from the network. AirPcap supports two link types: - \ref AIRPCAP_LT_802_11, to capture 802.11 frames (including control frames) without any power information. Look at the "Capture_no_radio" example application in the developer's pack for a reference on how to decode 802.11 frames with this link type. - \ref AIRPCAP_LT_802_11_PLUS_RADIO, to capture 802.11 frames (including control frames) with a radiotap header that contains power and channel information. More information about the radiotap header can be found in the \ref radiotap section. Moreover, the "Capture_radio" example application in the developer's pack can be used as a reference on how to decode 802.11 frames with radiotap headers. - \ref AIRPCAP_LT_802_11_PLUS_PPI, to capture 802.11 frames (including control frames) with a Per Packet Information (PPI) header that contains per-packet meta information like channel and power information. More details on the PPI header can be found in the PPI online documentation (TODO). the "link type", i.e. the format of the frames that will be received from the adapter. TRUE on success Gets the link type of the specified adapter the "link type" determines how the driver will encode the packets captured from the network. AirPcap supports two link types: - \ref AIRPCAP_LT_802_11, to capture 802.11 frames (including control frames) without any power information. Look at the "Capture_no_radio" example application in the developer's pack for a reference on how to decode 802.11 frames with this link type. - \ref AIRPCAP_LT_802_11_PLUS_RADIO, to capture 802.11 frames (including control frames) with a radiotap header that contains power and channel information. More information about the radiotap header can be found in the \ref radiotap section. 
Moreover, the "Capture_radio" example application in the developer's pack can be used as a reference on how to decode 802.11 frames with radiotap headers. - \ref AIRPCAP_LT_802_11_PLUS_PPI, to capture 802.11 frames (including control frames) with a Per Packet Information (PPI) header that contains per-packet meta information like channel and power information. More details on the PPI header can be found in the PPI online documentation (TODO). Handle to the adapter Pointer to a caller allocated AirpcapLinkType variable that will contain the link type of the adapter TRUE on success Configures the adapter on whether to include the MAC Frame Check Sequence in the captured packets. In the default configuration, the adapter includes the FCS in the captured packets. The MAC Frame Check Sequence is 4 bytes and is located at the end of the 802.11 packet, with \ref AIRPCAP_LT_802_11, \ref AIRPCAP_LT_802_11_PLUS_RADIO and \ref AIRPCAP_LT_802_11_PLUS_PPI link types. When the FCS inclusion is turned on, and if the link type is \ref AIRPCAP_LT_802_11_PLUS_RADIO, the radiotap header that precedes each frame has two additional fields at the end: Padding and FCS. These two fields are not present when FCS inclusion is off. Handle to the adapter TRUE if the packets should include the FCS, FALSE otherwise TRUE on success PIsFcsPresent is true if the specified adapter includes the MAC Frame Check Sequence in the captured packets In the default configuration, the adapter includes the FCS in the captured packets. The MAC Frame Check Sequence is 4 bytes and is located at the end of the 802.11 packet, with \ref AIRPCAP_LT_802_11, \ref AIRPCAP_LT_802_11_PLUS_RADIO and \ref AIRPCAP_LT_802_11_PLUS_PPI link types. When the FCS inclusion is turned on, and if the link type is \ref AIRPCAP_LT_802_11_PLUS_RADIO, the radiotap header that precedes each frame has two additional fields at the end: Padding and FCS. These two fields are not present when FCS inclusion is off. 
Handle to the adapter User-provided variable that will be set to true if the adapter is including the FCS TRUE if the operation is successful. FALSE otherwise. Configures the adapter to accept or drop frames with an incorrect Frame Check sequence (FCS) NOTE: By default the driver is configured in \ref AIRPCAP_VT_ACCEPT_EVERYTHING mode Handle to the adapter The type of validation the driver will perform. See the documentation of \ref AirpcapValidationType for details. TRUE on success Checks if the specified adapter is configured to capture frames with an incorrect Frame Check Sequence (FCS). \note By default, the driver is configured in \ref AIRPCAP_VT_ACCEPT_EVERYTHING mode. Handle to the adapter Pointer to a user supplied variable that will contain the type of validation the driver will perform. See the documentation of \ref AirpcapValidationType for details. TRUE if the operation is successful, FALSE otherwise Sets the list of decryption keys that AirPcap is going to use with the specified device. AirPcap is able to use a set of decryption keys to decrypt the traffic transmitted on a specific SSID. If one of the keys corresponds to the one the frame has been encrypted with, the driver will perform decryption and return the cleartext frames to the application. This function sets the device-specific set of keys. These keys will be used by the specified device only, and will not be used by other airpcap devices besides the specified one. At this time, the only supported decryption method is WEP. The keys are applied to the packets in the same order they appear in the KeysCollection structure until the packet is correctly decrypted, therefore putting frequently used keys at the beginning of the structure improves performance. \note When you change the set of keys from an open capture instance, the change will be immediately reflected on all the other capture instances on the same device. 
Handle to the adapter Pointer to a \ref PAirpcapKeysCollection structure that contains the keys to be set in the device. TRUE if the operation is successful. FALSE otherwise. Returns the list of decryption keys that are currently associated with the specified device This function returns the device-specific set of keys. These keys are used by the specified device only, and not by other airpcap devices besides the specified one. AirPcap is able to use a set of decryption keys to decrypt the traffic transmitted on a specific SSID. If one of the keys corresponds to the one the frame has been encrypted with, the driver will perform decryption and return the cleartext frames to the application. AirPcap supports, for every device, multiple keys at the same time. The configured decryption keys are device-specific, therefore AirpcapGetDeviceKeys() will return a different set of keys when called on different devices. At this time, the only supported decryption method is WEP. Handle to an open adapter User-allocated PAirpcapKeysCollection structure that will be filled with the keys. - \b IN: pointer to a user-allocated variable that contains the length of the KeysCollection structure, in bytes. - \b OUT: amount of data moved by AirPcap in the buffer pointed by KeysBuffer, in bytes. TRUE if the operation is successful. If an error occurs, the return value is FALSE and KeysCollectionSize is zero. If the provided buffer is too small to contain the keys, the return value is FALSE and KeysCollectionSize contains the needed KeysCollection length, in bytes. If the device doesn't have any decryption key configured, the return value is TRUE, and KeysCollectionSize will be zero. Set the global list of decryption keys that AirPcap is going to use with all the devices. The AirPcap driver is able to use a set of decryption keys to decrypt the traffic transmitted on a specific SSID. 
If one of the keys corresponds to the one the frame has been encrypted with, the driver will perform decryption and return the cleartext frames to the application. This function sets the global set of keys. These keys will be used by all the devices plugged in the machine. At this time, the only supported decryption method is WEP. The keys are applied to the packets in the same order they appear in the KeysCollection structure until the packet is correctly decrypted, therefore putting frequently used keys at the beginning of the structure improves performance. \note When you change the set of keys from an open capture instance, the change will be immediately reflected on all the other capture instances. Handle to an open adapter Pointer to a \ref PAirpcapKeysCollection structure that contains the keys to be set globally. TRUE if the operation is successful. FALSE otherwise. Returns the global list of decryption keys that AirPcap is using with all the devices. This function returns the global set of keys. These keys will be used by all the devices plugged in the machine. The AirPcap driver is able to use a set of decryption keys to decrypt the traffic transmitted on a specific SSID. If one of the keys corresponds to the one the frame has been encrypted with, the driver will perform decryption and return the cleartext frames to the application. At this time, the only supported decryption method is WEP. Handle to an adapter User-allocated PAirpcapKeysCollection structure that will be filled with the keys. - \b IN: pointer to a user-allocated variable that contains the length of the KeysCollection structure, in bytes. - \b OUT: amount of data moved by AirPcap in the buffer pointed by KeysBuffer, in bytes. TRUE if the operation is successful. If an error occurs, the return value is FALSE and KeysCollectionSize is zero. 
If the provided buffer is too small to contain the keys, the return value is FALSE and KeysCollectionSize contains the needed KeysCollection length, in bytes. If no global decryption keys are configured, the return value is TRUE, and KeysCollectionSize will be zero. Turns on or off the decryption of the incoming frames with the device-specific keys. The device-specific decryption keys can be configured with the \ref AirpcapSetDeviceKeys() function. \note By default, the driver is configured with \ref AIRPCAP_DECRYPTION_ON. Handle to the adapter Either AIRPCAP_DECRYPTION_ON or AIRPCAP_DECRYPTION_OFF TRUE on success Tells if this open instance is configured to perform the decryption of the incoming frames with the device-specific keys. The device-specific decryption keys can be configured with the \ref AirpcapSetDeviceKeys() function. \note By default, the driver is configured with \ref AIRPCAP_DECRYPTION_ON. Handle to the adapter Pointer to a user supplied variable that will contain the decryption configuration. See \ref PAirpcapDecryptionState for details. TRUE if the operation is successful, FALSE otherwise Turns on or off the decryption of the incoming frames with the global set of keys. The global decryption keys can be configured with the \ref AirpcapSetDriverKeys() function. \note By default, the driver is configured with \ref AIRPCAP_DECRYPTION_ON. Handle to the adapter Either \ref AIRPCAP_DECRYPTION_ON or \ref AIRPCAP_DECRYPTION_OFF TRUE on success Tells if this open instance is configured to perform the decryption of the incoming frames with the global set of keys. The global decryption keys can be configured with the \ref AirpcapSetDriverKeys() function. \note By default, the driver is configured with \ref AIRPCAP_DECRYPTION_ON. Handle to the adapter Pointer to a user supplied variable that will contain the decryption configuration. See \ref PAirpcapDecryptionState for details. TRUE if the operation is successful. FALSE otherwise. 
Sets the radio channel of a device The list of available channels can be retrieved with \ref AirpcapGetDeviceSupportedChannels(). The default channel setting is 6. \note This is a device-related function: when you change the channel from an open capture instance, the change will be immediately reflected on all the other capture instances. Handle to the adapter The new channel to set TRUE on success Gets the radio channel of a device The list of available channels can be retrieved with \ref AirpcapGetDeviceSupportedChannels(). The default channel setting is 6. \note This is a device-related function: when you change the channel from an open capture instance, the change will be immediately reflected on all the other capture instances. Handle to the adapter Pointer to a user-supplied variable into which the function will copy the currently configured radio channel. TRUE on success Sets the channel of a device through its radio frequency. In case of 802.11n enabled devices, it sets the extension channel, if used. \note This is a device-related function: when you change the channel from an open capture instance, the change will be immediately reflected on all the other capture instances. Handle to the adapter The new channel information to set TRUE on success Gets the channel of a device through its radio frequency. In case of 802.11n enabled devices, it gets the extension channel, if in use. \note This is a device-related function: when you change the channel from an open capture instance, the change will be immediately reflected on all the other capture instances. Handle to the adapter Pointer to a user-supplied variable into which the function will copy the currently configured channel information. TRUE on success Gets the list of supported channels for a given device. In case of a 802.11n capable device, information related to supported extension channels is also reported. 
Every control channel is listed multiple times, one for each different supported extension channel. For example channel 6 (2437MHz) is usually listed three times: - Frequency 2437 Extension +1. Control channel is 6, extension channel is 10. - Frequency 2437 Extension 0. Control channel is 6, no extension channel is used (20MHz channel and legacy mode). - Frequency 2437 Extension -1. Control channel is 6, extension channel is 2. \note The supported channels are not listed in any specific order. Handle to the adapter Pointer to a user-supplied variable that will point to an array of supported channels. This list must not be freed by the caller Number of channels returned in the array TRUE on success Converts a frequency to the corresponding channel Frequency of the channel in MHz Pointer to a user-supplied variable that will contain the channel number on success Pointer to a user-supplied variable that will contain the band (a or b/g) of the given channel TRUE on success, i.e. the frequency corresponds to a valid a or b/g channel Converts a given channel to the corresponding frequency Because of the overlap of channels with respect to 1-14BG and 1-14A, this function will give precedence to BG. Thus, the channels are returned as follows: - Channel 0: 5000MHz - Channels 1-14: 2412MHz - 2484MHz - Channels 15-239: 5005MHz - 6195MHz - Channels 240-255: 4920MHz - 4995MHz Channel number to be converted Pointer to a user-supplied variable that will contain the channel frequency in MHz on success Sets the size of the kernel packet buffer for this adapter Every AirPcap open instance has an associated kernel buffer, whose default size is 1 Mbyte. This function can be used to change the size of this buffer, and can be called at any time. A bigger kernel buffer size decreases the risk of dropping packets during network bursts or when the application is busy, at the cost of higher kernel memory usage. \note Don't use this function unless you know what you are doing. 
Due to caching issues and bigger non-paged memory consumption, bigger buffer sizes can decrease the capture performance instead of improving it. Handle to the adapter New size in bytes TRUE on success Gets the size of the kernel packet buffer for this adapter Every AirPcap open instance has an associated kernel buffer, whose default size is 1 Mbyte. This function can be used to get the size of this buffer. Handle to the adapter User-allocated variable that will be filled with the size of the kernel buffer. TRUE on success Sets the power of the frames transmitted by adapter The transmit power value is monotonically increasing with higher power levels. 1 is the minimum allowed transmit power. \note The maximum transmit power on each channel is limited by FCC regulations. Therefore, the maximum transmit power changes from channel to channel. When the channel is changed with \ref AirpcapSetDeviceChannel() or \ref AirpcapSetDeviceChannelEx() the power is set to the maximum allowed value for that channel. You can read this value with \ref AirpcapGetTxPower(). Not all the AirPcap adapters support setting the transmit power; you can use \ref AirpcapGetDeviceCapabilities() to find if the current adapter supports this feature. Handle to the adapter The transmit power. Setting a zero power makes the adapter select the highest possible power for the current channel. TRUE on success. False on failure or if the adapter doesn't support setting the transmit power. Returns the current transmit power level of the adapter The transmit power value is monotonically increasing with higher power levels. 0 is the minimum allowed power. \note The maximum transmit power on each channel is limited by FCC regulations. Therefore, the maximum transmit power changes from channel to channel. When the channel is changed with \ref AirpcapSetDeviceChannel() or \ref AirpcapSetDeviceChannelEx() the power is set to the maximum allowed value for that channel. 
Not all the AirPcap adapters support setting the transmit power; you can use \ref AirpcapGetDeviceCapabilities() to find if the current adapter supports this feature. Handle to the adapter User-allocated variable that will be filled with the size of the transmit power TRUE on success, false on failure or if the adapter doesn't support getting the transmit power Saves the configuration of the specified adapter in the registry, so that it becomes the default for this adapter. Almost all the AirPcap calls that modify the configuration (\ref AirpcapSetLinkType(), \ref AirpcapSetFcsPresence(), \ref AirpcapSetFcsValidation(), \ref AirpcapSetKernelBuffer(), \ref AirpcapSetMinToCopy()) affect only the referenced AirPcap open instance. This means that if you do another \ref AirpcapOpen() on the same adapter, the configuration changes will not be remembered, and the new adapter handle will have default configuration settings. Exceptions to this rule are the \ref AirpcapSetDeviceChannel() and \ref AirpcapSetDeviceKeys() functions: a channel change is reflected on all the open instances, and remembered until the next call to \ref AirpcapSetDeviceChannel(), until the adapter is unplugged, or until the machine is powered off. Same thing for the configuration of the WEP keys. AirpcapStoreCurConfigAsAdapterDefault() stores the configuration of the given open instance as the default for the adapter: all the instances opened in the future will have the same configuration that this adapter currently has. The configuration is stored in the registry, therefore it is remembered even when the adapter is unplugged or the machine is turned off. However, an adapter doesn't bring its configuration with it from machine to machine. The configuration information saved in the registry includes the following parameters: - channel - kernel buffer size - mintocopy - link type - CRC presence - Encryption keys - Encryption Enabled/Disabled state The configuration is device-specific. 
This means that changing the configuration of a device doesn't modify the one of the other devices that are currently used or that will be used in the future. \note AirpcapStoreCurConfigAsAdapterDefault() must have exclusive access to the adapter -- it will fail if more than one AirPcap handle is opened at the same time for this device. AirpcapStoreCurConfigAsAdapterDefault() needs administrator privileges. It will fail if the calling user is not a local machine administrator. Handle to an adapter TRUE on success. FALSE on failure. Sets the BPF kernel filter for an adapter The AirPcap driver is able to perform kernel-level filtering using the standard BPF pseudo-machine format. You can read the WinPcap documentation at http://www.winpcap.org/devel.htm for more details on the BPF filtering mechanism. A filter can be automatically created by using the pcap_compile() function of the WinPcap API. This function converts a human readable text expression with the tcpdump/libpcap syntax into a BPF program. If your program doesn't link wpcap, but you need to generate the code for a particular filter, you can run WinDump with the -d or -dd or -ddd flags to obtain the pseudocode. Handle to the adapter pointer to the first BPF instruction in the array. Corresponds to the bf_insns in a bpf_program structure (see the WinPcap documentation at http://www.winpcap.org/devel.htm). \param Len Number of instructions in the array pointed by the previous field. Corresponds to the bf_len in a bpf_program structure (see the WinPcap documentation at http://www.winpcap.org/devel.htm). TRUE on success Returns the MAC address of a device Handle to the adapter Pointer to a user allocated \ref AirpcapMacAddress structure that will receive the MAC address on success. TRUE on success Sets the MAC address of a device Using this function, the programmer can change the MAC address of the device. 
This is useful when disabling monitor mode with \ref AirpcapSetDeviceMacFlags(), because the device will acknowledge the data frames sent to its MAC address. \note The address change is temporary: when the device is unplugged or when the host PC is turned off, the address is reset to the original value. Handle to the adapter Pointer to a user-initialized structure containing the MAC address TRUE on success. FALSE on failure, or if the adapter doesn't support changing the address. Sets the mintocopy parameter for an open adapter When the number of bytes in the kernel buffer changes from less than mintocopy bytes to greater than or equal to mintocopy bytes, the read event is signalled (see \ref AirpcapGetReadEvent()). A high value for mintocopy results in poor responsiveness since the driver may signal the application "long" after the arrival of the packet. And a high value results in low CPU loading by minimizing the number of user/kernel context switches. A low MinToCopy results in good responsiveness since the driver will signal the application close to the arrival time of the packet. This has higher CPU loading over the first approach. Handle to the adapter is the mintocopy size in bytes TRUE on success Gets an event that is signalled when packets are available in the kernel buffer (see \ref AirpcapSetMinToCopy()). \note The event is signalled when at least mintocopy bytes are present in the kernel buffer (see \ref AirpcapSetMinToCopy()). This event can be used by WaitForSingleObject() and WaitForMultipleObjects() to create blocking behavior when reading packets from one or more adapters (see \ref AirpcapRead()). Handle to the adapter Pointer to a user-supplied handle in which the read event will be copied. TRUE on success Fills a user-provided buffer with zero or more packets that have been captured on the referenced adapter. 802.11 frames are returned by the driver in buffers. Every 802.11 frame in the buffer is preceded by a \ref AirpcapBpfHeader structure. 
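
The read-buffer layout just described (every frame preceded by an AirpcapBpfHeader), walked with bounds checks and an FCS check, as an added example that is not code from SharpPcap or the AirPcap developer's pack. The field widths and byte order, the 4-byte alignment between records, the link type AIRPCAP_LT_802_11 with FCS inclusion on, and all function names are assumptions; the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed here, not stated on the page: little-endian fields, four 32-bit values
 * then a 16-bit header length, and records padded to a 4-byte boundary. */
#define HDR_MIN 18u   /* 4+4+4+4+2 bytes of header fields */
#define WORDALIGN(x) (((size_t)(x) + 3u) & ~(size_t)3u)

typedef struct {
    uint32_t ts_sec, ts_usec;   /* Seconds / Microseconds fields */
    uint32_t caplen, origlen;   /* bytes captured / on-line packet size */
    const uint8_t *data;        /* first captured byte, inside the read buffer */
} frame_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk a filled read buffer. Returns the number of frames stored in out,
 * or -1 when a header claims more bytes than the buffer holds. */
int walk_read_buffer(const uint8_t *buf, size_t len, frame_t *out, int max_out) {
    size_t off = 0;
    int n = 0;
    while (off < len && n < max_out) {
        size_t left = len - off;
        if (left < HDR_MIN) return -1;                 /* truncated header */
        const uint8_t *h = buf + off;
        uint32_t caplen = le32(h + 8);
        size_t hdrlen = (size_t)h[16] | (size_t)h[17] << 8;
        if (hdrlen < HDR_MIN || hdrlen > left) return -1;
        if (caplen > left - hdrlen) return -1;         /* data would run past the buffer */
        out[n].ts_sec = le32(h);
        out[n].ts_usec = le32(h + 4);
        out[n].caplen = caplen;
        out[n].origlen = le32(h + 12);
        out[n++].data = h + hdrlen;                    /* use the header length field, not sizeof */
        size_t step = WORDALIGN(hdrlen + caplen);
        off += step < left ? step : left;              /* last record may lack padding */
    }
    return n;
}

/* CRC-32 (IEEE 802.3 polynomial, reflected), the checksum used for the 802.11 FCS. */
uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 1 if the last 4 captured bytes match the CRC of the rest; 0 otherwise or if truncated. */
int fcs_ok(const frame_t *f) {
    if (f->caplen < 4 || f->caplen != f->origlen) return 0;
    return crc32_ieee(f->data, f->caplen - 4) == le32(f->data + f->caplen - 4);
}

/* Constructed record: 20-byte header (18 bytes of fields + 2 padding), body, FCS. */
static size_t put_record(uint8_t *dst, uint32_t sec, const uint8_t *body, uint32_t n) {
    size_t total = WORDALIGN(20u + n + 4u);
    memset(dst, 0, total);
    put32(dst, sec);
    put32(dst + 8, n + 4);       /* caplen */
    put32(dst + 12, n + 4);      /* origlen */
    dst[16] = 20;                /* hdrlen, low byte */
    memcpy(dst + 20, body, n);
    put32(dst + 20 + n, crc32_ieee(body, n));
    return total;
}

/* Constructed sample buffer with two made-up frame bodies; buf needs 68 bytes. */
size_t build_sample(uint8_t *buf) {
    static const uint8_t a[10] = { 0xd4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    static const uint8_t b[7] = { 0xc4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00 };
    size_t off = put_record(buf, 1, a, sizeof a);
    return off + put_record(buf + off, 2, b, sizeof b);
}

int main(void) {
    uint8_t buf[96];
    frame_t f[4];
    int n = walk_read_buffer(buf, build_sample(buf), f, 4);
    for (int i = 0; i < n; i++)
        printf("frame %d: caplen=%u fcs=%s\n", i, (unsigned)f[i].caplen,
               fcs_ok(&f[i]) ? "ok" : "bad");
    return n == 2 ? 0 : 1;
}
```
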
The suggested way to use an AirPcap adapter is through the pcap API exported by wpcap.dll. If this is not possible, the Capture_radio and Capture_no_radio examples in the AirPcap developer's pack show how to properly decode the packets in the read buffer returned by AirpcapRead(). \note This function is NOT blocking. Blocking behavior can be obtained using the event returned by \ref AirpcapGetReadEvent(). See also \ref AirpcapSetMinToCopy(). Handle to the adapter pointer to the buffer that will be filled with captured packets. size of the input buffer that will contain the packets, in bytes. Pointer to a user supplied variable that will receive the number of bytes copied by AirpcapRead. Can be smaller than BufSize. TRUE on success Transmits a packet The packet will be transmitted on the channel the device is currently set. To change the device adapter, use the \ref AirpcapSetDeviceChannel() function. If the link type of the adapter is AIRPCAP_LT_802_11, the buffer pointed by TxPacket should contain just the 802.11 packet, without additional information. The packet will be transmitted at 1Mbps. If the link type of the adapter is AIRPCAP_LT_802_11_PLUS_RADIO, the buffer pointed by TxPacket should contain a radiotap header followed by the 802.11 packet. AirpcapWrite will use the rate information in the radiotap header when transmitting the packet. If the link type of the adapter is AIRPCAP_LT_802_11_PLUS_PPI, the buffer pointed by TxPacket should contain a PPI header followed by the 802.11 packet. AirpcapWrite will use the rate information in the PPI header when transmitting the packet. If the packet should be transmitted at a 802.11n rate, the packet must include a PPI 802.11n MAC+PHY Extension header, containing the rate expressed in terms of MCS, short/long guard interval (SGI/LGI) and 20MHz or 40MHz channel. When the MAC+PHY Extension header is present, the rate field in the PPI 802.11-Common header is ignored. 
By default on 802.11n-capable AirPcap adapters, packets are transmitted with no A-MPDU aggregation. A-MPDU aggregation is controlled by the adapter, but it's possible to give a hint to the hardware to aggregate some packets by setting the "Aggregate" and "More aggregates" flags in the PPI 802.11n MAC+PHY extension header. Handle to the adapter Pointer to a buffer that contains the packet to be transmitted. Length of the buffer pointed by the TxPacket argument, in bytes TRUE on success Gets per-adapter WinPcap-compatible capture statistics. Handle to the adapter Pointer to a user-allocated AirpcapStats structure that will be filled with statistical information. TRUE on success Gets the number of LEDs the referenced adapter has available Handle to the adapter Number of LEDs available on this adapter Turns on one of the adapter's LEDs. Handle to the adapter Zero-based identifier of the LED to turn on Turns off one of the adapter's LEDs. Handle to the adapter Zero-based identifier of the LED to turn off. Gets the current value of the device counter used to timestamp packets. Handle to the adapter Pointer to a caller allocated 64bit integer that will receive the device timestamp, in microseconds. TRUE on success Device statistics Number of packets received Number of packets dropped Number of interface dropped packets Number of packets that pass the BPF filter, find place in the kernel buffer and therefore reach the application. ToString override Channel information Used by \ref AirpcapSetDeviceChannelEx(), \ref AirpcapGetDeviceChannelEx(), \ref AirpcapGetDeviceSupportedChannels() Channel frequency, in MHz UINT 802.11n specific. Offset of the extension channel in case of 40MHz channels. Possible values are -1, 0 +1: - -1 means that the extension channel should be below the control channel (e.g. 
Control = 5 and Extension = 1) - 0 means that no extension channel should be used (20MHz channels or legacy mode) - +1 means that the extension channel should be above the control channel (e.g. Control = 1 and Extension = 5) In case of 802.11a/b/g channels (802.11n legacy mode), this field should be set to 0. CHAR Channel Flags. The only flag supported at this time is \ref AIRPCAP_CIF_TX_ENABLED. UCHAR Reserved. It should be set to {0,0}. Capture statistics Returned by AirpcapGetStats() Number of packets that the driver received by the adapter from the beginning of the current capture. This value includes the packets dropped because of buffer full. Number of packets that the driver dropped from the beginning of a capture. A packet is lost when the buffer of the driver is full. Packets dropped by the card before going to the USB bus. Not supported at the moment. Number of packets that pass the BPF filter, find place in the kernel buffer and therefore reach the application. Device capabilities Returned by AirpcapGetDeviceCapabilities() An id that identifies the adapter model String containing a printable adapter model The type of bus the adapter is plugged to TRUE if the adapter is able to perform frame injection. TRUE if the adapter's transmit power can be specified by the user application. TRUE if the adapter supports plugging one or more external antennas. An OR combination of the media that the device supports. Possible values are: \ref AIRPCAP_MEDIUM_802_11_A, \ref AIRPCAP_MEDIUM_802_11_B, \ref AIRPCAP_MEDIUM_802_11_G or \ref AIRPCAP_MEDIUM_802_11_N. Not supported at the moment. An OR combination of the bands that the device supports. Can be one of: \ref AIRPCAP_BAND_2GHZ, \ref AIRPCAP_BAND_5GHZ. WEP key container Type of key, can be one of: \ref AIRPCAP_KEYTYPE_WEP, \ref AIRPCAP_KEYTYPE_TKIP, \ref AIRPCAP_KEYTYPE_CCMP. Only AIRPCAP_KEYTYPE_WEP is supported by the driver at the moment. Length of the key in bytes Key data frequency Band. 
802.11 adapters can support different frequency bands, the most important of which are: 2.4GHz (802.11b/g/n) and 5GHz (802.11a/n). Automatically pick the best frequency band 2.4 GHz frequency band 4 GHz frequency band 5 GHz frequency band Entry in the list returned by \ref AirpcapGetDeviceList(). Next element in the list struct _AirpcapDeviceDescription* Device name PCHAR Device description PCHAR Number of keys in the collection Packet header This structure defines the BPF that precedes every packet delivered to the application Timestamp associated with the captured packet. SECONDS. UINT Timestamp associated with the captured packet. MICROSECONDS. UINT Length of captured portion. The captured portion can be different from the original packet, because it is possible (with a proper filter) to instruct the driver to capture only a portion of the packets. Original length of packet UINT Length of bpf header (this struct plus alignment padding). In some cases, a padding could be added between the end of this structure and the packet data for performance reasons. This field can be used to retrieve the actual data of the packet. USHORT Structure used to read the free running counter on a device This structure contains the current value of the counter used by the device to timestamp packets (when the hardware supports hardware timestamps). This structure also contains the value of the software counter (used to timestamp packets in software), before and after the hardware counter is read on the device. Current value of the device counter, in microseconds. Value of the software counter used to timestamp packets before reading the device counter, in microseconds. Value of the software counter used to timestamp packets after reading the device counter, in microseconds. Type of frame validation the adapter performs. An adapter can be instructed to accept different kind of frames: correct frames only, frames with wrong Frame Check Sequence (FCS) only, all frames. 
Accept all the frames the device captures Accept correct frames only, i.e. frames with correct Frame Check Sequence (FCS). Accept corrupt frames only, i.e. frames with wrong Frame Check Sequence (FCS). Unknown validation type. You should see it only in case of error. Version Returns the version in separate fields Returns the version in a.b.c.d format List of available capture devices Represents a strongly typed, read-only list of PcapDevices. The name or description of the pcap interface to get. Method to retrieve this class's singleton instance Caution: Use the singleton instance unless you know why you need to call this. One use is for multiple filters on the same physical device. To apply multiple filters open the same physical device multiple times, one for each filter by calling this routine and picking the same device out of each list. A Retrieve a list of the current devices A Refresh the device list General Pcap Exception. A wrapper for libpcap's pcap_pkthdr structure A wrapper class for libpcap's pcap_pkthdr structure Constructs a new PcapHeader The seconds value of the packet's timestamp The microseconds value of the packet's timestamp The actual length of the packet The length of the capture DateTime(1970, 1, 1).Ticks, saves cpu cycles in the Date property The seconds value of the packet's timestamp The microseconds value of the packet's timestamp The length of the packet on the line The bytes actually captured. If the capture length is small CaptureLength might be less than PacketLength Return the DateTime value of this pcap header Get a PcapHeader structure from a pcap_pkthdr pointer. 
Marshal this structure into the platform dependent version and return an IntPtr to that memory NOTE: IntPtr MUST BE FREED via Marshal.FreeHGlobal() A Constants and static helper methods Represents the infinite number for packet captures Returns the pcap version string retrieved via a call to pcap_lib_version() Helper class/method to retrieve the version of the SharpPcap assembly Returns the current version string of the SharpPcap library the current version string of the SharpPcap library Item in a list of interfaces. Representation of an interface address. Structure used by kernel to store a generic address Look at the sa_family value to determine which specific structure to use 'struct sockaddr' Structure that holds an ipv4 address Structure that holds an ipv4 address 'struct sockaddr' Structure that holds an ipv6 address NOTE: we cast the 'struct sockaddr*' to this structure based on the sa_family type 'struct sockaddr_in6' Structure to represent a low level address, like a hardware address Windows and Unix differ in their memory models and make it difficult to support struct timeval in a single library, like this one, across multiple platforms. See http://en.wikipedia.org/wiki/64bit#Specific_data_models The issue is that struct timeval { long tv_sec; long tv_usec; } has different sizes on Linux 32 and 64bit but the same size on Windows 32 and 64 bit Thanks to Jon Pryor for his help in figuring out both the issue with Linux 32/64bit and the issue between Windows and Unix Windows version of struct timeval, the longs are 32bit even on 64-bit versions of Windows Each packet in the dump file is prepended with this generic header. This gets around the problem of different headers for different packet interfaces. Each packet in the dump file is prepended with this generic header. This gets around the problem of different headers for different packet interfaces. 
Packet data bytes NOTE: This struct doesn't exist in header files, it is a construct to map to an unmanaged byte array A BPF pseudo-assembly program for packet filtering A queue of raw packets that will be sent to the network with pcap_sendqueue_transmit() Define the return values from int pcap_stats() Unix version of 'struct pcap_stat' Uses the same trick as timeval_unix Packets received Packets dropped Drops by interface (maybe not yet supported) Windows version of 'struct pcap_stat' Packets received Packets dropped Drops by interface (maybe not yet supported) Packets that reach the application WIN32 only, based on struct pcap_stat in pcap.h Per http://msdn.microsoft.com/en-us/ms182161.aspx The delegate declaration for PcapHandler requires an UnmanagedFunctionPointer attribute. Without this it fires for one time and then throws null pointer exception Open a file to write packets. Save a packet to disk. close the files associated with p and deallocates resources. To avoid callback, this returns one packet at a time Send a raw packet.
This function sends a raw packet to the network. The MAC CRC doesn't need to be included, because it is transparently calculated and added by the network interface driver.
the interface that will be used to send the packet contains the data of the packet to send (including the various protocol headers) the dimension of the buffer pointed by data 0 if the packet is successfully sent, -1 otherwise.
Compile a packet filter, converting a high level filtering expression (see Filtering expression syntax) into a program that can be interpreted by the kernel-level filtering engine. Free up allocated memory pointed to by a bpf_program struct generated by pcap_compile() return the error text pertaining to the last pcap library error. Returns a pointer to a string giving information about the version of the libpcap library being used; note that it contains more information than just a version number. return the standard I/O stream of the 'savefile' opened by pcap_dump_open(). Flushes the output buffer to the 'savefile', so that any packets written with pcap_dump() but not yet written to the 'savefile' will be written. -1 is returned on error, 0 on success. Closes a savefile. Return the link layer of an adapter. Set nonblocking mode. pcap_loop() and pcap_next() don't work in nonblocking mode! Get nonblocking mode, always returns 0 for savefiles. Read packets until cnt packets are processed or an error occurs. 
Retrieves a selectable file descriptor A A Fills in the pcap_stat structure passed to the function based on the pcap_t adapter A A A Returns the snapshot length A A Returns the file descriptor number from which captured packets are read, if a network device was opened with pcap_create() and pcap_activate() or with pcap_open_live(), or -1, if a ``savefile'' was opened with pcap_open_offline() Libpcap specific method A A Base class for all pcap devices Thread that is performing the background packet capture Flag that indicates that a capture thread should stop If Environment.OSVersion.Platform is unix and MonoUnixFound is true then we can support proper termination of the capture loop A Low level interface object that contains device specific information Handle to a pcap adapter, not equal to IntPtr.Zero if an adapter is open Number of packets that this adapter should capture Cached open and linkType variables, avoids a unsafe pointer comparison and a pinvoke call for each packet retrieved as MarshalRawPacket retrieves the LinkType Fires whenever a new packet is processed, either when the packet arrives from the network device or when the packet is read from the on-disk file.
For network captured packets this event is invoked only when working in "PcapMode.Capture" mode.
Fired when the capture process of this pcap device is stopped Return a value indicating if the capturing process of this adapter is started Maximum time within which the capture thread must join the main thread (on ) or else the thread is aborted and an exception thrown. Device name Description Implemented because there isn't any way to perform if(OnPacketArrival == null) isn't permitted outside of the containing class this operation results in a CS0070 compile error A Low level pcap device values Return a value indicating if this adapter is opened The underlying pcap device handle The last pcap error associated with this pcap device Link type in terms of PacketDotNet.LinkLayers Retrieves pcap statistics A Mac address of the physical device Kernel level filtering expression associated with this device. For more info on filter expression syntax, see: http://www.winpcap.org/docs/docs31/html/group__language.html Setup the reflection type and methodinfo for invocation of Mono.Unix.Native.Syscall.poll() to avoid timeouts when stopping the capture thread Starts the capturing process via a background thread OnPacketArrival() will be called for each captured packet Stops the capture process Throws an exception if the stop capture timeout is exceeded and the capture thread was aborted Synchronously capture packets on this device. Method blocks forever. Synchronously captures packets on this network device. This method will block until capturing is finished. The number of packets to be captured. -1 means capture indefinitely The capture thread Retrieve the last error string for a given pcap_t* device A A Open the device with class specific options Open the device. To start capturing call the 'StartCapture' function A Open the device. 
To start capturing call the 'StartCapture' function A A Closes this adapter Notify the OnPacketArrival delegates about a newly captured packet A Notify the delegates that are subscribed to the capture stopped event A Gets the next packet captured on this device The next packet captured on this device Gets the next packet captured on this device A A that contains the result code Gets pointers to the next PCAP header and packet data. Data is only valid until next call to GetNextPacketNative. Advanced use only. Intended to allow unmanaged code to avoid the overhead of marshalling PcapHeader and packet contents to allocated memory. Pcap_loop callback method. Convert an unmanaged packet into a managed PacketDotNet.RawPacket A A A Assign a filter to this device given a filterExpression The filter expression to compile or unmanaged memory will be leaked Free memory allocated in CompileFilter() A Returns true if the filter expression was able to be compiled into a program without errors Sends a raw packet through this device The packet to send Sends a raw packet through this device The packet to send The number of bytes to send Sends a raw packet through this device The packet bytes to send Sends a raw packet through this device The packet bytes to send The number of bytes to send Helper method for checking that the adapter is open, throws an exception with a string of ExceptionString if the device isn't open A Override the default ToString() implementation A Managed representation of the unmanaged pcap_addr structure The address value of this PcapAddress, null if none is present Netmask of this PcapAddress, null if none is present Broadcast address of this PcapAddress, null if none is present Destination address, null if the interface isn't a point-to-point interface ToString override A Container class that represents either an ip address or a mac address An analog to the 'sockaddr_' series of structures Create a Sockaddr from a PhysicalAddress which is presumed to be a 
hardware address A Types of addresses a Sockaddr can represent Address represents an ipv4 or ipv6 address Address represents a physical hardware address, e.g. an ethernet mac address Unknown address type Address type represented by this Sockaddr If type == AF_INET_AF_INET6 If type == HARDWARE Address family ToString override A managed version of struct pcap_if NOTE: we can't use pcap_if directly because the class contains a pointer to pcap_if that will be freed when the device memory is freed, so instead convert the unmanaged structure to a managed one to avoid this issue Name of the interface. Used internally when passed to pcap_open_live() Human readable interface name derived from System.Net.NetworkInformation.NetworkInterface.Name Text description of the interface as given by pcap/winpcap Gateway address of this device NOTE: May only be available on Windows Addresses associated with this device Pcap interface flags MacAddress of the interface ToString override A A PcapDevice or dumpfile is not ready for capture operations. Adapter statistics, received, dropped packet counts etc Retrieve pcap statistics from the adapter pcap_t* for the adapter A Number of packets received Number of packets dropped Number of interface dropped packets ToString override A Exception thrown when a WinPcap extension method is called from a non-Windows platform string constructor A A delegate for Packet Arrival events A delegate for notifying of a capture stopped event The mode used when opening a device Promiscuous mode. Instructs the OS that we want to receive all packets, even those not intended for the adapter. On non-switched networks this can result in a large amount of additional traffic. 
NOTE: Devices in this mode CAN be detected via the network Not promiscuous mode Capture event arguments Constructor A A Packet that was captured Device this EventArgs was generated for Resolves MAC addresses from IP addresses using the Address Resolution Protocol (ARP) Constructs a new ARP Resolver The network device on which this resolver sends its ARP packets Timeout for a given call to Resolve() Resolves the MAC address of the specified IP address. The 'DeviceName' property must be set prior to using this method. The IP address to resolve The MAC address that matches to the given IP address Resolves the MAC address of the specified IP address The IP address to resolve The local IP address from which to send the ARP request, if null the local address will be discovered The local MAC address to use, if null the local mac will be discovered The MAC address that matches to the given IP address or null if there was a timeout Status types when capture is stopped Capture completed without errors Error while capturing Thrown when an operation can't be performed because a background capture has been started via PcapDevice.StartCapture() string constructor A Per http://msdn.microsoft.com/en-us/ms182161.aspx Extended pcap_open() method that is WinPcap specific that provides extra flags and functionality See http://www.winpcap.org/docs/docs_40_2/html/group__wpcapfunc.html#g2b64c7b6490090d1d37088794f1f1791 A A A A A A A Create a list of network devices that can be opened with pcap_open(). Set the working mode of the interface p to mode. Valid values for mode are MODE_CAPT (default capture mode) and MODE_STAT (statistical mode). See the tutorial "\ref wpcap_tut9" for details about statistical mode. WinPcap specific method WinPcap specific method for setting the kernel buffer size associated with this adapter. The old buffer is discarded when the buffer size is changed. 
See http://www.winpcap.org/docs/docs_40_2/html/group__wpcapfunc.html A A A changes the minimum amount of data in the kernel buffer that causes a read from the application to return (unless the timeout expires) See http://www.winpcap.org/docs/docs_412/html/group__wpcapfunc.html#gab14ceacbf1c2f63026416dd73f80dc0d A A A Returns the AirPcap handler associated with an adapter. This handler can be used to change the wireless-related settings of the CACE Technologies AirPcap wireless capture adapters. Note: THIS FUNCTION SHOULD BE CONSIDERED PROVISIONAL, AND MAY BE REPLACED IN THE FUTURE BY A MORE COMPLETE SET OF FUNCTIONS FOR WIRELESS SUPPORT. pcap_get_airpcap_handle() obtains the airpcap handle of an open adapter. This handle can be used with the AirPcap API functions to perform wireless-related operations, e.g. changing the channel or enabling WEP decryption. For more details about the AirPcap wireless capture adapters, see http://www.cacetech.com/products/airpcap.html Parameters: p,: handle to an open libpcap adapter Returns: a PAirpcapHandle pointer to an open AirPcap handle, used internally by the libpcap open adapter. NULL if the libpcap adapter doesn't have wireless support through AirPcap. Allocate a send queue. The size of the queue A pointer to the allocated buffer Destroy a send queue. A pointer to the queue start address Add a packet to a send queue. A pointer to a queue The pcap header of the packet to send The packet data Send a queue of raw packets to the network. determines if the send operation must be synchronized: if it is non-zero, the packets are sent respecting the timestamps, otherwise they are sent as fast as possible The amount of bytes actually sent. If it is smaller than the size parameter, an error occurred during the send. The error can be caused by a driver/adapter problem or by an inconsistent/bogus send queue. 
Interface to the WinPcap send queue extension methods Creates and allocates a new SendQueue The maximum amount of memory (in bytes) to allocate for the queue The current length in bytes of this queue Add a packet to this send queue. The PcapHeader defines the packet length. The packet bytes to add The pcap header of the packet True if success, else false Add a packet to this send queue. The packet bytes to add The pcap header of the packet True if success, else false Add a packet to this send queue. The packet bytes to add True if success, else false Add a packet to this send queue. The packet to add True if success, else false Add a packet to this send queue. The packet to add The 'seconds' part of the packet's timestamp The 'microseconds' part of the packet's timestamp True if success, else false Send a queue of raw packets to the network. The device on which to send the queue A A A Destroy the send queue. The types of transmit modes allowed by the WinPcap specific send queue implementation Packets are sent as fast as possible Packets are synchronized in the kernel with a high precision timestamp Event that contains statistics mode data NOTE: WinPcap only Constructor for a statistics mode event A A Statistics data for this event A delegate for delivering network statistics when using winpcap in statistics mode Holds network statistics entry from winpcap when in statistics mode See http://www.winpcap.org/docs/docs_41b5/html/group__wpcap__tut9.html This holds byte received and packets received This holds time value Number of packets received since last sample Number of bytes received since last sample The mode used when opening a device Defines if the adapter has to go in promiscuous mode. Defines if the data transfer (in case of a remote capture) has to be done with UDP protocol. Defines if the remote probe will capture its own generated traffic. Defines if the local adapter will capture its own generated traffic. 
This flag configures the adapter for maximum responsiveness. Interfaces for capture devices Fires whenever a new packet is processed, either when the packet arrives from the network device or when the packet is read from the on-disk file.
For network captured packets this event is invoked only when working in "PcapMode.Capture" mode.
Fired when the capture process of this pcap device is stopped Gets the name of the device Description of the device The last pcap error associated with this pcap device Kernel level filtering expression associated with this device. For more info on filter expression syntax, see: http://www.winpcap.org/docs/docs31/html/group__language.html Retrieves pcap statistics Mac address of the physical device Return a value indicating if the capturing process of this adapter is started Maximum time within which the capture thread must join the main thread (on ) or else the thread is aborted and an exception thrown. Return the pcap link layer value of an adapter. Opens the adapter Open the device. To start capturing call the 'StartCapture' function A Open the device. To start capturing call the 'StartCapture' function A A Closes this adapter Start the capture Stop the capture Synchronously capture packets on this device. Method blocks forever. Retrieves the next packet from a device Gets pointers to the next PCAP header and packet data. Data is only valid until next call to GetNextPacketNative. Advanced use only. Intended to allow unmanaged code to avoid the overhead of marshalling PcapHeader and packet contents to allocated memory. Sends a raw packet through this device The packet to send Sends a raw packet through this device The packet to send The number of bytes to send Sends a raw packet through this device The packet bytes to send Sends a raw packet through this device The packet bytes to send The number of bytes to send WinPcap device Constructs a new PcapDevice based on a 'pcapIf' struct A 'pcapIf' struct representing the pcap device Fires whenever a new pcap statistics is available for this Pcap Device.
For network captured packets this event is invoked only when working in "PcapMode.Statistics" mode.
WinPcap specific property Set the kernel value buffer size in bytes WinPcap extension Set the minimum amount of data (in bytes) received by the kernel in a single call. WinPcap extension Starts the capturing process via a background thread OnPacketArrival() will be called for each captured packet NOTE: Winpcap devices can capture packets or statistics updates so only if both a packet handler AND a statistics handler are defined will an exception be thrown Open the device Open A A A Open a device with specific flags WinPcap extension - Use of this method will exclude your application from working on Linux or Mac Close the device Notify the OnPacketArrival delegates about a newly captured packet A Sends all packets in a 'PcapSendQueue' out this pcap device A A A Helper method for ensuring we are running in winpcap. Throws a PcapWinPcapRequiredException() if not on a windows platform thrown when pcap_stats() reports an error string constructor A The working mode of a Pcap device Set a Pcap device to capture packets, Capture mode Set a Pcap device to report statistics.
Statistics mode is only supported in WinPcap
WinPcap specific unmanaged structures Struct to specify Remote Address using rpcapd.exe, WinPcap's Remote Packet Capture Daemon NOTE: IntPtr used to ensure that the correct data size is used depending on the platform being used, 32bits on a 32bit machine, 64bits on a 64bit machine Auth Type, 0=Null, 1= Password Username Password Remote authentication type and parameters Constructor A A A Type of authentication Username Password Converts this structure to an unmanaged IntPtr. Should be freed with Marshal.FreeHGlobal(IntPtr); A Types of authentication Null authentication Username/password authentication Link type plain 802.11 link type. Every packet in the buffer contains the raw 802.11 frame, including MAC FCS. 802.11 plus radiotap link type. Every packet in the buffer contains a radiotap header followed by the 802.11 frame. MAC FCS is included. Unknown link type, should be seen only in error 802.11 plus PPI header link type. Every packet in the buffer contains a PPI header followed by the 802.11 frame. MAC FCS is included. Adapter statistics, received, dropped packet counts etc Number of packets received Number of packets dropped Number of interface dropped packets Remote adapter list Represents a strongly typed, read-only list of PcapDevices. Port used by rpcapd by default The name or description of the pcap interface to get. Method to retrieve this class's singleton instance Caution: Use the singleton instance unless you know why you need to call this. One use is for multiple filters on the same physical device. To apply multiple filters open the same physical device multiple times, one for each filter by calling this routine and picking the same device out of each list. 
A Retrieve the local devices Refresh the device list Capture live packets from a network device Constructs a new PcapDevice based on a 'pcapIf' struct A 'pcapIf' struct representing the pcap device Default constructor for subclasses Gets the pcap name of this network device Addresses that represent this device Gets the pcap description of this device Interface flags, see pcap_findalldevs() man page for more info True if device is a loopback interface, false if not Set/Get Non-Blocking Mode. always returns false for savefiles. Retrieves pcap statistics A PcapDevice finalizer. Ensure PcapDevices are stopped and closed before exit. Open the device with default values of: promiscuous_mode = false, read_timeout = 1000 To start capturing call the 'StartCapture' function Open the device. To start capturing call the 'StartCapture' function A Open the device. To start capturing call the 'StartCapture' function A A Sends a raw packet through this device The packet bytes to send The number of bytes to send List of available Pcap Interfaces. Represents a strongly typed, read-only list of PcapDevices. The name or description of the pcap interface to get. Method to retrieve this class's singleton instance Caution: Use the singleton instance unless you know why you need to call this. One use is for multiple filters on the same physical device. To apply multiple filters open the same physical device multiple times, one for each filter by calling this routine and picking the same device out of each list. A Retrieve a list of the current PcapDevices A Refresh the device list Represents a raw captured packet Constructor A A A Fetch data portion of the packet. Data as a class field vs. a virtual property improves performance significantly. 
~2.5% when parsing the packet with Packet.Net and ~20% when reading each byte of the packet Link layer from which this packet was captured The unix timeval when the packet was created Output this packet as a readable string POSIX.4 timeval Constructor with Seconds and MicroSeconds fields A A Construct a PosixTimeval using the current UTC time Number of seconds in the timeval Number of microseconds in the timeval The timeval as a DateTime in Utc Equals override A A GetHashCode override A Convert the timeval to a string like 'SECONDS.MICROSECONDSs' A Compare this to another A A Operator < overload A A A Operator > overload A A A Operator <= A A A Operator >= A A A Operator == A A A Operator != A A A Read a pcap capture file A The name of the capture file Description of the device Number of bytes in the capture file The underlying pcap file name Retrieves pcap statistics A Open the device Create or write to a pcap capture file NOTE: Appending to a capture file is not currently supported Constructor A Constructor A A Constructor A A Constructor A A A Constructor A A A A Handle to an open dump file, not equal to IntPtr.Zero if a dump file is open Whether dump file is open or not A The name of the capture file Description of the device Retrieves pcap statistics A Close the capture file Open the device Writes a packet to the pcap dump file associated with this device. Writes a packet to the pcap dump file associated with this device. The packet to write Writes a packet to the pcap dump file associated with this device. The packet to write Thrown when a method not supported on a capture file string constructor A