Preface
I often see people on the forum asking about intercepting and analysing packets. Fortunately I know a little about this myself, having written quite a few sniffers, so I want to write a series of articles exploring packet knowledge in detail.
I hope that through this series I can make knowledge about packets accessible, so every article in the series will go from shallow to deep, with detailed analysis and coding steps, plus fully commented source code (to accommodate most readers, the source code I provide is MFC).
That said, I am a beginner myself, so corrections are welcome.
This article is the author's own hard work; if you want to reprint it, please credit the original author and the source. Thank you! ^_^
OK, let's go! Have fun! ^_^
Hands-on: Teaching You to Capture Packets
Table of contents:
One. The principle of capturing packets
Two. Programming implementation of packet capture:
  1. Raw Socket implementation method
  2. WinPcap implementation method
     a. Enumerating this machine's network cards
     b. Opening the corresponding network card and setting promiscuous mode
     c. Intercepting packets and saving them to a file
Author:
CSDN VC/MFC network programming board moderator PiggyXP
One. The principle of capturing packets
------------------------------------------------------------------
Under normal circumstances, a socket program doing network communication can only respond to data frames whose destination hardware address matches its own, or to broadcast frames. Other frames, such as frames that reach the network interface but are not addressed to it, are dropped by the network interface after it checks the destination address, so the application cannot receive packets that are not meant for it.
So if we want to capture all the packets flowing through the network device, we have to use a slightly special means:
Set the NIC to promiscuous mode.
In this way the host's network card can capture all packets and frames that flow through it.
Note, however, that this interception only obtains a copy of the packet; it cannot cut the packet off. If you want to block network traffic you need lower-level methods, which are outside the scope of this article.
Two. Programming implementation of packet capture:
1. Raw Socket implementation method
------------------------------------------------------------------
Unlike the stream sockets and datagram sockets we usually use, after creating a raw socket you need to configure it with the WSAIoctl() function, which is defined as follows:
int WSAIoctl(
    SOCKET s,
    DWORD dwIoControlCode,
    LPVOID lpvInBuffer,
    DWORD cbInBuffer,
    LPVOID lpvOutBuffer,
    DWORD cbOutBuffer,
    LPDWORD lpcbBytesReturned,
    LPWSAOVERLAPPED lpOverlapped,
    LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
Although it has quite a few parameters, only the second one concerns us: what we need to do is set the second parameter to SIO_RCVALL. That sounds like a lot, but what it actually does is very simple, isn't it? ^_^
Of course, we can also specify whether the socket handles the IP header itself, but that is not necessary here.
The complete code is similar to the following; the lines to pay attention to are the SIO_RCVALL definition and the WSAIoctl() call:
(To keep the code clear at a glance, I have removed the error handling; the same applies below.)

#include <winsock2.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)          // the same value is defined in <mstcpip.h>

SOCKET SnifferSocket;
WSADATA wsaData;
int iFlag = WSAStartup(MAKEWORD(2, 2), &wsaData);   // open Winsock.dll

SnifferSocket = WSASocket(AF_INET,                   // create the raw socket
                          SOCK_RAW, IPPROTO_IP, NULL, 0, WSA_FLAG_OVERLAPPED);

char FAR name[128];                                  // get this machine's IP address
gethostname(name, sizeof(name));
struct hostent FAR *pHostent;
pHostent = gethostbyname(name);

SOCKADDR_IN sa;                                      // fill in the SOCKADDR_IN structure
sa.sin_family = AF_INET;
sa.sin_port = htons(6000);                           // the port number can be changed, as long as it does not conflict with the system
memcpy(&(sa.sin_addr), pHostent->h_addr, pHostent->h_length);
bind(SnifferSocket, (LPSOCKADDR)&sa, sizeof(sa));    // bind to the local interface whose traffic we want to see

// Set the IOCTL to receive all network data: the key step
DWORD dwBufferLen[10];
DWORD dwBufferInLen = 1;                             // 1 = RCVALL_ON
DWORD dwBytesReturned = 0;
WSAIoctl(SnifferSocket, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
         dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL);
At this point you can actually start sniffing network packets. Receiving a packet is done with the recv() function, but because the receiving method differs greatly depending on which socket model is used, the receiving code is not given here.
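Whatever socket model delivers it, the buffer recv() fills on this socket begins at the IPv4 header (the raw socket gives no Ethernet frame header), and the first thing a sniffer has to do with it is decode that header without trusting its length fields. The following is an added example, not PiggyXP's code: a plain C parser for the IPv4 header that validates the version, IHL, total length and header checksum, and refuses truncated or malformed buffers. The 28-byte packet it works on is constructed for the example, not a real capture; the assumption that the buffer starts at the IP header is stated in the comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* One parsed IPv4 header (RFC 791). Assumption: the SIO_RCVALL raw socket
   hands recv() a buffer that starts at this header, with no Ethernet
   frame header in front of it. */
typedef struct {
    uint8_t  version;
    uint8_t  header_len;   /* IHL in bytes */
    uint16_t total_len;    /* header + payload, as claimed by the packet */
    uint16_t id;
    uint8_t  ttl;
    uint8_t  protocol;     /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t checksum;     /* value stored in the packet */
    uint32_t src, dst;     /* host byte order */
    int      checksum_ok;  /* 1 if the header checksum verifies */
} ipv4_hdr_t;

/* Big-endian readers, so the parser does not depend on Winsock's ntohs/ntohl. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Internet checksum (RFC 1071) over the header; with the stored checksum
   field included, a correct header sums to 0. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += be16(hdr + i);
    if (i < len) sum += (uint32_t)hdr[i] << 8;           /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse the IPv4 header at the start of buf. Returns 1 on success, 0 if the
   bytes cannot be a valid IPv4 packet. Every length check matters: a sniffer
   sees whatever is on the wire, including truncated and malformed packets,
   and must never read past the bytes recv() actually returned. */
int parse_ipv4(const uint8_t *buf, size_t len, ipv4_hdr_t *out) {
    if (len < 20) return 0;                               /* shorter than the minimum header */
    uint8_t version = buf[0] >> 4;
    uint8_t ihl = (uint8_t)((buf[0] & 0x0F) * 4);
    if (version != 4 || ihl < 20 || ihl > len) return 0; /* bad version or IHL */
    uint16_t total = be16(buf + 2);
    if (total < ihl || total > len) return 0;            /* claims more bytes than we hold */
    out->version    = version;
    out->header_len = ihl;
    out->total_len  = total;
    out->id         = be16(buf + 4);
    out->ttl        = buf[8];
    out->protocol   = buf[9];
    out->checksum   = be16(buf + 10);
    out->src        = be32(buf + 12);
    out->dst        = be32(buf + 16);
    out->checksum_ok = (ip_checksum(buf, ihl) == 0);
    return 1;
}

/* Constructed sample (not a real capture): a 28-byte IPv4/UDP packet from
   192.168.1.10 to 192.168.1.1, id 0x1A2B, TTL 64, header checksum 0x9D4A,
   laid out the way it would appear in the recv() buffer. */
const uint8_t sample_packet[28] = {
    0x45, 0x00, 0x00, 0x1C, 0x1A, 0x2B, 0x40, 0x00, 0x40, 0x11, 0x9D, 0x4A,
    0xC0, 0xA8, 0x01, 0x0A, 0xC0, 0xA8, 0x01, 0x01,
    0x04, 0xD2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00   /* UDP 1234 -> 53, length 8 */
};

/* Parse the constructed sample; returns NULL if parsing fails. */
const ipv4_hdr_t *parse_sample(void) {
    static ipv4_hdr_t hdr;
    return parse_ipv4(sample_packet, sizeof sample_packet, &hdr) ? &hdr : NULL;
}

/* Feed only the first n bytes of the sample, as a truncated recv() would. */
int parse_truncated(size_t n) {
    ipv4_hdr_t scratch;
    return parse_ipv4(sample_packet, n, &scratch);
}

int main(void) {
    const ipv4_hdr_t *h = parse_sample();
    if (!h) { puts("not an IPv4 packet"); return 1; }
    printf("IPv4 %u.%u.%u.%u -> %u.%u.%u.%u proto=%u ttl=%u len=%u checksum %s\n",
           (unsigned)(h->src >> 24), (unsigned)((h->src >> 16) & 0xFF),
           (unsigned)((h->src >> 8) & 0xFF), (unsigned)(h->src & 0xFF),
           (unsigned)(h->dst >> 24), (unsigned)((h->dst >> 16) & 0xFF),
           (unsigned)((h->dst >> 8) & 0xFF), (unsigned)(h->dst & 0xFF),
           h->protocol, h->ttl, h->total_len, h->checksum_ok ? "ok" : "BAD");
    return 0;
}
```

In the real sniffer, the buffer and byte count passed to parse_ipv4() are simply what recv() on SnifferSocket returned; because the function never reads beyond that count, a short read or a packet with a lying total-length field is rejected rather than causing an out-of-bounds read, which is the failure mode hand-written header parsing most often gets wrong.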
2. WinPcap implementation method
------------------------------------------------------------------
The WinPcap driver package is a very nice thing. Its main function is to send and receive raw datagrams independently of the host protocol stack (such as TCP/IP). It mainly provides us with four capabilities:
1> capture raw datagrams, including those sent and received by hosts on a shared network and those exchanged between them;
2> filter out certain datagrams according to user-defined rules before they are delivered to the application;
3> send raw datagrams on the network;
4> collect statistics during network communication.
If your circumstances allow it (for example, what you are writing is not a Trojan), I still recommend using WinPcap to intercept packets, because it is more powerful and more efficient. Its only drawback is that the WinPcap driver must be installed on the host before a WinPcap program can run. We will also find that it works better than the raw socket method and captures more; the most obvious reason is that the packets captured by a raw socket are not complete, but that is a topic for later.
As for how to install and use it, please refer to the article "Hands-on: playing with ARP packets" in this series, which describes in detail how to load the WinPcap driver ^_^
Without further ado, let's get to the point. Using WinPcap to intercept packets involves the following work:
A. Enumerate the information of this machine's network cards (mainly the NIC names)
This uses the pcap_findalldevs function, which is defined as follows:
/**************************************************
int pcap_findalldevs(pcap_if_t **alldevsp,
                     char *errbuf
                    );
Function:
    Enumerate information about all network devices.
Parameters:
    alldevsp: a pointer to a pcap_if_t pointer. If pcap_findalldevs succeeds, a linked list of the available NICs is built, and *alldevsp points to its first element.
    errbuf:   buffer that receives the error message (at least PCAP_ERRBUF_SIZE bytes).
Return value: int: 0 on success, -1 on error.
**************************************************/
The complete code for getting the NIC names with this function is as follows:
#include <pcap.h>
#include <stdio.h>

pcap_if_t *alldevs;
pcap_if_t *d;
char errbuf[PCAP_ERRBUF_SIZE];

if (pcap_findalldevs(&alldevs, errbuf) == -1)   // get the list of network devices
{
    fprintf(stderr, "pcap_findalldevs failed: %s\n", errbuf);   // errbuf holds the reason
    return;
}
for (d = alldevs; d; d = d->next)               // walk the NIC list, e.g. to add each entry to a ComboBox
{
    // d->name is the NIC name string we need (the name used when opening the device later);
    // d->description, when not NULL, is the human-readable name. Save them to your own variables.
    printf("%s\t%s\n", d->name, d->description ? d->description : "(no description)");
}
pcap_freealldevs(alldevs);                      // release the list
Please look forward to the next part... ^_^