Retrieve just the packet data


Trevor Reed

Jun 2, 2021, 5:22:31 PM
to Pcap.Net Q&A
Hello all,

I'm trying to retrieve only the data of a packet that I've received. The packet can come in on a loopback adapter or Ethernet adapter. Here's an example of a packet that I want to get the data from viewed in Wireshark:

help.png
The data layer is highlighted.
I can't seem to find a way to strip the other layers out and just get to the underlying data. At first I tried removing this header with a hard-coded number. This worked fine whenever I receive packets on my Wi-Fi adapter, like in the example above where the header is 42 bytes long. But then, if I try using the same code to receive on the loopback adapter for debugging, the header's size is different, so I end up truncating part of the data that I need.
I've tried poking around the different layers and datagrams and such, and I've come up short. I can't seem to find a single, distinct way to know exactly how long the headers/layers before the data are so I can strip them off. 
I did stumble across an internal member, "StartOffset", when watching a local Datagram variable while debugging in Visual Studio which seems to have what I need. By getting the payload datagram via:

Datagram payloadDgram = packet.IpV4.Udp.Payload;

Inspecting payloadDgram shows this StartOffset member, and it appears to be the length that I need to cut off of Data to get what I want. But both StartOffset and the Data are not accessible members, so I'm confused how they even exist...

Anyway, how can I go about doing this?

Trevor Reed

Jun 2, 2021, 7:54:16 PM
to Pcap.Net Q&A
I've determined that each layer in the packet before the data has a certain byte length. I can determine how much to shave off my message if I know each layer present in the packet. For example, in the example given in my first message, there are three layers: Ethernet, IPv4, and UDP. They are 14 bytes, 20 bytes, and 8 bytes long, respectively. This gives us a total length of 42 bytes for the headers/layers until I can get to my data. Here's an example of a packet I'm trying to receive on my loopback adapter:
help2.png
This packet has a null/loopback layer, IPv4, and UDP. They are 4 bytes, 20 bytes, and 8 bytes long, respectively, for a total of 32 bytes.
It seems the byte-length of every layer is pre-defined, so if I can know exactly what layers the packet I've received is made up of, then I can know exactly how many bytes to strip off the front of the payload.
Is there a way to know this without assuming? It's safe to say I can know the first layer, Ethernet or loopback, based on the adapter I'm listening on. But how can I be sure that the message I'm receiving is UDP or TCP? Or even IPv4 or IPv6? What if there are other layers I don't foresee?
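
The totals worked out in the post above (14 + 20 + 8 on Ethernet, 4 + 20 + 8 on loopback) hold only while every header has its minimum size; the IP version, the header lengths and the next protocol are all encoded in the headers themselves. The following is an added example, not part of the original thread and not Pcap.Net code: it reads those fields from the raw frame bytes and rejects what it does not recognise, and `LinkKind`, `PayloadLocator`, `FindPayloadOffset` and `Need` are hypothetical names.

```csharp
using System;
public enum LinkKind { Ethernet, NullLoopback }      // hypothetical names

public static class PayloadLocator
{
    // Offset of the first application-data byte in a raw captured frame.
    public static int FindPayloadOffset(byte[] frame, LinkKind link)
    {
        int off = 4;                                 // null/loopback: 4-byte family field
        if (link == LinkKind.Ethernet)
        {
            Need(frame, 14);
            int etherType = (frame[12] << 8) | frame[13];
            if (etherType != 0x0800 && etherType != 0x86DD)
                throw new NotSupportedException("not IPv4/IPv6 (VLAN tags are not handled)");
            off = 14;
        }
        Need(frame, off + 20);
        int version = frame[off] >> 4, protocol;     // read the IP version, do not assume it
        if (version == 4)
        {
            int ihl = (frame[off] & 0x0F) * 4;       // 20 bytes only when there are no options
            if (ihl < 20) throw new FormatException("bad IPv4 header length");
            if ((((frame[off + 6] & 0x1F) << 8) | frame[off + 7]) != 0)
                throw new NotSupportedException("later fragment: no UDP/TCP header present");
            protocol = frame[off + 9]; off += ihl;
        }
        else if (version == 6)
        {
            Need(frame, off + 40);
            protocol = frame[off + 6]; off += 40;    // extension headers are not walked here
        }
        else throw new NotSupportedException("not an IP packet");
        if (protocol == 17) { Need(frame, off + 8); return off + 8; }   // UDP: fixed 8 bytes
        if (protocol != 6) throw new NotSupportedException("protocol " + protocol);
        Need(frame, off + 20);
        int tcpLen = (frame[off + 12] >> 4) * 4;     // TCP data offset: 20 to 60 bytes
        if (tcpLen < 20) throw new FormatException("bad TCP data offset");
        return off + tcpLen;
    }

    static void Need(byte[] f, int n) { if (f.Length < n) throw new FormatException("truncated frame"); }
    public static void Main()
    {
        // Constructed frame: loopback family + IPv4 (IHL 5, protocol 17) + UDP + 2 data bytes.
        byte[] f = new byte[34]; f[0] = 2; f[4] = 0x45; f[13] = 17;
        Console.WriteLine(FindPayloadOffset(f, LinkKind.NullLoopback));
    }
}
```

The end of the data needs the same care as the start: short Ethernet frames carry trailing padding, so take the payload length from the UDP length field or the IP total length rather than from the captured frame length.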

Trevor Reed

Jun 3, 2021, 11:28:55 AM
to Pcap.Net Q&A
Also, as a side thing, why does checking the DataKind of a Null/loopback adapter throw an exception?? Why not just return some default value or something? It's tedious to rely on try-catch for a single case when checking the datalink type.