views:

34

answers:

2

how can I parse a UDP packet in .NET?

I'm using PCap.Net to capture packets, in this case UDP packets, which I can access from the PCap.net object via (PcapDotNet.packets.Ethernet.IpV4.Udp).

How can I take the results, the Udp packet, and parse this? In particular to unbundle DNS requests and responses that occur that are housed within a UDP packet.

Is there a library that could help here?

EDIT: To be more specific what I want to be able to do is extract the IP address from the DNS response, and based on examination using Wireshark it would be by:

(a) Input: Payload of a UDP packet that is a DNS response

(b) Processing: Parse out the DNS response portion of the UDP packet. Find the Answers portion, within this find the answer record for which the type is A (Host Address) [not a CNAME record], then with this answer record get the IP address.

(c) Return: The IP address from the DNS response.

A: 

From PCAP.Net:

Pcap.Net.DevelopersPack.0.7.0.46671.x64\src\InterpretingThePackets\Program.cs

            // Compile the filter
            using (BerkeleyPacketFilter filter = communicator.CreateFilter("ip and udp"))
            {
                // Set the filter
                communicator.SetFilter(filter);
            }

            Console.WriteLine("Listening on " + selectedDevice.Description + "...");

            // start the capture
            communicator.ReceivePackets(0, PacketHandler);
    }


    // Callback function invoked by libpcap for every incoming packet
    private static void PacketHandler(Packet packet)
    {
        // print timestamp and length of the packet
        Console.WriteLine(packet.Timestamp.ToString("yyyy-MM-dd hh:mm:ss.fff") + " length:" + packet.Length);

        IpV4Datagram ip = packet.Ethernet.IpV4;
        UdpDatagram udp = ip.Udp;

        // print ip addresses and udp ports
        Console.WriteLine(ip.Source + ":" + udp.SourcePort+ " -> " + ip.Destination + ":" + udp.DestinationPort);
    }

Isn't it enough?

Vasiliy Borovyak
@Vasiliy - I'm ok getting down to the UDP packet with PCap.Net, but it's parsing the detail of a UDP packet that is carrying DNS responses I'm interested in. Basically want to be able to have a DNS response UDP packet, then parse it to obtain the IP address(es?) within the Answer records of the DNS packet which are Type A (not Type CNAME). So basically being able to parse out the DNS portion of a UDP/DNS packet.
Greg
Now the question is more clear. Well, several years ago I was able to extract IPs from DNS packets. All I used is some RFCs. Try this: http://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__PARSING.htm
Vasiliy Borovyak
A: 

I found the following project which had the code to do this

http://www.codeproject.com/KB/IP/dnslookupdotnet.aspx

The Response.cs class in particular. Also note there is a bug in the code but the comments on the page highlight where this is.

Greg