How to understand whether a packet is a TCP CLOSE packet with SharpPcap


I am trying to read packets that are sent from the clients to the server. I am using SharpPcap in C#. How can I understand that a packet is a TCP CLOSE packet in this event:

    private static void device_OnPacketArrival(object sender, CaptureEventArgs e)
    {           
        var time = e.Packet.Timeval.Date;
        var len = e.Packet.Data.Length;

        var packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);

        var tcpPacket = PacketDotNet.TcpPacket.GetEncapsulated(packet);
        if(tcpPacket != null)
        {
            var ipPacket = (PacketDotNet.IpPacket)tcpPacket.ParentPacket;
            System.Net.IPAddress srcIp = ipPacket.SourceAddress;
            System.Net.IPAddress dstIp = ipPacket.DestinationAddress;
            int srcPort = tcpPacket.SourcePort;
            int dstPort = tcpPacket.DestinationPort;

            Console.WriteLine("{0}:{1}:{2},{3} Len={4} {5}:{6} -> {7}:{8}", 
                time.Hour, time.Minute, time.Second, time.Millisecond, len,
                srcIp, srcPort, dstIp, dstPort);
        }
    }

There is 1 answer

Philip Stuyck (best answer)

A TCP close is represented in the TCP protocol by a FIN. There is going to be a 4-way handshake to close both ends of a TCP connection. Both ends will each send a FIN, and the peer will ACK it. You should be able to see this with your capturing framework.

Perhaps you can find some hints here on how to implement this via the API: http://www.codeproject.com/Articles/12458/SharpPcap-A-Packet-Capture-Framework-for-NET
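The FIN exchange described in the answer can be read straight from the captured bytes. The following is an added example, not part of the original answer or of SharpPcap: it reads the TCP flags byte from a raw frame and tracks, per connection, whether one or both ends have sent a FIN. The names `TcpCloseTracker`, `Inspect` and `Frame` are hypothetical, the sample frames are constructed, and it assumes Ethernet II frames carrying IPv4.

```csharp
using System;
using System.Collections.Generic;

// Added example; TcpCloseTracker, Inspect and Frame are hypothetical names.
static class TcpCloseTracker
{
    const byte FinFlag = 0x01;   // lowest bit of the TCP flags byte
    // Connection key -> directions that have sent a FIN (1 = lower endpoint, 2 = higher).
    static readonly Dictionary<string, int> finSeen = new Dictionary<string, int>();

    // Returns null (no FIN), "FIN" (first FIN on a connection) or
    // "FIN-BOTH" (the peer has now sent its FIN too). Assumes Ethernet II + IPv4.
    public static string Inspect(byte[] f)
    {
        if (f.Length < 34 || f[12] != 0x08 || f[13] != 0x00) return null; // EtherType IPv4
        int ihl = (f[14] & 0x0F) * 4;                                   // IP header length
        if ((f[14] >> 4) != 4 || ihl < 20 || f[23] != 6) return null;   // protocol 6 = TCP
        if ((((f[20] & 0x1F) << 8) | f[21]) != 0) return null;          // later fragment: no TCP header
        int tcp = 14 + ihl;
        if (f.Length < tcp + 14 || (f[tcp + 13] & FinFlag) == 0) return null;
        string src = Endpoint(f, 26, tcp), dst = Endpoint(f, 30, tcp + 2);
        bool srcLow = string.CompareOrdinal(src, dst) < 0;
        string key = srcLow ? src + "|" + dst : dst + "|" + src;       // same key in both directions
        finSeen.TryGetValue(key, out int seen);
        seen |= srcLow ? 1 : 2;
        if (seen == 3) { finSeen.Remove(key); return "FIN-BOTH"; }
        finSeen[key] = seen;
        return "FIN";
    }

    static string Endpoint(byte[] f, int addr, int port) =>
        $"{f[addr]}.{f[addr + 1]}.{f[addr + 2]}.{f[addr + 3]}:{(f[port] << 8) | f[port + 1]}";

    // Constructed sample frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header.
    static byte[] Frame(byte srcLast, ushort sport, byte dstLast, ushort dport, byte flags)
    {
        var f = new byte[54];
        f[12] = 0x08; f[14] = 0x45; f[23] = 6;                 // IPv4, IHL 5, TCP
        f[26] = 10; f[29] = srcLast; f[30] = 10; f[33] = dstLast; // 10.0.0.x addresses
        f[34] = (byte)(sport >> 8); f[35] = (byte)sport; f[36] = (byte)(dport >> 8); f[37] = (byte)dport;
        f[46] = 0x50; f[47] = flags;                           // data offset 5, TCP flags
        return f;
    }

    static void Main()
    {
        Console.WriteLine(Inspect(Frame(1, 50000, 2, 80, 0x18)) ?? "none"); // PSH+ACK data segment
        Console.WriteLine(Inspect(Frame(1, 50000, 2, 80, 0x11)));           // FIN+ACK from the client
        Console.WriteLine(Inspect(Frame(2, 80, 1, 50000, 0x11)));           // FIN+ACK from the server
    }
}
```

In the handler from the question, the same check can be applied by passing `e.Packet.Data` to `Inspect`. The second FIN still has to be acknowledged by the peer before the connection is fully closed.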