Sniffer technical principles and applications, including programming methods and tool usage

Source: Internet
Author: User

A sniffer is a network listening tool that is widely used in current network technology. A sniffer can serve as a network diagnostic tool, but it can equally be used by attackers for sniffing and eavesdropping. In the last two years, network listening (sniffer) technology has shown some important new features. Traditional sniffer technology passively monitors network communication, user names, and passwords; the new sniffer technology is characterized by dynamic control of communication data, which extends sniffing into a new field. Beyond traditional network detection and management, it is also applied in the field of information security. It can be said that sniffer technology is a double-edged sword: using it well, and understanding some of its characteristics, will let this technology serve us better.
Sniffer programming methods commonly used are the following:
1. winpcap is a common library, and I believe most people who have done packet capture are familiar with this tool.
2. raw socket: Windows versions from 2000 onward support this function; 2000 server has a network monitor based on raw sockets.
3. tdi, ndis, spi, and hook socket technology. The big difference with this technology is that we can intercept the packet instead of just getting a copy of it. Generally, most of them were in the past.
What I have mentioned here is still one-sided, and more needs to be added. The purpose of this topic is to let everyone learn about and discuss sniffer technology, so that more people get involved and everyone finds that this section brings them what they really want.
Libpcap is a good tool that can be used on linux and windows. Many security systems, such as intrusion detection, are built around it. I have never used it, though; I don't know how well it works cross-platform.
If you want to use spi, look at the code and books of xfilter, especially the book, which explains it well. Unfortunately, I have never used it for anything.
Raw sockets are used to write a lot of sniffers, and there is a lot of code online!
I saw several articles about sniffers on the csdn homepage yesterday. I saved them, but I haven't had time to read them yet...
I will talk about the common sniffer tools and their technical implementation tomorrow!

You can see two articles on the csdn homepage. It seems there are several other articles, which I cannot find yet.


1) winpcap driver Introduction
Winpcap (windows packet capture) is a free, public and open network access system for windows. Winpcap is designed to provide win32 applications with the ability to access the underlying network. It provides the following:

1> capture raw packets, including packets sent/received by the host and packets exchanged between other hosts on the shared network;
2> filter out particular packets according to custom rules before the packets are delivered to the application;
3> send raw datagrams on the network;
4> collect statistics during network communication.

Winpcap provides the ability to send and receive raw packets independently of host protocols such as TCP/IP. That is to say, winpcap cannot block, filter or control the sending and receiving of other applications' datagrams; it only listens to the datagrams transmitted on the shared network. Therefore, it cannot be used to build a QoS scheduler or a personal firewall.

Currently, winpcap is developed mainly for windows NT/2000/XP. Only a small proportion of users still use windows 95/98/Me, and M$ has abandoned win9x development, so the program T-ARP related to this article is also for NT/2000/XP users. In fact, the concepts on 9x and NT systems are very similar, but there are some differences in implementation. For example, 9x only supports ANSI encoding, while NT systems advocate Unicode encoding.

There is a piece of software called sniffer pro. It can be used as network management software and has many functions: it monitors network running conditions and the data traffic of each machine on the network, and reflects in real time the IP addresses accessed by each machine and the data flow between them. You can capture packets and set filters so that only the desired packets are captured, such as POP3, smtp and ftp packets, and find the mailbox user name and password as well as the ftp user name and password. It can also listen on a switched network, but you need to install software on the switch.
There is also a simple listening program called Passwordsniffer, which can intercept the mailbox user name and password as well as the ftp user name and password. It can only be used on a HUB network.
Both of the above software can be downloaded to the

The latest version of libpcap is 0.7.2 (it is based on linux/unix).
The latest version of winpcap is 3.0.
Winpcap source code here
The famous tcpdump and the IDS snort are both written on top of libpcap, and the Nmap scanner also uses libpcap to capture the packets returned by the target host.
Winpcap provides two different programming interfaces: one is the libpcap-based wpcap.dll, and the other is the lower-layer packet.dll. For development that should remain compatible with libpcap on unix platforms, wpcap.dll is of course the choice.
The following libraries are related to libpcap:
Libnet 1.0.2: constructs and sends packets
Libnids: implements some ids frameworks
Libicmp: icmp packet processing


Some famous sniffers:
Tcpdump/windump: the former supports a variety of unix systems, the latter supports windows. Libpcap-based.
Sniffit: unix, windows, libpcap
Ngrep: libpcap, unix/windows. Regular expressions can be used; it recognizes PPP, SLIP and FDDI frames.
Sniffer pro/NetXray: a professional protocol analysis tool that is part of the network analysis solution provided by NAI.

Single-purpose sniffers:
Password sniffing: winsniffer, a typical hacker tool, sniffs and parses ftp, pop3, http, icq, smtp, telnet, IMAP and NNTP passwords

Password sniffer of NetHackerIII

Dedicated sniffers:
SMB sniffer: L0phtcrack, SMBRelay
TCP connection session sniffer: CommView, Iris, Juggernaut
SSL sniffer: SSLDump, an sslv3/tls network protocol analysis tool
RADIUS sniffer: RADIUS is a udp-based accounting protocol; represented by Radiusniff
PPTP sniffer: Anger, PPTP-sniff (solaris)
SNMP sniffer: Snmpsniff

Switched network sniffer: Ettercap
Comprehensive: Dsniff
Other switched network sniffers:
Snarp, parasite

Sniffing countermeasures .........


GUNIFFER circulating on the network is a basic prototype (the listing below is the cleaned-up version; Usage and DecodeIpPack are the original's helpers, whose bodies are not shown here):

#include <winsock2.h>
#include <mstcpip.h>     /* SIO_RCVALL */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

#define MAX_PACK_LEN     65535
#define MAX_HOSTNAME_LAN 255

static SOCKET SockRaw;
static char   name[MAX_HOSTNAME_LAN];
static struct sockaddr_in sa;

/* Helpers from the original listing; their bodies are not shown on the page. */
void Usage(void);
int  DecodeIpPack(char *buf, int len);

/* Print the Winsock error and exit when a call fails (minimal version; the
   original's body is not shown on the page). */
void CheckSockError(int iErrorCode, const char *pErrorMsg)
{
    if (iErrorCode == SOCKET_ERROR) {
        printf("%s error: %d\n", pErrorMsg, WSAGetLastError());
        WSACleanup();
        exit(1);
    }
}

int main(int argc, char **argv)
{
    int iErrorCode;
    char RecvBuf[MAX_PACK_LEN] = {0};

    Usage();
    /* The original calls a command-line parser helper here (its name is
       garbled in the source); a plain "-h" check stands in for it. */
    if (argc > 1 && strcmp(argv[1], "-h") == 0) exit(0);

    /* Initialize the SOCKET */
    WSADATA wsaData;
    iErrorCode = WSAStartup(MAKEWORD(2, 1), &wsaData);
    CheckSockError(iErrorCode, "WSAStartup");

    SockRaw = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    CheckSockError((int)SockRaw, "socket");

    /* Obtain the local IP address */
    iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);
    CheckSockError(iErrorCode, "gethostname");

    /* gethostbyname returns a pointer to a buffer that Winsock allocates and
       owns internally. The original listing first malloc'd a struct hostent
       for pHostent and then overwrote the pointer with the gethostbyname
       result, so the malloc was redundant; the matching free(pHostent) after
       the memcpy below had to be removed as well, otherwise an error occurs.
       Thanks to Heyuming for finding this. Curiously, the original compiled
       and ran as-is under VC6; maybe the VC6 optimizer was at work. */
    struct hostent FAR *pHostent = gethostbyname(name);
    if (pHostent == NULL) CheckSockError(SOCKET_ERROR, "gethostbyname");

    sa.sin_family = AF_INET;
    sa.sin_port   = htons(6000);
    memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length);

    iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));
    CheckSockError(iErrorCode, "bind");

    /* Set SOCK_RAW to SIO_RCVALL to receive all IP packets */
    DWORD dwBufferLen[10];
    DWORD dwBufferInLen   = 1;
    DWORD dwBytesReturned = 0;
    iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
                          &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL);
    CheckSockError(iErrorCode, "Ioctl");

    /* Listen for IP packets */
    while (1) {
        memset(RecvBuf, 0, sizeof(RecvBuf));
        iErrorCode = recv(SockRaw, RecvBuf, sizeof(RecvBuf), 0);
        CheckSockError(iErrorCode, "recv");
        iErrorCode = DecodeIpPack(RecvBuf, iErrorCode);
        CheckSockError(iErrorCode, "Decode");
    }
    return 0;
}



It has two inconveniences:
1) the NIC cannot be selected;
2) it reads data in an endless loop. If it is adapted to a WINDOWS window-mode program, it may feel as if the program has hung.
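As an added example (not part of the original post or of the GUNIFFER program), here is the decode step that the listing above hands off to DecodeIpPack, together with the kind of port filter that the Winpcap feature list and the sniffer pro description talk about ("only capture the desired packets, such as POP3, smtp and ftp packets"). It is portable C working on a constructed byte buffer rather than a live raw socket, so it runs anywhere; the names decode_ip_pack, ip_pack_t, is_mail_or_ftp, fmt_ip and SAMPLE_POP3 are my own. It also adds what the prototype lacks: every read is bounds-checked, so a short recv() or a malformed header cannot make the decoder read past the buffer, and IP options (IHL greater than 5) are accounted for when locating the transport ports.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of one IPv4 packet: the fields a sniffer's decode step would
   print. Addresses and ports are in host byte order. */
typedef struct {
    uint8_t  version;
    uint8_t  ihl;          /* header length in 32-bit words (>= 5) */
    uint8_t  protocol;     /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t total_len;    /* as claimed by the header, not bytes captured */
    uint32_t src, dst;
    uint16_t sport, dport; /* 0 unless TCP/UDP and the ports were captured */
    int      truncated;    /* 1 if fewer bytes arrived than total_len claims */
} ip_pack_t;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the IPv4 header (and TCP/UDP ports) in buf[0..len).
   Returns 0 on success, -1 if the buffer is too short or not a sane IPv4 header. */
int decode_ip_pack(const unsigned char *buf, size_t len, ip_pack_t *out)
{
    memset(out, 0, sizeof *out);
    if (buf == NULL || len < 20) return -1;          /* minimum IPv4 header */
    out->version = buf[0] >> 4;
    out->ihl     = buf[0] & 0x0f;
    if (out->version != 4 || out->ihl < 5) return -1;
    size_t hdr = (size_t)out->ihl * 4;               /* options push the transport header */
    if (hdr > len) return -1;
    out->total_len = rd16(buf + 2);
    if (out->total_len < hdr) return -1;
    out->truncated = out->total_len > len;           /* capture shorter than the header claims */
    out->protocol  = buf[9];
    out->src = rd32(buf + 12);
    out->dst = rd32(buf + 16);
    if ((out->protocol == 6 || out->protocol == 17) && len >= hdr + 4) {
        out->sport = rd16(buf + hdr);
        out->dport = rd16(buf + hdr + 2);
    }
    return 0;
}

/* Filter rule in the spirit of "only capture the desired packets, such as
   POP3, smtp and ftp": TCP with one of those well-known destination ports. */
int is_mail_or_ftp(const ip_pack_t *p)
{
    if (p->protocol != 6) return 0;
    return p->dport == 21 || p->dport == 25 || p->dport == 110;
}

/* Dotted-quad formatting; returns the number of characters written. */
int fmt_ip(uint32_t ip, char *out, size_t n)
{
    return snprintf(out, n, "%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255),
                    (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255));
}

/* Constructed sample (not a real capture): IPv4 header without options plus a
   20-byte TCP SYN, 192.168.1.10:40000 -> 192.168.1.20:110 (POP3).
   Checksums are left at zero; the decoder does not verify them. */
const unsigned char SAMPLE_POP3[40] = {
    0x45, 0x00, 0x00, 0x28,  0x00, 0x01, 0x00, 0x00,  0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a,  0xc0, 0xa8, 0x01, 0x14,
    0x9c, 0x40, 0x00, 0x6e,  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x20, 0x00,  0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    ip_pack_t p;
    char s[16], d[16];
    if (decode_ip_pack(SAMPLE_POP3, sizeof SAMPLE_POP3, &p) != 0) { puts("decode failed"); return 1; }
    fmt_ip(p.src, s, sizeof s);
    fmt_ip(p.dst, d, sizeof d);
    printf("%s:%u -> %s:%u proto=%u len=%u%s\n", s, p.sport, d, p.dport, p.protocol,
           p.total_len, is_mail_or_ftp(&p) ? " [match]" : "");
    return 0;
}
```

In the prototype above, this decoder would be called as DecodeIpPack(RecvBuf, iErrorCode), with the byte count returned by recv() as len; passing that count, rather than sizeof(RecvBuf), is what makes the truncation check meaningful.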

Sevencat ():
I sorted out some information last time, but I have been very busy recently, so it hasn't continued yet.
