dotpcap / sharppcap

Official repository - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets

CaptureFileWriterDevice.Write(RawCapture p) writes incorrect LinkLayerType if it's not known to PacketDotNet #174

Open twa89 opened 3 years ago

twa89 commented 3 years ago

I am opening a Wireshark capture of a BACnet MSTP cap file, then trying to write the packet back out using the CaptureFileWriterDevice.Write() method. When it writes the packet out, it does not preserve the link layer byte that was in the original packet that was read in.

BACnet MSTP is link layer 165. I see this byte in the source file, but in the one written out it was replaced with 0.

I looked at PacketDotNet and it seems to have an enum for link layer that doesn't have this value (165). I would think if a packet is read in, it could be written back as read. Here is a sample file with just 1 mstp packet.

onemstp.zip

kayoub5 commented 3 years ago

@twa89 the link layer is determined through the constructor of CaptureFileWriterDevice, not through the Write method (the link layer of the RawCapture is simply ignored)

How did you create the CaptureFileWriterDevice?

twa89 commented 3 years ago

I created it just with the Wireshark file. The constructor that takes only a filename.


kayoub5 commented 3 years ago

@twa89 use the constructor where you can specify the LinkLayer, the one that only accepts file name uses link layer Ethernet.

See https://github.com/chmorgan/sharppcap/blob/de6d35505b9f22f9678272e431e2bce960375b94/SharpPcap/LibPcap/CaptureFileWriterDevice.cs#L160-L163

twa89 commented 3 years ago

Linklayer 165 is not a choice in the enum. I will try casting it.


twa89 commented 3 years ago

I tried using the constructor like this and it still writes the packet as Ethernet.

    FileWriter = new CaptureFileWriterDevice((PacketDotNet.LinkLayers)165,100000,CaptureFile,FileMode.Open);

twa89 commented 3 years ago

If I open that onemstp.cap file attached above in Wireshark, it shows it correctly as MSTP. I then open that file with CaptureFileWriterDevice and then write the packet to a new file. The new file opened in Wireshark is now Ethernet and not decoded correctly.

twa89 commented 3 years ago

I did get this working with this signature, it was throwing an exception on the size I was passing in above too.

    FileWriter = new CaptureFileWriterDevice((PacketDotNet.LinkLayers)165,65535,CaptureFile,FileMode.Open);

This is kind of a kluge with the casting, but does save the packet correctly now.
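
To confirm which link-layer value a capture file actually carries, as in the source/rewritten comparison discussed in this thread, the 24-byte classic pcap global header can be read directly without any capture library. This is an added example, not code from the issue or from SharpPcap; the `PcapLinkType` class and its `Read` method are hypothetical names, the sample header is constructed, and only classic pcap is handled (pcapng is rejected).

```csharp
using System;
using System.Buffers.Binary;
using System.IO;

static class PcapLinkType
{
    // Classic pcap magics as seen when the first 4 bytes are read little-endian.
    const uint MagicUsec = 0xA1B2C3D4, MagicNsec = 0xA1B23C4D;
    const uint PcapNg = 0x0A0D0D0A;   // pcapng Section Header Block type

    // Returns the link-layer type stored in a classic pcap global header.
    public static int Read(ReadOnlySpan<byte> header)
    {
        if (header.Length < 24)
            throw new InvalidDataException("shorter than a pcap global header");
        uint magic = BinaryPrimitives.ReadUInt32LittleEndian(header);
        bool little;
        if (magic == MagicUsec || magic == MagicNsec) little = true;
        else
        {
            uint swapped = BinaryPrimitives.ReverseEndianness(magic);
            if (swapped == MagicUsec || swapped == MagicNsec) little = false;
            else if (magic == PcapNg)
                throw new NotSupportedException("pcapng keeps the link type per interface");
            else throw new InvalidDataException($"unknown magic 0x{magic:X8}");
        }
        // The 'network' field is the last 4 bytes of the header (offset 20).
        uint network = little
            ? BinaryPrimitives.ReadUInt32LittleEndian(header.Slice(20, 4))
            : BinaryPrimitives.ReadUInt32BigEndian(header.Slice(20, 4));
        return (int)(network & 0xFFFF);   // low 16 bits hold the link type
    }

    static void Main(string[] args)
    {
        // Constructed sample: little-endian header, version 2.4, snaplen 65535,
        // network = 165 (0xA5), the BACnet MS/TP value quoted in the issue.
        byte[] sample = {
            0xD4,0xC3,0xB2,0xA1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
            0xFF,0xFF,0x00,0x00, 0xA5,0x00,0x00,0x00 };
        Console.WriteLine($"constructed sample: {Read(sample)}");
        foreach (string path in args)   // e.g. the source file and the rewritten file
        {
            using FileStream fs = File.OpenRead(path);
            byte[] h = new byte[24];
            int n = fs.Read(h, 0, h.Length);
            Console.WriteLine($"{path}: {Read(h.AsSpan(0, n))}");
        }
    }
}
```

Running it against both the source capture and the rewritten one shows whether the writer preserved the header value or substituted its own default.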