Teach you how to capture data packets (Part 1) [Data packet series II]

Source: Internet
Author: User

Http://blog.csdn.net/piggyxp/archive/2004/06/23/24444.aspx

Preface

I often see people in the forum asking about packet interception and analysis. Fortunately, I know a little about this and have written quite a few sniffers, so I want to write a series of articles that discuss data packets in detail.

I hope this series of articles will make knowledge about data packets more widely known. Therefore, every article in the series will have a simple but in-depth explanation, detailed analysis and coding steps; in addition, source code with detailed comments is attached (I provide MFC source code to accommodate most readers).

However, since I am also a beginner, I hope readers will point out and correct any omissions.

This article represents a lot of painstaking effort by the author. If you want to reprint it, please credit the original author and its source. Thank you! Pai_^

OK, let's go! Have fun!! Q^_^P

Article 2: How to capture data packets

Directory:

I. How to capture data packets

II. Programming and implementation of packet capture:

1. Implementation with raw sockets

2. Implementation with WinPcap

  1. Enumerate information on the local NICs
  2. Open the corresponding NIC and set it to promiscuous mode
  3. Capture data packets and save them to a file

Author:

CSDN VC/MFC Network Programming moderator: piggyxp

I. How to capture data packets: --------------------------------------------------------------------

In general, a network socket program can only receive data frames whose destination is its own hardware address or that are sent as broadcasts. For other frames that reach the network interface but are not addressed to it, the interface checks the destination address, finds that it is not its own and does not respond; in other words, an application cannot receive packets that are unrelated to itself.

Therefore, to intercept all packets flowing through the network device, we must take a special measure:

Set the NIC to promiscuous mode.

In this way the host's NIC can capture all data packets and frames flowing past it.

However, note that this kind of interception only obtains a copy of each packet and cannot block it. To actually cut off network traffic you must work at a lower level, which is outside the scope of this article.

II. Programming and implementation of packet capture:

1. Raw socket implementation --------------------------------------------------------------------

Unlike the commonly used stream sockets and datagram sockets, after creating a raw socket you need to configure it with the WSAIoctl() function, which is defined as follows:

int WSAIoctl(
    SOCKET s,
    DWORD dwIoControlCode,
    LPVOID lpvInBuffer,
    DWORD cbInBuffer,
    LPVOID lpvOutBuffer,
    DWORD cbOutBuffer,
    LPDWORD lpcbBytesReturned,
    LPWSAOVERLAPPED lpOverlapped,
    LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);

Although there seem to be many parameters at first glance, the one we care about most is the second. All we need to do is set the second parameter to SIO_RCVALL. After all that talk, what actually has to be done is this one line of code; isn't it simple? Pai_^

Of course, we can also specify whether to handle the IP header ourselves, but this is not necessary.

The complete code is roughly as follows; the comments mark the lines that differ from an ordinary socket program.

(To keep the code clear at a glance, I removed the error handling; the same applies below.)

#include "winsock2.h"

#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)   // receive-all ioctl code (differs from ordinary socket code)

SOCKET snifferSocket;
WSADATA wsaData;
int iFlag = WSAStartup(MAKEWORD(2, 2), &wsaData);   // initialize Winsock (ws2_32.dll)

// create the raw socket (differs from ordinary socket code: SOCK_RAW / IPPROTO_IP)
snifferSocket = WSASocket(AF_INET, SOCK_RAW, IPPROTO_IP, NULL, 0, WSA_FLAG_OVERLAPPED);

char FAR name[128];                     // obtain the local IP address
gethostname(name, sizeof(name));
struct hostent FAR *pHostent;
pHostent = gethostbyname(name);

SOCKADDR_IN sa;                         // fill in the sockaddr_in structure
sa.sin_family = AF_INET;
sa.sin_port = htons(6000);              // any port will do, as long as it does not conflict with the system
memcpy(&(sa.sin_addr), pHostent->h_addr, pHostent->h_length);
bind(snifferSocket, (LPSOCKADDR)&sa, sizeof(sa));   // bind the socket to the local interface

// key step: set the ioctl so that the socket receives all network data (differs from ordinary socket code)
DWORD dwBufferLen[10];
DWORD dwBufferInLen = 1;
DWORD dwBytesReturned = 0;
WSAIoctl(snifferSocket, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
         &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL);

At this point we can start sniffing network packets. Receiving them works the same as with ordinary sockets, through the recv() function. Because different socket I/O models can be involved here and their receive methods differ greatly, no code is given for that.

2. WinPcap implementation: -----------------------------------------------------------------------

The WinPcap driver package is an indispensable tool for working with packets. Its main function is to send and receive raw datagrams independently of the host protocol stack (such as TCP/IP). It provides us with four main functions:

Functions:
1> capture raw packets, including packets sent and received by the host and packets exchanged between other hosts on a shared network;
2> filter out certain packets according to user-defined rules before the packets are handed to the application;
3> send raw datagrams on the network;
4> collect statistics during network communication.

If the environment permits (for example, you are not writing a Trojan program), I recommend using WinPcap to intercept packets, because it is more powerful and more efficient. Its only drawback is that before a program developed with WinPcap can run, the WinPcap driver must first be installed on the host.

In addition, we will find that it is much more powerful than raw sockets and works at a lower layer. The most obvious sign is that the packets captured by a raw socket have no Ethernet header, while those captured by WinPcap do; more on this later.
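As an added example (it is not code from the original article or from piggyxp), the following C program shows the consequence of that difference for anyone writing a sniffer: a buffer from a raw socket begins at the IPv4 header, a buffer from WinPcap begins at the Ethernet header, so the same parser has to be applied at a different offset, and applying it at the wrong offset must fail cleanly rather than misread fields. The sample frame is constructed by hand, and match_tcp_dst_port is a hypothetical illustration of the "filter according to user-defined rules" feature listed above.

```c
/* Added example, not code from the original article. It parses a captured
 * packet as delivered by the two methods discussed in the text: a raw socket
 * with SIO_RCVALL delivers a buffer starting at the IPv4 header, WinPcap one
 * starting at the Ethernet header. The sample frame is constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800

typedef struct {
    uint8_t  ihl_bytes;  /* IP header length in bytes */
    uint8_t  protocol;   /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t total_len;  /* IP total length field */
    uint32_t src_ip;     /* host byte order */
    uint32_t dst_ip;
    uint16_t src_port;   /* 0 unless TCP/UDP */
    uint16_t dst_port;
} pkt_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Raw-socket view: buf points at the IPv4 header.
 * Returns 0 on success, -1 if the buffer is truncated or not IPv4. */
int parse_ipv4(const uint8_t *buf, size_t len, pkt_info_t *out)
{
    if (len < 20) return -1;
    uint8_t ihl = (uint8_t)((buf[0] & 0x0F) * 4);
    if ((buf[0] >> 4) != 4 || ihl < 20 || len < ihl) return -1;
    memset(out, 0, sizeof(*out));
    out->ihl_bytes = ihl;
    out->total_len = rd16(buf + 2);
    out->protocol  = buf[9];
    out->src_ip    = rd32(buf + 12);
    out->dst_ip    = rd32(buf + 16);
    /* TCP and UDP headers both begin with source port, destination port */
    if ((out->protocol == 6 || out->protocol == 17) && len >= (size_t)ihl + 4) {
        out->src_port = rd16(buf + ihl);
        out->dst_port = rd16(buf + ihl + 2);
    }
    return 0;
}

/* WinPcap view: buf points at the Ethernet header. Check the EtherType, then
 * parse the IPv4 header that follows the 14-byte Ethernet header. */
int parse_ethernet(const uint8_t *buf, size_t len, pkt_info_t *out)
{
    if (len < ETH_HDR_LEN) return -1;
    if (rd16(buf + 12) != ETHERTYPE_IPV4) return -1;  /* e.g. ARP is 0x0806 */
    return parse_ipv4(buf + ETH_HDR_LEN, len - ETH_HDR_LEN, out);
}

/* Hypothetical user-defined filter rule: keep only TCP packets to one port. */
int match_tcp_dst_port(const pkt_info_t *p, uint16_t port)
{
    return p->protocol == 6 && p->dst_port == port;
}

/* Constructed sample: Ethernet + IPv4 + TCP SYN, 192.168.1.10:49152 -> 192.168.1.20:80 */
static const uint8_t sample_frame[] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total len 40, id, flags/frag, ttl 64, proto 6, checksum */
    0x45,0x00, 0x00,0x28, 0x1c,0x46, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,           /* src, dst address */
    /* TCP: src port, dst port 80, seq, ack, data offset + SYN flag, window, checksum, urgent */
    0xc0,0x00, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00
};

/* The same packet as a raw socket would deliver it: without the Ethernet header. */
const uint8_t *sample_raw_socket_view(size_t *len)
{
    *len = sizeof(sample_frame) - ETH_HDR_LEN;
    return sample_frame + ETH_HDR_LEN;
}

int main(void)
{
    pkt_info_t p;
    size_t raw_len;
    const uint8_t *raw = sample_raw_socket_view(&raw_len);

    if (parse_ethernet(sample_frame, sizeof(sample_frame), &p) == 0)
        printf("WinPcap view:    proto %u %08x:%u -> %08x:%u\n", (unsigned)p.protocol,
               (unsigned)p.src_ip, (unsigned)p.src_port, (unsigned)p.dst_ip, (unsigned)p.dst_port);
    if (parse_ipv4(raw, raw_len, &p) == 0)
        printf("raw socket view: proto %u %08x:%u -> %08x:%u, TCP to port 80: %d\n",
               (unsigned)p.protocol, (unsigned)p.src_ip, (unsigned)p.src_port,
               (unsigned)p.dst_ip, (unsigned)p.dst_port, match_tcp_dst_port(&p, 80));
    /* Using the wrong offset is detected rather than silently misreading fields */
    printf("raw buffer parsed as Ethernet frame: %d\n", parse_ethernet(raw, raw_len, &p));
    return 0;
}
```

Both views decode to the same addresses and ports; the raw buffer fed to parse_ethernet is rejected because the bytes where the EtherType would be are part of the source IP address. In a real sniffer the length checks matter because a truncated or non-IPv4 frame is exactly what a parser that trusts offsets will misread.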

For how to install and use it, refer to Article 1 of this series, "hands-on instructions for converting ARP packets", which describes in detail how to load the WinPcap driver ^_^

Without further ado, let's get to the subject. Intercepting packets with WinPcap requires the following work:

A. Enumerate the information of the local NICs (mainly to obtain the NIC name)

This uses the pcap_findalldevs function, which is defined as follows:

/*************************************************

int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)

Function:

Enumerate information about all network devices in the system.

Parameters:

alldevsp: pointer to a pcap_if_t pointer. If pcap_findalldevs succeeds, a list of the available NICs is obtained and the pointer to its first element is stored here.

errbuf: string used to store error messages.

Return value: int: 0 means the call succeeded, -1 means it failed.

**************************************************/

The complete code for obtaining the NIC names with this function is as follows:

#include "pcap.h"

pcap_if_t *alldevs;
pcap_if_t *d;
char errbuf[PCAP_ERRBUF_SIZE];

pcap_findalldevs(&alldevs, errbuf);   // obtain the list of network devices

for (d = alldevs; d != NULL; d = d->next)   // enumerate the NICs and add them to a ComboBox
{
    d->name;   // d->name is the name string of the adapter we need; save it to your own variables as required
}

pcap_freealldevs(alldevs);   // release the resources held by alldevs

To be continued ..... Pai_^
