I'm having the very same problem. Did you find a solution? In fact I'm in search for a method to capture every URL the user is browsing...
Not all packet data is ASCII text. In fact, the data's meaning is only useful if you know how to interpret it. For example, each byte of the packet data is 8 bits. How you interpret those 8 bits (signed, unsigned, bitfield, ASCII character, etc.) is a matter of knowing what you are looking at. If you are filtering specific packets (e.g. DNS, DHCP), try looking at the RFCs to determine the packet layouts.
In addition, not all bytes are meaningful on their own. Often, a series of bytes in a packet will need to be "reassembled" to form a DWORD (32-bit) or WORD (16-bit) value...
If it's a TCP type packet, the first 20 bytes of message buffer are the TCP header.
Byte layout follows
0-1 = Source Port
2-3 = Dest port
4-7 = sequence numb.
8-11 = ack numb.
12 = dataoffset ( upper 4 bits only )
13 = flags ( 0x01 = fin , 0x10 = ack, etc etc etc )
14-15 short
16-17 short
18-19 short
Don't recall off the top of my head what the last 3 shorts were for, but just do a Google search and you'll find a document that describes this in much more detail. This should be enough to at least get you pointed in the correct direction.
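As an added example (not code from the article or from either poster above), here is the byte layout described in the two posts above turned into a parser in C. It handles the point made earlier that 16- and 32-bit fields must be reassembled from individual bytes, reads the data offset from the upper four bits of byte 12, tests the flag bits in byte 13, and names the three shorts the second post could not recall: bytes 14-15 are the window size, 16-17 the checksum and 18-19 the urgent pointer. It assumes the buffer is what a SIO_RCVALL socket hands you, i.e. it starts at the IPv4 header rather than at an Ethernet frame; the sample packet is constructed for the example, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Multi-byte fields arrive big-endian (network order). Reassembling them
   byte by byte keeps the parser independent of the host's endianness and
   of struct padding. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flag bits in byte 13 of the TCP header. */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };

struct tcp_info {
    uint16_t src_port, dst_port;        /* bytes 0-1, 2-3 */
    uint32_t seq, ack;                  /* bytes 4-7, 8-11 */
    unsigned hdr_len;                   /* bytes: upper 4 bits of byte 12, times 4 */
    uint8_t  flags;                     /* byte 13 */
    uint16_t window, checksum, urgent;  /* the three shorts: bytes 14-19 */
    size_t   payload_off, payload_len;  /* relative to the start of the IP header */
};

/* Parse a raw IPv4 packet as a SIO_RCVALL socket delivers it (no Ethernet
   frame; buf[0] is the first byte of the IP header). Every length field is
   checked against the buffer before it is used, so a truncated or
   malformed packet yields -1 instead of an out-of-bounds read. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, struct tcp_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;        /* not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;             /* IP header incl. options */
    size_t total = rd16(buf + 2);                          /* IP total length */
    if (ihl < 20 || total < ihl + 20 || total > len) return -1;
    if (buf[9] != 6) return -1;                            /* protocol 6 = TCP */

    const uint8_t *t = buf + ihl;
    size_t doff = (size_t)(t[12] >> 4) * 4;                /* TCP header incl. options */
    if (doff < 20 || ihl + doff > total) return -1;

    out->src_port = rd16(t);
    out->dst_port = rd16(t + 2);
    out->seq      = rd32(t + 4);
    out->ack      = rd32(t + 8);
    out->hdr_len  = (unsigned)doff;
    out->flags    = t[13];
    out->window   = rd16(t + 14);
    out->checksum = rd16(t + 16);
    out->urgent   = rd16(t + 18);
    out->payload_off = ihl + doff;
    out->payload_len = total - ihl - doff;
    return 0;
}

/* Constructed sample (not a real capture): IPv4 10.0.0.1 -> 10.0.0.2,
   TCP 49152 -> 80, PSH|ACK, seq 1, ack 2, window 8192, payload "GET".
   Checksums are left zero; this parser does not verify them. */
const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x2B, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
    0xC0, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
    'G', 'E', 'T'
};
const size_t sample_pkt_len = sizeof sample_pkt;
struct tcp_info g_tcp;   /* result slot, so callers need no local struct */

int main(void)
{
    if (parse_ipv4_tcp(sample_pkt, sample_pkt_len, &g_tcp) != 0) {
        puts("not a TCP packet or truncated");
        return 1;
    }
    printf("%u -> %u seq=%u ack=%u flags=0x%02x hdr=%u win=%u payload=%u bytes\n",
           (unsigned)g_tcp.src_port, (unsigned)g_tcp.dst_port, (unsigned)g_tcp.seq,
           (unsigned)g_tcp.ack, (unsigned)g_tcp.flags, g_tcp.hdr_len,
           (unsigned)g_tcp.window, (unsigned)g_tcp.payload_len);
    return 0;
}
```

The same function works unchanged on a packet with IP or TCP options, because both header lengths are read from the packet rather than assumed to be 20; the check against the buffer length is what keeps a short or hostile packet from walking the parser off the end of the receive buffer.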
To see examples of decoding see http://www.tamos.com/products/commview/
Hi,
I was testing this application with a small test I am doing. I have a client/server application using SQL Server 2000 to populate a table in a client.
I use netstat to count the number of packets. Netstat reports 65 packets, when I use this program I get 10 .. and the funny thing is that the number of packets changes, it's not constant.
Any ideas what's going on?
P.S. The client is just a DataReader retrieving data from an SQL Server. Nothing fancy about it.
How hard would it be to convert or use the RawSocket class to perform network address translation? It seems that I could set the IP binding for receiving to the 'Local Network Address' and then set up a sending IP. Then for each packet coming in to the receiving IP if it is destined for an external subnet, it will forward the packet on to the 'sending IP'.
Does this make sense or have I lost my mind?
David
I have the same problem; as the target I see only the local router.
Could you please explain in your own words what this does? I understand everything but this one section.
string IPString = "10.10.10.10";
// Resolve this machine's own host name to get its list of addresses.
IPHostEntry hostEntry = Dns.Resolve(Dns.GetHostName());
if (hostEntry.AddressList.Length > 0)
{
    // Walk every address; IPString ends up holding the last one in the list.
    foreach (IPAddress ip in hostEntry.AddressList)
    {
        IPString = ip.ToString();
    }
}
Thank you for making such a simple example, but why the lack of comments?
Grizz
It has been a while, but it looks like it does this:
1. Sets the string IPString to an initial value of "10.10.10.10".
2. Finds all IP addresses on your machine as a list (like 192.168.0.1, 192.168.0.2, ...).
3. It keeps assigning the next IP address to that string IPString, so that the very last value of IPString is the last IP address of your machine. In the example I have given, IPString would equal 192.168.0.2 after the loop is done.
Grizz, I just don't like adding confusing comments when the code is easier for me to read without them. OK?
Hi
I am working on something similar, but trying to send UDP packets out rather than back in.
I do it as follows:
// Raw IP socket with HeaderIncluded: the application supplies the IP header itself.
Socket sender = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Raw);
sender.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
// Choose the outgoing interface for multicast by its address (network byte order).
sender.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.MulticastInterface, (int)IPAddress.Parse(dest_ip).Address);
sender.Connect(new IPEndPoint(IPAddress.Parse(mcast_addr), 0));
then I send the data out using
sender.Send(b, 0, len, SocketFlags.None);
Where b is the buffer and is exactly the same as the incoming buffer used in the example in this article.
However, my output data seems to be a larger packet than my input data! Why is this?
Regards,
Gary
If you want to send 3 bytes of UDP data out to somewhere, then after UDP headers, etc. are added the total byte count will definitely be more than 3 bytes. There is some overhead added by the UDP protocol.
Anonymous wrote:
If you want to send 3 bytes of UDP data out to somewhere, then after UDP headers, etc. are added the total byte count will definitely be more than 3 bytes. There is some overhead added by the UDP protocol.
Why would there be UDP headers added to the message if I have HeaderIncluded set to true?
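To the question just above: with HeaderIncluded (IP_HDRINCL) the stack takes the buffer as a complete IP packet and prepends nothing but the link-layer frame, and a raw socket never adds a UDP header either, so a 3-byte payload only goes out as 31 bytes (20 IP + 8 UDP + 3) if the sender builds both headers itself. As an added example that is not part of the original article or of Gary's code, here is a C routine that builds exactly that buffer, with the IPv4 header checksum and the UDP pseudo-header checksum computed the way a receiver verifies them. The addresses, ports and payload are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement checksum over len bytes, folded to 16 bits.
   sum carries the pseudo-header words when computing the UDP checksum. */
static uint16_t inet_checksum(const uint8_t *d, size_t len, uint32_t sum)
{
    for (; len > 1; len -= 2, d += 2) sum += (uint32_t)((d[0] << 8) | d[1]);
    if (len) sum += (uint32_t)(d[0] << 8);          /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* UDP pseudo-header: source, destination, protocol 17, UDP length. */
static uint32_t udp_pseudo_sum(uint32_t src, uint32_t dst, size_t udp_len)
{
    return (src >> 16) + (src & 0xFFFF) + (dst >> 16) + (dst & 0xFFFF)
         + 17 + (uint32_t)udp_len;
}

/* Build IPv4 header + UDP header + payload into out. Addresses are host-order
   uint32_t (10.0.0.1 == 0x0A000001). Returns the byte count to hand to
   Send(), or 0 if out is too small. */
size_t build_ipv4_udp(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                      const uint8_t *payload, size_t plen, uint8_t *out, size_t cap)
{
    size_t udp_len = 8 + plen, total = 20 + udp_len;
    if (udp_len > 0xFFFF || total > cap) return 0;
    uint8_t *ip = out, *udp = out + 20;

    memset(ip, 0, 20);
    ip[0] = 0x45;                    /* version 4, IHL 5 words = 20 bytes, no options */
    wr16(ip + 2, (uint16_t)total);   /* total length */
    wr16(ip + 4, 0x1234);            /* identification: arbitrary for this example */
    wr16(ip + 6, 0x4000);            /* DF set, fragment offset 0 */
    ip[8] = 64;                      /* TTL */
    ip[9] = 17;                      /* protocol = UDP */
    wr32(ip + 12, src);
    wr32(ip + 16, dst);
    wr16(ip + 10, inet_checksum(ip, 20, 0));   /* checksum field is still 0 here */

    wr16(udp, sport);
    wr16(udp + 2, dport);
    wr16(udp + 4, (uint16_t)udp_len);          /* UDP length covers header + data */
    wr16(udp + 6, 0);
    memcpy(udp + 8, payload, plen);
    uint16_t c = inet_checksum(udp, udp_len, udp_pseudo_sum(src, dst, udp_len));
    wr16(udp + 6, c == 0 ? 0xFFFF : c);        /* 0 means "no checksum" on IPv4 */
    return total;
}

/* Receiver-side checks, as a sniffer would apply them to a captured packet. */
int ipv4_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    return ihl >= 20 && ihl <= len && inet_checksum(pkt, ihl, 0) == 0;
}

int udp_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (!ipv4_checksum_ok(pkt, len) || pkt[9] != 17) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    const uint8_t *udp = pkt + ihl;
    if (ihl + 8 > len) return 0;
    size_t udp_len = rd16(udp + 4);
    if (udp_len < 8 || ihl + udp_len > len) return 0;
    if (rd16(udp + 6) == 0) return 1;              /* sender opted out of the checksum */
    uint32_t src = ((uint32_t)rd16(pkt + 12) << 16) | rd16(pkt + 14);
    uint32_t dst = ((uint32_t)rd16(pkt + 16) << 16) | rd16(pkt + 18);
    return inet_checksum(udp, udp_len, udp_pseudo_sum(src, dst, udp_len)) == 0;
}

/* Constructed example: 3 payload bytes from 10.0.0.1:40000 to 10.0.0.2:53. */
uint8_t g_pkt[64];
size_t build_example(void)
{
    static const uint8_t payload[3] = { 'a', 'b', 'c' };
    return build_ipv4_udp(0x0A000001u, 0x0A000002u, 40000, 53,
                          payload, sizeof payload, g_pkt, sizeof g_pkt);
}

/* What the checksum catches: flip one payload bit after building. */
int example_detects_tamper(void)
{
    size_t n = build_example();
    if (n == 0) return 0;
    g_pkt[n - 1] ^= 0x01;
    return !udp_checksum_ok(g_pkt, n);
}

int main(void)
{
    size_t n = build_example();
    printf("%u bytes on the wire for a 3-byte payload (20 IP + 8 UDP + 3); "
           "ip ok=%d udp ok=%d\n", (unsigned)n,
           ipv4_checksum_ok(g_pkt, n), udp_checksum_ok(g_pkt, n));
    return 0;
}
```

The count returned is what you would pass as len to Send(); the two *_checksum_ok functions are what a sniffer can run on captured packets to tell a corrupted datagram from a valid one.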
Hi!
Has anybody converted this great class, or something similar, to VB(.NET)? If anybody has something, please mail me!
Hi,
I've tried to use your class to monitor my internet connection. I tried downloading an 808 KB file but I don't seem to get it right; I end up reporting a size of 383 KB.
I'm just adding up the size of all incoming packets, and I imagine the total length should be at least the size of the file.
Any idea? Have I got it totally wrong ? Or maybe that class should be used for that?
Thanks for your help.
I created a test program and found the same results. My totals were about half of what they should have been.
I think the packet sniffer is reporting the correct byte count on what it receives, but that it is only receiving about half the packets. The packet sniffer, since it is running on the same machine as the app that is really receiving the packets, is not in sync with the incoming data. I think if you put your sniffer on a fast machine on the same hub (not a switch) so it can listen to all incoming traffic and can easily keep up, it will count the proper number of incoming bytes.
Problems occur when you are sniffing data coming to the same machine.
Let me know if anyone can prove the above. My network is on switches now and I can only receive broadcast traffic on my sniffer.
Lyle.
Thanks for the details Lyle.
I've noticed something I found weird myself: the longest packet length I ever received was 1480, and when I downloaded that file I had almost only packets with 1480 bytes. Is that normal? I mean, I would expect something more like 4096 bytes/packet.
What do you think ?
Pyt
The packet length on my machine was the same (1480.) I assumed that was normal (the packet sniffer doesn't control that.) I would have to check out a tcpip book to see what controls the packet length.
Lyle.
MTU for Ethernet (Maximum Transmission Unit) is 1536 bytes per packet (or something similar; I should know this off the top of my head, but sleep deprivation has a habit of muddling my head). This is the Ethernet spec, RFC xxxxx.
I just dl'd the source and haven't had a chance to thoroughly look through it but...
MTU is controlled via ICMP messages exchanged between hosts / intermediate routers, and the actual value is determined by the mediums and transports used.
I.e. a hardware IPsec VPN (like a Cisco router-to-router, network-to-network VPN) encrypts a packet and encapsulates it in another; the total packet size must still be less than 1536, so the native MTU ends up being 1536 minus the VPN overhead (effectively the size of the packet header; the original packet is encrypted and becomes the "data payload" of the new packet), or 1480 or so. (PPPoE for DSL is also an encapsulation mechanism, requiring a lower MTU to avoid packet fragmentation...)
Is there a bug with SIO_RCVALL? The program works for all INCOMING information. But the program doesn't seem to catch all OUTGOING information. For instance, when testing with AOL IM, it caught all incoming information, but not the outgoing messages from me.
Any ideas about this?
I don't know how to catch outgoing packets as well as incoming.
I have a C sniffer and a .NET sniffer and they both work the same way....they only capture incoming packets. You could put the sniffer on another machine of course and then capture your AOL IM packets from your machine.
Lyle Brown
I am having a problem using SIO_RCVALL. If you can, please send me the code for using this function of the WSAIoctl API, and please tell me why we use raw sockets for capturing packets.
Sorry, I have not been able to answer your question; rather, I have put my own.
Please help me, I am relatively new to VC++.
Reply soon.
There are C code examples at:
http://www.56chevy.com/web/DownLoads.html
This has full source to a c sniffer.
Lyle.
// SIO_RCVALL and RCVALL_ON come from <mstcpip.h>. The socket s must be a raw IP
// socket already bound to a local interface address. The control code selects
// the ioctl; the input value must be RCVALL_ON (1) to turn promiscuous receive on
// (the original snippet passed SIO_RCVALL itself as the value, which is wrong).
DWORD dwIoControlCode = SIO_RCVALL;
DWORD optval = RCVALL_ON;
DWORD dwBytesRet = 0;
if (WSAIoctl(s, dwIoControlCode, &optval, sizeof(optval),
             NULL, 0, &dwBytesRet, NULL, NULL) == SOCKET_ERROR)
{
    printf("WSAIoctl(%lu) failed; %d\n", (unsigned long)dwIoControlCode,
           WSAGetLastError());
    return -1;
}
And yes, Microsoft has a bug. It might happen that sometimes you would not see outgoing IP packets.
First I was altering WSAIoctl in all ways and it didn't happen, and then I found out that it happened when I altered my Winsock provider layers (I use sporder.exe to confirm this), but I didn't get deep enough to tell exactly what is causing it. Anyway, from that time I stopped using raw sockets as they are not reliable... back to device drivers?
Love to see a version in C++. Just haven't had time to dig into C# yet.
There used to be a nice article and code for a raw IP sniffer in the Internet section that I cannot see right now?
Anyway maybe you'd find the tcpip library at www.komodia.com useful. I know I did!
#define MOSTLY_LEAN_AND_MEAN