在本地网络上嗅探安卓设备的 TCP 数据包

Question

我正在使用 C# 和 PcapDotNet 编写数据包嗅探器，我已经成功实现了该功能，并且能够从我的笔记本电脑捕获所有 TCP 数据包，问题是如果我针对我的 android 设备，我根本没有收到任何数据包, 我是网络初学者，所以我想我可能遗漏了一些东西。

这是我的数据包处理程序代码，我正在使用带有模型对象的 ObjectListView，该模型对象包含我想要列出的所有信息，而且我的网络适配器处于混杂模式，带有 Berkeley 过滤器，仅获取 TCP 数据包端口号 443 和 80，包含来自特定 Mac 地址的数据（无 SYN、FIN、仅 ACK 数据包）

代码：

        private void PacketHandler(PcapDotNet.Packets.Packet packet)
        {
            if (packet == null) { return; }
            if (packet.Ethernet == null) { return; }
            if (packet.Ethernet.IpV4 == null) { return; }
            if (packet.Ethernet.IpV4.Tcp == null) { return; }
            if (packet.Ethernet.IpV4.Tcp.Http == null) { return; }

            var acpacket = new AcceptedPacket(); //Model Object
            acpacket.Packet = packet;
            try
            {
                HttpDatagram http = packet.Ethernet.IpV4.Tcp.Http;
                if (packet.Ethernet.Source.ToString() == targetmac)
                {
                    if (http.IsRequest && http.IsValid)
                    {
                        if (materialListView1.InvokeRequired)
                        {
                            materialListView1.BeginInvoke(new Action(() => { 
                            materialListView1.AddObject(acpacket); }));
                        }
                        else
                        {
                            materialListView1.AddObject(acpacket);
                        }
                        ListofAcceptedPackets.Add(acpacket);
                    }
                }
            }
            catch (Exception ex)
            {
                MetroMessageBox.Show(this, ex.Message, "Error", 
                MessageBoxButtons.OK,
                        MessageBoxIcon.Error);
            }
        }

这就是我打开适配器的方式：

    using (communicator =
  selectedDevice.Open(65536,PacketDeviceOpenAttributes.Promiscuous,
   1000))
    {
        if (communicator.DataLink.Kind != 
        DataLinkKind.Ethernet)
        {
            if (MetroMessageBox.Show(this, "Only Ethernet is supported in this operation!","Error", MessageBoxButtons.OK,MessageBoxIcon.Error) == DialogResult.OK)
                    {
                    return;
                    }
        }

        using (BerkeleyPacketFilter filter = communicator.CreateFilter($"tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and ether src {targetmac.ToLower()} or tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) and ether src {targetmac.ToLower()}"))
        {
        communicator.SetFilter(filter);
        }

        flag = true;


        Packet packet;
        do
        {
            PacketCommunicatorReceiveResult result = 
            communicator.ReceivePacket(out packet);
            switch (result)
            {
                case 
                PacketCommunicatorReceiveResult.Timeout:
                continue;

                case 
                PacketCommunicatorReceiveResult.Ok:
                {
                    PacketHandler(packet);
                }
                    break;

                default:
                    break;
            }
        } while (flag);

}     

我也尝试不使用任何过滤器，但无法访问 android 设备数据包。 那么除了我自己的设备之外，是否可以从网络上的其他设备捕获 TCP 数据包？还是我的实现有问题？

编辑： 在尝试了更多之后，我能够成功地从 android 设备获取 TCP 数据包，但只能同时实施 ARP 缓存中毒，因为设备认为我是网关.所以我的问题是，这可以在没有 ARP 缓存中毒的情况下完成吗，因为我认为这对于数据包嗅探器来说有点激进。

Answer 1

我终于能够通过应用 ARP 缓存中毒使其工作，而下面的代码能够将任何设备的数据包重定向到它们的目的地，这样你就可以捕获网络上任何设备的数据包，而不会丢失互联网访问用于此设备。

代码：

   private void StartSniffer()
        {

            RawCapture rawCapture;
            do
            {
                if ((rawCapture = capturedevice.GetNextPacket()) != null)
                {
                    EthernetPacket Packet = PacketDotNet.Packet.ParsePacket(rawCapture.LinkLayerType, rawCapture.Data) as EthernetPacket;
                    if (Packet == null) { return; }

                    AcceptedPacket acPacket = new AcceptedPacket();
                    acPacket.Packet = Packet;

                    if (Packet.SourceHwAddress.Equals(TargetMAC))
                    {
                        Packet.SourceHwAddress = capturedevice.MacAddress;
                        Packet.DestinationHwAddress = GatewayMAC;
                        capturedevice.SendPacket(Packet);

                        if (acPacket.TCPPacket != null &&
                            ((acPacket.Type.Equals("HTTPS") && acPacket.TCPPacket.PayloadData != null) ||
                             (acPacket.Type.Equals("HTTP") && acPacket.TCPPacket.PayloadData != null)))
                        {

                            materialListView1.BeginInvoke(new Action(() =>
                            {
                                materialListView1.AddObject(acPacket);

                                if (materialListView1.Items.Count > 15 && !ResizeDone)
                                {
                                    olvColumn8.MaximumWidth = 65;
                                    olvColumn8.MinimumWidth = 65;
                                    olvColumn8.Width = 65;
                                    ResizeDone = true;
                                }

                                ListofAcceptedPackets.Add(acPacket);

                            }));

                        }
                    }

                    else if (Packet.SourceHwAddress.Equals(GatewayMAC))
                    {
                        IPv4Packet IPV4 = Packet.Extract(typeof(IPv4Packet)) as IPv4Packet;

                        if (IPV4.DestinationAddress.Equals(Target))
                        {
                            Packet.SourceHwAddress = capturedevice.MacAddress;
                            Packet.DestinationHwAddress = TargetMAC;
                            capturedevice.SendPacket(Packet);
                        }

                        if (Properties.Settings.Default.PacketDirection == "Inbound")
                        {
                            if (acPacket.TCPPacket != null &&
                                ((acPacket.Type.Equals("HTTPS") && acPacket.TCPPacket.PayloadData != null) ||
                                 (acPacket.Type.Equals("HTTP") && acPacket.TCPPacket.PayloadData != null)))
                            {
                                materialListView1.BeginInvoke(new Action(() =>
                                {
                                    materialListView1.AddObject(acPacket);

                                    if (materialListView1.Items.Count > 15 && !ResizeDone)
                                    {
                                        olvColumn8.MaximumWidth = 65;
                                        olvColumn8.MinimumWidth = 65;
                                        olvColumn8.Width = 65;
                                        ResizeDone = true;
                                    }

                                    ListofAcceptedPackets.Add(acPacket);


                                }));
                            }
                        }
                    }
                }

            } while (snifferStarted);

这是捕获设备设置：

 try
    {
        snifferStarted = true;
        if (capturedevice != null)
        {
            capturedevice.Open(DeviceMode.Promiscuous, 1000);

                capturedevice.Filter = $"(ip and ether src {targetmac.ToLower()}) or (ip and ether src {gatewayMAC.ToLower()} and dst net {Target})";

            new Thread(() => { StartSniffer(); }).Start();
        }
        else
        {
            MetroMessageBox.Show(this, "No Capture Device is selected!", "Error", MessageBoxButtons.OK,
                MessageBoxIcon.Error);
        }
    }
    catch (Exception exception)
    {
        MetroMessageBox.Show(this, exception.Message, "Error", MessageBoxButtons.OK,
            MessageBoxIcon.Error);
    }

注意：这是使用 Packet.Net 而不是 PcapDotNet 完成的。