Article title: An in-depth look at raw-socket sniffers
As you know, Ethernet uses a broadcast mechanism: every workstation attached to the segment sees all the data transmitted over it. Each station checks the destination address carried in the frame to decide whether to accept or discard it; if the frame is indeed addressed to the station, it accepts the data and passes it up to the higher-layer protocol for processing. If, however, the NIC is placed in promiscuous mode, it no longer filters on the frame's destination MAC address and accepts every frame.
The Ethernet frame format is shown in the figure; the NIC is identified by the MAC address field. A so-called sniffer simply puts the network adapter into promiscuous mode so that it receives every packet sent on the local network bus. Why can all packets on the LAN be sniffed? Because IEEE 802.3 Ethernet sends frames at the MAC layer by broadcast, so in theory a listening program can capture all the traffic on the LAN. The QQ and MSN monitoring software works on exactly this mechanism: it can capture the QQ and MSN chat records of every user on the LAN.
To implement a sniffer, we first put the NIC into promiscuous mode, then create a raw socket and configure it so that we handle the IP header ourselves:
#include <winsock2.h>
#include <mstcpip.h>   // SIO_RCVALL
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")
#define MAX_HOSTNAME_LAN 255

// Report a failed Winsock call and exit (the helper the snippet relies on)
void CheckSockError(int iErrorCode, const char *pErrorMsg)
{
    if (iErrorCode == SOCKET_ERROR) {
        fprintf(stderr, "%s error: %d\n", pErrorMsg, WSAGetLastError());
        WSACleanup();
        exit(1);
    }
}

// The following runs inside main(); opening a raw socket requires administrator privileges
// Initialize the SOCKET
WSADATA wsaData;
int iErrorCode = WSAStartup(MAKEWORD(2, 1), &wsaData);
if (iErrorCode != 0) CheckSockError(SOCKET_ERROR, "WSAStartup");   // WSAStartup returns an error code, not SOCKET_ERROR
SOCKET SockRaw = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (SockRaw == INVALID_SOCKET) CheckSockError(SOCKET_ERROR, "socket");

// Obtain the local IP address: SIO_RCVALL needs the socket bound to a specific local interface
char name[MAX_HOSTNAME_LAN];
iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);
CheckSockError(iErrorCode, "gethostname");
struct hostent *pHostent = gethostbyname(name);   // returns a static buffer, so no malloc is needed
if (pHostent == NULL) CheckSockError(SOCKET_ERROR, "gethostbyname");
SOCKADDR_IN sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(6000);
memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length);
iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));
CheckSockError(iErrorCode, "bind");

// Set SOCK_RAW to SIO_RCVALL so the socket receives every IP packet the interface sees
DWORD dwBufferLen[10];
DWORD dwBufferInLen = 1;
DWORD dwBytesReturned = 0;
iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
                      dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL);
CheckSockError(iErrorCode, "Ioctl");
IP packets can then be received and processed as follows:
// Listen for IP packets (also inside main(), after the setup above)
int DecodeIpPack(char *buf, int iBufSize);   // analyzes one received packet; returns SOCKET_ERROR if it is malformed
char RecvBuf[65535];                          // large enough for a maximum-size IP datagram
while (1)
{
    memset(RecvBuf, 0, sizeof(RecvBuf));
    iErrorCode = recv(SockRaw, RecvBuf, sizeof(RecvBuf), 0);   // returns the number of bytes received
    CheckSockError(iErrorCode, "recv");
    iErrorCode = DecodeIpPack(RecvBuf, iErrorCode);            // pass the buffer and its actual length
    CheckSockError(iErrorCode, "Decode");
}
After the sniffer receives a packet, it calls the corresponding routine to analyze that specific packet.
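As an added example that is not part of the article, here is a portable version of the DecodeIpPack step written in standard C. It parses the IPv4 header that recv() returned, rejects truncated or malformed headers rather than trusting the Total Length field, verifies the header checksum, and returns the payload offset; the packet bytes are constructed for the demonstration, and the names decode_ip_packet, ip_info and SAMPLE_PACKET are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields pulled out of one IPv4 header (example code, not the article's own). */
struct ip_info {
    uint8_t  version, ihl_bytes, ttl, protocol;
    uint16_t total_len;
    uint32_t src, dst;          /* host byte order */
    int      checksum_ok;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* RFC 1071 one's-complement checksum over the header; yields 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode the buffer recv() filled in. Returns the payload offset (IHL*4) on success,
   or -1 when the bytes are not a well-formed IPv4 packet (never trust Total Length blindly). */
int decode_ip_packet(const uint8_t *buf, size_t len, struct ip_info *out) {
    if (len < 20) return -1;                             /* fixed header is 20 bytes */
    out->version   = buf[0] >> 4;
    out->ihl_bytes = (uint8_t)((buf[0] & 0x0F) * 4);
    if (out->version != 4 || out->ihl_bytes < 20 || out->ihl_bytes > len) return -1;
    out->total_len = rd16(buf + 2);
    if (out->total_len < out->ihl_bytes || out->total_len > len) return -1;
    out->ttl = buf[8];  out->protocol = buf[9];
    out->src = rd32(buf + 12);  out->dst = rd32(buf + 16);
    out->checksum_ok = (ip_checksum(buf, out->ihl_bytes) == 0);
    return out->ihl_bytes;
}

/* Constructed sample: 192.168.1.10 -> 192.168.1.1, UDP (17), TTL 64, 28 bytes total, checksum 0xF774. */
const uint8_t SAMPLE_PACKET[28] = {
    0x45,0x00,0x00,0x1C, 0x00,0x01,0x00,0x00, 0x40,0x11,0xF7,0x74,
    0xC0,0xA8,0x01,0x0A, 0xC0,0xA8,0x01,0x01,
    0x13,0x88,0x00,0x35, 0x00,0x08,0x00,0x00 };   /* 8-byte UDP header as payload */

int main(void) {
    struct ip_info info;
    int off = decode_ip_packet(SAMPLE_PACKET, sizeof SAMPLE_PACKET, &info);
    if (off < 0) { puts("malformed packet"); return 1; }
    printf("ip v%u proto %u ttl %u src 0x%08X dst 0x%08X checksum %s payload at %d\n", info.version,
           info.protocol, info.ttl, (unsigned)info.src, (unsigned)info.dst, info.checksum_ok ? "ok" : "BAD", off);
    return 0;
}
```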
One more thing must be said about sniffers: simply placing the NIC in promiscuous mode does not guarantee that we can sniff all frames on a switched LAN, because a switched LAN no longer uses broadcast/bus transmission; a switch forwards each frame only to the port of its destination MAC address. To sniff frames on a switched LAN, another technique is needed: ARP spoofing.