Use the "Listen-Forward" program to decrypt the Network Management Protocol

Source: Internet
Author: User
Submitted by Iceberg on October 9, 2004. Category: C/C++
I. Development Purpose and Principle

---- During product development, the company needed to study the internal network management information structure of several Ethernet switches (also called smart hubs). For this a program was needed that "eavesdrops": it records the traffic between the network management program and the switch so that it can be analyzed later. I wrote the program in Visual C++ 6.0 with the MFC socket classes, and it achieved this purpose.

---- Currently, most network management programs and manageable network devices communicate using the standard Simple Network Management Protocol (SNMP). SNMP is an application-level protocol built on UDP/IP. The two parties exchange management and control information in the SNMP format, and events can be reported or alarms raised in real time, so that the administrator can conveniently and promptly monitor and control the current running state of the network.

---- Network management information covers a wide range, for example network traffic and connection status. Because managed devices differ, a manufacturer can also define custom management information for its own products in accordance with the relevant international standards. Management information is defined centrally in the Management Information Base (MIB), which as a whole is an extensible tree structure. Each piece of management information is packaged in an SNMP protocol packet, passed to the transport layer, wrapped in a UDP packet, and sent out through the socket mechanism.

---- The basic principle of the program is to insert itself between the network management program and the managed device and "deceive both sides": toward the network management program it poses as the managed device, and toward the managed device it poses as the network management program, so that neither side notices anything. The program quietly records the conversation in order, then forwards each received packet to its real recipient, so the conversation continues undisturbed.

II. Programming Approach and Specific Procedure

---- This program does not require a complex graphical interface, so it is enough to use the Project Wizard to create an MFC dialog-based application with socket support. The dialog class is named CChatDlg, and a button with the caption "Listen" is added to the dialog. All received data is printed to the Output window of the Visual C++ IDE with TRACE statements; this makes it convenient to inspect the data as it arrives, although other methods would work as well. In this program, "client" refers to the network management program and "server" refers to the switch.

---- Add two classes to the project, both derived from CSocket; ClassWizard can generate them. CClientSocket receives UDP data from the network management program, and CServerSocket receives UDP data from the switch. The two classes are declared as follows:

class CClientSocket : public CSocket
{
// Attributes
public:

// Operations
public:
    CClientSocket(CChatDlg* pDlg);
    virtual ~CClientSocket();

// Overrides
public:
    BOOL m_bFirst;      // TRUE until the first packet from the management program has been received
    CChatDlg* pDlg;     // back-pointer to the dialog that owns this socket
    // ClassWizard generated virtual function overrides
    //{{AFX_VIRTUAL(CClientSocket)
    public:
    virtual void OnReceive(int nErrorCode);
    //}}AFX_VIRTUAL

    // Generated message map functions
    //{{AFX_MSG(CClientSocket)
        // NOTE - the ClassWizard will add and remove member functions here.
    //}}AFX_MSG

// Implementation
protected:
};

m_bFirst and pDlg are two custom members; their roles are described below.

class CServerSocket : public CSocket
{
// Attributes
public:

// Operations
public:
    CServerSocket(CChatDlg* pDlg);
    virtual ~CServerSocket();

// Overrides
public:
    CChatDlg* pDlg;     // back-pointer to the dialog that owns this socket
    // ClassWizard generated virtual function overrides
    //{{AFX_VIRTUAL(CServerSocket)
    public:
    virtual void OnReceive(int nErrorCode);
    //}}AFX_VIRTUAL

    // Generated message map functions
    //{{AFX_MSG(CServerSocket)
        // NOTE - the ClassWizard will add and remove member functions here.
    //}}AFX_MSG

// Implementation
protected:
};

Then add the handler for the Listen button:

void CChatDlg::OnListen()
{
    pClientSocket = new CClientSocket(this);

    if (pClientSocket != NULL)
    {
        // Bind to the SNMP agent port so that the management program's requests arrive here
        if (!pClientSocket->Create(SNMP_SOCKET_PORT, SOCK_DGRAM))
            AfxMessageBox("Can not create ClientSocket!");
        else
            ::EnableWindow(GetDlgItem(IDC_LISTEN)->m_hWnd, FALSE);
    }
    else
    {
        AfxMessageBox("Can not new ClientSocket!");
    }
}

Note: the value of SNMP_SOCKET_PORT should be 161.

Then add the implementation of the OnReceive virtual function of CClientSocket:

void CClientSocket::OnReceive(int nErrorCode)
{
    CSocket::OnReceive(nErrorCode);

    unsigned char tmp[MAXTMPSIZE];  // MAXTMPSIZE is a custom macro; 1024 will do
    int i;
    int recnum;

    UINT clientPort;
    CString clientAddress;

    if (m_bFirst)
    {
        m_bFirst = FALSE;

        // First packet: ReceiveFrom also returns the sender's address and port
        recnum = ReceiveFrom(tmp, MAXTMPSIZE, clientAddress, clientPort);

        if (recnum > 0)
        {
            TRACE("Received from client, %d bytes:\n", recnum);
            for (i = 0; i < recnum; i++)
            {
                if (i % 10 == 0)
                    TRACE("\n%5d,", tmp[i]);
                else
                    TRACE("%5d,", tmp[i]);
            }

            TRACE("\n");

            pDlg->CreateServerSocket(clientAddress, clientPort);
            pDlg->Send(TRUE, tmp, recnum);
        }
        else
            AfxMessageBox("Error: fail to receive from client the first time!");
    }
    else
    {
        recnum = Receive(tmp, MAXTMPSIZE);

        if (recnum > 0)
        {
            TRACE("Received from client, %d bytes:\n", recnum);
            for (i = 0; i < recnum; i++)
            {
                if (i % 10 == 0)
                    TRACE("\n%5d,", tmp[i]);
                else
                    TRACE("%5d,", tmp[i]);
            }

            TRACE("\n");

            pDlg->Send(TRUE, tmp, recnum);
        }
        else
            AfxMessageBox("Error: fail to receive from client!");
    }

    if (recnum <= 0)
    {
        AfxMessageBox("Error: fail to receive from client!");
        return;
    }
}
---- The general idea is: when the program receives a UDP packet from the network management program for the first time, it records the sender's socket port number and IP address. This is one of the most critical points of the program. One reason is that at the start of network management communication the management program normally sends an SNMP request first, so this program must be ready to respond to it; the other is that the port number and IP address used by the (otherwise unknown) management station must be learned, after which CChatDlg is asked to create a CServerSocket. Then the Send function of CChatDlg forwards the received UDP packet to the switch, and the received bytes are displayed in the Output window, 10 per line.

---- The Send and CreateServerSocket functions of CChatDlg used above are as follows:

void CChatDlg::CreateServerSocket(CString address, UINT port)
{
    // Remember where the management program sends from, so replies can be forwarded back to it
    m_clientAddress = address;
    m_clientPort = port;

    pServerSocket = new CServerSocket(this);

    if (pServerSocket != NULL)
    {
        // Bind the switch-facing socket to the port number learned from the management program
        if (!pServerSocket->Create(m_clientPort, SOCK_DGRAM))
            AfxMessageBox("Can not create ServerSocket!");
    }
    else
        AfxMessageBox("Can not new ServerSocket!");
}

void CChatDlg::Send(BOOL toServer, unsigned char* buf, int buf_len)
{
    if (toServer)
    {
        if (pServerSocket != NULL)
        {
            if (pServerSocket->SendTo(buf, buf_len, SNMP_SOCKET_PORT, m_serverAddress) == SOCKET_ERROR)
                AfxMessageBox("Error: fail to send data to server!");
        }
    }
    else
    {
        if (pClientSocket != NULL)
        {
            if (pClientSocket->SendTo(buf, buf_len, m_clientPort, m_clientAddress) == SOCKET_ERROR)
                AfxMessageBox("Error: fail to send data to client!");
        }
    }
}

---- Note: m_serverAddress is the IP address of the switch. It must be set in the OnInitDialog function of CChatDlg or elsewhere.

---- Finally, handle the UDP packets received from the switch: display the data in the Output window, 10 bytes per line, then call the Send function of CChatDlg to forward them to the network management program. This is implemented in the OnReceive virtual function of CServerSocket:

void CServerSocket::OnReceive(int nErrorCode)
{
    CSocket::OnReceive(nErrorCode);

    unsigned char tmp[MAXTMPSIZE];
    int i;
    int recnum;

    recnum = Receive(tmp, MAXTMPSIZE);

    if (recnum > 0)
    {
        TRACE("Received from server, %d bytes:\n", recnum);

        for (i = 0; i < recnum; i++)
        {
            if (i % 10 == 0)
                TRACE("\n%5d,", tmp[i]);
            else
                TRACE("%5d,", tmp[i]);
        }

        TRACE("\n");

        pDlg->Send(FALSE, tmp, recnum);
    }
    else
    {
        i = GetLastError();
        TRACE("recnum = %d, GetLastError() = %d\n", recnum, i);
        AfxMessageBox("Error: fail to receive from server!");
    }
}

---- That is the main functional part of the program. Some variables are not explained in detail for reasons of space, but this does not affect understanding of the program.

III. Running Procedure

---- Install this program and the network management program on two machines respectively, connect both to the switch, run this program first and click the Listen button, then start the network management program. In the network management program the IP address of the managed device must be set; here it must be set to the IP address of the machine running this program, so that all SNMP packets are sent to this program.

---- The two programs should now run correctly (if not, the procedure above may need to be repeated a few times), and in the Output window data can be seen scrolling continuously: this is a true record of the network management session. When enough data has been collected, end the program; the network management interface then reports "the device is disconnected!". Now copy the data from the Output window into a text file and analyze it in detail according to the SNMP format and encoding rules. Step by step, the network management protocol is worked out.
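The analysis step just described works because SNMPv1 and SNMPv2c messages are plain BER-encoded ASN.1 with the community string in clear text, so any program on the path (including this listen-forward program) can read them; that exposure is why SNMPv3 added authentication and encryption. As an added example, not from the original article, here is a small portable C++ decoder for the first fields of a dumped packet; the byte array is a constructed SNMPv1 GetRequest rather than a real capture, and the type and function names are assumptions of this example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// pduType: 0xA0 GetRequest, 0xA1 GetNextRequest, 0xA2 GetResponse, 0xA3 SetRequest; version 0 = v1, 1 = v2c
struct SnmpHeader { int version; std::string community; uint8_t pduType; int32_t requestId; };
// Reads a BER tag/length at pos (short or long definite form), checks the tag, advances pos to the value.
static size_t readTlv(const std::vector<uint8_t>& b, size_t& pos, uint8_t expectTag) {
    if (pos + 2 > b.size() || b[pos] != expectTag) throw std::runtime_error("unexpected tag");
    size_t len = b[pos + 1]; pos += 2;
    if (len & 0x80) {                     // long form: low 7 bits = number of length octets
        size_t n = len & 0x7F;
        if (n == 0 || n > 4 || pos + n > b.size()) throw std::runtime_error("bad length");
        len = 0; for (size_t i = 0; i < n; ++i) len = (len << 8) | b[pos++];
    }
    if (pos + len > b.size()) throw std::runtime_error("truncated packet");
    return len;
}

// Decodes a BER INTEGER of up to 4 octets (two's complement) and advances pos past it.
static int32_t readInt(const std::vector<uint8_t>& b, size_t& pos) {
    size_t len = readTlv(b, pos, 0x02);
    if (len == 0 || len > 4) throw std::runtime_error("bad integer");
    uint32_t u = (b[pos] & 0x80) ? 0xFFFFFFFFu : 0;  // sign-extend
    for (size_t i = 0; i < len; ++i) u = (u << 8) | b[pos + i];
    pos += len; return static_cast<int32_t>(u);
}

SnmpHeader parseSnmpHeader(const std::vector<uint8_t>& b) {
    SnmpHeader h; size_t pos = 0;
    readTlv(b, pos, 0x30);                // Message ::= SEQUENCE
    h.version = readInt(b, pos);
    size_t clen = readTlv(b, pos, 0x04);  // community OCTET STRING, sent in clear text
    h.community.assign(b.begin() + pos, b.begin() + pos + clen);
    pos += clen;
    if (pos >= b.size() || (b[pos] & 0xE0) != 0xA0) throw std::runtime_error("bad PDU tag");
    h.pduType = b[pos]; readTlv(b, pos, h.pduType);  // PDU [CONTEXT n] IMPLICIT SEQUENCE
    h.requestId = readInt(b, pos);        // error-status, error-index and varbinds follow
    return h;
}
bool parsesCleanly(const std::vector<uint8_t>& b) {  // false instead of throwing
    try { parseSnmpHeader(b); return true; } catch (const std::exception&) { return false; }
}
// Constructed sample (not a real capture): SNMPv1 GetRequest for sysDescr.0, community "public".
const std::vector<uint8_t> kSampleGetRequest = {
    0x30, 0x29, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c', 0xA0, 0x1C,
    0x02, 0x04, 0x12, 0x34, 0x56, 0x78, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0E, 0x30, 0x0C,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00};
```

Feeding the decimal byte dump from the Output window into such a decoder shows that a cut-off dump is rejected rather than misread, and that the community string is the first thing a listener on the path learns.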

---- The above program was compiled and run successfully in Visual C++ 6.0, and proved very effective in practice.
