Wrapping WinPCap

Hi,

I'm a bit of a novice at this but i'm running into a few problems
trying to wrap winpcap in C#. I know I can use a special socket flag
to pick up all packets across an interface but this solution needs to
work w/o an IP bound to the socket so winpcap is the only way to go
(and so I can get it working in mono). I have imported the following
functions.

[DllImport("wpcap.dll")]
public static unsafe extern IntPtr pcap_open_live(char* source, int
snaplen, int flags, int read_timeout, char* errbuf);
[DllImport("wpcap.dll", CharSet=CharSet.Ansi)]
public static extern IntPtr pcap_open_live(string source, int snaplen, int
flags, int read_timeout, StringBuffer errbuf);

Call like this:
const int PCAP_ERRBUF_SIZE = ...; // check the header files
StringBuilder errbuf = new StringBuilder(PCAP_ERRBUF_SIZE);
IntPtr handle = pcap_open_live (...,...,...,...,errbuf);
if (handle == IntPtr.Zero) Console.WriteLine( errbuf.ToString() );

[DllImport("wpcap.dll")]
public static unsafe extern char* pcap_lookupdev(char* errbuff);
[DllImport("wpcap.dll", CharSet=CharSet.Ansi)]
public static extern IntPtr pcap_lookupdev(StringBuilder errbuf);

Call like this:
StringBuilder errbuf = new StringBuilder(PCAP_ERRBUF_SIZE);
IntPtr pDev = pcap_lookupdev(errbuf);
string dev;
if (pDev != IntPtr.Zero) dev = Marshal.PtrToStringAnsi(pDev);
else Console.WriteLine ( errbuf.ToString() );

[DllImport("wpcap.dll")]
public static extern int pcap_next_ex(IntPtr p, ref pcap_pkthdr
pkt_header, StringBuilder pkt_data);
ref pcap_pkthdr means that the function can change it, but it doesn't want
to, it wants to set a pointer to a pcap_pkthdr. To be able to do that, give
a IntPtr as ref...

[DllImport("wpcap.dll")]
public static extern int pcap_next_ex(IntPtr handle, ref IntPtr pHeader, ref
IntPtr pData );

Call like this:
IntPtr pHeader = IntPtr.Zero; // pointer to header, will be set by function
IntPtr pData = IntPtr.Zero; // pointer will be set by function

int ret = pcap_next_ex( handle, ref pHeader, ref pData );
byte [] data;
pcap_pkthdr header;
if ( ret >=0 )
{
// copy structure pointed by pHeader to managed structure
Marshal.PtrToStruct ( pHeader, header );

// copy data pointed by pData to managed byte array
data = new byte[ header.len ];
Marshal.Copy ( pData, data, 0, header.len );
}

with the structs:

[StructLayout( LayoutKind.Sequential )]
public struct pcap_pkthdr
{
public timeval test;
public uint caplen;
public uint len;
}

long in c = int in c# (32bits)
[StructLayout( LayoutKind.Sequential )]
public struct timeval
{
public long tv_sec; should be public int tv_sec;
public long tv_usec; should be public int tv_usec;
}
HTH,
greetings

The problem is twofold: first my pcap_pkthdr struct comes back all out
of whack (ie, everything is zero but tv_sec which is filled with a
huge garbage number. And the string returned seems to just be junk
(around five bytes worth). I am a floundering undergrad but this is my
first attempt at interop with unmanaged code and I was wondering if
anyone sees anything I'm doing. I sincerely appriciate any help anyone
can offer.

Respectfully,
CDT Shaun Baker
sh*********@usma.edu

Thank you for your help, that short amount of code really did teach me a lot of what I was doing adn what I was doing wrong. My biggest source of confusionwas the pkt_hdr** passing. I thought I needed to declare the pkt_hdr and I
didn't quite realize that the function did the malloc'ing for me. Other than ainspection of the code, should the fact that it wanted a pointer to a pointer tipme off that it was going to handle the allocation and instantiation of the
actual datastructure?
Yes. But the best way to know is looking at c examples that use pcap
functions. The problem with signatures like pkt_hdr** is that you still
don't know who owns the memory. In case of pcap it seems that pcap always
owns the memory hence we don't free memory ourselfs...
I would assume otherwise it would just request a pointer
to it instead of a pointer-to-a-pointer. Thank you for your time, the long timein ada,c# and java has really rustied up my C skills.
Funny you mention java, because the first prototype I gave, there is a
stringbuffer which ofcourse should be a stringbuilder :)

hth,
greetings

Respectfully,
Shaun Baker

Thank you very much for your help. I got it working perfectly now. I just wanted to post a few changes that I did to get it working just in case
someone has the same problem and is reading this post later.
1. Stringbuffer = StringBuilder yes, I think it's java that's got a stringbuffer
2. In the usage of pcap_next_ex, to convert the pHeader IntPtr to a usable instance of a header I had to use the object =
Marshal.PtrToStructure(IntPtr,Type) call or I would receiver a value type
exception, by doing Pcap_PktHeader header =
(Pcap_PktHeader)Marshal.PtrToStructure(pHeader,typ eof(Pcap_PktHeader)); this
problem went away.
3. When using pcap_lookupdev(...), when trying to use Marshal.PtrToAnsiString, I kept getting a bad dev string b/c after each
letter it had a '\0' null character in the middle, very odd and I'm not sure
why that happened. Insetad I just passed the returned pointer to
pcap_open_live call

If there is a \0 after each character then this would indicate the string is
unicode. Try using PtrToStringUni, nevertheless it might be a good idea to
pass the pointer you got from open_live to lookup_dev.

Thank you agian for your help.
Glad I could help,
greetings


Respectfully,
Shaun Baker

I promise this is my last question but when i try and
You may ask as much as you want. Offcourse we won't always be able to help.
And it's a good idea to search google newsgroup archive first.
do the pcap_loop (pcap_next_ex works great) it will work a couple times
and then return with an "object reference not set to an instance" exception.
I have defined the pcap_loop function as:

[DllImport("wpcap.dll",CharSet=CharSet.Ansi)]
public static extern void pcap_loop(IntPtr p, int cnt,pcap_callback theCallback, StringBuilder user);
where the original was
int pcap_loop (pcap_t *p, int cnt, pcap_handler callback, u_char *user)

and my callback pcap_handler is:
public delegate void pcap_callback(IntPtr user, IntPtr pkt_header, IntPtr pkt_data);
where the original was
typedef void(* pcap_handler )(u_char *user, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data)
I tried to use StringBuilder instead of IntPtr but the pkt_data that I got back(when I >got it didn't crash, was just a null reference), so I changed the
You should use an IntPtr because the framework has no idea that the size of
the data is inside header.len. It can't pin or copy by itself.
u_char* to IntPtr and the allocate a byte array of header.len size and convertthat to a string. I can't seem to figure out why it would work sometimes, it almostseems as if it's randomly screwing up the callback pointer. Thank you very muchfor the continued help, I am learning quite a bit about how this all works.
You don't tell us how you use the pcap_loop function. The only reason I
know this could happen is because you create a delegate instance inside the
function call. The managed code should keep a reference otherwise the GC
will cleanup the delegate instance...

pcap_loop (...., ..., new pcap_callback(...), ...); // bad

// pcap_callback_del would be a class variable or static variable
pcap_callback_del = new pcap_callback(...);
pcap_loop (...,..., pcap_callback_del, ..., ..);

HTH,
greetings

Respectfully,
CDT Shaun Baker