将网卡设为混杂模式可以接收通过本地网卡的所有数据包,利用Raw Socket可以实现简单的网络监听
1.先要定义几个IP数据包头的结构
/// <summary>
/// IP数据包头结构
/// </summary>
public struct ip_hdr
{
/// <summary>
/// 4位首部长度+4位IP版本号
/// </summary>
public byte h_lenver;
/// <summary>
/// 8位服务类型TOS
/// </summary>
public byte tos;
/// <summary>
/// 16位总长度(字节)
/// </summary>
public ushort total_len;
/// <summary>
/// 16位标识
/// </summary>
public ushort ident;
/// <summary>
/// 3位标志位
/// </summary>
public ushort frag_and_flags;
/// <summary>
/// 8位生存时间 TTL
/// </summary>
public byte ttl;
/// <summary>
/// 8位协议 (TCP, UDP 或其他)
/// </summary>
public byte proto;
/// <summary>
/// 16位IP首部校验和
/// </summary>
public ushort checksum;
/// <summary>
/// 32位源IP地址
/// </summary>
public uint sourceip;
/// <summary>
/// 32位目的IP地址
/// </summary>
public uint destip;
}
/// <summary>
/// TCP数据包头结构
/// </summary>
public struct tcp_hdr
{
/// <summary>
/// 16位源端口
/// </summary>
public ushort th_sport;
/// <summary>
/// 16位目的端口
/// </summary>
public ushort th_dport;
/// <summary>
/// 32位序列号
/// </summary>
public uint th_seq;
/// <summary>
/// 32位确认号
/// </summary>
public uint th_ack;
/// <summary>
/// 4位首部长度/6位保留字
/// </summary>
public byte th_lenres;
/// <summary>
/// 6位标志位
/// </summary>
public byte th_flag;
/// <summary>
/// 16位窗口大小
/// </summary>
public ushort th_win;
/// <summary>
/// 16位校验和
/// </summary>
public ushort th_sum;
/// <summary>
/// 16位紧急数据偏移量
/// </summary>
public ushort th_urp;
}
/// <summary>
/// UDP数据包头结构
/// </summary>
public struct udp_hdr
{
/// <summary>
/// 16位源端口
/// </summary>
public ushort uh_sport;
/// <summary>
/// 16位目的端口
/// </summary>
public ushort uh_dport;
/// <summary>
/// 16位长度
/// </summary>
public ushort uh_len;
/// <summary>
/// 16位校验和
/// </summary>
public ushort uh_sum;
}
/// <summary>
/// ICMP数据包头结构
/// </summary>
public struct icmp_hdr
{
/// <summary>
/// 8位类型
/// </summary>
public byte i_type;
/// <summary>
/// 8位代码
/// </summary>
public byte i_code;
/// <summary>
/// 16位校验和
/// </summary>
public ushort i_cksum;
/// <summary>
/// 识别号(一般用进程号作为识别号)
/// </summary>
public ushort i_id;
/// <summary>
/// 报文序列号
/// </summary>
public ushort i_seq;
/// <summary>
/// 时间戳
/// </summary>
public uint i_timestamp;
}
2.创建用于监听的Raw Socket,并绑定到本地端口(必须是指定网络连接的IP地址)
IPAddress[] ipaddrs = Dns.GetHostAddresses(Environment.MachineName);
if (ipaddrs.Length <= 0)
return false;
raw = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
IPEndPoint local = new IPEndPoint(ipaddrs[0], _port);
raw.Bind(local);
3.设置Socket的参数,设置接收所有数据并包含IP头
raw.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReuseAddress, true);
raw.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
byte[] inValue = new byte[] { 1, 0, 0, 0 };
byte[] outValue = BitConverter.GetBytes(false);
raw.IOControl(IOControlCode.ReceiveAll, inValue, outValue);
4.开始接收数据
ReadStateObject state = new ReadStateObject();
state.handler = raw;
raw.BeginReceive(state.buffer,
0,
ReadStateObject.MAX_PACKET_SIZE,
SocketFlags.None,
new AsyncCallback(ReadCallback),
state);
ReadStateObject 的定义如下
/// <summary>
/// 接收网络数据的状态对象
/// </summary>
class ReadStateObject
{
/// <summary>
/// 基础网络套接字
/// </summary>
public Socket handler;
/// <summary>
/// 数据缓冲区大小
/// </summary>
public const int MAX_PACKET_SIZE = 65535;
/// <summary>
/// 接收数据的缓冲区
/// </summary>
public byte[] buffer = new byte[MAX_PACKET_SIZE];
}
5.将网络端口号由网络字节顺序转换为主机字节顺序
public static ushort ntohs(ushort netshort)
{
return (ushort)System.Net.IPAddress.NetworkToHostOrder((short)netshort);
}