The TrafficHandler class

The TrafficHandler class is the main class in the network library. All networking functions from the interface to the HTTP monitor rely on this class. Traffic handlers are like modules in a network application.

General Operation

The TrafficHandler class provides you with a lot of important capabilities:
  • It has it's own working thread and implements ISynchronizeInvoke, so it ensures Thread Safety.
  • It provides methods for protocol parsing, which means, you don't have to worry about parsing IP frames, TCP frames and so on at your own, if you want to implement you own traffic handler.
  • Each traffic handler can have a OutputHandler by default. All traffic which is handled by a traffic handler is pushed forward to the output handler.
  • Frames which are received by a handler are pushed into a queue and handled one after one, so that only one traffic handler at a time is able to modify a frame. Also, a traffic handler can only have one output handler by default. This is necessary to eliminate concurrency issues.

This means that all classes in the network library can be linked together to a graph which performs networking operations. This linking operation is abstracted by the NLML, which uses ports to link together handlers.


This is a lot easier to understand if you tried it by using the NetLab first, because with the net lab you can see your graph and edit it in real time.

Special Handlers

In the network library, there are also some base classes which derive from TrafficHandler and provide additional functionality, like capability for simultaneous analysis, or the interfaces, which support any number of output handlers.


The IPInterface class provides an abstract base for interface implementations like the Ethernet interface. Interfaces are not supposed to use the OutputHandler, instead they provide a PacketCaptured event. When this event is invoked, each event handler receives a separate copy of the captured frame. This means, multiple handlers of the type DirectInterfaceIO can be attached to an IPInterface.


The DirectInterfaceIO class is supposed to directly connect to interfaces. By default, this class has methods to add any number of interfaces and one output handler. Traffic is received from all interfaces and pushed to the output handler, and incoming traffic is pushed to all connected interfaces. This class is the base for handlers like routers or attacks which need direct access to network interfaces.


This class provides the capability of simultaneously analyzing traffic. TrafficAnalyzers must not edit frames and they do not support output handlers. If you implement a class which does sole analysis (examples are the LibPcap Dumper or the Network Map), you can use this class for a performance boost.


The traffic splitter is a support class for traffic analyzers. If you insert a traffic splitter into your network compilation, you can add analyzers to the splitter. All analyzers will receive the same copy of the frame simultaneously, which will have a positive impact on performance.

Notice: For information about all handlers provided by the NLML or the NetLab, check the NetLab Wiki on

Further reading

Last edited Apr 25, 2011 at 10:49 AM by emiswelt, version 15


No comments yet.