Easiest way to determine highest level protocol

Mar 9, 2014 at 10:58 PM
Hello,

I am reading packets out of tcpdump files using PCAP.NET.
I guess I have 2 questions. But they are both related.

Let's narrow this down to IpV4Datagram objects (they are EtherType.IpV4). It seems to be the case that I have IpV4Datagram.Tcp.Http and IpV4Datagram.Udp.Dns both not null in the same PcapDotNet.Packets.Packet object.
So question 1 would be:
1) Can a packet be both UDP and TCP? (I didn't think this was possible)

This is making it kind of confusing for me to interpret the packet (but of course I'm sure there is a good reason for this).

2) Is there an easy way to determine the highest level protocol available in a PcapDotNet.Packets.Packet object?

For instance, what is the easiest way to tell if it is Http, Dns, or maybe even EtherType.Arp?
Having Http and Dns objects not being null is making this rather confusing for me and I am hoping someone could clear this up for me.

Thanks!
-Andrew
Mar 11, 2014 at 9:19 PM
1.) No, a packet can't "be" UDP and TCP. To check if an IP packet encapsulates a UDP or TCP packet, you do:
if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Tcp)
{
    ...
}
else if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Udp)
{
    ...
}
You probably need a better understanding of network encapsulation and the OSI model.

2.) With a series of nested ifs that covers all protocols of your interest.
if (packet.Ethernet.EtherType == EthernetType.IpV4)
{
    if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Tcp)
    {
        if (packet.Ethernet.IpV4.Tcp.DestinationPort == 80) //HTTP
            ...
        else if (packet.Ethernet.IpV4.Tcp.DestinationPort == 21) //FTP
            ...
    }
    else if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Udp)
    {
        if (packet.Ethernet.IpV4.Udp.DestinationPort == 53) //DNS
            ...
        else if (packet.Ethernet.IpV4.Udp.DestinationPort == 69) //TFTP
            ...
    }
}
else if (packet.Ethernet.EtherType == EthernetType.IpV6)
{
    ...
}
else if (packet.Ethernet.EtherType == EthernetType.Arp)
{
    ...
}
http://en.wikipedia.org/wiki/Encapsulation_%28networking%29
http://en.wikipedia.org/wiki/OSI_model
http://users.lmi.net/canepa/subdir/encasulation_chart.pdf
Marked as answer by atwhelan on 3/15/2014 at 11:03 AM
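
The nested checks from the answer above, as an added example (not code from the thread or from the Pcap.Net project): it reads the EtherType and IP protocol header fields instead of testing Tcp.Http or Udp.Dns for null, which the question found non-null in the same packet. The names Classify and ByPort are hypothetical, the frame bytes are constructed, and two checks go beyond the answer: source ports are examined as well, and non-first IPv4 fragments are labelled separately.

```csharp
using System;
using PcapDotNet.Packets;
using PcapDotNet.Packets.Ethernet;
using PcapDotNet.Packets.IpV4;

static class ProtocolClassifier
{
    // Name the highest layer that the header fields identify (hypothetical helper).
    public static string Classify(Packet packet)
    {
        if (packet.DataLink.Kind != DataLinkKind.Ethernet) return "non-Ethernet";
        EthernetDatagram ethernet = packet.Ethernet;
        if (ethernet.EtherType == EthernetType.Arp) return "ARP";
        if (ethernet.EtherType == EthernetType.IpV6) return "IPv6";
        if (ethernet.EtherType != EthernetType.IpV4) return "EtherType " + ethernet.EtherType;
        IpV4Datagram ip = ethernet.IpV4;
        // Only the first fragment carries the TCP/UDP header; later ones have no ports.
        if (ip.Fragmentation.Offset != 0) return "IPv4 fragment, protocol " + ip.Protocol;
        if (ip.Protocol == IpV4Protocol.Tcp)
            return ByPort("TCP", ip.Tcp.SourcePort, ip.Tcp.DestinationPort);
        if (ip.Protocol == IpV4Protocol.Udp)
            return ByPort("UDP", ip.Udp.SourcePort, ip.Udp.DestinationPort);
        return "IPv4, protocol " + ip.Protocol;
    }

    // A port is a hint, not proof of the application protocol. Both ports are
    // checked so that replies (service port as source) are labelled too.
    static string ByPort(string transport, ushort source, ushort destination)
    {
        foreach (ushort port in new[] { destination, source })
        {
            if (transport == "TCP" && port == 80) return "HTTP (by port)";
            if (transport == "TCP" && port == 21) return "FTP (by port)";
            if (transport == "UDP" && port == 53) return "DNS (by port)";
            if (transport == "UDP" && port == 69) return "TFTP (by port)";
        }
        return transport + " " + source + " -> " + destination;
    }

    static void Main()
    {
        // Constructed frame: Ethernet + IPv4 + UDP header, source port 53 (a DNS reply).
        byte[] frame = {
            0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0x02, 0x08, 0x00,
            0x45, 0, 0, 0x1c, 0, 0, 0, 0, 0x40, 0x11, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
            0x00, 0x35, 0x9c, 0x40, 0, 0x08, 0, 0 };
        Console.WriteLine(Classify(new Packet(frame, DateTime.Now, DataLinkKind.Ethernet)));
    }
}
```

Services running on non-standard ports fall through to the generic TCP/UDP label, so treat the port-based names as a first-pass triage rather than a payload-verified identification.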
Mar 15, 2014 at 7:06 PM
Edited Mar 15, 2014 at 7:06 PM
if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Tcp)

if (packet.Ethernet.IpV4.Udp.DestinationPort == 53) //DNS


That is exactly what I was looking for! I needed to know which data structures were the right ones to use to determine these things.

Very much appreciated, expert_vision!