
I managed to capture the content of the file trafficked across the network, however I am unable to capture the file name.

using System;
using System.Text;
using SharpPcap;

class Program
{
    static void Main(string[] args)
    {
        // Retrieve the device list
        CaptureDeviceList devices = CaptureDeviceList.Instance;

        // Open every available network device and start capturing on it
        foreach (ICaptureDevice dev in devices)
        {
            // Extract a device from the list
            ICaptureDevice device = dev;

            // Register our handler function to the
            // 'packet arrival' event
            device.OnPacketArrival += device_OnPacketArrival;

            // Open the device for capturing
            const int readTimeoutMilliseconds = 1000;
            device.Open(DeviceMode.Promiscuous, readTimeoutMilliseconds);

            // Start the capturing process
            device.StartCapture();
        }

        // Keep capturing until a key is pressed
        Console.ReadKey();

        // Stop and release every device we opened
        foreach (var dev in CaptureDeviceList.Instance)
        {
            dev.StopCapture();
            dev.Close();
        }
    }

    private static void device_OnPacketArrival(object sender, CaptureEventArgs e)
    {
        // e.Packet is the raw capture; Data is the whole frame, link-layer header included
        var data = Encoding.ASCII.GetString(e.Packet.Data);
        //HERE! When it exists, I need to get the file name that was trafficked (eg. FileName.docx).
    }
}

How can I get the file name with SharpPcap when intercepting file access protocols (NFS | SMB | AFP)?

Vinicius Gonçalves

1 Answer

Where is the file name in the packets?

It depends on the protocol used to transfer the file.

If it's HTTP, it'll probably be in the GET request to fetch the file or the PUT or POST to send it, but there's no guarantee of that.

If it's FTP, it'll be in the STOR or RETR command to send or fetch the file.

If it's a file access protocol such as NFS or SMB or AFP, it'll be in the request used to look up or open the file for reading or writing.

Note also that the raw packet data has a whole bunch of stuff in it that's not file contents. A program to get file names and contents from a network trace will probably have at least 100 times the amount of code you wrote above; it will not be an easy program to write.

That program will have to interpret the link-layer, IP, and TCP or UDP headers in the packet data, as well as the ONC RPC headers for NFS, NetBIOS-over-TCP or SMB-over-TCP headers for SMB, DSI headers for AFP, and the protocol headers for NFS, SMB, and AFP. It will then have to recognize the lookup or open requests for files and figure out which read and write requests are on which files, and reassemble the data being read or written, based on the file offsets in the read and write requests, to get the file data.
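The following is an added example, not part of the answer above and not SharpPcap or PacketDotNet code; it is a Python stand-in for what the C# `device_OnPacketArrival` handler would have to do, written to illustrate the two points the answer makes: the file name lives in a protocol-specific request (FTP `RETR`/`STOR`, an HTTP `GET`/`PUT`/`POST` request line, an SMB2 `CREATE` request), and reaching it means walking the Ethernet, IPv4 and TCP headers first, then the NetBIOS session and SMB2 headers for SMB. Assumptions made here: the destination port (21, 80, 445) is used as the protocol hint, frames are hand-constructed with zero checksums, each request fits in a single TCP segment (no stream reassembly), and only SMB2 is handled, not NFS/AFP.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses, clear on requests


def tcp_payload(frame):
    """Walk Ethernet -> IPv4 -> TCP headers; return (dst_port, payload) or None."""
    if len(frame) < ETH_HDR_LEN + 40:  # minimum IPv4 + TCP header
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP or total_len > len(ip) or ihl + 20 > total_len:
        return None
    tcp = ip[ihl:total_len]  # honour the IP length so Ethernet padding is dropped
    dst_port = struct.unpack_from("!H", tcp, 2)[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_off:]


def filename_from_ftp(payload):
    """FTP control channel: the name is the argument of RETR (fetch) or STOR (send)."""
    verb, _, arg = payload.split(b"\r\n", 1)[0].partition(b" ")
    if verb.upper() in (b"RETR", b"STOR") and arg:
        return arg.decode("ascii", "replace")
    return None


def filename_from_http(payload):
    """HTTP request line: take the last path segment of GET/PUT/POST (a heuristic only)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in (b"GET", b"PUT", b"POST") and parts[2].startswith(b"HTTP/"):
        name = parts[1].split(b"?", 1)[0].rsplit(b"/", 1)[-1]
        return name.decode("ascii", "replace") or None
    return None


def filename_from_smb2(payload):
    """SMB over TCP/445: NetBIOS session header, SMB2 header, then a CREATE request."""
    if len(payload) < 4 + 64 or payload[0] != 0x00:  # NetBIOS "session message"
        return None
    smb = payload[4:]
    if smb[:4] != b"\xfeSMB":
        return None
    command = struct.unpack_from("<H", smb, 12)[0]
    flags = struct.unpack_from("<I", smb, 16)[0]
    if command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None  # only client CREATE requests carry the path
    body = smb[64:]
    if len(body) < 56 or struct.unpack_from("<H", body, 0)[0] != 57:
        return None
    name_off, name_len = struct.unpack_from("<HH", body, 44)  # relative to SMB2 header
    if name_off + name_len > len(smb):
        return None
    return smb[name_off:name_off + name_len].decode("utf-16-le", "replace")


PARSERS = {21: filename_from_ftp, 80: filename_from_http, 445: filename_from_smb2}


def filename_from_frame(frame):
    """Return the file name a single captured frame names, or None."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return None
    dst_port, payload = parsed
    parser = PARSERS.get(dst_port)
    return parser(payload) if parser and payload else None


# --- constructed sample input (not captured traffic) ---------------------------
def build_frame(dst_port, payload):
    """Ethernet + minimal IPv4 + 20-byte TCP header around payload; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def build_smb2_create(name, response=False):
    """NetBIOS + SMB2 header + CREATE request (or a response shell, for the negative case)."""
    name_bytes = name.encode("utf-16-le")
    flags = SMB2_FLAGS_SERVER_TO_REDIR if response else 0
    hdr = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_CREATE, 1, flags, 0,
                                   1, 0, 1, 1) + b"\x00" * 16
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x80, 0, 7, 1, 0x40,
                       64 + 56, len(name_bytes), 0, 0) + name_bytes
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    samples = [
        build_frame(21, b"RETR quarterly-report.docx\r\n"),
        build_frame(80, b"PUT /uploads/budget.xlsx HTTP/1.1\r\nHost: files.example\r\n\r\n"),
        build_frame(445, build_smb2_create("finance\\payroll.csv")),
    ]
    for frame in samples:
        print(filename_from_frame(frame))
```

The part this deliberately leaves out is what the answer says is the bulk of the work: following the TCP stream so that a request split across segments is still parsed, tying each FTP data connection or SMB2 FileId back to the name seen in its request, and reassembling the read/write data by file offset. Port-based dispatch and the HTTP basename are also only hints; a service on a non-standard port is missed and a download named by `Content-Disposition` is not seen. The SMB2 offsets used (command at 12 and flags at 16 in the 64-byte header, `NameOffset`/`NameLength` at 44 in the 57-byte CREATE request, name in UTF-16LE) are the ones from the published SMB2 specification.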