Looking For A Packet Description Language (Preferably With A C# Implementation) [closed]
I am in the process of developing a special-purpose network tool with some packet sniffing and decoding capabilities. I am looking for languages designed to assist in the dissection/decoding of arbitrary packet formats. Ideally, the solution should be based on open standards. There are related questions on SO, but most deal with the full lifecycle of packet sniffing (I don't care so much about the capture, there are other libraries that do that well).
In general, what I'm looking for is a language and supporting framework for the declarative definition of packet formats and corresponding run-time decoding. Because this problem can be generalized to any non-network binary data, a solution that does this for arbitrary binary streams would also be in scope. I am a little surprised no such standard currently exists in a mature and robust state (at least that I could find) - though there seem to be a lot of interesting but not-quite-right and almost-there projects (see below). Perhaps that speaks to the difficulty of the problem, or maybe to a lack of demand.
By way of example, I'm interested in technologies and ideas similar to the following (in no particular order):
- Packet.Net - Does the job of converting from binary packet representations to structures, but the dissectors are all hard-coded and it doesn't appear to be able to handle more complex formats.
- DFDL - I've been following this one for a while and was even participating in teleconferences a year or so ago. The standard seems to be reaching maturity, but implementation appears to be challenging. Not that I mind getting my hands dirty, but I'm not sure I've got the resources on this project to implement such a wide-ranging standard from scratch for this purpose.
- Network Monitor Open Source Parsers - This project describes packets using a C-like syntax for use by Microsoft Network Monitor. It has a lot of packets already defined and the language appears robust enough to support complex structures. Unfortunately, the only implementation of an execution engine is in NetMon and while the grammar for the language could probably be reverse-engineered, implementing a processing engine might be very difficult. I also worry that because of the explicit tie between the parser language and the NetMon tool there are non-general aspects to the language that would make it inappropriate for use in other tools.
- NetPDL - This one looks very interesting, but development seems to have languished. It's also not totally clear how to make use of the execution engine outside of their own environment.
- Wireshark Dissectors - I've thought about wrapping/using native Wireshark Dissectors for this purpose, but they are tied pretty closely to Wireshark itself. The dissectors also use code to perform most of the decoding, which is a little counter to what I'm looking for - I'd prefer something that's a little more declarative (though obviously there's a balance since complex packet structures often require switching and other logic to determine the final makeup).
- BSDL - An academic language similar in concept to DFDL (see above). Interesting and in the right direction, but outside of a couple papers nothing else seems to exist.
I'm not necessarily looking for a complete solution here (though if someone knows of one I haven't covered, that would be great). I'm more interested in comments or anecdotes about the technologies I've indicated above as well as pointers or ideas for routes I haven't thought of or covered.
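As an added illustration of the "declarative format definition plus generic run-time decoder" idea the question asks about (this is not code from the question or from any of the projects it lists, and it is in Python rather than C# purely for brevity): a tiny hypothetical field-spec DSL, a constructed example protocol that needs a length reference and a switch on an earlier field, and a decoder that walks the spec and refuses truncated input, unknown selector values and length fields that disagree with the bytes actually consumed. The DSL, the protocol and the sample packets are all constructed for this example.

```python
import struct
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical mini-DSL (constructed for this example, not any real standard):
# a format is a list of (name, kind, arg) field specs, where kind is
#   "u8" / "u16" / "u32"  fixed-width big-endian integer, arg unused
#   "bytes"               variable-length field; arg names an earlier field holding its length
#   "switch"              arg is (selector_field, {selector_value: sub_format}); picks a
#                         sub-format from the value of an earlier field
FieldSpec = Tuple[str, str, Any]

# Constructed example protocol: a 4-byte header followed by a type-dependent body.
HEADER_FORMAT: List[FieldSpec] = [
    ("version", "u8", None),
    ("msg_type", "u8", None),
    ("length", "u16", None),  # total packet length, cross-checked after decoding
    ("body", "switch", ("msg_type", {
        1: [("session_id", "u32", None), ("flags", "u8", None)],
        2: [("payload_len", "u8", None), ("payload", "bytes", "payload_len")],
    })),
]

_INT_FORMATS = {"u8": ">B", "u16": ">H", "u32": ">I"}


class DecodeError(ValueError):
    """Raised for truncated input, unknown selector values, or length mismatches."""


def decode(fmt: List[FieldSpec], data: bytes, offset: int = 0,
           scope: Optional[Dict[str, Any]] = None) -> Tuple[Dict[str, Any], int]:
    """Decode `data` from `offset` according to `fmt`; return (fields, end_offset).

    `scope` holds every field decoded so far, including enclosing levels, so that
    length and switch references can look up earlier values.
    """
    fields: Dict[str, Any] = {}
    scope = dict(scope or {})
    for name, kind, arg in fmt:
        if kind in _INT_FORMATS:
            st = struct.Struct(_INT_FORMATS[kind])
            if offset + st.size > len(data):
                raise DecodeError(f"truncated at field {name!r}")
            (value,) = st.unpack_from(data, offset)
            offset += st.size
        elif kind == "bytes":
            n = scope[arg]
            if offset + n > len(data):
                raise DecodeError(f"truncated at field {name!r}: need {n} more bytes")
            value = bytes(data[offset:offset + n])
            offset += n
        elif kind == "switch":
            selector_field, cases = arg
            selector = scope[selector_field]
            if selector not in cases:
                raise DecodeError(f"no case for {selector_field}={selector}")
            value, offset = decode(cases[selector], data, offset, scope)
        else:
            raise DecodeError(f"unknown field kind {kind!r}")
        fields[name] = value
        scope[name] = value
    return fields, offset


def decode_packet(data: bytes) -> Dict[str, Any]:
    """Decode one packet and cross-check the declared length against the bytes consumed."""
    fields, end = decode(HEADER_FORMAT, data)
    if fields["length"] != end:
        raise DecodeError(f"declared length {fields['length']} != consumed {end}")
    return fields


def decode_or_error(data: bytes) -> Dict[str, Any]:
    """Report failures as a value rather than an exception, which is handier for bulk runs."""
    try:
        return {"fields": decode_packet(data)}
    except DecodeError as exc:
        return {"error": str(exc)}


# Constructed sample packets (not captured traffic).
SESSION_PKT = bytes.fromhex("01 01 0009 deadbeef 03")    # type 1: session_id + flags
DATA_PKT = bytes.fromhex("01 02 0009 04 41424344")       # type 2: 4-byte payload "ABCD"
TRUNCATED_PKT = bytes.fromhex("01 02 0009 04 4142")      # payload cut short
UNKNOWN_TYPE_PKT = bytes.fromhex("01 07 0004")           # no case for msg_type 7

if __name__ == "__main__":
    for pkt in (SESSION_PKT, DATA_PKT, TRUNCATED_PKT, UNKNOWN_TYPE_PKT):
        print(pkt.hex(), "->", decode_or_error(pkt))
```

The point of the `scope` dictionary is the same one the question raises about switching logic: a purely flat declaration cannot express "the length of this field is over there" or "the body depends on that type byte", so the decoder carries every earlier value along and lets later specs reference it by name. The explicit bounds checks before each read and the final length cross-check are where a generic engine earns its keep, since a hand-written dissector for each format tends to forget one of them.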
The Wireshark dissector framework is very powerful. Please read a description here:
http://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html#ChDissectWorks
I had to solve a similar problem to yours. For me too, the protocol had to be agnostic of the actual medium of transit (mainly it would be UDP or TCP), but during test it would be just in-memory IPC.
So I defined a protocol in a structured manner using protobuf -
http://code.google.com/p/protobuf/
And then I defined a dissector myself, something like (but not exactly like) - http://code.google.com/p/protobuf-wireshark/
So I could analyse using direct in-memory dissection when in test and Wireshark dissection when on the wire. There was a lot of code reuse between the memory dissector and the Wireshark dissector, of course, as the protocol was defined agnostically using protobuf.
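An added example of the transport-agnostic dissection this answer describes (not the answerer's code and not protobuf-wireshark's): a schema-less dissector for the protobuf wire format, plus a hypothetical field-number-to-name map standing in for the `.proto` schema, so the same function decodes a message whether the bytes came out of an in-memory IPC buffer or a UDP/TCP payload. The schema, the field names and the sample message are constructed for this example.

```python
import struct
from typing import Any, Dict, List, Tuple

# Hypothetical field-number -> name map standing in for the .proto schema
# (constructed for this example).
SCHEMA = {1: "id", 2: "name", 3: "checksum"}

# Wire types from the protobuf encoding specification.
WT_VARINT, WT_FIXED64, WT_LEN, WT_FIXED32 = 0, 1, 2, 5


def read_varint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint starting at `pos`; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def dissect(data: bytes) -> List[Tuple[int, int, Any]]:
    """Schema-less dissection: returns a list of (field_number, wire_type, raw_value)."""
    pos, fields = 0, []
    while pos < len(data):
        key, pos = read_varint(data, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if field_no == 0:
            raise ValueError("invalid field number 0")
        if wire_type == WT_VARINT:
            value, pos = read_varint(data, pos)
        elif wire_type == WT_FIXED64:
            if pos + 8 > len(data):
                raise ValueError("truncated fixed64")
            (value,) = struct.unpack_from("<Q", data, pos)
            pos += 8
        elif wire_type == WT_LEN:
            length, pos = read_varint(data, pos)
            if pos + length > len(data):
                raise ValueError(f"length-delimited field {field_no} runs past end of data")
            value = bytes(data[pos:pos + length])
            pos += length
        elif wire_type == WT_FIXED32:
            if pos + 4 > len(data):
                raise ValueError("truncated fixed32")
            (value,) = struct.unpack_from("<I", data, pos)
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type} (groups are deprecated)")
        fields.append((field_no, wire_type, value))
    return fields


def dissect_named(data: bytes, schema: Dict[int, str] = SCHEMA) -> Dict[str, Any]:
    """Apply the schema so the same bytes read the same whether they came from IPC or the wire."""
    out: Dict[str, Any] = {}
    for field_no, wire_type, value in dissect(data):
        name = schema.get(field_no, f"unknown_field_{field_no}")
        if wire_type == WT_LEN:
            try:
                value = value.decode("utf-8")   # show as text when it is valid UTF-8
            except UnicodeDecodeError:
                pass                            # keep raw bytes (nested message or blob)
        out[name] = value
    return out


# Constructed sample message: id=150 (varint), name="hi" (length-delimited),
# checksum=0x12345678 (fixed32, little-endian on the wire).
SAMPLE = bytes.fromhex("08 9601 12 02 6869 1d 78563412")

if __name__ == "__main__":
    print(dissect(SAMPLE))
    print(dissect_named(SAMPLE))
```

Because `dissect` never needs the schema, it is the part that can be shared between the in-memory test harness and a Wireshark-side dissector; only the naming layer differs. Fields absent from the schema are surfaced as `unknown_field_N` rather than dropped, which is what you want when a peer starts sending a newer message version than your dissector knows about.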
Try the Winsock2 interface in Windows. In Windows XP (prior to SP2) or Windows Server variants, you do not have any limitations as far as creating raw sockets, inspecting the contents of packets, etc.