
I am using the latest version of Pcap.Net to capture network traffic on my local PC's Ethernet card. I am using the following code to capture all traffic associated with a specific MAC address.

```csharp
private void bwCapture_DoWork(object sender, DoWorkEventArgs e)
{
    capture = true;
    IList<LivePacketDevice> allDevices = LivePacketDevice.AllLocalMachine;

    if (allDevices.Count == 0)
    {
        MessageBox.Show("No interfaces found!");
        return;
    }

    if (capture)
    {
        // Print the list
        for (int i = 0; i != allDevices.Count; ++i)
        {
            LivePacketDevice device = allDevices[i];
            // Copy the number: the delegate runs later on the UI thread, after i has changed
            int number = i + 1;
            this.BeginInvoke((Action)delegate () { cmbNetworkDevice.Items.Add(number + ". " + device.Name); });
        }

        // Take the selected adapter
        PacketDevice selectedDevice = allDevices[deviceSelected];

        // Open the device
        using (PacketCommunicator communicator = selectedDevice.Open(65536, // portion of the packet to capture
                                PacketDeviceOpenAttributes.Promiscuous,     // promiscuous mode
                                50))                                        // read timeout
        {
            this.BeginInvoke((Action)delegate () { rtbCaptured.Text = "Listening on " + selectedDevice.Description + Environment.NewLine; });
            // Retrieve the packets
            Packet packet;
            while (capture)
            {
                try
                {
                    BerkeleyPacketFilter filter = communicator.CreateFilter("ether host <<MAC ADDRESS>> and tcp port 2000");
                    communicator.SetFilter(filter);
                    PacketCommunicatorReceiveResult result = communicator.ReceivePacket(out packet);

                    switch (result)
                    {
                        case PacketCommunicatorReceiveResult.Timeout:
                            // Timeout elapsed
                            continue;
                        case PacketCommunicatorReceiveResult.Ok:
                            // Copy the reference: the shared variable is overwritten by the
                            // next ReceivePacket call before the UI thread runs this delegate
                            Packet received = packet;
                            this.BeginInvoke((Action)delegate ()
                            {
                                IpV4Datagram ip = received.Ethernet.IpV4;
                                TcpDatagram tcp = ip.Tcp;
                                if (tcp != null && ip != null)
                                {
                                    string IPCheck = ip.Source.ToString();
                                    int PortCheck = tcp.DestinationPort;
                                    // ip.Protocol is the protocol field of this datagram
                                    dgvIncomingPackets.Rows.Add(received.Timestamp.ToString("MM-dd-yyyy hh:mm:ss"), received.Length, tcp.SequenceNumber, ip.Protocol, ip.Source, tcp.SourcePort, ip.Destination, tcp.DestinationPort);
                                    rtbPacketDeconstruct.Text = WordWrap(ProcessString(received.BytesSequenceToHexadecimalString()), 47);
                                    string convertThis = ProcessString(received.BytesSequenceToHexadecimalString());
                                    dgvIncomingPackets.FirstDisplayedScrollingRowIndex = dgvIncomingPackets.RowCount - 1;
                                }
                                else
                                {
                                    rtbCaptured.Text += "Error : TCP Null Value" + Environment.NewLine;
                                }
                            });
                            break;
                        default:
                            throw new InvalidOperationException("The result " + result + " should never be reached here");
                    }
                }
                catch (Exception ex)
                {
                    this.BeginInvoke((Action)delegate ()
                    { rtbCaptured.Text += "Exception : " + ex; });
                }
            }
        }
    }
}
```

The code above works however it is not detecting all of the skinny events. When viewing the network traffic with Wireshark, I am able to see the condition changes in a Cisco 7960 IP Phone, including off hook, lamp messages, displaynotification messages.

While these packets are registered in Wireshark on my PC they appear not to be captured using the code above.

My understanding is that skinny uses TCP ports 2000 and 49828 for communication between CUCM and the device. My code does see the TCP ACK and WHOAMI packets. The MAC address being monitored in the Cisco IP Phone. My PC is connected to this device through the built-in hub on the device. (This isn't the issue, because Wireshark is showing the events on my PC where my code is not.)

[Image: WireShark Capture of Incoming Call]

[Image: My Programs Capture of Incoming Call]

What am I missing here? I am a novice to programming and learning on the fly here. (As such, I am aware my code isn't the cleanest or well written.)

Thanks,

Deadphoenix
  • Since skinny is a proprietary protocol from Cisco, unless an expert in the field passes through the neighborhood, I'm afraid you'll be on your own here. Even Wireshark support is [partial](https://wiki.wireshark.org/SKINNY), and they do not have a sample trace as a reference that we may look at. – jbm Sep 09 '15 at 15:40
  • ...on the other hand, by looking at the dissector source code, I see that [they also use port 2443](https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-skinny.c;h=bc6bdeac1d56f34afbda77625b13cdf7b568b351;hb=HEAD#l61). I'd try to add that to your filter. Other than that, I'd suggest you patiently look at the details of your Wireshark trace to understand why/what your filter does not match. – jbm Sep 09 '15 at 15:41
  • I will open that up and see if I capture more information. – Deadphoenix Sep 09 '15 at 15:52
  • Nothing additional showing up while adding port 2443. Regardless of the proprietary nature, shouldn't I at least see a packet/frame for the skinny protocol when listening in promiscuous mode to that network adapter, like in Wireshark? – Deadphoenix Sep 09 '15 at 16:28
  • You stated in your question: "The code above works however it is not detecting all of the skinny events." I understood you captured something, something partial, but something. But now you say, "shouldn't I at least see a packet/frame", I understand you see nothing. Please be consistent and precise. – jbm Sep 09 '15 at 16:40
  • What I would do: remove the filtering (communicator.CreateFilter() and communicator.SetFilter()). If you don't see anything: there's something you're doing wrong with Pcap.Net API, and I can't help you there. If you do see something: there's something wrong with your filter: as I suggested, carefully inspect the Wireshark trace to understand the criterion on which they decide it's SKINNY, whereas you don't. – jbm Sep 09 '15 at 16:40
  • I actually just removed the filter as I deduced that is where the information was being filtered out. I am now seeing additional events. However, I am still not seeing specific events. I am going to do as you suggest and inspect the Wireshark trace further. – Deadphoenix Sep 09 '15 at 16:49
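
An added example, not part of the original thread: one way to carry out the comparison suggested in the comments is to take raw frames from an unfiltered capture and report, per frame, which clause of `ether host <MAC> and tcp port 2000` rejects it. The MAC addresses and frames below are constructed placeholders, the function names are hypothetical, and the check is a simplified IPv4-only model of the filter's semantics, not libpcap's compiler.

```python
import struct

def explain(frame: bytes, mac: bytes, port: int) -> str:
    """Return 'match', or the first clause of
    'ether host <mac> and tcp port <port>' that the frame fails (IPv4 only)."""
    if len(frame) < 34:
        return "truncated: too short for Ethernet + IPv4 headers"
    if mac not in (frame[0:6], frame[6:12]):
        return "ether host: MAC is neither destination nor source"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        return f"tcp: EtherType 0x{ethertype:04x} is not IPv4"
    ip = frame[14:]
    if ip[9] != 6:
        return f"tcp: IP protocol {ip[9]} is not TCP"
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return "tcp port: non-first fragment carries no TCP header"
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if len(ip) < ihl + 4:
        return "truncated: TCP ports missing"
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if port not in (sport, dport):
        return f"tcp port: {sport}->{dport} does not include {port}"
    return "match"

def make_frame(dst, src, sport, dport, proto=6, tag=b""):
    """Build a minimal constructed Ethernet/IPv4/TCP frame for the demo."""
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, proto, 0, 0]) + bytes(8)
    tcp = struct.pack("!HH", sport, dport) + bytes(16)
    return dst + src + tag + b"\x08\x00" + ip + tcp

# Constructed placeholder addresses, not values from the question.
PHONE = bytes.fromhex("001122334455")
CUCM = bytes.fromhex("66778899aabb")
OTHER = bytes.fromhex("0a0b0c0d0e0f")

SAMPLES = [
    make_frame(CUCM, PHONE, 49828, 2000),                  # phone -> port 2000
    make_frame(PHONE, CUCM, 2443, 49828),                  # port 2443 traffic
    make_frame(CUCM, OTHER, 49828, 2000),                  # different host
    make_frame(CUCM, PHONE, 49828, 2000,
               tag=bytes.fromhex("8100006e")),             # 802.1Q-tagged frame
]

def triage(frames, mac=PHONE, port=2000):
    """Explain every frame against the filter from the question."""
    return [explain(f, mac, port) for f in frames]

if __name__ == "__main__":
    for verdict in triage(SAMPLES):
        print(verdict)
```

Feeding it the bytes of frames that Wireshark shows but the filtered capture drops points at the clause to relax.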
