
XML C# XPath - Network Packets

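I am currently trying to use XML, C# and XPath for packet filtering. The aim is to map each unique IP source address and see which IP destinations it has been communicating with.

The aim is to view the list of sources and destinations on a form, using a list box or a property grid.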

public void LoadPackets()
    {
      var xmlDoc2 = new XmlDocument();
      xmlDoc2.Load("Packets.xml");

      foreach (XmlNode packet in xmlDoc2.DocumentElement)
       {
         var node = xmlDoc2.SelectSingleNode("pdml/packet/proto/field[@name='ip.src']/@show");                 
         ipsrc = node.Value;
         var node2 = xmlDoc2.SelectSingleNode("pdml/packet/proto/field[@name='ip.dst']/@show");
         string ipdst = node2.Value;
         list.Items.Add(ipsrc);
         list.Items.Add(ipdst);
       }
    }

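It currently finds the IP source and destination, but it repeats the same IP source and destination when adding them to the list box. There are different IP sources and destinations that are not being added.

Each packet looks like this in the XML: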

<packet>
<proto name="geninfo" pos="0" showname="General information" size="54">
  <field name="num" pos="0" show="1" showname="Number" value="1" size="54"/>
  <field name="len" pos="0" show="54" showname="Frame Length" value="36" size="54"/>
  <field name="caplen" pos="0" show="54" showname="Captured Length" value="36" size="54"/>
  <field name="timestamp" pos="0" show="Aug  4, 2014 14:18:24.053628000 GMT Daylight Time" showname="Captured Time" value="1407158304.053628000" size="54"/>
</proto>
<proto name="frame" showname="Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0" size="54" pos="0">
  <field name="frame.interface_id" showname="Interface id: 0 (\Device\NPF_{F1D229D2-3ADA-4820-85D2-FCE7FB5D24E5})" size="0" pos="0" show="0"/>
  <field name="frame.encap_type" showname="Encapsulation type: Ethernet (1)" size="0" pos="0" show="1"/>
  <field name="frame.time" showname="Arrival Time: Aug  4, 2014 14:18:24.053628000 GMT Daylight Time" size="0" pos="0" show="&quot;Aug  4, 2014 14:18:24.053628000 GMT Daylight Time&quot;"/>
  <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
  <field name="frame.time_epoch" showname="Epoch Time: 1407158304.053628000 seconds" size="0" pos="0" show="1407158304.053628000"/>
  <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
  <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
  <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
  <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
  <field name="frame.len" showname="Frame Length: 54 bytes (432 bits)" size="0" pos="0" show="54"/>
  <field name="frame.cap_len" showname="Capture Length: 54 bytes (432 bits)" size="0" pos="0" show="54"/>
  <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
  <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
  <field name="frame.protocols" showname="Protocols in frame: eth:ethertype:ip:tcp" size="0" pos="0" show="eth:ethertype:ip:tcp"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: 78:e4:00:f9:ea:83 (78:e4:00:f9:ea:83), Dst: 98:8b:5d:b9:50:70 (98:8b:5d:b9:50:70)" size="14" pos="0">
  <field name="eth.dst" showname="Destination: 98:8b:5d:b9:50:70 (98:8b:5d:b9:50:70)" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070">
    <field name="eth.dst_resolved" showname="Destination (resolved): 98:8b:5d:b9:50:70" hide="yes" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070"/>
    <field name="eth.addr" showname="Address: 98:8b:5d:b9:50:70 (98:8b:5d:b9:50:70)" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070"/>
    <field name="eth.addr_resolved" showname="Address (resolved): 98:8b:5d:b9:50:70" hide="yes" size="6" pos="0" show="98:8b:5d:b9:50:70" value="988b5db95070"/>
    <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="988b5d"/>
    <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="988b5d"/>
  </field>
  <field name="eth.src" showname="Source: 78:e4:00:f9:ea:83 (78:e4:00:f9:ea:83)" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83">
    <field name="eth.src_resolved" showname="Source (resolved): 78:e4:00:f9:ea:83" hide="yes" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83"/>
    <field name="eth.addr" showname="Address: 78:e4:00:f9:ea:83 (78:e4:00:f9:ea:83)" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83"/>
    <field name="eth.addr_resolved" showname="Address (resolved): 78:e4:00:f9:ea:83" hide="yes" size="6" pos="6" show="78:e4:00:f9:ea:83" value="78e400f9ea83"/>
    <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="78e400"/>
    <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="78e400"/>
  </field>
  <field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="2048" value="0800"/>
</proto>
<proto name="ip" showname="Internet Protocol Version 4, Src: 192.168.1.204 (192.168.1.204), Dst: 162.159.242.165 (162.159.242.165)" size="20" pos="14">
  <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
  <field name="ip.hdr_len" showname="Header Length: 20 bytes" size="1" pos="14" show="20" value="45"/>
  <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))" size="1" pos="15" show="0" value="00">
    <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
    <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
  </field>
  <field name="ip.len" showname="Total Length: 40" size="2" pos="16" show="40" value="0028"/>
  <field name="ip.id" showname="Identification: 0x1cf1 (7409)" size="2" pos="18" show="7409" value="1cf1"/>
  <field name="ip.flags" showname="Flags: 0x02 (Don&apos;t Fragment)" size="1" pos="20" show="2" value="40">
    <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="20" show="0" value="40"/>
    <field name="ip.flags.df" showname=".1.. .... = Don&apos;t fragment: Set" size="1" pos="20" show="1" value="40"/>
    <field name="ip.flags.mf" showname="..0. .... = More fragments: Not set" size="1" pos="20" show="0" value="40"/>
  </field>
  <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="4000"/>
  <field name="ip.ttl" showname="Time to live: 128" size="1" pos="22" show="128" value="80"/>
  <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="23" show="6" value="06"/>
  <field name="ip.checksum" showname="Header checksum: 0x8625 [validation disabled]" size="2" pos="24" show="34341" value="8625">
    <field name="ip.checksum_good" showname="Good: False" size="2" pos="24" show="0" value="8625"/>
    <field name="ip.checksum_bad" showname="Bad: False" size="2" pos="24" show="0" value="8625"/>
  </field>
  <field name="ip.src" showname="Source: 192.168.1.204 (192.168.1.204)" size="4" pos="26" show="192.168.1.204" value="c0a801cc"/>
  <field name="ip.addr" showname="Source or Destination Address: 192.168.1.204 (192.168.1.204)" hide="yes" size="4" pos="26" show="192.168.1.204" value="c0a801cc"/>
  <field name="ip.src_host" showname="Source Host: 192.168.1.204" hide="yes" size="4" pos="26" show="192.168.1.204" value="c0a801cc"/>
  <field name="ip.host" showname="Source or Destination Host: 192.168.1.204" hide="yes" size="4" pos="26" show="192.168.1.204" value="c0a801cc"/>
  <field name="ip.dst" showname="Destination: 162.159.242.165 (162.159.242.165)" size="4" pos="30" show="162.159.242.165" value="a29ff2a5"/>
  <field name="ip.addr" showname="Source or Destination Address: 162.159.242.165 (162.159.242.165)" hide="yes" size="4" pos="30" show="162.159.242.165" value="a29ff2a5"/>
  <field name="ip.dst_host" showname="Destination Host: 162.159.242.165" hide="yes" size="4" pos="30" show="162.159.242.165" value="a29ff2a5"/>
  <field name="ip.host" showname="Source or Destination Host: 162.159.242.165" hide="yes" size="4" pos="30" show="162.159.242.165" value="a29ff2a5"/>
  <field name="" show="Source GeoIP: Unknown" size="4" pos="26" value="c0a801cc"/>
  <field name="" show="Destination GeoIP: Unknown" size="4" pos="30" value="a29ff2a5"/>
</proto>
<proto name="tcp" showname="Transmission Control Protocol, Src Port: 6287 (6287), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 0" size="20" pos="34">
  <field name="tcp.srcport" showname="Source Port: 6287 (6287)" size="2" pos="34" show="6287" value="188f"/>
  <field name="tcp.dstport" showname="Destination Port: 443 (443)" size="2" pos="36" show="443" value="01bb"/>
  <field name="tcp.port" showname="Source or Destination Port: 6287" hide="yes" size="2" pos="34" show="6287" value="188f"/>
  <field name="tcp.port" showname="Source or Destination Port: 443" hide="yes" size="2" pos="36" show="443" value="01bb"/>
  <field name="tcp.stream" showname="Stream index: 0" size="0" pos="34" show="0"/>
  <field name="tcp.len" showname="TCP Segment Len: 0" size="1" pos="46" show="0" value="50"/>
  <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="b99b3a34"/>
  <field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="42" show="1" value="bd9a09d0"/>
  <field name="tcp.hdr_len" showname="Header Length: 20 bytes" size="1" pos="46" show="20" value="50"/>
  <field name="tcp.flags" showname=".... 0000 0001 0000 = Flags: 0x010 (ACK)" size="2" pos="46" show="16" value="10" unmaskedvalue="5010">
    <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="50"/>
    <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="50"/>
    <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
    <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
    <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
    <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="10"/>
    <field name="tcp.flags.push" showname=".... .... 0... = Push: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
    <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
    <field name="tcp.flags.syn" showname=".... .... ..0. = Syn: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
    <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="10"/>
  </field>
  <field name="tcp.window_size_value" showname="Window size value: 67" size="2" pos="48" show="67" value="0043"/>
  <field name="tcp.window_size" showname="Calculated window size: 67" size="2" pos="48" show="67" value="0043"/>
  <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -1 (unknown)" size="2" pos="48" show="-1" value="0043"/>
  <field name="tcp.checksum" showname="Checksum: 0x8253 [validation disabled]" size="2" pos="50" show="33363" value="8253">
    <field name="tcp.checksum_good" showname="Good Checksum: False" size="2" pos="50" show="0" value="8253"/>
    <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="50" show="0" value="8253"/>
  </field>
  <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="52" show="0" value="0000"/>
</proto>
 </packet>

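I know it is long, but that is the format it comes in. What is the best way to make the IP source a unique identifier while adding the IP sources to a list? It needs to be able to do this for every packet in the file.

Thanks, Tom.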

I think the @name of <field> is unique in all the packets, so I applied the following XPath:

XmlNode node = xmlDoc2.DocumentElement;
var results = node.SelectNodes("//field[@name='ip.src']");
foreach (XmlNode result in results)
{
    Console.WriteLine(result.Attributes["show"].Value); 
}

--SJ
