Oliver_FF
C/C++/C# Packet Sniffing FAQ and How-To Win32
Foreword: The content of this article is intended for educational purposes only. Yes, there are lots of weird and malicious things possible with raw sockets - any replies about those things will be ignored.
What is packet sniffing?
Well, when you have a computer on a network, all network packets received on your computer's network card are decoded by several layers in the network stack, which is managed by your OS, before the data contained inside the packet is delivered to the application it was intended for. E.g., take MSN: when you've typed a message and press Enter, several things happen.
1. The application passes the text to the top network stack along with details of where it should be sent.
2. The data gets wrapped in a TCP header containing information on which IP address the target computer has, which port the data is going to, and a load of other stuff that guarantees delivery of the data.
3. This data then gets wrapped in an IP header containing yet more information.
4. This then gets wrapped in an Ethernet header containing, yes, more information.
5. The final bundle of information, the packet, is then sent out to your network, where a (large) sequence of bridges, hubs and routers deliver it to its destination.
6. At the destination the packet gets unwrapped back up through the network stack (steps 2-4 in reverse) and finally the OS delivers the packet to the intended application.
[joke]So never complain about poor latencies in FPS multiplayer games ever again XD[/joke]
So packet sniffing is where you instruct the OS to ALSO hand a copy of every incoming packet to a socket of your own, giving you an overview of ALL network traffic hitting your computer. More info about the network stack etc. is on Wikipedia; I could spend an entire article writing about it and I'm sure you're not that bothered XD
This is the most popular one: http://en.wikipedia.org/wiki/TCP/IP_model
How could that be useful/interesting?
Well, it lets you view all incoming data to your machine, everything from the IP header upwards for every packet. Ever wondered how MSN works? Or Firefox? Or how the TCP layer works? Have you ever thought to yourself "Now I've blocked application XXX in my firewall... I wonder if it's really stopped it"? You can also troubleshoot networking problems because you can view all packets, corrupt packets and all. Well, wonder no more.
Getting Started
This uses Sockets!
I won't bother repeating myself, you can find out how to make and use sockets in C/C++ in my other article here: http://forums.techpowerup.com/showthread.php?t=56901
Creating a raw socket
C/C++
Code:
SOCKET thisSocket = socket(AF_INET, SOCK_RAW, IPPROTO_IP); /* raw IPv4 socket; on Windows this needs WSAStartup() first and Administrator rights */
C#
Code:
Socket listeningSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Unspecified);
Next up, bind the socket to your local IP address using port 0 (a specific interface address, not INADDR_ANY: the receive-all ioctl below only works on a socket bound to one interface).
Setting up the raw socket
So we've got a raw socket, but at the moment it won't do anything for you, because it's still pretty much a regular socket on the Windows platform.
Receiving IP headers of incoming packets
C/C++
Code:
int optVal = 1;   /* IP_HDRINCL (option value 2): the application sees and supplies the IP header itself */
setsockopt(thisSocket, IPPROTO_IP, IP_HDRINCL, (char *)&optVal, sizeof(optVal));
C#
Code:
listeningSocket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
Receiving incoming traffic on all ports
C/C++
Code:
#include <mstcpip.h>                  /* defines SIO_RCVALL (0x98000001) and RCVALL_ON (1) */
unsigned int inn = RCVALL_ON, outt = 0;
DWORD rett = 0;                       /* number of bytes written to outt */
if (WSAIoctl(thisSocket, SIO_RCVALL, &inn, sizeof(inn), &outt, sizeof(outt), &rett, NULL, NULL) == SOCKET_ERROR)
    printf("SIO_RCVALL failed: %d\n", WSAGetLastError());
C#
Code:
byte[] inn = new byte[4] { 1, 0, 0, 0 };  // RCVALL_ON as a little-endian 32-bit value
byte[] outt = new byte[4];
listeningSocket.IOControl(IOControlCode.ReceiveAll, inn, outt);
Using the raw socket
Now what? Well, now you start listening on the socket. The next network packet to reach your computer will appear on your socket. From there you have to decode all of the headers to extract the useful information. Wikipedia is your friend on this front - I'll only provide a snippet of code to get you started:
Code:
#include <stdio.h>

/* Prints the fixed part of an IPv4 header. data points at the first byte of the IP header
   (which is what the raw socket set up above hands you), length is the number of bytes received. */
void printIpPacket(unsigned char *data, int length)
{
    int headerLen;                       /* IHL field: header length in 32-bit words (5..15) */
    if (length < 20) { printf("Truncated packet (%i bytes)\n", length); return; }
    headerLen = data[0] & 0x0F;
    printf("-----------------Packet Begins-----------------\n");
    printf("IP Version: %i, Packet Size: %ibytes, Id: %i\n",
        (data[0]>>4), (data[2]*256)+data[3], (data[4]*256)+data[5]);
    printf("Flags: %i, Fragment: %i, TTL: %i, HL: %iwds, Protocol: %i\n",
        data[6]>>5, ((data[6]&0x1F)*256)+data[7], data[8], headerLen, data[9]);
    printf("Source: %i.%i.%i.%i, Destination: %i.%i.%i.%i\n",
        data[12], data[13], data[14], data[15],
        data[16], data[17], data[18], data[19]);
    //the data inside the packet starts at --> data + headerLen*4
    //new data length --> length - headerLen*4
    //continue printing the rest of the headers :o
    printf("\n------------------Packet Ends------------------\n");
}
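As an added example (not code from the original post), here is a decoder that does what the comments in printIpPacket leave to the reader: it uses the IHL field to find where the IP header ends (so packets carrying IP options decode correctly), verifies the header checksum so corrupt packets can be flagged, and continues into the TCP header for the ports and flags. The packet bytes are a constructed sample, not captured traffic.

```c
#include <stdint.h>
#include <string.h>
struct ip_info {
    int version, ihl, total_len, id, flags, frag_off, ttl, proto, checksum_ok;
    uint8_t src[4], dst[4];
    int tcp_sport, tcp_dport, tcp_flags;  /* ports are -1 when the payload is not TCP */
    int payload_offset;                   /* where application data starts in the buffer */
};
/* RFC 791 header checksum (one's complement of the one's-complement sum of the 16-bit
 * header words); run over a header that already carries its checksum field it yields 0. */
static uint16_t ip_checksum(const uint8_t *hdr, int len) {
    uint32_t sum = 0;
    for (int i = 0; i + 1 < len; i += 2) sum += (hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Returns 0 on success, -1 if the buffer is shorter than the headers it claims to hold. */
int decode_ip_packet(const uint8_t *data, int length, struct ip_info *out) {
    if (length < 20) return -1;
    memset(out, 0, sizeof *out);
    out->version = data[0] >> 4;
    out->ihl = data[0] & 0x0F;                  /* header length in 32-bit words (5..15) */
    out->payload_offset = out->ihl * 4;
    if (out->version != 4 || out->ihl < 5 || length < out->payload_offset) return -1;
    out->total_len = (data[2] << 8) | data[3];
    out->id = (data[4] << 8) | data[5];
    out->flags = data[6] >> 5;                  /* bit 1 = Don't Fragment, bit 0 = More Fragments */
    out->frag_off = ((data[6] & 0x1F) << 8) | data[7];
    out->ttl = data[8]; out->proto = data[9];
    out->checksum_ok = ip_checksum(data, out->payload_offset) == 0;
    memcpy(out->src, data + 12, 4);
    memcpy(out->dst, data + 16, 4);
    out->tcp_sport = out->tcp_dport = -1;
    if (out->proto == 6 && out->frag_off == 0) { /* TCP, and the first (or only) fragment */
        const uint8_t *tcp = data + out->payload_offset;
        if (length < out->payload_offset + 20) return -1;
        out->tcp_sport = (tcp[0] << 8) | tcp[1];
        out->tcp_dport = (tcp[2] << 8) | tcp[3];
        out->tcp_flags = tcp[13];                /* 0x02 SYN, 0x10 ACK, 0x18 PSH|ACK, ... */
        out->payload_offset += (tcp[12] >> 4) * 4; /* TCP data offset is also in 32-bit words */
    }
    return 0;
}
/* Constructed sample: 192.168.1.10:443 -> 10.0.0.5:50000, DF set, PSH|ACK, no payload. */
const uint8_t SAMPLE_PACKET[] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x5C, 0xE5, 0xC0, 0xA8, 0x01, 0x0A,
    0x0A, 0x00, 0x00, 0x05, 0x01, 0xBB, 0xC3, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00 };
enum { SAMPLE_PACKET_LEN = sizeof SAMPLE_PACKET };
```

Feed the buffer you get back from recv() on the raw socket straight into decode_ip_packet; a non-zero checksum_ok of 0 on a packet the stack delivered anyway is exactly the "corrupt packets and all" case mentioned earlier.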
So what now?
Well, that's up to you. I've written two different sniffers to date, one in C# that covered some really snazzy things. It examined all the packets, put them in order for each connection that was in use and allowed you to browse through the connections at will. You've gotta be careful doing this though, because you rapidly run out of free memory - especially if you're using a lot of internet when sniffing. I had to implement a kind of garbage collection thing to go around and clean up neglected connections and wipe data to stop the app eating up all of my RAM XD Notice how there are all kinds of possibilities for analyzing the data you get.
I've also written one in pure C which spews out packets on a first-come-first-served basis which provides quite the entertainment, it's kinda like watching an ant farm as packets arrive just before their effects appear in your applications.
Here you can see two packets I just pulled out of my C version. The first is an HTTP response from www.techpowerup.com and the second is one of my friends saying "techpowerup roxxors" over MSN haha
Oh, yes, the Windows firewall does work, and yes, this definitely helped me in my University exams this year.