Getting Started with SharpPcap: A Beginner’s Guide to Packet Capture in C#


Packet capture is a core skill for network engineering, security monitoring, and diagnostic tool development. In the .NET ecosystem, SharpPcap is the most widely used open-source library for capturing, injecting, and analyzing network packets. This guide walks you through setting up SharpPcap and writing your first packet sniffer.

What is SharpPcap?

SharpPcap is a C# wrapper around the native packet capture libraries. It bridges the gap between managed .NET code and low-level network interfaces by calling into WinPcap or Npcap (Windows) or libpcap (Linux/macOS) through P/Invoke, so the same C# code runs on every platform that has one of those libraries installed. It lets developers:

- List physical and virtual network interfaces.
- Capture live network traffic in real time.
- Filter traffic using Berkeley Packet Filter (BPF) syntax, evaluated by the driver before packets are copied to your process.
- Analyze protocol headers (Ethernet, IPv4, IPv6, TCP, UDP) together with its companion parsing library, PacketDotNet.
- Inject custom packets back into the network.

Prerequisites

Before writing any C# code, your environment requires a native packet capture driver to interact with your network hardware.

Install Npcap (Windows): Download and install Npcap. During installation, make sure to check the option for “Install Npcap in WinPcap API-compatible Mode” if you want maximum compatibility.

Install libpcap (Linux/macOS): On Linux, use your package manager (e.g., sudo apt-get install libpcap-dev on Ubuntu); the -dev package provides the unversioned libpcap.so symlink that SharpPcap loads. On macOS, libpcap ships with the operating system and nothing needs to be installed.

IDE: Visual Studio 2022 or VS Code with the .NET 8.0 SDK (or later) installed.

Setting Up Your Project

Create a new C# Console Application and add the required library via NuGet.

Using the dotnet CLI:

```shell
dotnet new console -n PacketSnifferApp
cd PacketSnifferApp
dotnet add package SharpPcap
```

Using the Visual Studio Package Manager Console:

```powershell
Install-Package SharpPcap
```

Step-by-Step Implementation

Because packet capture opens the network adapter at the driver level, the process needs elevated rights. On Linux, run the application as root, or grant the published executable the CAP_NET_RAW and CAP_NET_ADMIN capabilities with setcap so it does not have to run as root. On macOS, the process needs read access to the /dev/bpf* devices (root, or membership in the access_bpf group that Wireshark's ChmodBPF helper sets up). On Windows, Npcap lets any user capture unless you selected "Restrict Npcap driver's access to Administrators only" during installation; if you did, run your IDE or console window as Administrator. Without the required rights, listing or opening a device fails with a permission error rather than silently returning no packets.

1. Listing Available Network Interfaces

The first step is identifying which network adapter to monitor. SharpPcap provides a device list collection for this purpose.

```csharp
using System;
using SharpPcap;

class Program
{
    static void Main(string[] args)
    {
        // Retrieve the list of available network devices
        var devices = CaptureDeviceList.Instance;
        if (devices.Count < 1)
        {
            Console.WriteLine("No devices found. Make sure Npcap/libpcap is installed.");
            return;
        }

        Console.WriteLine("Available Network Devices:");
        int i = 0;
        foreach (var dev in devices)
        {
            // Name is the OS identifier (eth0, \Device\NPF_{...}); Description is human-readable
            // and may be null on Linux.
            Console.WriteLine($"[{i}] {dev.Name} - {dev.Description}");
            i++;
        }
    }
}
```

2. Opening a Device and Capturing Packets

Once you know the index of your active adapter (usually your Wi-Fi or Ethernet card), you can open it in Promiscuous Mode. This mode tells the adapter to pass up every frame it receives, not just frames addressed to your local machine. Keep in mind that on a switched network the switch only forwards broadcast, multicast, and frames destined for your port, so promiscuous mode alone does not show you other hosts' unicast traffic; for that you need a SPAN/mirror port or a tap. Some Wi-Fi drivers and virtual adapters also ignore the promiscuous flag.

```csharp
using System;
using SharpPcap;

class Program
{
    static void Main(string[] args)
    {
        var devices = CaptureDeviceList.Instance;

        // Select the first device for this example; replace the index with the one you found above
        var device = devices[0];

        // Register the event handler for arriving packets
        device.OnPacketArrival += new PacketArrivalEventHandler(Device_OnPacketArrival);

        // Open the device in Promiscuous Mode with a 1000ms read timeout
        int readTimeoutMilliseconds = 1000;
        device.Open(DeviceModes.Promiscuous, readTimeoutMilliseconds);
        Console.WriteLine($"-- Listening on {device.Description}...");

        // Start the asynchronous capture process (runs on a background thread)
        device.StartCapture();

        Console.WriteLine("Press Enter to stop capturing...");
        Console.ReadLine();

        // Clean up and close the device safely
        device.StopCapture();
        device.Close();
    }

    // This function executes on the capture thread whenever a packet is intercepted
    private static void Device_OnPacketArrival(object sender, PacketCapture e)
    {
        // GetPacket() copies the bytes out of the capture buffer into a RawCapture
        var rawPacket = e.GetPacket();

        // Extract basic metrics
        DateTime time = rawPacket.Timeval.Date;
        int len = rawPacket.Data.Length;
        Console.WriteLine($"[{time.ToLongTimeString()}] Captured {len} bytes of raw data.");
    }
}
```

3. Parsing Packet Data

Raw byte counts are useful, but analyzing the actual protocols inside the packet provides real insight. While you can manually parse byte arrays, the companion library PacketDotNet simplifies header extraction. Install it via NuGet:

```shell
dotnet add package PacketDotNet
```

Update your Device_OnPacketArrival method to safely parse the Ethernet and IP layers:

```csharp
private static void Device_OnPacketArrival(object sender, PacketCapture e)
{
    var rawPacket = e.GetPacket();

    // Parse the raw bytes starting at the link layer the device reports (Ethernet, loopback, ...)
    var packet = PacketDotNet.Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data);

    // Extract the IP layer; returns null for non-IP frames such as ARP
    var ipPacket = packet.Extract<PacketDotNet.IPPacket>();
    if (ipPacket != null)
    {
        System.Net.IPAddress srcIp = ipPacket.SourceAddress;
        System.Net.IPAddress dstIp = ipPacket.DestinationAddress;
        var protocol = ipPacket.Protocol;   // IPv4 protocol / IPv6 next-header value
        Console.WriteLine($"{srcIp} -> {dstIp} | Protocol: {protocol}");
    }
}
```

Best Practices for Beginners

Use Filtering Early: Capturing everything on a busy gigabit network will quickly overwhelm application memory. Set device.Filter = "tcp port 80"; right after opening a device (the filter is compiled against the open handle, so setting it before Open() fails) to drop unwanted traffic in the kernel or the Npcap driver before it is copied into your process.

Keep Event Handlers Fast: The OnPacketArrival event fires on the capture thread, one call per packet. Heavy processing, disk writing, or UI rendering inside this method delays the next read and makes the driver drop packets once its buffer fills. Call e.GetPacket() inside the handler, which copies the bytes into a RawCapture object, and hand that object to a thread-safe queue (for example ConcurrentQueue or BlockingCollection) for background parsing; the PacketCapture argument itself only refers to the capture buffer for the duration of the callback and must not be stored.

Manage Permissions: If CaptureDeviceList.Instance comes back empty, or Open() throws a PcapException mentioning permissions, verify that your IDE or console window is running with the rights described above (Administrator on Windows when Npcap was installed in restricted mode, root or the setcap capabilities on Linux, /dev/bpf access on macOS).
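The three steps above and these best practices, combined into one program. This is an added example written for this guide, not code from the SharpPcap or PacketDotNet projects. It selects the adapter by a name or description fragment passed on the command line rather than blindly using devices[0], applies a BPF filter after Open() (the default "tcp or udp" and the queue capacity of 10,000 are assumptions for the example), copies each packet out of the callback with GetPacket() into a bounded BlockingCollection, and parses TCP/UDP headers on a separate thread. The device.Statistics counters printed at the end are libpcap's own received/dropped figures; comparing them with the queue-drop counter tells kernel-side loss apart from loss caused by a consumer that is too slow.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using PacketDotNet;
using SharpPcap;

class Program
{
    // Bounded so a slow consumer cannot grow memory without limit; when it is full
    // the loss is counted instead of blocking the capture thread (assumed capacity).
    static readonly BlockingCollection<RawCapture> Pending = new BlockingCollection<RawCapture>(10_000);
    static long queueDrops;

    static void Main(string[] args)
    {
        var devices = CaptureDeviceList.Instance;
        if (devices.Count < 1)
        {
            Console.WriteLine("No devices found. Make sure Npcap/libpcap is installed.");
            return;
        }

        // Usage: PacketSnifferApp <device-name-or-description-fragment> [bpf-filter]
        string? wanted = args.Length > 0 ? args[0] : null;
        string filter = args.Length > 1 ? args[1] : "tcp or udp";   // assumed default filter
        ILiveDevice? device = wanted == null ? null : devices.FirstOrDefault(d =>
            d.Name.Contains(wanted, StringComparison.OrdinalIgnoreCase) ||
            (d.Description ?? "").Contains(wanted, StringComparison.OrdinalIgnoreCase));
        if (device == null)
        {
            Console.WriteLine("No matching device. Available devices:");
            for (int i = 0; i < devices.Count; i++)
                Console.WriteLine($"[{i}] {devices[i].Name} - {devices[i].Description}");
            return;
        }

        // counts is written only by the consumer thread and read after Join(), so no lock is needed.
        var counts = new Dictionary<string, long>();
        var consumer = new Thread(() => Consume(counts)) { IsBackground = true, Name = "parser" };
        consumer.Start();

        // Stay fast on the capture thread: copy the bytes out and enqueue, never parse here.
        device.OnPacketArrival += (sender, e) =>
        {
            if (!Pending.TryAdd(e.GetPacket()))
                Interlocked.Increment(ref queueDrops);
        };

        device.Open(DeviceModes.Promiscuous, 1000);
        device.Filter = filter;   // compiled BPF, evaluated by the kernel/driver; must follow Open()
        device.StartCapture();
        Console.WriteLine($"-- Listening on {device.Description ?? device.Name} with filter \"{filter}\". Press Enter to stop.");
        Console.ReadLine();

        device.StopCapture();
        var stats = device.Statistics;   // libpcap's per-session counters
        device.Close();
        Pending.CompleteAdding();
        consumer.Join();

        Console.WriteLine($"received={stats.ReceivedPackets} kernelDropped={stats.DroppedPackets} queueDropped={queueDrops}");
        foreach (var kv in counts.OrderByDescending(kv => kv.Value))
            Console.WriteLine($"{kv.Key,-8} {kv.Value}");
    }

    static void Consume(Dictionary<string, long> counts)
    {
        foreach (var raw in Pending.GetConsumingEnumerable())
        {
            // PacketDotNet walks Ethernet -> IPv4/IPv6 -> TCP/UDP for us.
            var packet = Packet.ParsePacket(raw.LinkLayerType, raw.Data);
            var ip = packet.Extract<IPPacket>();
            if (ip == null) continue;   // ARP and other non-IP frames

            var tcp = packet.Extract<TcpPacket>();
            var udp = packet.Extract<UdpPacket>();
            string key = tcp != null ? "TCP" : udp != null ? "UDP" : ip.Protocol.ToString();
            counts[key] = counts.TryGetValue(key, out var n) ? n + 1 : 1;

            string src = ip.SourceAddress.ToString(), dst = ip.DestinationAddress.ToString();
            if (tcp != null) { src += $":{tcp.SourcePort}"; dst += $":{tcp.DestinationPort}"; }
            else if (udp != null) { src += $":{udp.SourcePort}"; dst += $":{udp.DestinationPort}"; }

            Console.WriteLine($"[{raw.Timeval.Date:HH:mm:ss.fff}] {key,-4} {src} -> {dst} ({raw.Data.Length} bytes)");
        }
    }
}
```

Run it as, for example, PacketSnifferApp eth0 "udp port 53" to watch DNS only. If kernelDropped grows while queueDropped stays at zero, the capture thread itself is too slow (or the filter is too broad); if queueDropped grows, the parser thread is the bottleneck and the queue capacity or the per-packet work needs to change.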

Now that you can capture and parse incoming network traffic, you can expand this foundation to build complex applications. Try modifying your code to log specific traffic patterns to a text file, count protocol distributions, or implement a basic alert system that flags unexpected inbound connections.
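One way to build the "basic alert system" suggested above, as an added example that is not part of the original guide or the PacketDotNet project. The Check method flags the first SYN of an inbound TCP handshake to your own address on any port outside an allow-list, which is the signature of a connection attempt you did not expect (a port scan, or a service you did not know was listening). So that it runs offline, the test frames are hand-built Ethernet/IPv4/TCP headers with constructed addresses from the documentation ranges and zero checksums (PacketDotNet does not verify checksums when parsing); in a live sniffer you would call Check from Device_OnPacketArrival with the packet returned by Packet.ParsePacket.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.Net;
using PacketDotNet;

static class InboundConnectionAlert
{
    // Returns an alert line for a new inbound TCP connection attempt (SYN set, ACK clear)
    // aimed at localAddress on a port that is not on the allow-list; otherwise null.
    public static string? Check(Packet packet, IPAddress localAddress, ISet<ushort> allowedPorts)
    {
        var ip = packet.Extract<IPPacket>();
        var tcp = packet.Extract<TcpPacket>();
        if (ip == null || tcp == null) return null;
        if (!ip.DestinationAddress.Equals(localAddress)) return null; // not addressed to this host
        if (!tcp.Synchronize || tcp.Acknowledgment) return null;      // only the first SYN of a handshake
        if (allowedPorts.Contains(tcp.DestinationPort)) return null;  // expected service
        return $"ALERT inbound {ip.SourceAddress}:{tcp.SourcePort} -> {ip.DestinationAddress}:{tcp.DestinationPort} (SYN to unexpected port)";
    }

    // Constructed test input: a minimal 54-byte Ethernet/IPv4/TCP frame with no options.
    public static byte[] BuildTcpFrame(string src, ushort srcPort, string dst, ushort dstPort, byte tcpFlags)
    {
        var frame = new byte[14 + 20 + 20];
        var s = frame.AsSpan();
        // Ethernet: destination MAC, source MAC, EtherType 0x0800 (IPv4)
        new byte[] { 0x02, 0, 0, 0, 0, 2 }.CopyTo(s[0..6]);
        new byte[] { 0x02, 0, 0, 0, 0, 1 }.CopyTo(s[6..12]);
        BinaryPrimitives.WriteUInt16BigEndian(s[12..14], 0x0800);
        // IPv4 header (checksum left zero)
        s[14] = 0x45;                                             // version 4, IHL 5 (20 bytes)
        BinaryPrimitives.WriteUInt16BigEndian(s[16..18], 40);     // total length = 20 IP + 20 TCP
        s[22] = 64;                                               // TTL
        s[23] = 6;                                                // protocol = TCP
        IPAddress.Parse(src).GetAddressBytes().CopyTo(s[26..30]);
        IPAddress.Parse(dst).GetAddressBytes().CopyTo(s[30..34]);
        // TCP header (sequence/ack numbers and checksum left zero)
        BinaryPrimitives.WriteUInt16BigEndian(s[34..36], srcPort);
        BinaryPrimitives.WriteUInt16BigEndian(s[36..38], dstPort);
        s[46] = 0x50;                                             // data offset 5 (20 bytes)
        s[47] = tcpFlags;                                         // 0x02 = SYN, 0x12 = SYN+ACK
        BinaryPrimitives.WriteUInt16BigEndian(s[48..50], 65535);  // window
        return frame;
    }

    static void Main()
    {
        var local = IPAddress.Parse("192.0.2.10");               // this host (constructed)
        var allowed = new HashSet<ushort> { 22, 443 };           // services we expect to be reachable
        var samples = new (string label, byte[] frame)[]
        {
            ("ssh from admin host",     BuildTcpFrame("192.0.2.50",   51000, "192.0.2.10",  22,    0x02)),
            ("probe of an unused port", BuildTcpFrame("198.51.100.7", 40000, "192.0.2.10",  4444,  0x02)),
            ("our own outbound SYN",    BuildTcpFrame("192.0.2.10",   52000, "203.0.113.5", 80,    0x02)),
            ("reply to our connection", BuildTcpFrame("203.0.113.5",  80,    "192.0.2.10",  52000, 0x12)),
        };

        foreach (var (label, frame) in samples)
        {
            var packet = Packet.ParsePacket(LinkLayers.Ethernet, frame);
            Console.WriteLine($"{label,-26} {Check(packet, local, allowed) ?? "ok"}");
        }
        // Only "probe of an unused port" produces an alert; the outbound SYN is ignored because
        // it is not addressed to us, and the SYN+ACK is ignored because ACK is set.
    }
}
```

Keying on SYN-without-ACK rather than on every packet keeps the alert to one line per connection attempt, and checking the destination address first means the same code works on a mirror port without flagging other hosts' traffic. To turn this into a scan detector, count distinct destination ports per source address over a time window instead of alerting on each SYN.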

