Windows core programming code analysis based on Visual C++ (37): Practical information-security risk monitoring — sniffing

Source: Internet
Author: User

A sniffer intercepts packets flowing through the network. A hub-based network works on the sharing principle: every computer on the LAN receives every frame, and the NIC acts as a hardware "filter" that discards frames whose destination MAC address is not its own. A sniffer only needs to disable this filter — putting the NIC into "promiscuous mode" — to capture all traffic. A switch-based network works on the "switching" principle: the switch does not flood a frame to every port but forwards it only to the port of the destination NIC.

Sniffing. A sniffer intercepts packets flowing through the network. A hub-based network works on the sharing principle: every computer on the LAN receives every frame, and the NIC acts as a hardware "filter" that discards frames whose destination MAC address is not its own. A sniffer only needs to disable this filter — putting the NIC into "promiscuous mode" — to capture all traffic. A switch-based network works on the "switching" principle: the switch does not flood a frame to every port but forwards it only to the port of the destination NIC. This makes sniffing harder. On a switched network a sniffer therefore usually resorts to "ARP spoofing": it sends forged ARP replies so that the victims' ARP caches map the gateway's (or peer's) IP address to the attacker's MAC address; the switch then delivers those frames to the attacker's port, and the attacker forwards each packet on after inspecting it so the connection keeps working.

Let's build a sniffer to check whether the traffic of our own software could be eavesdropped. Note that the program below receives all IP traffic through a raw socket with SIO_RCVALL, which on modern Windows requires administrator rights; it decodes IPv4 only, and it must only be run on networks you are authorised to monitor — capturing other users' traffic is itself an attack.

 

 

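/*
 * Minimal Windows raw-socket sniffer: one thread per local IPv4 address, each
 * receiving every IP datagram seen on that interface (SIO_RCVALL) and printing
 * source/destination address, transport ports (TCP/UDP only) and protocol.
 *
 * Caveats grounded in the APIs used below:
 *  - SIO_RCVALL on a SOCK_RAW socket needs administrator rights on modern
 *    Windows; a thread reports the error and exits if the ioctl fails.
 *  - Only IPv4 is decoded.  The header layout assumes MSVC/x86 bitfield
 *    ordering (h_len in the low nibble of the first byte) -- confirm if built
 *    with another compiler.
 *  - Run only on networks you are authorised to monitor.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")

/* Defined in mstcpip.h on newer SDKs; keep the original fallback. */
#ifndef SIO_RCVALL
#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)
#endif

enum {
    MAX_NICS        = 10,    /* capacity of phostlist / max listener threads  */
    SNIFF_BIND_PORT = 6000,  /* local port the raw socket is bound to          */
    MAX_PKT         = 65535, /* largest IPv4 datagram, so recv never truncates */
    IPV4_STR_LEN    = 16     /* "ddd.ddd.ddd.ddd" + NUL                         */
};

/* IPv4 header (RFC 791).  Multi-byte fields are in network byte order. */
struct iphead {
    unsigned char  h_len:4;          /* header length in 32-bit words        */
    unsigned char  ver:4;            /* IP version; only 4 is decoded here   */
    unsigned char  tos;              /* type of service                      */
    unsigned short total_len;        /* total datagram length in bytes       */
    unsigned short ident;            /* identification                       */
    unsigned short frag_and_flags;   /* 3-bit flags + 13-bit fragment offset */
    unsigned char  ttl;              /* time to live                         */
    unsigned char  proto;            /* IPPROTO_* of the payload             */
    unsigned short checksum;         /* header checksum                      */
    unsigned int   sourceip;         /* source address                       */
    unsigned int   destip;           /* destination address                  */
};

/* TCP header (RFC 793).  Only the two port fields are read by this program;
 * UDP places its ports at the same offsets, which is why they are reused. */
struct tcphead {
    unsigned short th_sport;   /* source port                      */
    unsigned short th_dport;   /* destination port                 */
    unsigned int   th_seq;     /* sequence number                  */
    unsigned int   th_ack;     /* acknowledgement number           */
    unsigned char  th_lenres;  /* 4-bit data offset + 4 reserved   */
    unsigned char  th_flag;    /* flags                            */
    unsigned short th_win;     /* window                           */
    unsigned short th_sum;     /* checksum                         */
    unsigned short th_urp;     /* urgent pointer                   */
};

/* Dotted-quad strings of the local addresses, one per listener thread.
 * Each entry is heap-allocated in main() and owned by the thread it is
 * handed to for the lifetime of the process. */
char *phostlist[MAX_NICS];

/* Name for the protocols the original table knew about; NULL otherwise. */
static const char *proto_name(unsigned char proto)
{
    switch (proto) {
    case IPPROTO_ICMP: return "ICMP";
    case IPPROTO_IGMP: return "IGMP";
    case IPPROTO_TCP:  return "Tcp";
    case IPPROTO_UDP:  return "UDP";
    default:           return NULL;
    }
}

/*
 * Listener thread.  p is a NUL-terminated dotted-quad local address (an entry
 * of phostlist).  Binds a raw socket to it, enables SIO_RCVALL and prints one
 * line per received datagram until recv() fails with a non-timeout error.
 *
 * Renamed from listen(): that name is already a Winsock function declared by
 * winsock2.h, and redefining it with another signature does not compile.
 *
 * Returns 0 on any setup or receive failure (the error has been printed).
 */
static DWORD WINAPI sniff_thread(LPVOID p)
{
    const char *bind_ip = (const char *)p;
    SOCKET s;
    struct sockaddr_in addr;
    int timeout_ms = 1000;
    DWORD rcvall_on = 1, rcvall_out = 0, bytes_returned = 0;
    char buf[MAX_PKT];

    /* NOTE(review): Microsoft's SIO_RCVALL example uses IPPROTO_IP here;
     * IPPROTO_RAW is kept from the original -- verify it receives on your
     * Windows version. */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == INVALID_SOCKET) {
        fprintf(stderr, "%s: socket() failed: %d\n", bind_ip, WSAGetLastError());
        return 0;
    }

    /* Timeout is a convenience so the loop wakes periodically; losing it is
     * not fatal, recv() would simply block. */
    if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (const char *)&timeout_ms,
                   sizeof(timeout_ms)) == SOCKET_ERROR) {
        fprintf(stderr, "%s: SO_RCVTIMEO failed: %d\n", bind_ip, WSAGetLastError());
    }

    memset(&addr, 0, sizeof(addr));
    addr.sin_family      = AF_INET;
    addr.sin_addr.s_addr = inet_addr(bind_ip);
    addr.sin_port        = htons(SNIFF_BIND_PORT);
    if (addr.sin_addr.s_addr == INADDR_NONE ||
        bind(s, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) {
        fprintf(stderr, "%s: bind() failed: %d\n", bind_ip, WSAGetLastError());
        closesocket(s);
        return 0;
    }

    /* Ask the stack to hand us every IP datagram on this interface.  This is
     * the privileged step: it fails with WSAEACCES when not run as admin. */
    if (WSAIoctl(s, SIO_RCVALL, &rcvall_on, sizeof(rcvall_on),
                 &rcvall_out, sizeof(rcvall_out), &bytes_returned,
                 NULL, NULL) == SOCKET_ERROR) {
        fprintf(stderr, "%s: SIO_RCVALL failed: %d (administrator rights required)\n",
                bind_ip, WSAGetLastError());
        closesocket(s);
        return 0;
    }

    for (;;) {
        int n = recv(s, buf, sizeof(buf), 0);
        struct iphead iph;
        unsigned iphlen;
        unsigned short sport = 0, dport = 0;
        int have_ports = 0;
        struct in_addr a;
        const char *pname;

        if (n == SOCKET_ERROR) {
            int err = WSAGetLastError();
            /* Timeout: just poll again.  Oversized datagram: skip it rather
             * than tearing the whole listener down. */
            if (err == WSAETIMEDOUT || err == WSAEMSGSIZE) {
                continue;
            }
            fprintf(stderr, "%s: recv() failed: %d\n", bind_ip, err);
            break;
        }

        /* Validate the header before trusting any field in it: the bytes
         * come off the wire and are attacker-controlled. */
        if ((size_t)n < sizeof(struct iphead)) {
            continue;
        }
        memcpy(&iph, buf, sizeof(iph));   /* memcpy avoids aliasing/alignment UB */
        iphlen = 4u * (iph.h_len & 0xfu);
        if (iph.ver != 4 || iphlen < sizeof(struct iphead) || iphlen > (unsigned)n) {
            continue;
        }

        /* Ports exist only for TCP/UDP, and only if the transport header's
         * first four bytes were actually received. */
        if ((iph.proto == IPPROTO_TCP || iph.proto == IPPROTO_UDP) &&
            (unsigned)n - iphlen >= 2 * sizeof(unsigned short)) {
            unsigned short ports[2];
            memcpy(ports, buf + iphlen, sizeof(ports));
            sport = ntohs(ports[0]);
            dport = ntohs(ports[1]);
            have_ports = 1;
        }

        /* inet_ntoa() returns a static buffer, so one address per printf. */
        memcpy(&a, &iph.sourceip, sizeof(a));
        if (have_ports) {
            printf("from: %s\t port %u\t", inet_ntoa(a), sport);
        } else {
            printf("from: %s\t port -\t", inet_ntoa(a));
        }
        memcpy(&a, &iph.destip, sizeof(a));
        if (have_ports) {
            printf(": %s\t port %u", inet_ntoa(a), dport);
        } else {
            printf(": %s\t port -", inet_ntoa(a));
        }

        pname = proto_name(iph.proto);
        if (pname != NULL) {
            printf("%s\n", pname);
        } else {
            printf("unknow: %d\n", iph.proto);
        }
    }

    closesocket(s);
    return 0;
}

/*
 * Resolves the local host's IPv4 addresses and starts one sniff_thread per
 * address (at most MAX_NICS, the capacity of phostlist), then parks forever.
 *
 * Returns 1 if Winsock or host lookup fails, otherwise never returns.
 */
int main(void)
{
    WSADATA wsa;
    char hostname[128];
    struct hostent *host;
    int started = 0;
    int i;

    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        fprintf(stderr, "WSAStartup failed\n");
        return 1;
    }
    if (gethostname(hostname, sizeof(hostname)) == SOCKET_ERROR) {
        fprintf(stderr, "gethostname failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    host = gethostbyname(hostname);
    if (host == NULL || host->h_addrtype != AF_INET ||
        host->h_length != (int)sizeof(struct in_addr)) {
        fprintf(stderr, "gethostbyname(%s) failed: %d\n", hostname, WSAGetLastError());
        WSACleanup();
        return 1;
    }

    /* The bound on i is what keeps a host with >10 addresses from writing
     * past the end of phostlist. */
    for (i = 0; i < MAX_NICS && host->h_addr_list[i] != NULL; i++) {
        struct in_addr ia;
        const char *txt;
        size_t len;
        HANDLE th;

        memcpy(&ia, host->h_addr_list[i], sizeof(ia));
        txt = inet_ntoa(ia);
        len = strlen(txt);
        if (len >= IPV4_STR_LEN) {   /* cannot happen for a dotted quad */
            continue;
        }
        phostlist[i] = malloc(IPV4_STR_LEN);
        if (phostlist[i] == NULL) {
            fprintf(stderr, "out of memory\n");
            break;
        }
        memcpy(phostlist[i], txt, len + 1);
        printf("bind to %s\n", phostlist[i]);

        th = CreateThread(NULL, 0, sniff_thread, phostlist[i], 0, NULL);
        if (th == NULL) {
            fprintf(stderr, "CreateThread failed: %lu\n", (unsigned long)GetLastError());
            continue;
        }
        CloseHandle(th);   /* the thread keeps running; we never join it */
        started++;
    }

    if (started == 0) {
        fprintf(stderr, "no listener started\n");
        WSACleanup();
        return 1;
    }

    /* Keep the process alive for the listener threads. */
    for (;;) {
        Sleep(10);
    }
}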

 
