在.NET中创建有效的数据包嗅探器 [英] Creating an effective packet sniffer in .NET
问题描述
尽管该定义可能有点不准确,但我正在寻求创建所谓的代理.
I'm looking to create what I call a proxy, although that definition is probably somewhat inaccurate.
通常,您会遇到类似这样的事情:
Typically, you have something like this:
Client --------- Server
我想做的是引入一个没有新层的代理,像这样:
What I want to do is introduce a proxy, without a new layer, like this:
Client ----+---- Server
|
Proxy
我不想要这个:
Client---Proxy---Server
我知道WinPCap可以做到这一点,但据我所知,这是一个文献不足的主题.
I understand that WinPCap does something similar to this, but it's an under documented subject as far as I can see.
到目前为止,我已经尝试了一些方法,最值得注意的是,在与客户端相同的端口上侦听消息.这导致的结果仅是从随机应用程序接收到大量的垃圾数据包(尽管在特定端口上进行侦听).尽管我相信经过一些小的修改,现在我发现了正确的数据,但我找不到很多建议可以说明我正在读取正确的数据.
So far I've tried a few things, most notably listening on the same port as the client for messages. This resulted in little more than receiving a load of crap packets from random applications (in spite of listening on a specific port). I couldn't find a lot to suggest I was reading the correct data, although I believe I have found that now, after making some minor modifications.
有人知道反对使用此方法的任何原因吗?还是有一些更可持续的方式做到这一点?
Does anyone know of any reason against using this method? Or is there some more sustainable way of doing it?
推荐答案
您需要所谓的Raw Socket访问(并使用可将所有数据包发送到网络适配器的集线器或交换机).您还希望网卡处于所谓的混杂模式",在这种模式下,它可以接收所有数据包,而无需在MAC地址上进行过滤.
You want what is called Raw Socket access (and use a hub or a switch that can send all the packets to your network adapter). You also want your network card in what is called "promiscuous mode", where it takes in all packets without filtering on MAC-address.
当您都通过网络获取流量并且网络适配器将其未经过滤地接收时,您的程序将获取与网络上发送的数据包完全相同的所有数据包(尽管您必须确保操作系统的TCP-UDP/IP堆栈不会潜入您想听的TCP数据包中,但是如果您针对其他两台计算机进行配置,那将不是问题.
When you both get the traffic on the wire and your network adapter takes them in unfiltered, your program will get all the packets exactly as they are sent on the network (although you have to make sure you OS's TCP-UDP/IP stack doesn't sneak in an pick up TCP packets you would want to listen to, but if you target two other computers configuration that would not be a problem.
我不确定Windows能否做到这一点,但是无论如何.
I'm not sure how well windows does this, but anyway.
获取数据包时,必须读取以太网标头(并且可以基于目标mac地址进行过滤),然后必须选择IP数据包以及TCP/UDP数据包并放置它们以从流量中获得合理的收益.并不是很轻松,但是也很不可能.
When you get the packets, you have to read the ethernet headers (and you can filter based on the targets mac addresses), and then you have to pick out the IP-packets, as well as the TCP/UDP-packets and put them in order to get something reasonable out of the traffic. Not super-easy, but far from impossible either.
这篇关于在.NET中创建有效的数据包嗅探器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
