The WinPcap library is an excellent way of reading and writing data packets, but it is not easy to interface with from .NET. This design tip therefore uses a code wrapper from the Code Project. The solution and demo for this example are at:

and uses the following code:

using System;
using Tamir.IPLib;
using Tamir.IPLib.Packets;

namespace NapierCapture
{
    public class CapturePackets
    {
        public static void Main(string[] args)
        {
            PcapDeviceList getNetConnections = SharpPcap.GetAllDevices();
            // network connection 1 (change as required)
            NetworkDevice netConn = (NetworkDevice)getNetConnections[1];
            PcapDevice device = netConn;
            // Define packet handler
            device.PcapOnPacketArrival += new SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);
            // Open the device for capturing
            // true -- means promiscuous mode
            // 1000 -- means a read wait of 1000ms
            device.PcapOpen(true, 1000);
            Console.WriteLine("Network connection: {0}", device.PcapDescription);
            // Start the capturing process
            device.PcapStartCapture();
            Console.Write("Press any <RETURN> to exit");
            Console.Read();
            // Stop the capturing process
            device.PcapStopCapture();
        }

        // Called for each captured packet: prints the arrival time and length
        private static void device_PcapOnPacketArrival(object sender, Packet packet)
        {
            DateTime time = packet.PcapHeader.Date;
            int len = packet.PcapHeader.PacketLength;
            Console.WriteLine("{0}:{1}:{2},{3} Len={4}", time.Hour, time.Minute,
                time.Second, time.Millisecond, len);
        }
    }
}

A sample run shows data packets and their lengths:

13:17:56,990 Len=695
13:17:57,66 Len=288
13:17:57,68 Len=694
13:18:4,363 Len=319
13:18:4,364 Len=373
13:18:4,364 Len=371
13:18:4,365 Len=375
13:18:4,366 Len=367

Most of the captured traffic in this case is background traffic with small data packets. To capture only IP and TCP traffic, a filter can be set up:

device.PcapOpen(true, 1000);
Console.WriteLine("Network connection: {0}", device.PcapDescription);
string filter = "ip and tcp";
// Associate the filter with this capture
device.PcapSetFilter(filter);
// Start the capturing process
device.PcapStartCapture();

To capture just ICMP packets (such as those from PING and TRACERT), we can change the filter to:

string filter = "icmp";

Thus when we ping a node, such as:


The result is something like:

13:40:47,761 Len=74
13:40:48,756 Len=74
13:40:48,759 Len=74
13:40:49,757 Len=74
13:40:49,760 Len=74
13:40:50,757 Len=74
13:40:50,760 Len=74
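
The constant Len=74 can be accounted for layer by layer. The following is an added example, not code from the original tip or from the SharpPcap wrapper: it decodes a raw Ethernet frame by hand, applies the same tests the "ip and tcp" and "icmp" filters express, and splits an ICMP frame into its headers. The class and method names are hypothetical, and the constructed frame assumes the 32-byte payload that Windows ping sends by default.

```csharp
using System;

public static class IcmpFrameBreakdown
{
    const int EthLen = 14;   // Ethernet II header: dst MAC, src MAC, EtherType

    // Returns what the page's filters would say about a raw Ethernet frame:
    // "icmp", "tcp" (matches "ip and tcp"), "other-ip" or "non-ip".
    public static string Classify(byte[] f)
    {
        if (f.Length < EthLen + 20) return "non-ip";              // truncated frame
        if (((f[12] << 8) | f[13]) != 0x0800) return "non-ip";    // EtherType must be IPv4
        if ((f[EthLen] >> 4) != 4) return "non-ip";               // IP version nibble
        byte proto = f[EthLen + 9];                               // IPv4 protocol field
        return proto == 1 ? "icmp" : proto == 6 ? "tcp" : "other-ip";
    }

    // Splits an ICMP frame into its layers. Lengths come from the IP header,
    // not the capture length, so Ethernet padding on short frames is ignored.
    public static string Describe(byte[] f)
    {
        if (Classify(f) != "icmp") return "not ICMP";
        int ipHdr = (f[EthLen] & 0x0F) * 4;                       // IHL is in 32-bit words
        int ipTotal = (f[EthLen + 2] << 8) | f[EthLen + 3];       // IP total length
        if (ipHdr < 20 || ipTotal < ipHdr + 8 || f.Length < EthLen + ipTotal)
            return "malformed";
        int type = f[EthLen + ipHdr];                             // 8 = echo request, 0 = echo reply
        int payload = ipTotal - ipHdr - 8;                        // 8-byte ICMP echo header
        return string.Format("type={0} eth={1} ip={2} icmp=8 payload={3} total={4}",
            type, EthLen, ipHdr, payload, EthLen + ipTotal);
    }

    public static void Main()
    {
        // Constructed frame (addresses and checksums left zero):
        // ICMP echo request carrying a 32-byte payload
        byte[] frame = new byte[74];
        frame[12] = 0x08;            // EtherType 0x0800 (IPv4)
        frame[14] = 0x45;            // IPv4, IHL = 5 (20-byte header)
        frame[17] = 60;              // IP total length = 20 + 8 + 32
        frame[23] = 1;               // protocol 1 = ICMP
        frame[34] = 8;               // ICMP type 8 = echo request
        Console.WriteLine(Classify(frame));
        Console.WriteLine(Describe(frame));
    }
}
```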