How can I recognize ICMP/ARP packets in pcap.net/SharpPcap?

Question

So this is really strange. I've tried multiple expressions but I have not yet found a proper boolean expression to recognize if a packet is an ICMP or ARP packet. I've tried

packet.ipv4.icmp != null

which resulted in the program entering the block even though the packet is not ICMP I've also tried

packet.ipv4.Protocol == IpV4Protocol.InternetControlMessageProtocol

but then the program never enters the block even though the packet is ICMP any ideas?

score 0 · Accepted Answer · answered Oct 24 '15 at 09:03

Assuming we talk about ARP over Ethernet packet vs. ICMP over IPv4 over Ethernet packet:

1) Check if the packet is Ethernet.

if (packet.DataLink.Kind == DataLinkKind.Ethernet) {

2) Check if the Ethernet packet is ARP or IPv4:

if (packet.Ethernet.EtherType == EthernetType.IpV4) {

if (packet.Ethernet.EtherType == EthernetType.Arp) {

3) If this is IPv4, check if it is ICMP:

if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.InternetControlMessageProtocol) {

You might want to check before doing all of the above if the packet is valid.

if (packet.IsValid) {

Which should guarantee that you won't get null references while evaluating the above.

How can I recognize ICMP/ARP packets in pcap.net/SharpPcap?

1 Answers1