
I'm interested in making a C# program that can capture network traffic from an Android device. Using ADB, I'm able to forward traffic from the device to Windows standard output. Then the output is forwarded to Wireshark, which is pre-configured to listen to standard output.

Below are the commands I'm using, in case someone else needs them.

In the first CMD window:

adb shell "tcpdump -n -s 0 -w - | nc -l 11233"

In the second CMD window:

adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | wireshark -k -S -i -

Here is my question.

I'm using SharpPcap to capture network traffic in my program. Currently, I'm able to get packets from my network adapter, i.e. Ethernet or WiFi. But as you can see, network traffic is forwarded from the Android device to standard output after this command:

adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233

And the output of this command will be the input of the following one, as Wireshark is configured to listen to standard output by "-i -".

Each time the 2 above commands are executed, one instance of a Wireshark window is opened to capture packets. This could not be applied to my program.

The idea is to open a form using SharpPcap to capture packets from standard output.

Does anyone know how to do this? Any other idea is also welcome.

Thanks a lot!!!

I'm the author of SharpPcap. Do you know what format is used for the stdout passed to Wireshark? If you did, you could make a C# application that would receive those and pass those along to PacketDotNet for parsing. – Chris Morgan

Hi Chris. The packet format is exactly the same as the case where you capture traffic from your LAN. As you can see, stdout is passed directly to Wireshark and can be decoded and displayed in Wireshark as normal network traffic. If I can get one packet at a time, I guess PacketDotNet could help to parse. But in this situation, I couldn't use ICaptureDevice from SharpPcap to get a RawCapture using GetNextPacket(), since there's no device here but capturing from STDOUT. Do you have any suggestion? Thanks. – Viet-Anh Dinh

@ChrisMorgan: I have a byte array containing all packets read from STDOUT. I checked several times and my byte array has the same format as a pcap log. I guess it could be decoded by using PacketDotNet. Any advice? – Viet-Anh Dinh

I don't see a good way to get data coming in from stdin routed to pcap. It doesn't look like doing a pcap_open_offline() would accept the file descriptor for stdin. Looking at github.com/wireshark/wireshark/blob/… it looks like that file parses the pcap format manually. I also don't see anything in the pcap man page that looks like it could work here. Thoughts? – Chris Morgan

Hi. I found my way to capture packets from stdout. 1. Save all output in stdout into a Queue<byte>. 2. Extract bytes from that queue, convert to hex, decode time of arrival, length & payload of a packet from the hex. 3. Then use Packet.Net to do the rest. I have tried, but there are some exceptions in handling the queue. Will post my code here when the exceptions are fixed. – Viet-Anh Dinh
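The approach sketched in the last comment (read the raw pcap byte stream, frame it into records, hand each record to PacketDotNet), written out as an added example. This is not code from SharpPcap, PacketDotNet or the poster; it assumes the PacketDotNet package is referenced, and the class names PcapStreamReader and PcapRecord are mine. It replaces `wireshark -k -S -i -` at the end of the pipeline, consuming the stream that `nc 127.0.0.1 11233` writes, and handles both byte orders and both timestamp precisions of the pcap header rather than only the one tcpdump on the device happens to produce.

```csharp
// Added example (not SharpPcap/PacketDotNet project code): frame a pcap
// byte stream, such as the one "tcpdump -w -" emits over nc, into packets
// and hand each one to PacketDotNet. Assumes the PacketDotNet package is
// referenced. Usage: adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | Program.exe
using System;
using System.Collections.Generic;
using System.IO;
using PacketDotNet;

class PcapRecord
{
    public DateTime Timestamp;   // UTC time of arrival from the record header
    public uint OriginalLength;  // length on the wire (may exceed Data.Length if snaplen < 0)
    public byte[] Data;          // captured bytes
}

// Reads the 24-byte global header, then 16-byte record headers followed by payloads.
class PcapStreamReader
{
    readonly Stream _s;
    bool _swap;   // stream byte order differs from this machine's
    bool _nanos;  // fractional timestamps are nanoseconds, not microseconds
    public uint LinkType { get; private set; }

    public PcapStreamReader(Stream s)
    {
        _s = s;
        byte[] hdr = ReadExactly(24) ?? throw new EndOfStreamException("no pcap header");
        uint magic = BitConverter.ToUInt32(hdr, 0);
        switch (magic)
        {
            case 0xa1b2c3d4: break;                              // host order, microseconds
            case 0xd4c3b2a1: _swap = true; break;                // swapped order, microseconds
            case 0xa1b23c4d: _nanos = true; break;               // host order, nanoseconds
            case 0x4d3cb2a1: _swap = true; _nanos = true; break; // swapped order, nanoseconds
            default: throw new InvalidDataException($"not pcap: magic 0x{magic:x8}");
        }
        LinkType = U32(hdr, 20);   // e.g. 1 = Ethernet, 113 = Linux cooked capture (tcpdump -i any)
    }

    // Blocks until count bytes have arrived; null means the stream ended.
    byte[] ReadExactly(int count)
    {
        var buf = new byte[count];
        int got = 0;
        while (got < count)
        {
            int n = _s.Read(buf, got, count - got);
            if (n <= 0) return null;
            got += n;
        }
        return buf;
    }

    uint U32(byte[] b, int off)
    {
        uint v = BitConverter.ToUInt32(b, off);
        if (!_swap) return v;
        return (v >> 24) | ((v >> 8) & 0x0000FF00) | ((v << 8) & 0x00FF0000) | (v << 24);
    }

    public IEnumerable<PcapRecord> Records()
    {
        byte[] rh;
        while ((rh = ReadExactly(16)) != null)
        {
            uint sec = U32(rh, 0), frac = U32(rh, 4), inclLen = U32(rh, 8), origLen = U32(rh, 12);
            // A bogus length means we lost sync with the stream; stop rather than
            // allocate a huge buffer (tcpdump's own snaplen ceiling is 262144 bytes).
            if (inclLen > 262144) throw new InvalidDataException("record length implausible");
            byte[] data = ReadExactly((int)inclLen);
            if (data == null) yield break;   // truncated final record
            long ticks = _nanos ? frac / 100 : (long)frac * 10;   // 1 tick = 100 ns
            yield return new PcapRecord
            {
                Timestamp = DateTimeOffset.FromUnixTimeSeconds(sec).UtcDateTime.AddTicks(ticks),
                OriginalLength = origLen,
                Data = data,
            };
        }
    }
}

static class Program
{
    static void Main()
    {
        using (Stream stdin = Console.OpenStandardInput())
        {
            var reader = new PcapStreamReader(stdin);
            foreach (PcapRecord rec in reader.Records())
            {
                // PacketDotNet decodes the link-layer frame and everything above it.
                Packet packet = Packet.ParsePacket((LinkLayers)reader.LinkType, rec.Data);
                Console.WriteLine($"{rec.Timestamp:O} {rec.Data.Length}/{rec.OriginalLength} bytes: {packet}");
            }
        }
    }
}
```

Because PcapStreamReader takes any Stream, a WinForms version of the program can skip nc entirely: after `adb forward tcp:11233 tcp:11233`, pass `new TcpClient("127.0.0.1", 11233).GetStream()` to the reader on a background thread and marshal each decoded packet to the form. Reads block until a whole record has arrived, which is exactly the framing the Queue<byte> approach in the comment has to reproduce by hand.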

1 Answer

Can you create a fifo using mkfifo and have nc write to the fifo instead of to stdout? Then just have wireshark read from the fifo instead of from stdin? Something like:

mkfifo sharkfin
wireshark -k -S -i sharkfin &
adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 > sharkfin

In case wireshark stops capturing and you don't want it to, you can also issue the following command just after launching wireshark to ensure that wireshark never receives EOF.

cat > sharkfin &