dotpcap / sharppcap Goto Github PK

So, I want to use sharppcap in a school project and write a packet sniffer.
I recently came across two missing method declarations, which are used by @chmorgan in this tutorial:
https://www.codeproject.com/Articles/12458/SharpPcap-A-Packet-Capture-Framework-for-NET

These are the RawInput.Extract() and the tcpPacket.SourceAdress() method.
For me, they don't show up, nor are they seem to be valid. I get a generic "Missing method" error in vs 2017 with .Net framework 4.5.1.
Hoping to find some help here.
Best wishes,
Script

I occasionally see TcpPacket throw an ArgumentException "Source array was not long enough. Check the source index, length, and the array's lower bounds." when I attempt to access the PayloadData property. Interestingly, when I look at the packets that have been received I can tell something went wonky because I suddenly see the AckNumber of the previous few packets showing in the SequenceNumber of the one that ultimately blows up. Any idea what the cause of this issue could be or what I can look at to get you more information to help me work through it?

In sharppcap/SharpPcap/PosixTimeval.cs, line 271: method sb.Append(MicroSeconds); is incorrect for values of MicroSeconds < 100000. For example, for seconds = 1 and Microseconds = 12345, resulting value returned by ToString() is 1.12345. It should be 1.012345.

Solution is to replace line 271
sb.Append(MicroSeconds);
with
sb.AppendFormat("{0:000000}",MicroSeconds);

Hello!

I've just updated from version 4.4.0 to 4.5.0, and I've got this build error:

<path>/Program.cs(39,39): Error CS0012: The type 'ReadOnlyCollection<>' is defined in an assembly that is not referenced. You must add a reference to assembly 'netstandard, Version=2.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. (CS0012) (NetworkMidiConverter)

After I try to open device I get an error.

_device?.Open(DeviceMode.Promiscuous, 1000);

PcapException: Unable to activate the adapter (rpcap://\Device\NPF_{34BF6DC1-DD25-4C19-8E90-0DFB48B1529C}). Return code: -1

I am using npcap 0.995 and SharpPcap v4.6.1

http://sourceforge.net/p/sharppcap/support-requests/9/

Wireshark and other similar services allow decrypting of https responses by installing a certificate on the browser. Is there a way to do it with SharpPCap?

I've tried the ARP resolve example and it works for resolving the IP of other devices on the network. It fails to resolve the IP of the computer that's running the code/program.
Windows 10 64bit, using npcap 0.82.
Any ideas?

Currently the current implementation is fast enough, however there is a bit of overhead and GC thrashing due to the use of Marshal.Copy on every packet.
This is related to #65, the change would be a breaking change, but I think the performance benefit is worth it.
See https://docs.microsoft.com/en-us/dotnet/api/system.span-1?view=netstandard-2.1

I have installed the Npcap driver, because I want to monitor the windows loopback traffic. However the Npcap Loopback Adapter is not in the SharpPcap CaptureDeviceList.

I can see the Npcap Loopback Adapter in Wireshark and Wireshark is able to monitor the loopback traffic through it based on: https://wiki.wireshark.org/CaptureSetup/Loopback

What should I do to monitor the Npcap Loopback Adapter using SharpPcap?

http://stackoverflow.com/questions/42131550/how-to-monitor-the-windows-loopback-adapter-using-sharppcap-and-npcap

Hey

I'm trying to run a project I've built in Ubuntu but SharpPcap can't find libpcap for some reason.
I've installed libpcap & libpcap-dev. I even tried adding a SharpPcap.config.dll like specified in #33 but it didn't help.

What am I doing wrong?

Unhandled Exception: System.DllNotFoundException: Unable to load DLL 'wpcap': The specified module or one of its dependencies could not be found. (Exception from HRESULT: 0x8007007E) at SharpPcap.LibPcap.LibPcapSafeNativeMethods.pcap_findalldevs(IntPtr& alldevs, StringBuilder errbuf) at SharpPcap.LibPcap.LibPcapLiveDeviceList.GetDevices() at SharpPcap.LibPcap.LibPcapLiveDeviceList.Refresh() at SharpPcap.LibPcap.LibPcapLiveDeviceList..ctor() at SharpPcap.LibPcap.LibPcapLiveDeviceList.get_Instance() at SharpPcap.CaptureDeviceList..ctor() at SharpPcap.CaptureDeviceList.get_Instance() at PaddingTest.Program.Main(String[] args) in C:\Users\George\Documents\Visual Studio 2017\Projects\PaddingTest\PaddingTest\Program.cs:line 28 Aborted (core dumped)

EDIT: Forgot to mention I'm using this under .NET Core

I try winPcap.Open(SharpPcap.WinPcap.OpenFlags.DataTransferUdp | SharpPcap.WinPcap.OpenFlags.NoCaptureLocal, readTimeoutMilliseconds);

in
method "device_OnPacketArrival"
line:

var tcpPacket = (PacketDotNet.TcpPacket)packet.Extract(typeof(PacketDotNet.TcpPacket));

I've been using sharppcap in an application for some time with great success but I've recently hit an issue where retrieving PayloadData in a UdpPacket only returns the data in the first fragment.

My usage is pretty simple:

void device_OnPacketArrival(object sender, CaptureEventArgs e)
{
    var ipPacket = (IpPacket)e.Packet.Extract(typeof(IpPacket));
    if (ipPacket != null)
    {
         var udpPacket = (UdpPacket)packet.Extract(typeof(UdpPacket));
         if (udpPacket != null)
         {
             var bytes = udpPacket.PayloadData;
             var text = Encoding.ASCII.GetString(bytes, 0, bytes.Length);

When I look at the packets in wireshark I see the reconstructed text, but my code only sees what is in the first fragment. Is there some setting to ensure the data has been reconstructed? I don't see any fragment flag in IpPacket.

EDIT 01/19/2017: I guess I should have posted this on the PacketDotNet site because these are PacketDotNet classes and as it turns out the fragmentation fields are in IPv4Packet (not IpPacket). I'll still have to reconstruct the fragmented packet but I have the data necessary to do so.

Cannot run in Linux because some functions are only exported in windows:

Unhandled Exception: System.EntryPointNotFoundException: Unable to find an entry point named 'pcap_findalldevs_ex' in DLL 'wpcap'.
at SharpPcap.WinPcap.SafeNativeMethods.pcap_findalldevs_ex(String source, IntPtr auth, IntPtr& alldevs, StringBuilder errbuf)
at SharpPcap.WinPcap.WinPcapDeviceList.Devices(String rpcapString, RemoteAuthentication remoteAuthentication)
at SharpPcap.WinPcap.WinPcapDeviceList.GetDevices()
at SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
at SharpPcap.WinPcap.WinPcapDeviceList..ctor()
at SharpPcap.WinPcap.WinPcapDeviceList.get_Instance()

Here the full list:
https://www.winpcap.org/docs/docs_40_2/html/group__wpcapfunc.html

In addition the native library wpcap need to be change to pcap in order to match Linux OS.

Thanks,
Amos.

I've tried without much success to run Example 11, in all cases when I run the sample after selecting an input I get;

Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
at Example11.WinPcapStatisticsMode.Main (System.String[] args) [0x000d7] in <679e31d55ef4414fae6e8c0290da3a8b>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
at Example11.WinPcapStatisticsMode.Main (System.String[] args) [0x000d7] in <679e31d55ef4414fae6e8c0290da3a8b>:0

When i used in windows server 2012 r2 x64, it throws exception"No mapping for the Unicode character exists in the target multi-byte code page".
First, i checked .net framework and vc 2010 redistribution, they were all installed well.
At last, i found it was caused by my Chinese language driver because when i replace my network adapter driver by English version, it works well. the network adapter's description is in Chinese if i install Chinese language driver.
if anyone knows any other methods to support interface with Chinese driver?
my network adapter: Intel® Ethernet Server Adapter X520-DA2

A Stackoverflow user complains this issue here: http://stackoverflow.com/questions/42131550/how-to-monitor-the-windows-loopback-adapter-using-sharppcap-and-npcap

However when I now run SharpPcap Example6 I get the exception "LinkLayer of Null is not implemented" on line 86. PacketDotNet.Packet.ParsePacket raises this exception because e.Packet.LinkLayerType == null. Any idea how to construct a (tcp) packet is this case?

This is because by default, Npcap provides the data link layer header in DLT_NULL instead of Ethernet. And the PacketDotNet library SharpPcap uses doesn't support DLT_NULL. DLT_NULL is the standard interface for a loopback device on Linux. This is why Npcap also adopts it as the 2nd layer encapsulation for Npcap Loopback Adapter. The details can be found here:

http://www.tcpdump.org/linktypes.html
https://github.com/nmap/nmap/issues/200

So the best solution seems to implement DLT_NULL for PacketDotNet. The exception seems to be triggered here: https://github.com/chmorgan/packetnet/blob/master/PacketDotNet/Packet.cs#L327

The implementation should be very simple: DLT_NULL only contains 4 bytes:

1. 0x02, 0x00, 0x00, 0x00 for IPv4 payload and
2. 0x18, 0x00, 0x00, 0x00 for IPv6 payload, both in network order.

In fact, Nmap, Wireshark and Libpcap have a discussion about the IPv6 value and finally agree on 0x18 on Windows platform. The discussion archive is here: http://seclists.org/wireshark/2015/Aug/182

https://dev.azure.com/lextudio/lextudio/_build/results?buildId=49

As the log shows, on Linux and Mac, the IntPtr to uint conversion can fail with OverflowException.

Should consider changing the data type from uint to long or ulong.

NuGet package version 4.2.0

pcap version can't be identified, you are either using an older version, or pcap is not installed.

My ASP.NET Core 2 solution blows up when I try to add this nuget. I know that it supports Mono, but are there any plans to support .NET Core?

I am a heavy Linq and LinqPad user, I repeatedly find my self needing a simple IEnumerable wrapper for CaptureFileReaderDevice().

Would the maintainers be interested in seeing either:

1. A pull request for such an enhancement
2. Examples of why this can be so helpful, and sometimes powerful for Linq users ?

Thanks,
Cameron
PS, I am a light Github user, so if there is a better protocol for submitting these types of questions, please forgive me, and let me know how to submit questions or pull requests in the future.

Hey, I'm trying to generate and send an ICMP packet with SharpPcap under .NET Core
It looks like the checksum doesn't get calculated for some reason and is always 0.

George

I tried the examples at first on Windows after installing WinPcap and it worked fine.
After that I installed libpcap-dev on my RaspberryPi3 and it didnt work.

It throws in LibPcapLiveDeviceList.cs a dllNotFoundException for wpcap.

Any reasons for that?

My runtime env. is kali-linux 2.x with mono, I'm currently making sure everything is up to date prior to leave this open, if you see it open I did not manage to solve it.

I mean I could map the function to the correct one inside libpcap.so but I don't know the right one and did not found relevant documentation on it.

Got the error by trying the code

var devices = AirPcapDeviceList.Instance;

Everytime I step over this line exception is thrown, I have winpcap lib referenced

System.EntryPointNotFoundException: pcap_findalldevs_ex at at (wrapper managed-to-native) SharpPcap.WinPcap.SafeNativeMethods.pcap_findalldevs_ex(string,intptr,intptr&,System.Text.StringBuilder) at SharpPcap.WinPcap.WinPcapDeviceList.Devices (System.String rpcapString, SharpPcap.WinPcap.RemoteAuthentication remoteAuthentication) [0x00031] in /root/_repo/sharppcap/SharpPcap/WinPcap/WinPcapDeviceList.cs:123 at SharpPcap.WinPcap.WinPcapDeviceList.GetDevices () [0x00007] in /root/_repo/sharppcap/SharpPcap/WinPcap/WinPcapDeviceList.cs:170 at SharpPcap.WinPcap.WinPcapDeviceList.Refresh () [0x0000f] in /root/_repo/sharppcap/SharpPcap/WinPcap/WinPcapDeviceList.cs:181 at SharpPcap.WinPcap.WinPcapDeviceList..ctor () [0x0000d] in /root/_repo/sharppcap/SharpPcap/WinPcap/WinPcapDeviceList.cs:77 at SharpPcap.WinPcap.WinPcapDeviceList.get_Instance () [0x0000e] in /root/_repo/sharppcap/SharpPcap/WinPcap/WinPcapDeviceList.cs:51 at SharpPcap.AirPcap.AirPcapDeviceList.Refresh () [0x0000f] in /root/_repo/sharppcap/SharpPcap/AirPcap/AirPcapDeviceList.cs:106 at SharpPcap.AirPcap.AirPcapDeviceList..ctor () [0x0000d] in /root/_repo/sharppcap/SharpPcap/AirPcap/AirPcapDeviceList.cs:72 at SharpPcap.AirPcap.AirPcapDeviceList.get_Instance () [0x0000e] in /root/_repo/sharppcap/SharpPcap/AirPcap/AirPcapDeviceList.cs:45 at mitmp.MainClass.Main (System.String[] args) [0x00001] in /root/_repo/mitmp/Program.cs:14

Downloaded the zip file today. Loading SharpPcap.sln in VS 2015 loads all the example projects, but the SharpPcap project load fails. Looking at that csproj file, it is only 27 lines and appears to be lacking 95% of what should be in there.
(Also, the sln file says that the minimum VS version is 10, but none of the projects will load in VS version 10.)

I catch a accessviolationexception while calling CaptureDeviceList.Instance ,here are part of exception message

at System.Runtime.InteropServices.Marshal.PtrToStructureHelper(IntPtr ptr, Object structure, Boolean allowValueClasses)
at System.Runtime.InteropServices.Marshal.PtrToStructure(IntPtr ptr, Type structureType)
at SharpPcap.WinPcap.WinPcapDeviceList.Devices(String rpcapString, RemoteAuthentication remoteAuthentication)
at SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
at SharpPcap.WinPcap.WinPcapDeviceList..ctor()
at SharpPcap.WinPcap.WinPcapDeviceList.get_Instance()
at SharpPcap.CaptureDeviceList..ctor()
at SharpPcap.CaptureDeviceList.get_Instance()

how can I solve it?

When a connection is bridged using Windows' built in virtual bridge SharpPcap won't populate the 'FriendlyName' property of the PcapInterface object.
This is probably not an issue with WinPcap since both Wireshark and TShark are able to get the friendly name even when the connection is bridge.

How to reproduce (Windows 10, 64x):

1. Open the 'Network Connection' window
2. Select a pair of Ethernet connections (if none/one exists, a loopback connection works as well create it with hdwwiz.exe)
3. Right click one of the connection
4. Select 'Bridge Connections'. Uner the Connections' names it should say "Enabled, Bridged"
5. Get CaptureDeviceList.Instance in the code and see the Interface property of the device has FriendlyName set to NULL

Here's a shot of me debugging the same connection - once when bridged and a second time when it isn't

Hello

I'm trying to send 1600 bytes packet size , but no luck

I'll be delighted to hear from you soon

regards

Hello,

I am trying to install a Nuget package to a console application and I am getting the following error:

SharpPcap 4.5.0'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.6.2'

I saw in another post that it must be a minimum of 4.5.1, so, this version should work in theory.

Thanks in advance!

Severity Code Description Project File Line Suppression State
Error Could not install package 'SharpPcap 4.5.0'. You are trying to install this package into a project that targets '.NETFramework,Version=v3.5', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author. 0

I'm attempting to write a tool to split a larger PCAP file into smaller files by host pairs. I'm opening a file and stepping through packet by packet, identifying the host pair, and then writing that packet to the appropriate file.

I'm running into an issue when I get over 508 open files:
Error opening dump file 'C:\PCAPOUT\20160623-010218_10.1.129.57_17.172.238.221.pcap: Too many open files'.

It seems like this is an arbitrary limit. I've written similar tools in Python and have had no issues with over 32,000 simultaneous open files. Is this something that can be fixed/modified?

Could you please publish nuget packages for the new SharpPcap and Packet.Net releases?

Thank you!

1>------ Build started: Project: FlowInterceptor, Configuration: Debug Any CPU ------
1>FlowInterceptor -> C:\Users*\Documents\Visual Studio 2017\Projects\InjectorDemo\FlowInterceptor\bin\Debug\netstandard2.0\FlowInterceptor.dll
2>------ Build started: Project: FlowInjector, Configuration: Debug Any CPU ------
2>CSC : error CS2015: 'C:\Users**.nuget\packages\sharppcap.standard\4.4.0\contentFiles\any\netstandard2.0\App.ico' is a binary file instead of a text file
2>Done building project "FlowInjector.csproj" -- FAILED.
========== Build: 1 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

Is App.ico needed to be removed from the package?

Thanks,
Amos.

Hello again! I've found another issue.

In a different project to the one in my last issue (#33), I've just installed _SharpPcap - and I've hit upon an error - I'm attaching the stack trace to the bottom of this issue.

Looking around, I can't find a sharppcap.dll.config file anywhere.

I would have thought that on Linux I wouldn't need wpcap?

Stack Trace

Unhandled Exception:
System.DllNotFoundException: wpcap
  at (wrapper managed-to-native) SharpPcap.LibPcap.LibPcapSafeNativeMethods.pcap_findalldevs(intptr&,System.Text.StringBuilder)
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.GetDevices () [0x00017] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.Refresh () [0x0000c] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList..ctor () [0x0000b] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.get_Instance () [0x00007] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.CaptureDeviceList..ctor () [0x00032] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.CaptureDeviceList.get_Instance () [0x00007] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SomeProject.PacketCapturer+<EnumerateAvailableDevices>d__13.MoveNext () [0x00026] in <f1e5d62f4a874c329b34965ead8a0115>:0 
  at SomeProject.PacketCapturer.LogDeviceList () [0x00033] in <f1e5d62f4a874c329b34965ead8a0115>:0 
  at SomeProjectGUI.MainClass.Main (System.String[] args) [0x00092] in <3cdaac40bfd14c7cb2e859040ad39640>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: wpcap
  at (wrapper managed-to-native) SharpPcap.LibPcap.LibPcapSafeNativeMethods.pcap_findalldevs(intptr&,System.Text.StringBuilder)
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.GetDevices () [0x00017] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.Refresh () [0x0000c] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList..ctor () [0x0000b] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.get_Instance () [0x00007] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.CaptureDeviceList..ctor () [0x00032] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SharpPcap.CaptureDeviceList.get_Instance () [0x00007] in <dc338158b63443d1985e66f367bc0c3c>:0 
  at SomeProject.PacketCapturer+<EnumerateAvailableDevices>d__13.MoveNext () [0x00026] in <f1e5d62f4a874c329b34965ead8a0115>:0 
  at SomeProject.PacketCapturer.LogDeviceList () [0x00033] in <f1e5d62f4a874c329b34965ead8a0115>:0 
  at SomeProjectGUI.MainClass.Main (System.String[] args) [0x00092] in <3cdaac40bfd14c7cb2e859040ad39640>:0 

System Details

• uname -a: Linux some_pc_name 4.14.69-1-lts #1 SMP Mon Sep 10 16:35:35 UTC 2018 x86_64 GNU/Linux
• Distribution: Artix Linux

When I build the project and use it in Ubuntu 14.04/Mono,I get the following mistake:

Error CS0246: The type or namespace name `LivePcapDevice' could not be found. Are you missing an assembly reference? (CS0246)

Would you be so kind as to tell me how to fix this error?Or am I doing it in a wrong way,if so,please point out.

I need to save the captured packets like wireshark so that I can use them under other circumstances. I work in Windows with Visual Studio 2015. How to do?
It would be grate if you send me an email: [email protected].

• make the reference to SourceForge a link
• add a reference to Packet.Net

BTW, I'm really happy to see this project still alive and transitioning to GitHub Chris. Let me know if you need any help navigating the ins/outs of GH.

It doesn't raise OnCaptureStopped or any other type of event to indicate it's got to the EOF (and so consequently no more packets are coming).

This means that when exposing capture device streams as IObservable (via RX), even 'canned' streams like those coming from file, appear to run 'forever'. This is problematic, and can lead to poor usability (confuses the user, who naturally expects stream-from-file to complete at some point).

In my case I've special-cased, and for CaptureFileReaderDevices I build the IObservable based on enumerating device.GetNextPacket(), however it'd be preferable to be able to use the asynchronous (event-based) approach consistently across both live and canned captures, without knowing about the implementation.

Seems like CaptureFileReaderDevice, when started with StartCapture() should itself call StopCapture() when the end of the file is reached (so the event is raised).

Attached file can be opened using Wireshark but not with SharpPCap.
Exception is thrown as in subject line. Is there any workaround?

Thanks.

Tested on Raspberry Pi (Linux ARM)

When a device stop its capture (SharpPcap.LibPcap.PcapDevice.StopCapture() , line 208), the capture Thread is joined with a timeout and then aborted if not join, however Thread abort is not supported on dotnet core.

The code I'm running is similar to Example3.BasicCap

It seems to work on Windows in dotnet core, maybe because the Raspberry isn't powerful enough to join the thread quickly ?

The PcapInteface currently only stores a single gateway address. It will be very helpful to get a list of all the gateway addresses for a given network interface.

Hi Guys,

I'm trying to run example 9 - sendpacket. But i'm getting stuck on:

System.DllNotFoundException has been thrown wpcap

So as far as i understand i need to do some kind of dynamic library mapping in a sharppcap .config file to define the location of libpcap? But i can't find any example on how to do this.

Can anybody please help me?

Thank you very much!
Bastiaan

Hello,

I've hit upon an exception when trying to use this library:

Unhandled Exception:
System.DllNotFoundException: libpcap.so
  at (wrapper managed-to-native) SharpPcap.LibPcap.LibPcapSafeNativeMethods:pcap_findalldevs (intptr&,System.Text.StringBuilder)
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.GetDevices () [0x00017] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.Refresh () [0x0000c] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList..ctor () [0x0000b] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.get_Instance () [0x00007] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.CaptureDeviceList..ctor () [0x00032] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.CaptureDeviceList.get_Instance () [0x00007] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at PacketCaptureMIDIDemo.PacketCapturer.LogDeviceList () [0x00002] in <426db04d9d0e45fe85d32d6e40196029>:0 
  at PacketCaptureMIDIDemo.MainClass.Main (System.String[] args) [0x00007] in <426db04d9d0e45fe85d32d6e40196029>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: libpcap.so
  at (wrapper managed-to-native) SharpPcap.LibPcap.LibPcapSafeNativeMethods:pcap_findalldevs (intptr&,System.Text.StringBuilder)
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.GetDevices () [0x00017] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.Refresh () [0x0000c] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList..ctor () [0x0000b] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.LibPcap.LibPcapLiveDeviceList.get_Instance () [0x00007] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.CaptureDeviceList..ctor () [0x00032] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at SharpPcap.CaptureDeviceList.get_Instance () [0x00007] in <6f754ff0acd74248b20ed8bbfa5b7c57>:0 
  at PacketCaptureMIDIDemo.PacketCapturer.LogDeviceList () [0x00002] in <426db04d9d0e45fe85d32d6e40196029>:0 
  at PacketCaptureMIDIDemo.MainClass.Main (System.String[] args) [0x00007] in <426db04d9d0e45fe85d32d6e40196029>:0 

SendCaptureStoppedEvent should be marked as virtual just like SendPacketArrivalEvent

Hi,

When capturing asynchronous events, the status param of OnCaptureStopped() sometimes contains CaptureStoppedEventStatus.CompletedWithoutError when Device.LastError contains "read error: PacketReceivePacket failed". Please find attached a patch to fix the status value in this case.

Regards,
Pedro

sharppcap_patch.diff.txt

Hi,
I have created a basic .NET Core 2.0 application using the VS template for a ".NET Core ASP.NET Core Web Application".

Code

using System;
using SharpPcap.LibPcap;

namespace SharpTest
{
    class Program
    {
        static void Main()
        {
            // Retrieve the device list
            var devices = LibPcapLiveDeviceList.Instance;

            // Print out the devices
            int i = 0;
            foreach (var dev in devices)
            {
                /* Description */
                Console.WriteLine("Device {0}: {1} | {2}", i, dev.Name, dev.Description);
                i++;
            }

            Console.ReadLine();
        }
    }
}

Dependencies

(from current sharppcap revision 4.5.0)

• PacketDotNet.dll
• SharpPcap.dll

Target Framework

.NET Core 2.0 (added "netcoreapp2.0" for the "TargetFramework" property in the .csproj-file)

Steps (Linux Ubuntu 16.04)

Copied to Linux, started with: $ dotnet SharpTest.dll

Error

Unhandled Exception: System.DllNotFoundException: Unable to load DLL 'wpcap': The specified module or one of its dependencies could not be found.
(Exception from HRESULT: 0x8007007E)
at SharpPcap.LibPcap.LibPcapSafeNativeMethods.pcap_findalldevs(IntPtr& alldevs, StringBuilder errbuf)
at SharpPcap.LibPcap.LibPcapLiveDeviceList.GetDevices()
at SharpPcap.LibPcap.LibPcapLiveDeviceList.Refresh()
at SharpPcap.LibPcap.LibPcapLiveDeviceList..ctor()
at SharpPcap.LibPcap.LibPcapLiveDeviceList.get_Instance()
at SharpTest.Program.Main() in C:\Users\Username\source\repos\SharpTest\SharpTest\Program.cs:line 11

when run var devices = AirPcapDeviceList.Instance;
throw System.Runtime.InteropServices.SEHException

The SharpPcap.LibPcap.LibPcapLiveDevice is throwing the "Unable to activate the adapter" following:

var activationResult = LibPcapSafeNativeMethods.pcap_activate(PcapHandle);

using Windows 10 and Npcap 0.995 attempting MonitorMode = Active following:

winPcap.Open(DeviceMode.Promiscuous, readTimeoutMilliseconds, MonitorMode.Active);

The monitor mode works fine when using the Adapter with Wireshark.

Hello,

It would be great if SharpPcap allowed you to set monitor mode.

The pcap_set_rfmon api must be applied after an adapter is created, but before it is activated. Unfortunately, SharpPcap uses the pcap_open_live api that performs pcap_create and pcap_activate in one shot, which means there's no opportunity to call pcap_set_rfmon.

I see two obvious ways to solve this. The least invasive in terms of API would be to add another Open overload which doesn't use pcap_open_live and allows setting of monitor mode, something like this:

public override void Open(DeviceMode mode, int read_timeout, Boolean monitor_mode)
        {
            if ( !Opened )
            {
                StringBuilder errbuf = new StringBuilder( Pcap.PCAP_ERRBUF_SIZE ); //will hold errors

                // set the StopCaptureTimeout value to twice the read timeout to ensure that
                // we wait long enough before considering the capture thread to be stuck when stopping
                // a background capture via StopCapture()
                //
                // NOTE: Doesn't affect Mono if unix poll is available, doesn't affect Linux because
                //       Linux devices have no timeout, they always block. Only affects Windows devices.
                StopCaptureTimeout = new TimeSpan(0, 0, 0, 0, read_timeout * 2);

                PcapHandle = LibPcapSafeNativeMethods.pcap_create(
                    Name, // name of the device
                    errbuf); // error buffer                

                if ( PcapHandle == IntPtr.Zero)
                {
                    string err = "Unable to open the adapter ("+Name+"). "+errbuf.ToString();
                    throw new PcapException( err );
                }

                LibPcapSafeNativeMethods.pcap_set_snaplen(PcapHandle, Pcap.MAX_PACKET_SIZE);
                LibPcapSafeNativeMethods.pcap_set_rfmon(PcapHandle, monitor_mode ? 1 : 0);
                LibPcapSafeNativeMethods.pcap_set_promisc(PcapHandle, mode == DeviceMode.Promiscuous ? 1 : 0);
                LibPcapSafeNativeMethods.pcap_set_timeout(PcapHandle, read_timeout);

                var activationResult = LibPcapSafeNativeMethods.pcap_activate(PcapHandle);
                if (activationResult < 0)
                {
                    string err = "Unable to activate the adapter (" + Name + "). Return code: " + activationResult.ToString();
                    throw new PcapException(err);
                }
                PcapHandle = PcapHandle;
            }
        }

The second, more invasive way, would be to expose API to do the pcap_create, all of the pcap_set_ methods, and pcap_activate, but that seems way too leaky to me.

Is this something you'd be interested in supporting? I'm happy to submit a PR if we can agree on an API.

NoExceptionsWithJustStatisticsHandler test fails with exception

SharpPcap.DeviceNotReadyException
No delegates assigned to OnPacketArrival or OnPcapStatistics, no where for captured packets to go.

Reason

The test is to make sure no exception is thrown if OnPcapStatistics event is assigned but you forget to assign the handler so NoExceptionsWithJustStatisticsHandler and DeviceNotReadyExceptionWhenStartingACaptureWithoutAddingDelegateToOnPacketArrivalAndOnPcapStatistics are essentially the same.

Remedy

just add this line Here

devices[0].OnPcapStatistics += (sender, args) => { };

Note

I have configured AppVeyor with my Fork Here and fixed all the build, test and reference issues. You can check the build status here.
PS: If you want I can send a pull request with those fixes