嗅探本地网络上 android 设备的 TCP 数据包
Sniffing TCP packets of an android device on local network
我正在使用 C# 和 PcapDotNet 编写数据包嗅探器,我已经成功实现了该功能并且能够从我的笔记本电脑捕获所有 TCP 数据包,问题是如果我瞄准我的 android 设备我根本没有收到任何数据包,
我是网络初学者,所以我想我可能遗漏了一些东西。
这是我的数据包处理程序代码,我正在使用带有模型对象的 ObjectListView,其中包含我想要列出的所有信息,而且我的网络适配器处于混杂模式,带有 Berkeley 过滤器以仅获取 TCP端口号为 443 和 80 的数据包,其中包含来自特定 Mac 地址
的数据(无 SYN、FIN、仅 ACK 数据包)
代码:
private void PacketHandler(PcapDotNet.Packets.Packet packet)
{
if (packet == null) { return; }
if (packet.Ethernet == null) { return; }
if (packet.Ethernet.IpV4 == null) { return; }
if (packet.Ethernet.IpV4.Tcp == null) { return; }
if (packet.Ethernet.IpV4.Tcp.Http == null) { return; }
var acpacket = new AcceptedPacket(); //Model Object
acpacket.Packet = packet;
try
{
HttpDatagram http = packet.Ethernet.IpV4.Tcp.Http;
if (packet.Ethernet.Source.ToString() == targetmac)
{
if (http.IsRequest && http.IsValid)
{
if (materialListView1.InvokeRequired)
{
materialListView1.BeginInvoke(new Action(() => {
materialListView1.AddObject(acpacket); }));
}
else
{
materialListView1.AddObject(acpacket);
}
ListofAcceptedPackets.Add(acpacket);
}
}
}
catch (Exception ex)
{
MetroMessageBox.Show(this, ex.Message, "Error",
MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
}
这就是我打开适配器的方式:
using (communicator =
selectedDevice.Open(65536,PacketDeviceOpenAttributes.Promiscuous,
1000))
{
if (communicator.DataLink.Kind !=
DataLinkKind.Ethernet)
{
if (MetroMessageBox.Show(this, "Only Ethernet is supported in this operation!","Error", MessageBoxButtons.OK,MessageBoxIcon.Error) == DialogResult.OK)
{
return;
}
}
using (BerkeleyPacketFilter filter = communicator.CreateFilter($"tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and ether src {targetmac.ToLower()} or tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and ether src {targetmac.ToLower()}"))
{
communicator.SetFilter(filter);
}
flag = true;
Packet packet;
do
{
PacketCommunicatorReceiveResult result =
communicator.ReceivePacket(out packet);
switch (result)
{
case
PacketCommunicatorReceiveResult.Timeout:
continue;
case
PacketCommunicatorReceiveResult.Ok:
{
PacketHandler(packet);
}
break;
default:
break;
}
} while (flag);
}
我也尝试过不使用任何过滤器,但无法到达 android 设备数据包。
那么除了我自己的设备之外,是否可以从网络上的其他设备捕获TCP数据包?或者我的实现有问题?
编辑: 尝试更多后,我能够从 android 设备成功获取 TCP 数据包,但仅在同时实施 ARP 缓存中毒时因为设备认为我是网关。所以我的问题是,这是否可以在没有 ARP 缓存中毒的情况下完成,因为我认为这对数据包嗅探器来说有点激进。
我终于能够通过应用 ARP 缓存投毒来使其工作,而下面的代码能够将任何设备的数据包重定向到它们的目的地,这样你就可以专门为网络上的任何设备捕获数据包而不会丢失此设备的互联网访问权限。
代码:
private void StartSniffer()
{
RawCapture rawCapture;
do
{
if ((rawCapture = capturedevice.GetNextPacket()) != null)
{
EthernetPacket Packet = PacketDotNet.Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data) as EthernetPacket;
if (Packet == null) { return; }
AcceptedPacket acPacket = new AcceptedPacket();
acPacket.Packet = Packet;
if (Packet.SourceHwAddress.Equals(TargetMAC))
{
Packet.SourceHwAddress = capturedevice.MacAddress;
Packet.DestinationHwAddress = GatewayMAC;
capturedevice.SendPacket(Packet);
if (acPacket.TCPPacket != null &&
((acPacket.Type.Equals("HTTPS") && acPacket.TCPPacket.PayloadData != null) ||
(acPacket.Type.Equals("HTTP") && acPacket.TCPPacket.PayloadData != null)))
{
materialListView1.BeginInvoke(new Action(() =>
{
materialListView1.AddObject(acPacket);
if (materialListView1.Items.Count > 15 && !ResizeDone)
{
olvColumn8.MaximumWidth = 65;
olvColumn8.MinimumWidth = 65;
olvColumn8.Width = 65;
ResizeDone = true;
}
ListofAcceptedPackets.Add(acPacket);
}));
}
}
else if (Packet.SourceHwAddress.Equals(GatewayMAC))
{
IPv4Packet IPV4 = Packet.Extract(typeof(IPv4Packet)) as IPv4Packet;
if (IPV4.DestinationAddress.Equals(Target))
{
Packet.SourceHwAddress = capturedevice.MacAddress;
Packet.DestinationHwAddress = TargetMAC;
capturedevice.SendPacket(Packet);
}
if (Properties.Settings.Default.PacketDirection == "Inbound")
{
if (acPacket.TCPPacket != null &&
((acPacket.Type.Equals("HTTPS") && acPacket.TCPPacket.PayloadData != null) ||
(acPacket.Type.Equals("HTTP") && acPacket.TCPPacket.PayloadData != null)))
{
materialListView1.BeginInvoke(new Action(() =>
{
materialListView1.AddObject(acPacket);
if (materialListView1.Items.Count > 15 && !ResizeDone)
{
olvColumn8.MaximumWidth = 65;
olvColumn8.MinimumWidth = 65;
olvColumn8.Width = 65;
ResizeDone = true;
}
ListofAcceptedPackets.Add(acPacket);
}));
}
}
}
}
} while (snifferStarted);
这是捕获设备设置:
try
{
snifferStarted = true;
if (capturedevice != null)
{
capturedevice.Open(DeviceMode.Promiscuous, 1000);
capturedevice.Filter = $"(ip and ether src {targetmac.ToLower()}) or (ip and ether src {gatewayMAC.ToLower()} and dst net {Target})";
new Thread(() => { StartSniffer(); }).Start();
}
else
{
MetroMessageBox.Show(this, "No Capture Device is selected!", "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
}
catch (Exception exception)
{
MetroMessageBox.Show(this, exception.Message, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
注意:这是使用 Packet.Net 而非 PcapDotNet 完成的。
我正在使用 C# 和 PcapDotNet 编写数据包嗅探器,我已经成功实现了该功能并且能够从我的笔记本电脑捕获所有 TCP 数据包,问题是如果我瞄准我的 android 设备我根本没有收到任何数据包, 我是网络初学者,所以我想我可能遗漏了一些东西。
这是我的数据包处理程序代码,我正在使用带有模型对象的 ObjectListView,其中包含我想要列出的所有信息,而且我的网络适配器处于混杂模式,带有 Berkeley 过滤器以仅获取 TCP端口号为 443 和 80 的数据包,其中包含来自特定 Mac 地址
的数据(无 SYN、FIN、仅 ACK 数据包)代码:
private void PacketHandler(PcapDotNet.Packets.Packet packet)
{
if (packet == null) { return; }
if (packet.Ethernet == null) { return; }
if (packet.Ethernet.IpV4 == null) { return; }
if (packet.Ethernet.IpV4.Tcp == null) { return; }
if (packet.Ethernet.IpV4.Tcp.Http == null) { return; }
var acpacket = new AcceptedPacket(); //Model Object
acpacket.Packet = packet;
try
{
HttpDatagram http = packet.Ethernet.IpV4.Tcp.Http;
if (packet.Ethernet.Source.ToString() == targetmac)
{
if (http.IsRequest && http.IsValid)
{
if (materialListView1.InvokeRequired)
{
materialListView1.BeginInvoke(new Action(() => {
materialListView1.AddObject(acpacket); }));
}
else
{
materialListView1.AddObject(acpacket);
}
ListofAcceptedPackets.Add(acpacket);
}
}
}
catch (Exception ex)
{
MetroMessageBox.Show(this, ex.Message, "Error",
MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
}
这就是我打开适配器的方式:
using (communicator =
selectedDevice.Open(65536,PacketDeviceOpenAttributes.Promiscuous,
1000))
{
if (communicator.DataLink.Kind !=
DataLinkKind.Ethernet)
{
if (MetroMessageBox.Show(this, "Only Ethernet is supported in this operation!","Error", MessageBoxButtons.OK,MessageBoxIcon.Error) == DialogResult.OK)
{
return;
}
}
using (BerkeleyPacketFilter filter = communicator.CreateFilter($"tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and ether src {targetmac.ToLower()} or tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and ether src {targetmac.ToLower()}"))
{
communicator.SetFilter(filter);
}
flag = true;
Packet packet;
do
{
PacketCommunicatorReceiveResult result =
communicator.ReceivePacket(out packet);
switch (result)
{
case
PacketCommunicatorReceiveResult.Timeout:
continue;
case
PacketCommunicatorReceiveResult.Ok:
{
PacketHandler(packet);
}
break;
default:
break;
}
} while (flag);
}
我也尝试过不使用任何过滤器,但无法到达 android 设备数据包。 那么除了我自己的设备之外,是否可以从网络上的其他设备捕获TCP数据包?或者我的实现有问题?
编辑: 尝试更多后,我能够从 android 设备成功获取 TCP 数据包,但仅在同时实施 ARP 缓存中毒时因为设备认为我是网关。所以我的问题是,这是否可以在没有 ARP 缓存中毒的情况下完成,因为我认为这对数据包嗅探器来说有点激进。
我终于能够通过应用 ARP 缓存投毒来使其工作,而下面的代码能够将任何设备的数据包重定向到它们的目的地,这样你就可以专门为网络上的任何设备捕获数据包而不会丢失此设备的互联网访问权限。
代码:
private void StartSniffer()
{
RawCapture rawCapture;
do
{
if ((rawCapture = capturedevice.GetNextPacket()) != null)
{
EthernetPacket Packet = PacketDotNet.Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data) as EthernetPacket;
if (Packet == null) { return; }
AcceptedPacket acPacket = new AcceptedPacket();
acPacket.Packet = Packet;
if (Packet.SourceHwAddress.Equals(TargetMAC))
{
Packet.SourceHwAddress = capturedevice.MacAddress;
Packet.DestinationHwAddress = GatewayMAC;
capturedevice.SendPacket(Packet);
if (acPacket.TCPPacket != null &&
((acPacket.Type.Equals("HTTPS") && acPacket.TCPPacket.PayloadData != null) ||
(acPacket.Type.Equals("HTTP") && acPacket.TCPPacket.PayloadData != null)))
{
materialListView1.BeginInvoke(new Action(() =>
{
materialListView1.AddObject(acPacket);
if (materialListView1.Items.Count > 15 && !ResizeDone)
{
olvColumn8.MaximumWidth = 65;
olvColumn8.MinimumWidth = 65;
olvColumn8.Width = 65;
ResizeDone = true;
}
ListofAcceptedPackets.Add(acPacket);
}));
}
}
else if (Packet.SourceHwAddress.Equals(GatewayMAC))
{
IPv4Packet IPV4 = Packet.Extract(typeof(IPv4Packet)) as IPv4Packet;
if (IPV4.DestinationAddress.Equals(Target))
{
Packet.SourceHwAddress = capturedevice.MacAddress;
Packet.DestinationHwAddress = TargetMAC;
capturedevice.SendPacket(Packet);
}
if (Properties.Settings.Default.PacketDirection == "Inbound")
{
if (acPacket.TCPPacket != null &&
((acPacket.Type.Equals("HTTPS") && acPacket.TCPPacket.PayloadData != null) ||
(acPacket.Type.Equals("HTTP") && acPacket.TCPPacket.PayloadData != null)))
{
materialListView1.BeginInvoke(new Action(() =>
{
materialListView1.AddObject(acPacket);
if (materialListView1.Items.Count > 15 && !ResizeDone)
{
olvColumn8.MaximumWidth = 65;
olvColumn8.MinimumWidth = 65;
olvColumn8.Width = 65;
ResizeDone = true;
}
ListofAcceptedPackets.Add(acPacket);
}));
}
}
}
}
} while (snifferStarted);
这是捕获设备设置:
try
{
snifferStarted = true;
if (capturedevice != null)
{
capturedevice.Open(DeviceMode.Promiscuous, 1000);
capturedevice.Filter = $"(ip and ether src {targetmac.ToLower()}) or (ip and ether src {gatewayMAC.ToLower()} and dst net {Target})";
new Thread(() => { StartSniffer(); }).Start();
}
else
{
MetroMessageBox.Show(this, "No Capture Device is selected!", "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
}
catch (Exception exception)
{
MetroMessageBox.Show(this, exception.Message, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
注意:这是使用 Packet.Net 而非 PcapDotNet 完成的。