The WinPcap packet-capture principle
WinPcap is a packet-capture library derived from the Berkeley packet-capture library (libpcap); it implements interception and filtering of packets at the lowest level of the Windows operating platform. WinPcap is an architecture that brings the BPF model and the libpcap function library to the Windows platform for network packet capture and network state analysis. It consists of a kernel-level packet filter driver, a low-level dynamic link library, Packet.dll, and a high-level, system-independent function library, libpcap. The low-level packet-capture driver is actually a protocol network driver: by calling functions in NDIS it gives Win95, Win98, WinNT and Win2000 a capture facility similar to the Berkeley Packet Filter under UNIX systems, with the ability to receive and send raw packets. Packet.dll is the API interface for accessing this BPF driver, and on top of it sits a set of library functions that conform to the libpcap interface (the capture function library under UNIX).
WinPcap consists of three parts. The first module, NPF (Netgroup Packet Filter), is a virtual device driver file. Its function is to filter packets and pass them intact to the user-mode modules; it includes some operating-system-specific code. The second module, Packet.dll, provides a common interface for the Win32 platform. Different versions of Windows have their own kernel modules and user-level modules, and Packet.dll is used to resolve these differences: programs that call Packet.dll can run on different versions of the Windows platform without recompiling. The third module, Wpcap.dll, does not depend on the operating system; it provides higher-level, more abstract functions.
Packet.dll and Wpcap.dll: Packet.dll maps kernel calls directly, while Wpcap.dll provides more user-friendly and more powerful function calls. The advantages of WinPcap are that it provides a standard packet-capture interface compatible with libpcap, which enables the rapid porting of network analysis tools from the many UNIX platforms and eases the development of all kinds of network analysis tools, and that it incorporates various performance and efficiency optimizations, including filter support at the NPF kernel level, a statistical mode supported in kernel mode, and the ability to send packets.
The principle of network packet capture
Ethernet has the characteristic of a shared medium: information is transmitted in clear text over the network, and because Ethernet uses broadcast-channel contention, when the network adapter is set to listening mode (promiscuous mode) the monitoring system can capture any packet transmitted within the same collision domain while normal network communication continues. IEEE 802.3 Ethernet uses persistent CSMA; precisely because Ethernet uses this broadcast-channel contention method, every station can obtain the data that the other stations send. Using this principle, a capture system can intercept the information we want, and this is the physical basis for capturing packets.
Ethernet is a bus-type network: logically it consists of a bus and a number of stations connected to it, and each station uses the CSMA/CD protocol mentioned above to contend for and share the channel. Each station (here specifically a computer attached through its network interface card) implements this function in the network card. The main work of the network card is to detect the current state of the bus and decide whether to transmit data, and to determine whether the destination of each physical data frame is the address of this station; if it does not match, the frame is not delivered to the station and is discarded. If it does match, the card receives the data frame, performs a CRC check on the physical frame, and then passes the frame up to the LLC sublayer.
The network card has several operating modes:
1) Broadcast mode: a frame whose destination physical (MAC) address is the all-ones broadcast address (FF:FF:FF:FF:FF:FF) is a broadcast frame, and a network card working in broadcast mode receives broadcast frames.
2) Multicast mode: a frame whose destination physical address is a multicast address can be received by the other hosts in that group, while hosts outside the group do not receive it. However, if the network card is set to multicast mode, it can receive all multicast frames regardless of whether it is a member of the group.
3) Direct mode: a network card working in direct mode receives only frames whose destination address is its own MAC address.
4) Promiscuous mode: a NIC operating in promiscuous mode receives all frames that flow past the network card, and packet-capture programs run in this mode.
The default working mode of a network card combines broadcast mode and direct mode, that is, it receives only broadcast frames and frames addressed to itself. In promiscuous mode, a network card at one station accepts packets sent by all stations within the same network, which achieves the purpose of monitoring and capturing network information.
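The four receive modes above are, from the card's point of view, just a decision on the destination MAC of each incoming frame. The following C program is an added example (not WinPcap or NPF code) that parses a 14-byte Ethernet header, classifies the destination address as unicast, multicast or broadcast, and decides whether a card with a given mode mask would hand the frame to the host, which is the filtering that happens in hardware before any capture driver sees a packet. The mode names, the two MAC addresses and the four sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_HLEN 14

/* Receive-mode bits; the names are hypothetical, chosen for this example. */
enum nic_mode {
    MODE_DIRECT    = 1 << 0,  /* frames addressed to our own MAC   */
    MODE_BROADCAST = 1 << 1,  /* frames to FF:FF:FF:FF:FF:FF       */
    MODE_MULTICAST = 1 << 2,  /* every group-addressed frame        */
    MODE_PROMISC   = 1 << 3,  /* every frame on the segment         */
};
#define MODE_DEFAULT (MODE_DIRECT | MODE_BROADCAST)  /* what a card does out of the box */

enum dst_class { DST_UNICAST, DST_MULTICAST, DST_BROADCAST };

struct eth_hdr {
    uint8_t  dst[ETH_ALEN];
    uint8_t  src[ETH_ALEN];
    uint16_t ethertype;       /* host byte order after parsing */
};

/* Parse the Ethernet header; returns false for a runt buffer too short to hold one. */
bool parse_eth(const uint8_t *buf, size_t len, struct eth_hdr *h) {
    if (len < ETH_HLEN) return false;
    memcpy(h->dst, buf, ETH_ALEN);
    memcpy(h->src, buf + ETH_ALEN, ETH_ALEN);
    h->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    return true;
}

/* All-ones is broadcast; otherwise the I/G bit (LSB of the first octet) marks a group address. */
enum dst_class classify_dst(const uint8_t mac[ETH_ALEN]) {
    static const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (memcmp(mac, bcast, ETH_ALEN) == 0) return DST_BROADCAST;
    if (mac[0] & 0x01) return DST_MULTICAST;
    return DST_UNICAST;
}

/* Would a card with MAC `own` and receive mask `mode` deliver this frame to the host? */
bool nic_accepts(unsigned mode, const uint8_t own[ETH_ALEN], const uint8_t *buf, size_t len) {
    struct eth_hdr h;
    if (!parse_eth(buf, len, &h)) return false;   /* runt frames are dropped in every mode */
    if (mode & MODE_PROMISC) return true;         /* promiscuous: no address check at all */
    switch (classify_dst(h.dst)) {
    case DST_BROADCAST: return (mode & MODE_BROADCAST) != 0;
    case DST_MULTICAST: return (mode & MODE_MULTICAST) != 0;
    case DST_UNICAST:   return (mode & MODE_DIRECT) && memcmp(h.dst, own, ETH_ALEN) == 0;
    }
    return false;
}

/* Constructed addresses: this station and a neighbour on the same segment. */
static const uint8_t OWN_MAC[ETH_ALEN]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
static const uint8_t OTHER_MAC[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66};

/* Write a header-only frame into `out`; returns its length. */
size_t make_frame(uint8_t *out, const uint8_t dst[ETH_ALEN], const uint8_t src[ETH_ALEN], uint16_t type) {
    memcpy(out, dst, ETH_ALEN);
    memcpy(out + ETH_ALEN, src, ETH_ALEN);
    out[12] = (uint8_t)(type >> 8);
    out[13] = (uint8_t)(type & 0xff);
    return ETH_HLEN;
}

/* Count how many of four constructed frames (broadcast ARP, unicast to us,
 * unicast to the neighbour, IPv4 all-hosts multicast) a card in `mode` delivers. */
int count_accepted(unsigned mode) {
    static const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    static const uint8_t mcast[ETH_ALEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
    uint8_t f[ETH_HLEN];
    size_t len;
    int n = 0;
    len = make_frame(f, bcast, OTHER_MAC, 0x0806);     n += nic_accepts(mode, OWN_MAC, f, len);
    len = make_frame(f, OWN_MAC, OTHER_MAC, 0x0800);   n += nic_accepts(mode, OWN_MAC, f, len);
    len = make_frame(f, OTHER_MAC, OWN_MAC, 0x0800);   n += nic_accepts(mode, OWN_MAC, f, len);
    len = make_frame(f, mcast, OTHER_MAC, 0x0800);     n += nic_accepts(mode, OWN_MAC, f, len);
    return n;
}

int main(void) {
    printf("default (direct+broadcast): %d of 4 frames\n", count_accepted(MODE_DEFAULT));
    printf("direct only               : %d of 4 frames\n", count_accepted(MODE_DIRECT));
    printf("multicast only            : %d of 4 frames\n", count_accepted(MODE_MULTICAST));
    printf("promiscuous               : %d of 4 frames\n", count_accepted(MODE_PROMISC));
    return 0;
}
```

The default mask delivers only the broadcast and the frame addressed to this station, exactly the behaviour the text describes; a capture tool has to switch the card to promiscuous mode to see the neighbour's unicast traffic, which is why that mode change is itself a useful thing to monitor on hosts that have no business sniffing.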