我正在使用最新版本的 pcap.net 来捕获本地 pc 以太网卡上的网络流量。我正在使用以下代码来捕获与特定 mac 地址关联的所有流量。
private void bwCapture_DoWork(object sender, DoWorkEventArgs e)
{
capture = true;
IList<LivePacketDevice> allDevices = LivePacketDevice.AllLocalMachine;
if (allDevices.Count == 0)
{
MessageBox.Show("No interfaces found!");
return;
}
if (capture)
{
// Print the list
for (int i = 0; i != allDevices.Count; ++i)
{
LivePacketDevice device = allDevices[i];
this.BeginInvoke((Action)delegate () { cmbNetworkDevice.Items.Add((i + 1) + ". " + device.Name); });
}
// Take the selected adapter
PacketDevice selectedDevice = allDevices[deviceSelected];
// Open the device
using (PacketCommunicator communicator = selectedDevice.Open(65536, // portion of the packet to capture
PacketDeviceOpenAttributes.Promiscuous, // promiscuous mode
50)) // read timeout
{
this.BeginInvoke((Action)delegate () { rtbCaptured.Text = "Listening on " + selectedDevice.Description + Environment.NewLine; });
// Retrieve the packets
Packet packet;
while (capture)
{
try
{
BerkeleyPacketFilter filter = communicator.CreateFilter("ether host <<MAC ADDRESS>> and tcp port 2000");
communicator.SetFilter(filter);
PacketCommunicatorReceiveResult result = communicator.ReceivePacket(out packet);
switch (result)
{
case PacketCommunicatorReceiveResult.Timeout:
// Timeout elapsed
continue;
case PacketCommunicatorReceiveResult.Ok:
this.BeginInvoke((Action)delegate ()
{
IpV4Datagram ip = packet.Ethernet.IpV4;
TcpDatagram tcp = ip.Tcp;
if (tcp != null && ip != null)
{
string IPCheck = ip.Source.ToString();
int PortCheck = tcp.DestinationPort;
dgvIncomingPackets.Rows.Add(packet.Timestamp.ToString("MM-dd-yyyy hh:mm:ss"), packet.Length, tcp.SequenceNumber , ip.IpV4.Protocol, ip.Source, tcp.SourcePort, ip.Destination, tcp.DestinationPort);
rtbPacketDeconstruct.Text = WordWrap(ProcessString(packet.BytesSequenceToHexadecimalString()),47);
string convertThis = ProcessString(packet.BytesSequenceToHexadecimalString());
dgvIncomingPackets.FirstDisplayedScrollingRowIndex = dgvIncomingPackets.RowCount - 1;
}
else
{
rtbCaptured.Text += "Error : TCP Null Value" + Environment.NewLine;
}
});
break;
default:
throw new InvalidOperationException("The result " + result + " should never be reached here");
}
}
catch (Exception ex)
{
this.BeginInvoke((Action)delegate ()
{ rtbCaptured.Text += "Exception : " + ex; });
}
}
}
}
}
上面的代码有效,但是它没有检测到所有的瘦事件。使用 WireShark 查看网络流量时,我可以看到 Cisco 7960 IP 电话的状况变化,包括摘机、指示灯消息、显示通知消息。
虽然这些数据包是在我的 PC 上的 Wireshark 中注册的,但它们似乎没有使用上面的代码被捕获。
我的理解是,skinny 使用 tcp 端口 2000 和 49828 进行 CUCM 和设备之间的通信。我的代码确实看到了 TCP ACK 和 WHOAMI 数据包。Cisco IP 电话中正在监控的 MAC 地址。我的电脑通过设备上的内置集线器连接到此设备(这不是问题,因为 WireShark 正在我的电脑上显示我的代码没有的事件)
我在这里想念什么。我是在这里即时编程和学习的新手。(因此我知道我的代码不是最干净或写得很好)
谢谢,