Sniffer


/*
 * Guniffer for Win2K by shotgun
 * HomePage: http://it.xici.net
 *           http://www.patching.net
 *
 * NOTE(review): the header names on the #include lines were lost in
 * transcription; they are restored here from the calls this file makes
 * (printf -> stdio.h, malloc/atoi/exit -> stdlib.h, str*/mem* -> string.h,
 * WSA*/socket/inet_ntoa -> winsock2.h).  winsock2.h must be included before
 * any windows.h include, and mstcpip.h (SIO_RCVALL) needs the Winsock types.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include "mstcpip.h"

#pragma comment(lib, "ws2_32.lib")

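/* Program-wide constants. Names are the ones the rest of the file uses
 * (the transcription had lost their casing). */
#define STATUS_FAILED       0xFFFFFFF   /* generic failure code; unused in this file, value as transcribed */
#define MAX_PACK_LEN        65535       /* largest IP datagram recv() may return into RecvBuf */
#define MAX_ADDR_LEN        16          /* dotted-quad IPv4 text incl. NUL ("255.255.255.255") */
#define MAX_PROTO_TEXT_LEN  16          /* protocol name text incl. NUL, e.g. "TCP" */
#define MAX_PROTO_NUM       12          /* capacity of ProtoMap[] */
#define MAX_HOSTNAME_LAN    255         /* gethostname() buffer size */
#define CMD_PARAM_HELP      1           /* "true": GetCmdLine() result meaning print usage and exit */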

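/*
 * IPv4 header as it appears on the wire: 20 bytes without options.
 * Multi-byte fields are in network byte order.  Field names match the
 * accessors used by DecodeIpPack() (h_lenver, ttl, proto, sourceIP, destIP).
 */
typedef struct _iphdr {
    unsigned char  h_lenver;        /* low 4 bits: header length in 32-bit words; high 4 bits: version */
    unsigned char  tos;             /* type of service */
    unsigned short total_len;       /* total datagram length in bytes */
    unsigned short ident;           /* identification */
    unsigned short frag_and_flags;  /* 3 flag bits + 13-bit fragment offset */
    unsigned char  ttl;             /* time to live */
    unsigned char  proto;           /* payload protocol: IPPROTO_TCP / IPPROTO_UDP / IPPROTO_ICMP / ... */
    unsigned short checksum;        /* header checksum */
    unsigned int   sourceIP;        /* source address */
    unsigned int   destIP;          /* destination address */
} IP_HEADER;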

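/*
 * TCP header (20 bytes without options), network byte order.
 * Uses plain unsigned short/int rather than the Windows USHORT so the layout
 * is the same on every compiler.
 */
typedef struct _tcphdr {
    unsigned short th_sport;    /* source port */
    unsigned short th_dport;    /* destination port */
    unsigned int   th_seq;      /* sequence number */
    unsigned int   th_ack;      /* acknowledgement number */
    unsigned char  th_lenres;   /* high 4 bits: data offset in 32-bit words; low 4 bits: reserved */
    unsigned char  th_flag;     /* flag bits; DecodeTcpPack() prints bit0..bit5 as F S R P A U */
    unsigned short th_win;      /* window size */
    unsigned short th_sum;      /* checksum */
    unsigned short th_urp;      /* urgent pointer */
} TCP_HEADER;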

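/* UDP header (8 bytes), network byte order. */
typedef struct _udphdr {
    unsigned short uh_sport;    /* source port */
    unsigned short uh_dport;    /* destination port */
    unsigned short uh_len;      /* length of header + payload as claimed by the sender (untrusted) */
    unsigned short uh_sum;      /* checksum */
} UDP_HEADER;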

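/*
 * ICMP echo header (12 bytes).  Only type/code/checksum are common to every
 * ICMP message; id, seq and timestamp are the echo-request/reply layout.
 * timestamp is 32 bits on the wire, so it is an unsigned int, not ULONG
 * (which is 8 bytes on LP64 compilers).
 */
typedef struct _icmphdr {
    unsigned char  i_type;      /* message type */
    unsigned char  i_code;      /* message code */
    unsigned short i_cksum;     /* checksum */
    unsigned short i_id;        /* identifier (ping usually uses the process id) */
    unsigned short i_seq;       /* sequence number */
    unsigned int   timestamp;   /* echo timestamp */
} ICMP_HEADER;

/* One row of the protocol-number -> name table (see ProtoMap / CheckProtocol). */
typedef struct _protomap {
    int  ProtoNum;                          /* IPPROTO_* value */
    char ProtoText[MAX_PROTO_TEXT_LEN];     /* printable name, NUL-terminated */
} PROTOMAP;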

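/*
 * Protocol-number -> name table searched linearly by CheckProtocol().
 * The list ends with a {0, ""} sentinel; entries past it are zero-filled.
 * IPPROTO_ICMP is present because DecodeIpPack() dispatches ICMP packets and
 * would otherwise print an empty protocol name for them (the transcribed
 * table had a doubled brace where that row was).
 */
PROTOMAP ProtoMap[MAX_PROTO_NUM] = {
    { IPPROTO_IP,   "IP"   },
    { IPPROTO_ICMP, "ICMP" },
    { IPPROTO_IGMP, "IGMP" },
    { IPPROTO_GGP,  "GGP"  },
    { IPPROTO_TCP,  "TCP"  },
    { IPPROTO_PUP,  "PUP"  },
    { IPPROTO_UDP,  "UDP"  },
    { IPPROTO_IDP,  "IDP"  },
    { IPPROTO_RAW,  "RAW"  },
    { IPPROTO_MAX,  "MAX"  },
    { 0,            ""     }
};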

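/* Global state shared between main(), GetCmdLine() and the decoders. */
SOCKET SockRaw;                                   /* raw socket opened in main(), closed by CheckSockError() */
char   TcpFlag[6] = {'f', 's', 'r', 'p', 'a', 'u'}; /* letters printed for th_flag bits 0..5 (FIN SYN RST PSH ACK URG) */

BOOL   ParamTcp    = FALSE;   /* /t  show TCP packets */
BOOL   ParamUdp    = FALSE;   /* /u  show UDP packets */
BOOL   ParamIcmp   = FALSE;   /* /i  show ICMP packets */
BOOL   ParamDecode = FALSE;   /* /p  dump packet payload */

char  *strFromIpFilter = NULL;   /* /f:ip   only packets whose source address prints as this string */
char  *strDestIpFilter = NULL;   /* /d:ip   only packets whose destination address prints as this string */
char  *strSensitive    = NULL;   /* /s:str  only TCP packets whose payload contains str */
int    iPortFilter     = 0;      /* /o:port only packets from/to this port (for ICMP: message type); 0 = off */

/* Per-packet values set by DecodeIpPack() and printed by the sub-decoders. */
int    iProtocol, iTTL;
char   szProtocol[MAX_PROTO_TEXT_LEN];
char   szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN];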

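int   DecodeIpPack(char *, int);     /* IP layer: filters and dispatches to the decoders below */
int   DecodeTcpPack(char *, int);    /* TCP */
int   DecodeUdpPack(char *, int);    /* UDP */
int   DecodeIcmpPack(char *, int);   /* ICMP */
void  CheckSockError(int, char *);   /* exits the program when passed SOCKET_ERROR */
char *CheckProtocol(int);            /* protocol number -> name */
void  usage(void);                   /* prints the help text */
BOOL  GetCmdLine(int, char **);      /* parses argv into the Param*/str* globals */

/*
 * Entry point.  Parses the command line, opens a raw IP socket bound to the
 * host's first address, switches it to SIO_RCVALL so every IP datagram that
 * reaches the interface is delivered, then loops forever handing each
 * datagram to DecodeIpPack().  Exits only through CheckSockError() or Ctrl+C.
 *
 * NOTE(review): SIO_RCVALL captures all traffic on the interface, not just
 * this host's; on Windows that typically needs an administrator account --
 * confirm on the target system.
 */
int main(int argc, char **argv)
{
    int iErrorCode;
    /* One spare byte keeps the buffer NUL-terminated even for a maximum-size
     * datagram, since recv() is limited to MAX_PACK_LEN below. */
    char RecvBuf[MAX_PACK_LEN + 1] = {0};
    WSADATA wsaData;
    char name[MAX_HOSTNAME_LAN];
    struct hostent *pHostent;
    SOCKADDR_IN sa;
    DWORD dwBufferLen[10];
    DWORD dwBufferInLen = 1;
    DWORD dwBytesReturned = 0;

    usage();
    if (GetCmdLine(argc, argv) == CMD_PARAM_HELP)
        exit(0);

    iErrorCode = WSAStartup(MAKEWORD(2, 1), &wsaData);
    CheckSockError(iErrorCode, "WSAStartup");

    /* socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR. */
    SockRaw = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (SockRaw == INVALID_SOCKET)
        CheckSockError(SOCKET_ERROR, "socket");

    /* Resolve our own address.  gethostbyname() returns a pointer to a
     * buffer owned by Winsock: the original malloc'd a hostent, overwrote the
     * pointer, then free()d the Winsock buffer -- a leak plus heap corruption. */
    iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);
    CheckSockError(iErrorCode, "gethostname");
    pHostent = gethostbyname(name);
    if (pHostent == NULL || pHostent->h_addr_list[0] == NULL ||
        pHostent->h_length != (int)sizeof(sa.sin_addr))
        CheckSockError(SOCKET_ERROR, "gethostbyname");

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port   = htons(6000);    /* meaningless for a raw IP socket; kept from the original */
    memcpy(&sa.sin_addr, pHostent->h_addr_list[0], sizeof(sa.sin_addr));
    iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));
    CheckSockError(iErrorCode, "bind");

    /* SIO_RCVALL = 1: deliver every IP datagram the interface sees. */
    iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL,
                          &dwBufferInLen, sizeof(dwBufferInLen),
                          dwBufferLen, sizeof(dwBufferLen),
                          &dwBytesReturned, NULL, NULL);
    CheckSockError(iErrorCode, "ioctl");

    for (;;) {
        memset(RecvBuf, 0, sizeof(RecvBuf));
        iErrorCode = recv(SockRaw, RecvBuf, MAX_PACK_LEN, 0);
        CheckSockError(iErrorCode, "recv");
        iErrorCode = DecodeIpPack(RecvBuf, iErrorCode);
        CheckSockError(iErrorCode, "Decode");
    }
    /* not reached */
}

/*
 * Decode one received IP datagram.
 *   buf      - start of the datagram (IP header first)
 *   iBufSize - number of valid bytes at buf, as returned by recv()
 * Returns TRUE in every case: a filtered or malformed packet is simply
 * skipped, and main() only treats SOCKET_ERROR as failure.
 * Side effects: fills the globals iProtocol, szProtocol, szSourceIP,
 * szDestIP and iTTL that the per-protocol decoders print.
 * The sub-decoder is handed only the bytes that follow the IP header, so its
 * own bounds checks do not need to know the IP header length.
 */
int DecodeIpPack(char *buf, int iBufSize)
{
    IP_HEADER iph;
    SOCKADDR_IN saSource, saDest;
    int iIphLen;

    /* The packet is untrusted input: never parse a header that was not fully received. */
    if (buf == NULL || iBufSize < (int)sizeof(IP_HEADER))
        return TRUE;
    memcpy(&iph, buf, sizeof(iph));    /* copy out: avoids a misaligned/aliasing cast on the char buffer */

    iProtocol = iph.proto;
    strncpy(szProtocol, CheckProtocol(iProtocol), MAX_PROTO_TEXT_LEN - 1);
    szProtocol[MAX_PROTO_TEXT_LEN - 1] = '\0';   /* strncpy alone does not guarantee a terminator */

    /* Protocol switches: the transcribed TCP test lacked the "&& !ParamTcp"
     * half and dropped every TCP packet unconditionally. */
    if (iProtocol == IPPROTO_TCP  && !ParamTcp)  return TRUE;
    if (iProtocol == IPPROTO_UDP  && !ParamUdp)  return TRUE;
    if (iProtocol == IPPROTO_ICMP && !ParamIcmp) return TRUE;

    saSource.sin_addr.s_addr = iph.sourceIP;
    strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN - 1);
    szSourceIP[MAX_ADDR_LEN - 1] = '\0';
    if (strFromIpFilter && strcmp(strFromIpFilter, szSourceIP) != 0)
        return TRUE;

    saDest.sin_addr.s_addr = iph.destIP;
    strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN - 1);
    szDestIP[MAX_ADDR_LEN - 1] = '\0';
    if (strDestIpFilter && strcmp(strDestIpFilter, szDestIP) != 0)
        return TRUE;

    iTTL = iph.ttl;

    /* Header length is the low nibble in 32-bit words.  Multiply by 4, not
     * sizeof(unsigned long), which is 8 on LP64 compilers. */
    iIphLen = (iph.h_lenver & 0x0f) * 4;
    if (iIphLen < (int)sizeof(IP_HEADER) || iIphLen > iBufSize)
        return TRUE;    /* malformed: the options would extend past what was received */

    switch (iProtocol) {
    case IPPROTO_TCP:  DecodeTcpPack(buf + iIphLen, iBufSize - iIphLen);  break;
    case IPPROTO_UDP:  DecodeUdpPack(buf + iIphLen, iBufSize - iIphLen);  break;
    case IPPROTO_ICMP: DecodeIcmpPack(buf + iIphLen, iBufSize - iIphLen); break;
    default: break;
    }
    return TRUE;
}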

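/*
 * Map an IP protocol number to its printable name via ProtoMap[].
 * Returns the table entry's text, or "" when the number is not listed
 * (the returned pointer is never NULL, so callers may pass it straight to
 * strncpy/printf).
 */
char *CheckProtocol(int iProtocol)
{
    int i;
    for (i = 0; i < MAX_PROTO_NUM; i++) {
        if (ProtoMap[i].ProtoNum == iProtocol)
            return ProtoMap[i].ProtoText;
    }
    return "";
}

/*
 * Bounded substring search.  The TCP payload is not NUL-terminated, so
 * strstr() would run off the end of the receive buffer; this helper stops at
 * hay_len.  An empty needle matches at the start.
 */
static const char *find_bounded(const char *hay, int hay_len, const char *needle)
{
    int nlen = (int)strlen(needle);
    int i;
    if (nlen == 0)
        return hay;
    for (i = 0; i + nlen <= hay_len; i++) {
        if (memcmp(hay + i, needle, (size_t)nlen) == 0)
            return hay + i;
    }
    return NULL;
}

/*
 * Print one TCP segment.
 *   TcpBuf   - start of the TCP header (immediately after the IP header)
 *   iBufSize - number of valid bytes at TcpBuf
 * Applies the /s (sensitive string) and /o (port) filters, prints the
 * summary line with the six flag letters, and when /p is set dumps the
 * payload as text.  Always returns TRUE.
 * Reads the globals szProtocol, szSourceIP, szDestIP, iTTL, TcpFlag,
 * strSensitive, iPortFilter and ParamDecode.
 */
int DecodeTcpPack(char *TcpBuf, int iBufSize)
{
    TCP_HEADER tcph;
    int TcpHeaderLen, TcpDataLen, i;
    int iSourcePort, iDestPort;
    char *TcpData;
    unsigned char FlagMask;

    if (TcpBuf == NULL || iBufSize < (int)sizeof(TCP_HEADER))
        return TRUE;
    memcpy(&tcph, TcpBuf, sizeof(tcph));

    /* Data offset is in 32-bit words: multiply by 4, not sizeof(unsigned long). */
    TcpHeaderLen = (tcph.th_lenres >> 4) * 4;
    if (TcpHeaderLen < (int)sizeof(TCP_HEADER) || TcpHeaderLen > iBufSize)
        return TRUE;    /* bogus data offset from the wire */
    TcpData    = TcpBuf + TcpHeaderLen;
    TcpDataLen = iBufSize - TcpHeaderLen;

    /* /s filter: bounded search instead of strstr() on unterminated data. */
    if (strSensitive && find_bounded(TcpData, TcpDataLen, strSensitive) == NULL)
        return TRUE;

    iSourcePort = ntohs(tcph.th_sport);
    iDestPort   = ntohs(tcph.th_dport);
    if (iPortFilter && iSourcePort != iPortFilter && iDestPort != iPortFilter)
        return TRUE;

    printf("%s ", szProtocol);
    printf("%15s:%5d -> %15s:%5d ", szSourceIP, iSourcePort, szDestIP, iDestPort);
    printf("TTL=%3d ", iTTL);
    FlagMask = 1;
    for (i = 0; i < 6; i++) {   /* bit0..bit5: FIN SYN RST PSH ACK URG */
        printf("%c", (tcph.th_flag & FlagMask) ? TcpFlag[i] : '-');
        FlagMask <<= 1;
    }
    printf(" bytes=%4d", iBufSize);
    printf("\n");

    /* Payload dump.  Gated on /p like the other decoders (the transcribed
     * condition showed only a size test inside doubled parentheses); the
     * length check uses the real header length instead of a fixed 40. */
    if (ParamDecode && TcpDataLen > 0) {
        printf("[DATA]\n");
        printf("%.*s", TcpDataLen, TcpData);   /* bounded: the payload has no terminator */
        printf("\n[DATA END]\n\n\n");
    }
    return TRUE;
}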

// UDP unpack program int DecodeUdpPack (char * UdpBuf, int iBufSize) {UDP_HEADER * pUdpHeader; pUdpHeader = (UDP_HEADER *) UdpBuf; int iSourcePort = ntohs (pUdpHeader-> uh_sport); int iDestPort = ntohs (pUdpHeader-> uh_dport) ; // Filter the port IF (iPortFilter) if (iSourcePort! = Iportfilter) && (IDestport! = Iportfilter) Return True; Printf ("% s", szprotocol); printf ("% 15s:% 5d -> % 15s:% 5D ", SzsourceIP, ISOURPORT, SZDestip, Idestport); Printf (" TTL =% 3D ", ITTL); Printf (" LEN =% 4D ", NTOHS (Pudpheader-> UH_LEN); Printf (" bytes =% 4D ", IBUFSIZE); Printf (" / n "); // Data analysis for packets greater than 28 bytes (IP_Header UDP_Header> 28) IF ((Paramdecode) && (ibufsize> 28)) {Printf ("[DATA] / N"); // UDP header length is 8 char * udpdata = udpbuf 8; // Analyze UDP data segment for (unsigned int i = 0; i <(iBUFSIZE-SIZEOF (UDP_HEADER)); i ) {if (! (i% 8)) Printf ("/ n"); if ((UDPData [i]> 33) && (UDPDATA [i] <122)) Printf ("% 3C [% 3X]" UDPDATA [I], UDPDATA [I]); Else Printf ("[% 3X]", ABS (UDPData [i]));} Printf ("/ N [Data end] / n / n / n"); } Return True;}

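/*
 * Print one ICMP message.
 *   IcmpBuf  - start of the ICMP message (immediately after the IP header)
 *   iBufSize - number of valid bytes at IcmpBuf
 * The /o value is matched against the ICMP type here (see usage()).
 * Only type/code (the first two bytes) are required; id/seq/timestamp exist
 * only for echo messages, so the full ICMP_HEADER is not demanded.
 * When /p is set, everything after the 4-byte type/code/checksum is dumped
 * (the transcribed loop started at +4 but counted from +12, so it stopped
 * 8 bytes short).  Always returns TRUE.
 */
int DecodeIcmpPack(char *IcmpBuf, int iBufSize)
{
    int iIcmpType, iIcmpCode, iDataLen, i;
    const unsigned char *IcmpData;

    if (IcmpBuf == NULL || iBufSize < 4)
        return TRUE;
    iIcmpType = (unsigned char)IcmpBuf[0];
    iIcmpCode = (unsigned char)IcmpBuf[1];

    if (iPortFilter && iIcmpType != iPortFilter)
        return TRUE;

    printf("%s ", szProtocol);
    printf("%15s -> %15s ", szSourceIP, szDestIP);
    printf("TTL=%3d ", iTTL);
    printf("Type%2d,%d ", iIcmpType, iIcmpCode);
    printf("bytes=%4d", iBufSize);
    printf("\n");

    iDataLen = iBufSize - 4;
    if (ParamDecode && iDataLen > 0) {
        IcmpData = (const unsigned char *)IcmpBuf + 4;   /* unsigned: correct hex for bytes >= 0x80 */
        printf("[DATA]");
        for (i = 0; i < iDataLen; i++) {
            if (i % 8 == 0)
                printf("\n");
            if (IcmpData[i] > 33 && IcmpData[i] < 122)
                printf("%3c[%3x]", IcmpData[i], IcmpData[i]);
            else
                printf("[%3x]", IcmpData[i]);
        }
        printf("\n[DATA END]\n\n\n");
    }
    return TRUE;
}

/*
 * Copy the value after a "/x:" switch into a fresh buffer of cap bytes.
 * Returns NULL when the argument has no value part (so argv[i]+3 would point
 * past its terminator) or on allocation failure.  The copy is truncated to
 * cap-1 characters and always NUL-terminated: the original strcpy() into a
 * fixed 16/255-byte malloc overflowed the heap on a longer argument.
 */
static char *dup_option_value(const char *arg, size_t cap)
{
    char *out;
    if (strlen(arg) < 3)
        return NULL;
    out = (char *)malloc(cap);
    if (out == NULL)
        return NULL;
    strncpy(out, arg + 3, cap - 1);
    out[cap - 1] = '\0';
    return out;
}

/*
 * Parse the command line into the global Param*/str*/iPortFilter settings.
 * Every argument must start with '/'; the letter after it selects the switch
 * and, for /f /d /s /o, the value starts at offset 3 (after "x:").
 * Returns CMD_PARAM_HELP when the caller should print usage and exit
 * (no arguments, a malformed argument, an unknown switch, a switch that
 * needs a value but has none, or an out-of-range port), otherwise
 * !CMD_PARAM_HELP after printing a one-line summary of the active filters.
 * Each /t /u /i /p case ends with break: the transcribed source fell
 * through, so "/t" alone also switched on UDP, ICMP and decoding.
 * NOTE(review): /f and /d are compared textually with inet_ntoa() output, so
 * the address must be written exactly as inet_ntoa prints it.
 */
BOOL GetCmdLine(int argc, char **argv)
{
    int i;

    if (argc < 2)
        return CMD_PARAM_HELP;

    for (i = 1; i < argc; i++) {
        if (argv[i][0] != '/')
            return CMD_PARAM_HELP;

        switch (argv[i][1]) {
        case 'T': case 't':
            ParamTcp = TRUE;
            break;
        case 'U': case 'u':
            ParamUdp = TRUE;
            break;
        case 'I': case 'i':
            ParamIcmp = TRUE;
            break;
        case 'P': case 'p':
            ParamDecode = TRUE;
            break;
        case 'F': case 'f':
            strFromIpFilter = dup_option_value(argv[i], MAX_ADDR_LEN);
            if (strFromIpFilter == NULL)
                return CMD_PARAM_HELP;
            break;
        case 'D': case 'd':
            strDestIpFilter = dup_option_value(argv[i], MAX_ADDR_LEN);
            if (strDestIpFilter == NULL)
                return CMD_PARAM_HELP;
            break;
        case 'S': case 's':
            strSensitive = dup_option_value(argv[i], 255);
            if (strSensitive == NULL)
                return CMD_PARAM_HELP;
            break;
        case 'O': case 'o': {
            /* strtol instead of atoi: reject junk and values a port cannot take. */
            char *end;
            long port;
            if (strlen(argv[i]) < 3)
                return CMD_PARAM_HELP;
            port = strtol(argv[i] + 3, &end, 10);
            if (end == argv[i] + 3 || *end != '\0' || port < 0 || port > 65535)
                return CMD_PARAM_HELP;
            iPortFilter = (int)port;
            break;
        }
        default:
            return CMD_PARAM_HELP;   /* unknown switch: was silently ignored */
        }
    }

    printf("\nWill sniffer");
    if (ParamTcp)        printf(" TCP");
    if (ParamUdp)        printf(" UDP");
    if (ParamIcmp)       printf(" ICMP");
    if (strFromIpFilter) printf(" FromIP:%s", strFromIpFilter);
    if (strDestIpFilter) printf(" DestIP:%s", strDestIpFilter);
    if (ParamDecode)     printf(" Decode on");
    if (strSensitive)    printf(" Sensitive String:'%s'", strSensitive);
    printf("\n\tCtrl+C to quit\nStart:\n");

    return (!CMD_PARAM_HELP);
}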

// Use the instructions void usage ("guniffer / n"); printf ("/ tsinffer for win2k by shotgun (ver 0.3) / n"); Printf ("/ tshotgun@xici.net/n") PRINTF ("/thttp://it.xici.net/n"); Printf ("/thttp://www.patching.net/n/n"); Printf ("usage: / n"); printf ("/ T / T Output TCP Packets / N"); Printf ("/ T / U OUTPUT UDP Packets / N"); Printf ("/ T / I Output ICMP Packets / N"); Printf ("/ T / P Decode Packet / N "); Printf (" / T / f: fromip output packets fromip = fromip (default all) / n "); Printf (" / t / d: destip output packets destip = destip) Default all) / N "); Printf (" / t / s: string output packets include sensitive string (tcp only) / n "); Printf (" / t / o: port output packets from or to the port (ICMP IS TYPE) / N "); Printf (" eXample: / n "); Printf (" / tguniffer.exe /d "); printf (" / tguniffer.exe / t / usf:192.168 . 15.231 / N "); Printf (" / tguniffer.exe / t / p / s: pass / n ");} // SOCK error handler Void ChecksockerRroRROR (Irror) {if (IrrorCode == Socket_ERROR) {Printf ("% s error:% d / n", PERRORMSG, getLastError (); closocket (sockraw); exit (0);}} // Copyright (c) Microsoft Corporation, 1996-1999 # if _msc_ver> 1000 # Pragma Once # ENDIF

/* Argument structure for SIO_KEEPALIVE_VALS */

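/*
 * Argument block for the SIO_KEEPALIVE_VALS WSAIoctl (from mstcpip.h).
 * All three fields are u_long; the closing "};" and the tail of the last
 * field name were lost in transcription and are restored here.
 */
struct tcp_keepalive {
    u_long onoff;               /* non-zero enables keep-alive on the socket */
    u_long keepalivetime;       /* idle time before the first probe, ms */
    u_long keepaliveinterval;   /* interval between probes, ms */
};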

// New WSAIoctl options (the pasted mstcpip.h excerpt ends here)

