easypcap

Introduction

easypcap is a simple (<500 lines of code), pure managed-code interface for reading offline pcap files. This allows you to write and distribute applications that read things like Wireshark dump files on machines that do not have Wireshark or WinPcap installed. It was developed against the .NET Framework 4.0, but should work on any .NET Framework version 2.0 or higher. Mono support is assumed, although untested. It is written in C# and supports all mainstream CLR languages (C#, VB.NET, F#, C++/CLI, etc.).

Examples

Reading packets is very easy since PcapFile instances are iterable.

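// Open the capture file and iterate over every packet in it.
PcapFile dump = new PcapFile("dump.pcap");
foreach (PcapPacket packet in dump)
	Console.WriteLine("{0}.{1}: Packet is {2} bytes", packet.Seconds, packet.Microseconds, packet.Data.Length);
dump.Close(); // release the file handle when done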

Another option is to call ReadPacket yourself until it returns null.

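PcapFile dump = new PcapFile("dump.pcap");
PcapPacket packet = null;
// ReadPacket returns null once there are no more packets to read.
while ((packet = dump.ReadPacket()) != null)
	Console.WriteLine("{0}.{1}: Packet is {2} bytes", packet.Seconds, packet.Microseconds, packet.Data.Length);
dump.Close(); // release the file handle when done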

Limitations

License

In the spirit of libpcap, and since the openness of libpcap allowed the managed interface to be easily written, easypcap is released under the BSD license. Other than mapping constants, easypcap shares no code with libpcap.

Updates

Kevin Grover has kindly submitted several bug fixes, which include adding an explicit Close method to PcapFile and a bug fix for reading pcap files with non-native endianness. If you downloaded easypcap before 11/19/11, you should consider downloading this update.
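
The non-native byte-order case comes down to the magic number at the start of a pcap file. The following is an added example, not easypcap's source code: a minimal classic-pcap reader (the names Record, PcapSketch and MaxLen are hypothetical) that picks the byte order from the magic number and bounds each record length before allocating, run here on a constructed big-endian capture.

```csharp
using System.Collections.Generic;
using System.IO;
// Added illustration, not easypcap source code. All names here are hypothetical.
class Record { public uint Seconds, Microseconds; public byte[] Data; }

static class PcapSketch
{
    const uint Magic = 0xA1B2C3D4;   // classic pcap, microsecond timestamps
    const uint MaxLen = 262144;      // sanity cap chosen for this example
    // Decode a 32-bit field in the byte order the file was written in.
    static uint U32(byte[] b, int o, bool bigEndian)
    {
        return bigEndian
            ? (uint)b[o] << 24 | (uint)b[o + 1] << 16 | (uint)b[o + 2] << 8 | b[o + 3]
            : (uint)b[o + 3] << 24 | (uint)b[o + 2] << 16 | (uint)b[o + 1] << 8 | b[o];
    }

    public static IEnumerable<Record> Read(Stream s)
    {
        var r = new BinaryReader(s);
        byte[] h = r.ReadBytes(24);                      // global file header
        if (h.Length < 24) throw new InvalidDataException("truncated file header");
        bool be = U32(h, 0, true) == Magic;              // writer was big-endian
        if (!be && U32(h, 0, false) != Magic)
            throw new InvalidDataException("not a classic pcap file");
        while (true)
        {
            byte[] p = r.ReadBytes(16);                  // per-packet header
            if (p.Length == 0) yield break;              // clean end of file
            if (p.Length < 16) throw new InvalidDataException("truncated record header");
            uint incl = U32(p, 8, be);                   // bytes stored in the file
            // Never trust a length field from the file: bound it before allocating.
            if (incl > MaxLen)
                throw new InvalidDataException("record length " + incl + " out of range");
            byte[] data = r.ReadBytes((int)incl);
            if (data.Length < incl) throw new InvalidDataException("truncated packet");
            yield return new Record { Seconds = U32(p, 0, be), Microseconds = U32(p, 4, be), Data = data };
        }
    }
    static void Main()
    {
        // Constructed big-endian capture: 24-byte header plus one 4-byte packet.
        byte[] file = {
            0xA1,0xB2,0xC3,0xD4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0xFF,0xFF, 0,0,0,1,
            0,0,0,1, 0,0,0,2, 0,0,0,4, 0,0,0,4, 0xDE,0xAD,0xBE,0xEF };
        foreach (Record rec in Read(new MemoryStream(file)))
            System.Console.WriteLine("{0}.{1}: Packet is {2} bytes", rec.Seconds, rec.Microseconds, rec.Data.Length);
    }
}
```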

Download

Download easypcap (zip file)

Last updated: 11/19/11

Feedback

Questions or comments about easypcap? Let me know @timpinkawa