First of all, I am coming to advertise today :) I haven't updated column for a long time, the key is to write something good, I am afraid that everyone will laugh! Although I haven't been to be over, I have seen others being smashed, hehe. Not to say, this seems to be normal in 9cbs! Today, I put this post, this is a special discussion of the topic development version: http://expert.9cbs.net/EXPERT/topic/2333/2333459.xml? Temp = .3382532, in fact, this post also There is no more in-depth thing, the key is that the topic is very popular. I sent this post to I hope more people can go to the special edition, participate in and organize discussions, but the result is not ideal.
Kingzai: Sniffer Chinese translation is an olfactory detector, which is very wide in current network technology. Sniffer can be used as a network
Diagnostic tools can also be used as a tool for hacker sniffing and listening. In the last two years, the network monitoring (Sniffer technology has appeared new)
Important features. Traditional SNIFFER technology is passively listening to network communication, username, and passwords. The new Sniffer technology has appeared
The characteristics of communication data are moved, extending the SNIFFER technology to a new field. Sniffer technology is currently in traditional
Network detection management has also begun to be applied in the field of information preservation. It can be said that Sniffer technology is a double-edged sword, how
Better use of it, understanding some of its features, will make this technology better to make us convenience. Sniffer's programming method is more common, 1.WinPcap This is a relatively universal library, believes that
Tool Most people will not be too strange 2. Raw Socket has supported this feature after 2000, 2000 Server
Network monitors are based on Raw Socket 3.TDI, NDIS, SPI, Hook Socket technology, which is relatively large.
You can take a package instead of just get a copy of the package. In general, it will generally be more than two. I have mentioned one here, but more needs everyone to add. The purpose of this topic is to hope that everyone will learn together.
Discuss Sniffer technology, let more people participate, let everyone know that this sector can bring you really want.
. Warton: libpcap is a good thing, Linux, Windows can be used under Windows, and the security systems such as many intrusion detection are used as the core. Do not
I have never used it, I don't know how it is cross-platform. To use the SPI, look at the XFilter's code and book, especially the book is good, but unfortunately, it has not used it to make something.
. Raw Socket writes more than Sniffer, there are also a lot online code! Yesterday I saw 9CBS Home, there were a few articles about Sniffer, preserved, haven't come to see ... I will talk about the current common SNIFFER tools and their technical implementation!
Two articles of the 9CBS homepage, everyone can look at it, there is still a few articles, temporarily can't find http://www.9cbs.net/develop/Article/21/21363.shtmhttp://www.9cbs.net /Develop/Article/21/21352.shtmhttp://www.9cbs.net/develop/Article/15/15919.shtm
Netsys2: 1) WinPCAP Drive Introduction WinPCAP (Windows Packet Capture) is a free, public network access system in the Windows platform. open
The purpose of sending WinPCap This project is to provide Win32 applications to access the network underlying ability. It provides the following functions: 1> Capture the original datagram, including the data reported on the shared network and exchange / acceptance between each other; 2> Before the data is reported to the application, according to the custom The rule filters some special datagrams; 3> Send raw datagram on the network; 4> Collect statistics during network communication.
The main function of WinPCAP is to send and receive raw datagrams independently of host protocols such as TCP-IP. That is, Winp
CAP cannot block, filter or control the sending of other application datagrams, it is just to listen to the data report transmitted on the shared network
. Therefore, it cannot be used for QoS schedule or personal firewall.
At present, the main object developed by WinPCAP is Windows NT / 2000 / XP, mainly because it is using WinPCAP.
Only a small part of the user is using only Windows 95/98 / ME, and M $ has also given up the development of Win9x. because
The program related by this article T-ARP is also NT / 2000 / XP users. In fact, the concept of 9X system in WinPCap and
The NT system is very similar, but there is a bit difference in some implementation, such as 9X only supports ANSI encoding, and the NT system advocates
Use Unicode encoding.
ZZhong2: There is a software called Sniffer Pro. It can be used as a network management software. There are many functions to monitor network operation, and data for each network machine.
Traffic, real-time reflecting the IP accesses the IP and the data circulation between each machine, can capture the package, can set the filter so that
Just grab the wanted package, such as the POP3 package, SMTP package, FTP package, etc., and can find the mailbox username and password, and FTP username and
Password. It can also listen on the network using the switch, but you have to load it on the switch. There is a simple listening software called Passwordsniffer, you can cut the mailbox username and password, and FTP username and password, it
It can only be used in Xiaofifeng to be uploaded in Xiaofeng on the two softwares on the HUB network: http://www.chinehack.org/
Warton: Libpcap's latest version is 0.7.2, download a lot of latest version of WinPCAP (Based on Linux / UNIX) WinPCAP is 3.0 here has source code for WinPCAP: http://download.pchome.net/php/dl.php? sID = 11474 Famous software TCPDUMP and IDS Snort are written based on libpcap, and the NMAP scanner is also based on libppcap.
The packet returned by the target host. WinPCAP provides two different levels of programming interfaces for users: a libpcap-based wpcap.dl, the other is a bottom layer
Packet.dll. For the general development of LibPCAP, it is of course selection using pacap.dll.
. The following libraries are related to LIPCAP: libnet1.0.2: Packet Sending Construction Process Libnids: Some framework for IDS LIBICMP: ICMP packet processing
Some famous snifiers: tcpdump / windump: Support multiple UNIX, the latter supports Windows. Based on libpCapsniffit: UNIX, Windows, Libpcapngrep: Libpcap, UnixWindows. You can use rule expressions, identify PPP, SLIP, and FDDI packets Snifer Pro / NetXray: Professional protocol analysis tools, is part of the network analysis scheme provided by NAI: IrislanexplorernetMonitorCommview
Single-use 噢 口 手: Winsniffer, typical hacking tool, sniffing and analyzing FTP, POP3, HTTP, ICQ, SMTP, Telnet, IMAP, NNTP, etc. Password Sniffer for Nethackeriii
Dedicated sniffer: SMB sniffer: l0phtcrack, smallTCP connection session sniffer: CommView, Iris, JuggerNautsSL Snifting: SSLDUMP - SSLV3 / TLS Network Protocol Analysis Tool Ridius 控: A UDP-based argument Agreement, Radiusniff is its representative PPTP controller: anger, pptp-sniff (Solaris) SNMP 器: SNMPSNIFF
Switching network sniffer: ettercap synthesis: DSNIFF Other exchange network snifper: SNARP, Parasite
Sniffing countermeasures .........
Netsys2:
Guniffer, circulated on the network is a basic prototype:
http://asp.6to23.com/nowcan/code/guniffer.zip
Void main (int Argc, char ** argv)
{
Int IrrorCode;
Char recvbuf [MAX_PACK_LEN] = {0};
USAGE ();
IF (getCmdline (Argc, Argv) == cmd_param_help) exit (0);
// Initialize Socket
Wsadata wsadata;
Ierrorcode = WSAStartup (Makeword (2, 1), & WSADATA);
Checksockerror (Irrorcode, "WSAStartup);
SockRaw = Socket (AF_INET, SOCK_RAW, IPPROTO_IP);
Checksockerror (SockRaw, "Socket");
// Get the native IP address
Char far name [max_hostname_lan];
Irrorcode = gethostname (name, max_hostname_lan);
Checksockerror (IrrorCode, "gethostname");
Struct hostent far * phostent; // Note the following three sentences, here is allocated to Phostent
Phostent = (strunt hostent *) malloc (Struct Hostent);
// Memory, then have the return to the gethostbyname function
Phostent = gethostByname (name); //, but the gethostbyname function is in the internal part of the function
Save, so the previous sentence is excessive, and everything is fine after deleting the previous sentence. But there is no problem with this procedure compiled with VC6.
,Do not know why? Perhaps the compiler optimization of VC6 is played.
SockAddr_in SA;
sa.sin_family = af_inet;
sa.sin_port = htons (6000);
Memcpy (& sa.sin_addr.s_un.s_addr, phostent-> h_addr_list [0], phostent-> h_length);
Free (phostent); // Since the statement that allocates the memory has been deleted, this sentence is also removed, otherwise an error. Thanks
Friends Heyuming found this problem.
Irrorcode = Bind (SockRaw, (PSockAddr) & sa, sizeof (sa)); Checksockerror (IrrorCode, "Bind");
/ / Set SOCK_RAW to SiO_RCVALL to receive all IP packets
DWORD dwbufferlen [10];
DWORD dwbufferinlen = 1;
DWORD DWBYTESRETURNED = 0;
Irrorcode = WSAIOCTL (SockRaw, Sio_rcvall, & DWBufferinlen,
SizeOf (dwbufferinlen),
& dwbufferlen, SizeOf (dwbufferlen), & DWBYTESRETURNED, NULL, NULL
Checksockerror (IrrorCode, "IOCTL");
// Listen to IP packets
While (1)
{
MEMSET (Recvbuf, 0, SizeOf (Recvbuf));
Irrorcode = Recv (SockRaw, Recvbuf, SizeOf (Recvbuf), 0);
Checksockerror (IrrorCode, "RECV");
Irrorcode = DecodeipPack (Recvbuf, IerrorCode);
Checksockerror (IerrorCode, "Decode");
}
}
It has two inconvenienties: 1) No network card 2) uses a dead loop mode to read data, and the feeling of cranes when it is adapted to Windows window mode.
Sevencat (): The last time I found some information, but the popularity is not prosperous, and I have been busy recently. I haven't going it yet. Http://expert.9cbs.net/expert/topic/2299/2299615.xml?temp =.2761499windows network package filtering technology (original: http://www.ndis.com/papers/winpktfilter.htm) 1, User -Mode network package filter 1, Winsock layered Service Provider refers to the documentation and examples on Microsoft Platform SDK (http://www.microsoft.com/msdownload/platformsdk/sdkupdate/) There are several Microsoft LSP examples, the latest (possibly The most bug-free is often found here. Need to know
You can call the core TCPIP driver via TDI, and you can freely bypass Winsock, in most cases this is not a question.
question. For example: QoS implementation can be on the Winsock LSP. However, if this is done, the program must check and operate each package, but can not rely on Winsock LSP, they have to pick up
The approach of the core state is realized. 2, Win2000 package filter interface WIN2000 package filter interface provides a mechanism, this mechanism allows user programs or services to specify a series of "filtration
Principle, these filtration principles will be implemented by low-level TCPIP. This filter is mainly for IP origin, target address
, Port number (or port number range) performs pass or DROP operations. Windows Developer's Journal "packet filtering with iphlpapi.dll" Author: Ton plooy, October, 2000, Volume 11, Number 10. Win2000 provides a better programmable control for TCPIP, including packet filtering. Unfortunately, the documentation about this new API is not easy to find. This article demonstrates how to make a package for a specific IP address or a specific TCP port.
Performing blocking programming. Link: www.wdj.com The top of this example download: ftp://ftp.wdj.com/pub/webzip/1110/plooy.ziphollis solution: HTS W2K iPhook example demonstrates IP filtering and its hook API, Contains original files, and free,
Requires HTSCPP runtime library (free), download address: http://www.hollistech.com/3 ,winsock replacing DLL before using Winsock LSP, the only way is to replace Microsoft's Winsock DLL with their own DLL, fake
If you have successfully, your own DLL will receive the user's Winsock call request, and then call the original Winsoc.
K DLL is processed. However, this is relatively laborious, with some difficulties is that Microsoft's Winsock DLL often has some no
The function of the publicly used, a Winsock instead of the DLL to at least handle some undisclosed functions. With the changes in the Windows system structure, some aspects have been strengthened, such as system file protection, which makes this technology
It becomes less feasible. In general, the use of Winsock DLL is not a bad idea. (Xfilter is using this skill
Surgery, the original code may be circulated online, I have seen it before) II, Kernel-Mode network package filter 1, Transport Data Interface (TDI) This is primarily a layer filtering directly on the core TCPIP drive. TDI drive on WinXP is a traditional
The NT style driver uses IRP-based APIs, there are two ways to implement. A, IoattachDevicexyz function family using core mode services implements one filtering on TDI. B. Filter the TDI drive IRP DISPATCH table. The IoattachDevicexyz function mentioned in many WinNT driver development. Both techniques need to drive WinNT
The development programming technology is very understandable, and the TDI function is quite understanding. 2, NDIS Intermediate Layer (IM) Specifically, see NDIS IM FAQ: http://www.pcausa.com/resources/ndisimfaq.htm3 ,win2000 Filter-Hook Please refer to DDK documentation, there can be only one event in the system. -HOOK exists, this is the use of this technology
Severe limit. (Usually seen this is this) 4, Win2000 FireWall-Hook FireWall-Hook Driver function is a little in the document and is not available in some Win2000 versions. Please
Related documents by Microsoft: http://msdn.microsoft.com/library/default.asp? URL = / library / en-us
/Network/HH /NETWORK/firewall_3wfb.asp5, moings, this kind of technology is used, as far as I know, although I have never seen the original code.) ndis-hooking driver intercepted or called "hook" Some functions exported by NDIS package programs. Although it is a little informal from achieving a means, a systematic NDIS-Hooking filter will be very effective. In addition: Ndis-hooking filter drivers have the following benefits: A, easy to install (can be dynamically handled, but sometimes there is a problem, there are some cases now unknown.) B, support dial -ppp adapter. Ndis-hooking technology is very effective and practical under the 98 and ME systems. On these platforms, DDK documents and provide
D Services can help you hook your hook by the function of Ndis Wrapper. Ndis-hooking technology is equally effective and practical on NT, 2000, and XP. This technique is very similar to the debugger of the core mode.
The document supports less, and basically will not be certified by WHQL. PCAUSA provides an example of NDIS PIM driver, which can run success on the existing WIN platform (from 95 to x)
P). Address: http://www.pcausa.com/ndispim/default.htm
Other: NetWork Actions and Process Information: There are many people who want to know how to connect on the network and WIN process (which is the application), for example,
You may want to know which process sends or receives data on a specific IP port. Don't consider whether this technology is useful, or if it is reliable, we believe that the core mode TCPIP drives the upper filter.
Take this problem. The filter drove the lower layer of the TCPIP does not see process information at all. Particularly pay attention to some online services
Whenever the operation generates a new process ATTACH to the system process. In this case process information can't tell us where the original is
Process is generated. Especially in the core mode WIN service (TDI customer), it is necessary to see the following information United States Patent 5,987,611; "System and SYSTEM AND
Methodology for Managing Internet Access ON a Per Application Basis for Client
Computers Connected to the Internet "We don't know the value of this patent, nor do you know if he can use it on a package filter. For details, please refer to: http: // www.
USPTO.GOV/PATFT/index.htmlwww.pcausa.com
===================================================== DRVIPFLT specific resolution is above What mentioned (2-3 is said to this East). Assume that everyone has a certain understanding of the driver framework. IRP assignment procedure is as follows: NTSTATUS DrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {... switch (irpStack-> MajorFunction) {... case IRP_MJ_DEVICE_CONTROL: ioControlCode = irpStack-> Parameters.DeviceIoControl.IoControlCode; switch (ioControlCode) { // ioctl code to start filtering / / This can be sent from the user mode program. / / Directly use the DeviceIocontrol this function, just like it is called below
Let's take it, I think.
// DeviceioControl (DriveHandle, Start_ip_hook, null, 0, null, 0, & bytereturned, Nu
LL) Case start_ip_hook: {// This should be the most important function. SetFilterFunction (CBFilterFunction);
Break;
// ioctl to stop filtering case stop_ip_hook: {setfilterfunction (null); Break;}
// ioctl to address: {ix (inputbufferLength == sizeof (ipfilter) {ipfilter * nf;
NF = (ipfilter *) obuffer; addfiltertolist (nf);
Break;
// ioctl to free filter rule list case clear_filter: {CLEARFILTERLIST ();
Break;
Default: IRP-> iostatus.status =
Status_INVALID_PARAMETER;
Break;
Break; ...} setfilterFunction (CBFilterFunction) may be the most important program. The specific is as follows: In fact, this approach is quite registered a callback function in the system. NTSTATUS SetFilterFunction (PacketFilterExtensionPtr filterFunction) {NTSTATUS status = STATUS_SUCCESS, waitStatus = STATUS_SUCCESS; UNICODE_STRING filterName; PDEVICE_OBJECT ipDeviceObject = NULL; PFILE_OBJECT ipFileObject = NULL;
PF_set_extension_hook_info filterdata; kevent evenet; io_status_block ostatus; pirp IRP;
// First get a device pointer. // first of all, we have to get a pointer to IpFilterDriver Device RtlInitUnicodeString (& filterName, DD_IPFLTRDRVR_DEVICE_NAME); status = IoGetDeviceObjectPointer (& filterName, STANDARD_RIGHTS_ALL,
& ipFileObject, & ipDeviceObject; if (nt_success (status)) {// Some initialization work, populate FilterData. // Initialize the struct with functions parameters filterdata.extensionPointer = filterfunction;
// We need initialize the time used later by the ipfilterdriver to
Signal US // When IT Finished ITS Work KeinitializeEvent (& Event, NotificationEvent, False);
// This is the most important registration callback function process. DDK specifically tells this // ioctl_pf_set_extension_pointr registers filter-hook callback functions to
The IP Filter Driver // TO Inform The IP Filter Driver To Call Those Filter Hook Callbacks for Every IP Packet // That IS Received or Transmitted. Also, IOCTL_PF_SET_EXTENSION_POINTER
Clears Filter-Hook // Callback Functions from The IP Filter Driver. (See it, the last sentence, registration new callback letter
The number will be removed from the original clear, so there is only one such drive in the system. ) // We build the igp needed to establish fitler function This place is only
It is only to generate such an IRP and have not registered IRP =
IOBUILDDEVICEIOCONTROLREQUEST (IOCTL_PF_SET_EXTENSION_POINTER,
ipDeviceObject,
(PVOID) & filterdata,
SizeOf (pf_set_extension_hook_info),
NULL,
0,
False,
& Event,
& iostatus);
IF (IRP! = null) {// We send the IRP // This place is true registration. Status = IOCALLDRIVER (IPDeviceObject, IRP);
// and finally, we wait for "ACKNOWEDGE" of
Ipdriverfilter if (status == status_pend) {waitstatus = KewaitforsingleObject (& Event,
Executive, KernelMode, False, NULL;
IF (WaitStatus! = status_success) {}}
Status = iostatus.status;
IF (! NT_Success (status)) {}} else {//iff allocate the space, we return the
Corresponding code error status = status_insuffect_resources;
}
IF (ipfileObject! = null) ObdereferenceObject; ipfileObject = null; ipDeviceObject = null;} else returnction;} // The true filter function is this, this function passed in the earliest IrpDispatch. // This function is something that the system passes a cladding and package content and packet length. You can do some processing, // If you want this package, return pf_forward, or you don't want to make the package If you return to PF_D
ROP is stopped. Is it very simple, pf_forward_action cbfilterFunction (in unsigned char * packetheader, in
Unsigned char * packet, in unsigned int packetLENGTH, in unsigned INT
RecvinterfaceIndex, in unsigned int sendinterfaceIndex, in unsigned long
RecvlinkNexthop, in unsigned long sendlinknexthop) {ippacket * ipp; tcpheader * tcph; udpheader * udph;
INT country = 0;
Struct Filterlist * aux = first;
// We "extract" The ip header ipp = (ippacket *) packetheader;
// Dprintf ("Source:% X / NDestination:% x / nprotocol:% D", IPP-> IPSource,
IPP-> ipdestination, ipp-> ipprotocol); // TCP -> protocol = 6 // We Accept All Packets of Established Connections IF (IPP-> ipprotocol == 6) {TCPH = (TCPHEADER *) Packet;
// Dprintf ("Flags:% X / N", TCPH-> Flags); // if we havent the bit syn activate, we pass the packets if (! (Tcph-> flags & 0x02)) Return Pf_forward;}
// OtherWise, We compare the packet with our rules while (aux! = null) {// Dprintf ("Comparing with rule% d", countrule;
// if protocol is the Same .... IF (aux-> ipf.protocol == 0 || ipp-> ipprotocol ==
AUX-> ipf.protocol) {// WE LOOK IN SOURCE Address IF (AUX-> ipf.sourceIP! = 0 && (IPP-> IPSource & Aux-> ipf.sourcemask! = aux-> ipf.sourceIP) {aux = AUX-> Next; Countrule ; Continue;} // WE LOOK IN DESTINATION Address if (aux-> ipf.destinationip! = 0 && (ipp-> ipdestination
& aux-> ipf.destinationmask! = aux-> ipf.destinationip) {aux = aux-> next
CountRule ; Continue;} // if we have a tcp packet, we look in ports // TCP, protocol = 6 if (ipp-> ipprotocol == 6) {if (aux-> ipf.sourcePort == 0 ||
TCPH-> Sourceport == AUX-> ipf.sourceport) {if (aux-> ipf.destinationport == 0
|| TCPH-> DestinationPort == aux-> ipf.destinationport) // puerto tcp destino {// now we decided What
To do with the packet if (aux-> ipf.drop)
Return PF_Drop; ELSE
Return pf_forward;}}} // udp, protocol = 17 else IF (ipp-> ipprotocol == 17) {udph = (udpheader *) packet;
IF (AUX-> ipf.sourcePort == 0 ||
UDPH-> Sourceport == aux-> ipf.sourcePort) {if (aux-> ipf.destinationport == 0
|| UDPH-> DestinationPort == aux-> ipf.destinationport) {// now we decided What
To do with the packet if (aux-> ipf.drop) Return
PF_DROP; ELSE RETURN
Pf_forward;}}} else {// for Other Packet We DONT LOOK MORE AND
.... // Now we decided what to do with the
Packet if (aux-> ipf.drop) Return PF_Drop; Else Return Pf_forward;}} // compare with the next rule countrule ; aux = aux-> next;} // we accept all NOT Registered Return Pf_forward;}
WinPCap is also used for NDIS, registering yourself as an protocol processed drive. (Can be seen in the DriveRentry of the original code)
Also: The filter section of this DRVIPFLT this code doesn't know if you look familiar, yes, it is the name of the copy.
The MEGE driver development package is in a package filter, it seems that foreigners like to copy everywhere.
Ruike: When I read research, I specifically made NIDS, so I can say that WinPCAP can be said to have a unique moment, this Dongdong is really useful, but it is really annoying.
People, it has a fatal defect that is only applicable to shared Ethernet networks, and the data under the exchange network is unable to force, I
Specialized testing, under the local area network connected to the switch, can only listen to the data within this network segment, and for other network segments
The data cannot be listened, unless you pick up the probe or receive the switch's console mouth, but
Disadvantages are obvious. Therefore, WinPCAP's application is still very limited!
Kingzai: There are also many ways to implement the switching network 1. Place your captains on the gateway or proxy server, which caught the entire LAN. 2. For the switch to implement port mapping, map all the packets of the port to a monitoring machine. 3. Connect a HUB between the switch and the router, so that the data will be sent in a broadcast manner. 4. Implement ARP spoof, that is, the forwarding of the entire package is achieved on your machine, but it will reduce the efficiency of the entire local area network.
Warton: Sniffing Countermeasures: Light Sniffing, I talk about anti-sniffing:) 1. Check if the network card is set to a mixed mode (there are many tools to do, Antisniff, Promiscan, S
Entinel et al. 2. Switching network sniffer such as ettercap, can use the method of preventing ARP spoofing from deceiving the 3.SSH encryption channel 4.ssl5.vpn6.pgp, etc.
This is currently using NIC mixed mode software that does not seem to be great, so it should be considered to switch the network.
WORK
Mac flooding, mac duplicating, ARP spoof, etc. These methods are not easy, welcome to friends with interest, huh, huh!
Netsys: Does anyone have used Raw Socket? Although the WinPCP is very large, Raw Socket allows you to directly Socket's native mechanism. In fact, the two issues I mention are very easy to solve. .
Netsys2: For some mixed modes, most of them use the way to send special ARP packages, the correct network card will not respond, but
The network card of the mixed mode will respond.
Of course, the ARP and IP are in the same level, so you can't complete it with Raw Socket, you need WinPCAP support work.
Here are some code
Ansistring MsgStatus; Extern Tarpfuncparam WPARAMS;
int BuildARPPacket (PArpPacket ArpPacket, unsigned char * dst_etheraddr, unsigned char * src_etheraddr, int ar_op, unsignedchar * ar_sha, unsigned char * ar_sip, unsigned char * ar_tha, unsigned char * ar_tip, unsigned short int ar_hw) {memcpy (& (ArpPacket- > eth_dst_addr), dst_etheraddr, ETH_ADD_LEN); memcpy (& (ArpPacket-> eth_src_addr), src_etheraddr, ETH_ADD_LEN); ArpPacket-> eth_type = htons (ETH_TYPE_ARP); ArpPacket-> ar_hrd = htons (ar_hw); ArpPacket-> ar_pro = htons (ARP_PRO_IP); ArpPacket-> ar_hln = ARP_ETH_ADD_SPACE; ArpPacket-> ar_pln = ARP_IP_ADD_SPACE; ArpPacket-> ar_op = htons (ar_op); memcpy (& (ArpPacket-> ar_sha), ar_sha, ARP_ETH_ADD_SPACE); memcpy (& (ArpPacket-> ar_spa), ar_sip, ARP_IP_ADD_SPACE); memcpy (& (ArpPacket-> ar_tha), ar_tha, ARP_ETH_ADD_SPACE); memcpy (& (ArpPacket-> ar_tpa), ar_tip, ARP_IP_ADD_SPACE); memset (ArpPacket-> eth_pad, 32, ETH_PADDING_ARP); Return (exit_success);} int openadapter (LPADAPTER * LPADAPTER) {* lpadapter =
Packetopenadapter (wparams.Adapterlist [wparams.selectedadapter]);
if (! (* lpAdapter) || ((* lpAdapter) -> hFile == INVALID_HANDLE_VALUE)) {msgStatus = "Error: unable to open the driver."; SHOWSTAT (msgStatus); return (EXIT_FAILURE);} return (EXIT_SUCCESS } void closeadapter (LPADAPTER LPADAPTER) {PacketCloseadapter (LPADAPTER);
} Void getLocalMac (LPADAPTER LPADAPTER, UNSIGNED Char * Ether_ADDR) {
Ulong ioctlbufferlength = (Sizeof (packet_oid_data) sizeof (ulong) - 1); PPACKET_OID_DATA OIDDATA;
OidData = (struct _PACKET_OID_DATA *) malloc (IoCtlBufferLength); OidData-> Oid = OID_802_3_CURRENT_ADDRESS; OidData-> Length = 6; if (PacketRequest (lpAdapter, FALSE, OidData) == FALSE) memcpy (ether_addr, 0, 6); else memcpy (ether_addr, OidData-> Data, 6); free (OidData);} int GetARPReply (LPPACKET lpPacket, unsigned char * iptarget, unsigned char * result) {unsigned short int ether_type; unsigned char ipsender [4]; unsigned int off = 0; unsigned int in; struct bpf_hdr * hdr; char * pchar; char * buf;
BUF = (char *) lppacket-> buffer; HDR = (struct bpf_hdr *) (BUF OFF); tlen = HDR-> BH_CAPLEN; OFF = HDR-> BH_HDRLEN; PCHAR = (Char *) (BUF OFF) ; Off = packet_wordalign (off tlen); Memcpy (& ether_type, pchar 12, 2); ether_type = ntoHS (Ether_TYPE); if (ether_type == eth_type_arp) {Memcpy (IpSender, PCHAR 28, 4); IF iptarget [0] == ipsender [0]) && (iptarget [1] == ipsender [1]) && (iptarget [2] == ipsender [2]) && (iptarget [3] == ipsender [3]) ) memcpy (result, pChar 22, 6); else return (EXIT_FAILURE);} else return (EXIT_FAILURE); return (EXIT_SUCCESS);} int CheckPROMode (LPADAPTER lpAdapter, unsigned char * iptarget, unsigned char
* RemoteMac) {
LPPACKET LPPACKETREQUEST; LPPACKET LPPACKETREPLY; CHAR BUFFER [256000];
TARPPACKET ARPACKET; UNSIGNED CHAR MAGICPACKET; UN_ADD_LEN] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE}; unsigned char macterget [arp_eth_add_space];
DWORD TIMESTAMP = 0; int NumPacks = 0; / * init fields * / memset (MacTarget, 0, 6); / * allocate packet structure for arp request packet * / if ((lppcketRequest = packetallocatepacket ()) == null) { MsgStatus = "error: failed to allocate the lppacket structure .."; showst (msgstatus); return (exit_failure);} / * init packet structure * / memory (& arppcket, 0, sizeof (tarppacket);
/ * Build ARP Request Packet * / Buildarppacket (& Arppacket, Magicpack, Wparams.srcmac, ARP_OP_REQUEST,
WParams.srcmac, wparams.srcipadd, mactarget, iptarget, wparams.ar_hw);
/ * Init ARP Request packet * / PacketInitPacket (lpPacketRequest, & ArpPacket, sizeof (ArpPacket)); / * Set number of ARP Request packets to send * / if (PacketSetNumWrites (lpAdapter, 1) == FALSE) {msgStatus = "Warning: unable to send more than one packet in a single write .. "; SHOWSTAT (msgStatus);} / * Set hardware filter to directed mode * / if (PacketSetHwFilter (lpAdapter, NDIS_PACKET_TYPE_DIRECTED) == FALSE) {msgStatus =" Warning: unable To set directed mode .. "; showstat (msgstatus);} / * set a 512k buffer in the driver * / if (PacketSetBuff (LPADAPTER, 512000) == false) {msgstatus =" error: unable to set the kernel buffer. . "; SHOWSTAT (msgStatus); PacketFreePacket (lpPacketRequest); return (EXIT_FAILURE);} / * Set a 1 second read timeout * / if (PacketSetReadTimeout (lpAdapter, -1) == FALSE) {msgStatus =" Warning: unable to Set the read tiemout .. "; showstat (msgstatus);} / * allocate packet structure for arp reply packet * / if ((LPPACKETREPLY = P) acketAllocatePacket ()) == NULL) {msgStatus = "Error: failed to allocate the LPPACKET structure .."; SHOWSTAT (msgStatus); PacketFreePacket (lpPacketRequest); return (EXIT_FAILURE);} / * Init ARP Reply packet * / PacketInitPacket ( LPPACKETREPLY, (CHAR *) Buffer, 256000); / * Allocate Memory for Remote Mac Address * / TimeStamp = GetTickCount ();
/ * Main capture loop * / for (;;) {if (Numpacks
, Huh, not only IP IP, only I and two Mac (this time the Chinese is doing well), I don't want to find a third party, it is very safe, but
Not all such security, many people's network is still very bad. Many encryption protocols can be used to improve security, but old POP3, SMTP, HTTP, FTP, this protocol is widely used, and it is impossible to short.
The time is completely replaced, and the encryption is also available, so it will be encrypted for a higher case. However, Sniffer is not to give you the secret code. I used to learn the network, look at the package, later used Come as a network management tool,
Analyze the health of the network, in fact, you know, you know that Sniffer is connected to the network I need to detect, stethoscope
, Listen everywhere, huh, huh, so I use the switch, Sniffer is still useful, but not catching password !! WinCap is very simple, big 3 students don't be afraid, go to his website, have an example, VC6 compiles, BCB is also linear, turn the lib's format
To change it, but write this procedure, you are best to be familiar with the agreement, many agreements have ready-made source code in Linux, mainly Struct
Let's pay attention to the GCC, some C's advanced grammar, the compile option should be noted, otherwise you can't get the correct result. If you can't get Sniffer, Win2000 Server also has a network package viewer, Not strong than Sniffer, but simple things
It is also fast. The anti-sniffing and sniffing technique are actually very old, huh, but 9CBS is often Old. Be careful not to do bad things, there must be shield
Sevencat: The mixed mode of the network card seems to be set by NDIS. The following is a repost. Which UP is coming, I will pass it. A drive Open Source Author: gjpland see packet interception technology provides a lot of my dear friend, is where most of the preparation IM DRIVER NDIS intermediate layer of data packets between MINIPORT (NIC driver) and protocol drivers intercept. This is a technology provided by Microsoft but writing the filter interceptor is very complicated, and the installation is very troublesome.
I briefly introduce a more efficient NDIS package intercept technology.
Everyone knows that the NDIS protocol driver is a table that fills in a Ndis_Protocol_Characteristics.
And call the NDIS API function NDisregisterProtocol for registration. Now let's pay attention to NDIS_PROTOCOL_CHARACTERI
This table, the entrance to all protocol drivers and underlying distribution functions in this table. Such as SendHandler, ReceiveHandler, Bi
NDADAPTERHANDALE, etc.
The order has a packet of the protocol to enter, and the protocol driver is driven by the sendhandler or sendpacketshandler function.
If you send a packet to the network, someone will strange programs not to call NDISSEND or NDISSENDPACKETS functions? That's right,
This is like this, but you can see if Ndis.h's header file knows the definition of these two functions, they are all macro definitions, actually sent by SendHandler or SendPacketsHandler through this table.
Now what we have to do should be very clear, as long as we can fill in NDIS_PROTOCOs in each protocol program
The Distribution function in the L_Characteristics table points to its own function, we can successfully intercept the packet. So this one of each protocol driver
Does the table are there? Too simple, look at the prototypes rendered by NDISREGISTERPROTOCOL.
struct _NDIS_PROTOCOL_BLOCK {PNDIS_OPEN_BLOCK OpenQueue; // queue of opens for this protocol REFERENCE Ref; // contains spinlock for OpenQueue UINT Length; // of this NDIS_PROTOCOL_BLOCK struct NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics; // handler
Addresses
struct _NDIS_PROTOCOL_BLOCK * NextProtocol; // Link to next ULONG MaxPatternSize; #if defined (NDIS_WRAPPER) // // Protocol filters // struct _NDIS_PROTOCOL_FILTER * ProtocolFilter [NdisMediumMax 1]; WORK_QUEUE_ITEM WorkItem; // Used during NdisRegisterProtocol to // notify protocols . of existing drivers KMUTEX Mutex; // For serialization of Bind / Unbind requests PKEVENT DeregEvent; // Used by NdisDeregisterProtocol #endif}; typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK, * PNDIS_PROTOCOL_BLOCK;
Export Void NdisregisterProtocol (Out Pndis_Status Status, Out Pndis_Protocol_block ndisprotocolhandle, / * Note NDIS_HANDLE pointing
Is the structure of Pndis_Protocol_block, don't have any doubts. * / In Pndis_Protocol_Characteristics Protocolcharacteristics, in uint characteristicsLength;
NDIS_PROTOCOL_BLOCK (protocol table)
It is NDIS to maintain a unidirectional link table that has been registered in all systems. Field NextProtocol points to the next protocol table. Fortunately, when we register a new agreement, NDIS always puts the newly registered Acjunction on the head of the list and returns this table.
So as long as we register a new protocol, you can easily traverse all protocol tables in the system in the system through the new protocol. Now we hope to get every
The NDIS_PROTOCOL_CHARACTERISTISTISTISTISTICS table of the agreement is placed in front of us, how to hook the distribution function in the hanging table, I
I don't have to say more. By the way, NDISREGISTERPROTOCOL is all assigned by NDIS_PROTOCOL_BLOCK is NonPagedPool
Type of. For core Driver, the core area memory is a linear memory area, and all core Driver is any address that can access the core memory area. What should you pay attention to?
Paging and non-paged memory with the IRQL level.
Will someone will ask this way? Do you really intercept? If there is anything that the people are eager to write the program, they will be disappointed, because he will find what the results are not intercepted or even intercept some packets. why? Because the NDIS network card driver and protocol driver is not called Pndis_Open_Block-> Proto when sending and receiving a number of times
Distribution function in colcharacteristics. How to do? It is necessary to introduce how binding between NDIS NIC drivers and protocol drivers, NDisRegisterProtocol After registering a protocol, NDIS will send functions to the table BindAdaPterHandler by calling tables, and notify the protocol to make Binding for each network card. Or when the system passes PNP
BindAdapterHandler will also call the protocol to Binding when a new network card is called. In the binding call, the agreement will be based on your own
Need to use NDisopenadapter to bind itself to the appropriate NIC. And return ndisbindinghandle.ndisbindingHandle? NDISBINDINGHANDL actually points a pointer to the NDIS_OPEN_BLOCK table, then what is the use of the ndis_open_block table? Agree
After the binding, each bound network card and each protocol have established channels of data transmission, and ndis_open_block is used to maintain this data channel.
table. struct _NDIS_OPEN_BLOCK {PNDIS_MAC_BLOCK MacHandle; // pointer to our MAC NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs PNDIS_ADAPTER_BLOCK AdapterHandle; // pointer to our adapter PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol NDIS_HANDLE ProtocolBindingContext; // context when calling ProtXX funcs PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter's OpenQueue PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue PFILE_OBJECT FileObject; // created by operating system BOOLEAN Closing; // TRUE when removing this struct BOOLEAN Unloading; // TRUE when processing unload BOOLEAN NoProtRsvdOnRcvPkt; / / REFLECT The protocol_options ndis_handle closequesthandle; // 0 indicates an internal close kspin_lock spinlock; // guards closing pndis_open_block nextglobalopen;
//////////////// Necessary, But Are Here to save a dereference through the mac block // send_handler sendhandler; Transfer_Data_Handler TransferDataHandler
// // These are optimizations for getting to PROTOCOL routines They are not // necessary, but are here to save a dereference through the PROTOCOL block // SEND_COMPLETE_HANDLER SendCompleteHandler;.. TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler; RECEIVE_HANDLER ReceiveHandler; RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;
// // Extentions to the OPEN_BLOCK since Product 1. // RECEIVE_HANDLER PostNt31ReceiveHandler; RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler; // // NDIS 4.0 extensions // RECEIVE_PACKET_HANDLER ReceivePacketHandler; SEND_PACKETS_HANDLER SendPacketsHandler;
/// More ndis 3.0 cached handlers // reset_handler resetHandler; Request_Handler Requesthandler;
//////////// Upcased name of the adapter we are bound to};
The above table structure can be clearly seen that this table is a one-way linked table and stored and pndis_open_block-
> ProtocolCharacteristics the same data transceiver distribution function, when the N-block network card sends a packet to the nth protocol, the nth protocol and the nth
The SendHandler or SendPacketHandler in the NDIS_OPEN_BLOCK table established between the NIC. So we also need to do this
The distribution function is handled (hook). So how do you hook the NDIS_OPEN_BLOCK table between the protocol and the NIC. Let's go back to NDIS_PROTOCOL_
Block this table, in the NDIS_PROTOCOL_BLOCK table field pndis_open_block openqueue; is all the protocol
There is a header of NDIS_OPEN_BLOCK. Traverse it through AdapterNextopen, and then hook it. It can be intercepted smoothly.
It is worth noting. 1. NDIS_OPEN_BLOCK NDIS_PIS_OPEN_BLOCK NDIS_PROTOCOL_BLOCK These structural Different NDIS versions are different, and the solution is to use the Ndis.h of Windows98DDK under Windows 98 and Windows 95 (NDIS 3.1).
Define under Windows Me (NDIS 5.0 or 4.0) Please use the definition NT (NDIS4.0) in Nd (NDIS4.0) in NTDDK in NTDDK, 2000 (NDIS5.0) 2. Do not repeat the hook the same function.
If you have any questions, you can pass QQ: 3955727 mail: gjpland@netese.com
//// Protocol Wrapper Version 1.05 // Author: gjp // email: gjpland@netese.com//
#include "ndishook.h" #include "hookrule.h"
#pragma pack (push) #pragma pack (1) typef struct _hook_context_struct {// runtime code ubyte code1_0x58; // 0x58 | POP EAX | POP Caller IP from Stack To
EAX Ubyte Code2_0x68; // 0x68 | Push Imm | Push Our Hook Context
Address struct _hook_context_struct * m_phookContext; // Point this ubyte code3_0x50; // 0x50 | Push Eax | Push Caller
IP from eax to stack ubyte code4_0xe9; // 0xe9 | JMP hookproc | jump ot hook proc UDWORD M_PHOOKPROCOFFSET; // Our Context Data
PVOID M_PORIGINALPROC; PVOID M_PHOKPROC; PVOID M_PBINDADAPTHANDLE; PVOID M_PPROTOCOLCONTENT; PVOID * M_PPORIGINPTR;
Struct_hook_context_struct * m_phooknext;} hook_context_struct; #pragma pack (POP)
Hook_context_struct * m_pouraronhekcontext = null;
dword m_IsFilterEnabled = FALSE; NDIS_HANDLE m_ourPacketPoolHandle = NULL; NDIS_HANDLE m_ourBufferPoolHandle = NULL; PNDIS_PACKET m_ourPacketHandle = NULL; PNDIS_BUFFER m_ourBufferHandle = NULL; PVOID m_ourBuffer = NULL;
Void Readpacket (Pndis_Packet Packet, Pvoid PBuffer, Udword DwBufsize); UWORD WSWAP (UWord Value);
Void hookunload (void) {releasehookfunc ();
if (m_ourBufferHandle) {NdisFreeBuffer (m_ourBufferHandle); m_ourBufferHandle = NULL;} if (m_ourBuffer) {NdisFreeMemory (m_ourBuffer, MAX_PACKET_SIZE, 0); m_ourBuffer = NULL;} if (m_ourPacketHandle) {NdisFreePacket (m_ourPacketHandle); m_ourPacketHandle = NULL;} if (m_ourBufferPoolHandle) {NdisFreeBufferPool (m_ourBufferPoolHandle); m_ourBufferPoolHandle = NULL;} if (m_ourPacketPoolHandle) {NdisFreePacketPool (m_ourPacketPoolHandle); m_ourPacketPoolHandle = NULL;} return;} dword HookInit (void) {NTSTATUS status;
M_OrPacketPoolHandle = NULL; NDISALLOCATEPACKETPOOL (& status, & m_ourpacketpoolhandle, 0xff, 0x10); if (status! = ndis_status_success) Return False;
m_ourbufferpoolhandle = null; NdisallocateBufferPool (& status, & m_ourbufferpoolhandle, 0x10); if (status! = ndis_status_success) Return False;
m_ourbuffer = null; status =
NdisallocateMemorywithtag (& m_ourbuffer, max_packet_size, 'namw'); if (status! = Ndis_status_success) Return False;
m_ourbufferhandle = NULL;
NdisallocateBuffer (& status, & m_ourbufferhandle, m_ourbufferpoolhandle, m_ourbuff
Er, Max_packet_size; if (status! = ndis_status_success) Return False;
m_ourpacketHandle = NULL;
NdisallocatePacket (& status, & m_ourpacketHandle, m_ourpacketpoolhandle); if (status! = Ndis_status_success) Return False;
NdischainBufferatfront (m_ourpackethandle, m_ourbufferhandle); return true;}
typedef struct _NDIS41_PROTOCOL_CHARACTERISTICS {#ifdef __cplusplus NDIS40_PROTOCOL_CHARACTERISTICS Ndis40Chars; #else NDIS40_PROTOCOL_CHARACTERISTICS; #endif // // Start of NDIS 4.1 extensions //.
CO_SEND_COMPLETE_HANDLER
CosendCompleteHandler; CO_STATUS_HANDLER
Costatushandler; CO_RECEIVE_PACKET_HANDLER
CoreceivePacketHandler; CO_REQUEST_HANDLER
CorequestHandler; CO_REQUEST_COMPLETE_HANDLER
CorequestCompleteHandler;
NDIS41_PROTOCOL_CHARACTERISTICS;
dword HookProtocol (void) {// Default ndis version is 5.0 NDIS_PROTOCOL_CHARACTERISTICS ourNPC; NDIS_STRING protoName = NDIS_STRING_CONST ( "HdFw_Slot"); NDIS_STATUS Status; NDIS_HANDLE ourProtocolHandle = NULL; byte * ProtocolChain; dword offset; dword len;
// ndis_protocol_block * pndisblock = NULL;
// pndisblock = pndisblock-> NextProtocol; // pndisblock-> nextprotocol = null;
MEMSET (& outpc, 0, sizeof (ndis_protocol_characteristics);
if (m_dwMajorVersion == 0x03) {len = sizeof (NDIS30_PROTOCOL_CHARACTERISTICS); // We must need at least ndis version 3.10 ourNPC.MajorNdisVersion = 0x03; ourNPC.MinorNdisVersion = 0x0A;} else if (m_dwMajorVersion == 0x04) {len = sizeof (NDIS40_PROTOCOL_CHARACTERISTICS); ourNPC.MajorNdisVersion = 0x04; ourNPC.MinorNdisVersion = 0x00;} else {// treat as version 5.0 len = sizeof (NDIS50_PROTOCOL_CHARACTERISTICS); ourNPC.MajorNdisVersion = 0x05; ourNPC.MinorNdisVersion = 0x00;}
ourNPC.Name = protoName; ourNPC.OpenAdapterCompleteHandler = PtOpenAdapterComplete; ourNPC.CloseAdapterCompleteHandler = PtCloseAdapterComplete; ourNPC.SendCompleteHandler = PtSendComplete; ourNPC.TransferDataCompleteHandler = PtTransferDataComplete; ourNPC.ResetCompleteHandler = PtResetComplete; ourNPC.RequestCompleteHandler = PtRequestComplete; ourNPC.ReceiveHandler = PtReceive; ourNPC. ReceiveCompleteHandler = PtReceiveComplete; ourNPC.StatusHandler = PtStatus; ourNPC.StatusCompleteHandler = PtStatusComplete; ourNPC.BindAdapterHandler = PtBindAdapter; ourNPC.UnbindAdapterHandler = PtUnbindAdapter; ourNPC.UnloadHandler = PtUnload; ourNPC.ReceivePacketHandler = PtReceivePacket; ourNPC.PnPEventHandler = PtPNPHandler;
NdisregisterProtocol (& Status, & OurprotocolHandle, & Ornpc, Len); if (! NT_Success (status) ||URPROTOCOLHANDLE == NULL) RETURN FALSE
// NdisregisterProtocol Return Hand Reference OF
NDIS_PROTOCOL_BLOCK; ProtocolChain = (byte *) ourProtocolHandle; while (1) {DebugInfoCount ;. // Obtain pointer to next protocol link if (m_dwMajorVersion == 0x03) offset = 4; else if (m_dwMajorVersion == 0x04) {if (m_dwMinorVersion = = 0x01) Offset = 0x8c; else offset = 0x60;} else if (m_dwmajorversion == 0x05) // ndis_protocol_block-> NextProtocol Offset = 0x10; else // Error Break;
Protocolchain = ((Byte **) (protocolchain offset) [0]; if (protocolchain == null) Break;
HookFuncBlock (ProtocolChain);} if (m_dwMajorVersion = 4!) NdisDeregisterProtocol (& Status, ourProtocolHandle); else {// ((byte *) ourProtocolHandle) [0x0C] = 0x01; // NdisDeregisterProtocol (& Status, ourProtocolHandle);} return TRUE; } // protocolcontent // version nextchain offset ndis_protocol_characteristics offset
Bindingadapthandle offset // ndis 3.xx 0x04
0x14
0x08 // ndis 4.xx 0x60
0x14
0x00 // NDIS 4.01 0x8c
0x14
0x00 // ndis 5.xx 0x10
0x14
0x00
// ----- Void hookprotocolsendpackets (in hook_context_struct * pourcontext, in ndis_handle
MiniPortadapterContext, in PPNDIS_PACKET PACKETARRAY, IIN
NUMBEROFPACKETS;
NDIS_STATUS HOOKPROTOCOLWANSEND (in hook_context_struct * pourcontext, in ndis_handle
MacbindingHandle, In ndis_handle linkhandle, in pvoid packet; ndis_status hookprotocolsend (in hook_context_struct * pourContext, in ndis_handle
MacbindingHandle, in pndis_packet packet;
NDIS_STATUS HookProtocolReceive (IN HOOK_CONTEXT_STRUCT * pOurContext, IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE MacReceiveContext, IN PVOID HeaderBuffer, IN UINT HeaderBufferSize, IN PVOID LookAheadBuffer, IN UINT LookaheadBufferSize, IN UINT PacketSize); NDIS_STATUS HookWanReceive (IN HOOK_CONTEXT_STRUCT * pOurContext, IN NDIS_HANDLENdisLinkHandle, IN PUCHAR
Packet, in ulong
Packetsize; int hookprotocolreceivepacket (in hook_context_struct * pourcontext, in ndis_handle
ProtocolbindingContext, in pndis_packet packet;
Void hookbindadapterhandler (in
Hook_Context_struct * PourContext, OUT
Pndis_status status, in
NDIS_HANDLE BINDCONTEXT, IN
Pndis_String DeviceName, in pvoid
Systemspect1, in pvoid
Systemspecific2);
Void HooksendComplete (in hook_context_struct * pourcontext, in ndis_handle protocolbindingcontext, in pndis_packet packet, in ndis_status status;
Void ReleaseHookFunc (void) {
Hook_context_struct * phookcontext, * pnext;
PhookContext = m_PouraLLOFHOKCONTEXT; m_PouraLLOFHOKCONTEXT = null; while (phookcontext) {pNext = phookcontext-> m_phooknext; phookcontext-> m_pporiginptr [0] =
PhookContext-> m_poriginalProc; ExfreePool (phookcontext); phookcontext = PNEXT;} Return;
Hook_context_struct * iShookedndisfunc (PVOID PADDR) {
Hook_context_struct * phookcontext;
pHookContext = m_pOurAllOfHookContext; while (pHookContext) {if (pHookContext == pAddr) break; pHookContext = pHookContext-> m_pHookNext;} return pHookContext;} HOOK_CONTEXT_STRUCT * IsHookedNdisFuncEx (PVOID * pAddr) {HOOK_CONTEXT_STRUCT * pHookContext;
pHookContext = m_pOurAllOfHookContext; while (pHookContext) {if (pHookContext-> m_ppOriginPtr == pAddr) break; pHookContext = pHookContext-> m_pHookNext;} return pHookContext;}
Hook_Context_struct * hookndisfunc (Pvoid PhookProc, Pvoid
* PPorigProc, pvoid pbindadapthandle, pvoid pprotocolcontent) {
Hook_context_struct * phookcontext; pvoid orgfunc;
PhookContext = Ishookedndisfunc (pporigproc [0]); if (phookcontext) orgfunc = phookcontext-> m_poriginalProc; else orgfunc = pporigProc [0]; if (orgfunc == null) Return NULL;
PhookContext = iShookedndisfunceX (PPORIGPROC); if (phookcontext) returnophtext; phookcontext =
ExallocatePoolwithtag (NonpagedPool, SizeOf (hook_context_struct), 'HCSP'); if (phookcontext == null) Return Null; Memset (PhoOKContext, 0, Sizeof (hook_context_struct);
PhookContext-> Code1_0x58 = 0x58; phookcontext-> code2_0x68 = 0x68; phookcontext-> code3_0x50 = 0x50; phookcontext-> code4_0xe9 = 0xE9;
PhookContext-> m_phookcontext = phookcontext; phookcontext-> m_phookproCoffset = ((UDWORD) PhookProc)
(((Udword) & pHookContext-> m_pHookProcOffset) sizeof (udword)); pHookContext-> m_pBindAdaptHandle = pBindAdaptHandle; pHookContext-> m_pProtocolContent = pProtocolContent; pHookContext-> m_pOriginalProc = OrgFunc; // ppOrigProc [0]; pHookContext-> m_ppOriginPtr = ppOrigProc; pHookContext-> m_pHookProc = pHookProc; pHookContext-> m_pHookNext = m_pOurAllOfHookContext; m_pOurAllOfHookContext = pHookContext; ppOrigProc [0] = pHookContext; return pHookContext;}
TYPEDEF STRUCT _NDIS40_OPEN_BLOCK {pndis_mac_block machandle;
// Pointer to Our Mac NDIS_HANDLE
MacbindingHandle; // context when calling macxx funcs pndis_adapter_block adapterhandle;
// Pointer to Our Adapter Pndis_Protocol_Block ProtocolHandle; //
Pointer to Our Protocol NDIS_HANDLE
ProtocolbindingContext; // context when calling protxx funcs pndis_open_block adapternextopen; //
Used by adapter's openqueue pndis_open_block protocolnextopen; //
Used by Protocol's OpenQueue Pfile_Object FileObject;
// created by Operating System Boolean
Closing; // True When Removing this struct boolean
Unloading; // true when processing unload ndis_handle
ClosequestHandle; // 0 Indicates An Internal Close Kspin_lock spinlock
// guards closing pndis_open_block nextglobalopen;
/////////////// Necessary, But Are Here to save a dereference through the mac block. //
Send_handler SendHandler; Transfer_Data_Handler TransferDataHandler;
//////////////////// '
Not // Necessary, But Are Here to Save a Dereference Throungh Protocol
BLOCK. //
Send_complete_handler SendCompleteHandler; Transfer_Data_complete_handler TransferDatAndPleteHandler; Receive_HandlerReceiveHandler; Receive_Complete_Handler ReceiveCompletehandler;
// // EXTENTIONS to the open_block since product 1. // receive_handler
Postnt31ReceiveHandler; Receive_complete_handler postnt31recompletehandler;
// // NDIS 4.0 extensions // receive_packet_handler receivepacketHandler; send_packets_handler sendpacketshandler;
///////////////// UNICODE_STRING ADAPTERNAME;
// Upcased name of the adapter we are bound to} ndis40_open_block, * pndis40_open_block;
Void hookfuncblock (byte * protocolcontent) {
Pndis_protocol_characteristics PPROCHAR; DWORD Iswan; Ndis_String WanString = NDIS_STRING_CONST ("ndiswan"); ndis_string deficewanstring =
Ndis_string_const ("// device // ndiswan);
NDIS_STRING TCPIPSTRING = NDIS_STRING_CONST ("TCPIP"); ndis_string tcparpstring = ndis_string_const ("tcpip_wanarp"); ndis_string rasarpstring = ndis_string_const ("Rasarp");
IF (protocolcontent == null) return; // Get Pointer to Ndis_Protocol_Characteristics from protocol
Content Pprochar = (Pndis_Protocol_Characteristics (ProtocolContent
0x14);
IF (KegetCurrentiRQL () == passive_level) {// Check Protocol Name WHETHER IS WAN LAN protocol so That WE
Can Correctly Hook Our Function IF
RtlcompareUnicodestring (& pprochar-> name, & wanstring, true) ||
Rtlcompareunicodestring (& PPROCHAR-> Name, & DevicewanString, True) {iswan = 1;} else iswan = 0;
// WE R ONLY Interest in Following Protocol IF
! (! RtlcompareunicodeString (& PPROCHAR-> Name, & Tcpipstring, true) ||
Rtlcompareunicodestring (& pprochar-> name, & tcparpstring, true) ||! Rtlcompareunicodestring (& PPROCHAR-> Name, & Rasarpstring, true))) {return;}} else iswan = 0;
// if (! Iswan) {hookndisfunc (HookProtocolReceive, (PVOID)
*) & pprochar-> ReceiveHandler, Null, ProtocolContent
// {{added by GJP 6.24 // __ASM INT 3; // hookndisfunc (HooksendComplete, (PVOID)
*) & pprochar-> sendcompletehandler, null, protocolcontent; //}}} else hookndisfunc (HookwanReceive, (PVOID)
*) & pprochar-> wanreceivehandler, null, protocolcontent; if (pprochar-> majorndisversion> 0x03) {hookndisfunc (hookprotocolreceivepacket, (pvoid)
*) & PPROCHAR-> ReceivePacketHandler, Null, ProtocolContent; hookndisfunc (HookbindadapterHandler, (PVOID)
*) & pprochar-> bindadapterhandler, null, protocolcontent;}
Zihan: Guniffer I have done a modification, implement it with threads, but it is better. It is BCB made // --------------------------- ------------------------------------------------
#include
/ / -------------------------------------------------------------------------------------------- ---------------------------
__fastcall TSniffer :: TSniffer (bool CreateSuspended): TThread (CreateSuspended) {MParamTcp = true; // attention TCP packets MParamUdp = true; // attention UDP packets MParamIcmp = true; // attention ICMP packets MParamDecode = true; FreeOnTerminate = true; strcpy (tcpflag, "fsrpau"); // tcpflag [6] = {'f', 's', 'r', 'p', 'a', 'u'}; // Define TCP flags Bit strfromipfilter = null; // source IP address filter strDestipfilter = null; // destination address filter strSensitive = null; // sensitive string iPortFilter = 0; // port filtering Recvbuf [MAX_PACK_LEN] = null;} // --- -------------------------------------------------- ---------------------- void __fastcall tsniffer :: execute () {// ---- Place Thread code Here ---- // Listening IP Message Snifferinit (); while (! Terminated) {receivedata ();} form1-> listview1-> additem ("thread end, stop interception ...", 0);} void Tsniffer :: sniferinit () {// Initializing Socket Wsadata Wsadata; IerrorCode = Wsastartup (Makeword (2, 1), & Wsadata); Checksockerror (IrrorCode, "WSAStartup "); SockRaw = socket (AF_INET, SOCK_RAW, IPPROTO_IP); CheckSockError (SockRaw," socket "); // Get the local IP address of the char FAR name [MAX_HOSTNAME_LAN]; iErrorCode = gethostname (name, MAX_HOSTNAME_LAN); CheckSockError (iErrorCode, "gethostname"); struct hostent FAR * pHostent; pHostent = (struct hostent *) malloc (sizeof (struct hostent)); pHostent = gethostbyname (name); SOCKADDR_IN sa; sa.sin_family = AF_INET; sa.sin_port = htons (6000 ); Memcpy (& sa.sin_addr.s_un.s_addr, phostent-> h_addr_list [0],
phostent-> h_length; free (phostent); IrrorCode = Bind (SockRaw, (psockaddr) & sa, sizeof (sa)); checksockerror (iERRORCODE, "Bind"); // Sets Sock_RAW to SiO_RCVALL to receive all IP packets LPVOID DWBufferlen [10]; DWORD dwbufferinlen = 1; DWORD DWBYTESRETURNED = 0; IrrorCode = WSAIOCTL (SockRaw, SiO_Rcvall, & Dwbufferinlen,
Sizeof (dwbufferinlen), & DWBufferlen, Sizeof (dwbufferlen), & DWBYTESRETURNED, NULL,
NULL); Checksockerror (IrrorCode, "IOCTL");}
// IP Unpackler Int Tsniffer :: Decodeippack (Char * BUF, INT IBUFSIZE) {ip_header * pipheader; sockaddr_in sasource, sadest; pipheader = (ip_header *) BUF;
// screening protocol iProtocol = pIpheader-> proto; strncpy (szProtocol, CheckProtocol (iProtocol), MAX_PROTO_TEXT_LEN); if (! (IProtocol == IPPROTO_TCP) && (MParamTcp)) return true; if ((iProtocol == IPPROTO_UDP) && ( ! MParamUdp)) return true; if ((iProtocol == IPPROTO_ICMP) && (MParamIcmp)) return true;! // source address saSource.sin_addr.s_addr = pIpheader-> sourceIP; strncpy (szSourceIP, inet_ntoa (saSource.sin_addr), MAX_ADDR_LEN); if (strFromIpFilter) if (strcmp (strFromIpFilter, szSourceIP)) return true; // destination address saDest.sin_addr.s_addr = pIpheader-> destIP; strncpy (szDestIP, inet_ntoa (saDest.sin_addr), MAX_ADDR_LEN); if ( STRDESTIPFILTER) f (strdestipfilter, szdestip) Return true; ittl = pipheader-> ttl; // calculate the length Iip header IIPHLEN = SIZEOF (Pipheader-> h_lenver & 0xf); // According to the agreement Types call corresponding functions Switch (iProtocol) {Case ipproto_tcp: decodetcppck (BUF iiphlen,
ibufsize; bren; case ipproto_udp: decodeudppck (buf iiphlen,
ibufsize; bren; case ipproto_icmp: decodeicmppack (buf iiphlen, ibufsize); break; default: Break;} Return True;
// Protocol Identification Procedure Char * Tsniffer :: CheckProtocol (INT iProtocol) {for (int i = 0; i // TCP Unpackler Int Tsniffer :: Decodetcppck (Char * TCPBUF, INT IBUFSIZE) {TCP_Header * Ptcpheader; Int i; int tentport, idestport; receivefo * receivedInfo = new receiveInfo; pTcpHeader = (TCP_HEADER *) TcpBuf; // calculate the TCP header length int TcpHeaderLen = pTcpHeader-> th_lenres >> 4; TcpHeaderLen * = sizeof (unsigned long); char * TcpData = TcpBuf TcpHeaderLen; // if the string is sensitive filter It is judged whether or not (strsnsitive) IF ((strstr (tcpdata, strsensitive) == null) Return True; // The port is filtered by the port isourcePort = NTOHS (PTCPHEADER-> TH_SPORT); IDESTPORT = NTOHS (ptcpheader-> th_dport); IF (iPortFilter) && (isourceport! = iportfilter) && (IDestport! = iportfilter) Return true; // Output // Sprintf (OtherInfo, "% s", szprotocol); // sprintf (OtherInfo, "% 15s: % 5D ->% 15S:% 5D ", SzsourceIP, ISOURPORT, szDestIP, iDestPort); // sprintf (OtherInfo, "TTL =% 3d", iTTL); ReceiveInfo-> szProtocol = szProtocol; ReceiveInfo-> szSourceIP = szSourceIP; ReceiveInfo-> szDestIP = szDestIP; ReceiveInfo-> iSourcePort = iSourcePort; ReceiveInfo -> Idestport = Idestport; ReceiveInfo-> ittl = ittl; // Judgment TCP flag unsigned char flagmask = 1; for (i = 0; i <6; i ) {if (ptcpheader-> th_flag) & flagmask {// sprintf (OtherInfo, "% C", TCPFLAG [ I]); ReceiveInfo-> tcpflag [i] = tcpflag [i];} else {// sprintf (OtherInfo, "-"); receiveInfo-> tcpflag [i] = '-';} flagmask = flagmask << 1 } // sprintf (OtherInfo, "Bytes =% 4D / N", IBUFSIZE); ReceiveInfo-> ibufsize = ibufsize; / / Data analysis for packets greater than 40 bytes (IP_HEADER TCP_HEADER = 40) IF ((( MParamDecode) && (ibufsize> 40)) {// Analysis TCP Data Section IF ((! Strsensitive) || (STRSTR (TCPDATA, STRSENSITIVE))) {// sprintf (OtherInfo, "[DATA] / N"); / / sprintf (OtherInfo, "% s% s", OtherInfo, TCPDATA); // Sprintf (OtherInfo, "% S / N [Data end] / n / n / n", OtherInfo; receivedata = tcpdata;}} // form1-> memo1-> lines-> add (ortho); addreceivedata (ReceiveInfo); delete receiveInfo; Return true;} // UDP unpack program int TSniffer :: DecodeUdpPack (char * UdpBuf, int iBufSize) {UDP_HEADER * pUdpHeader; pUdpHeader = (UDP_HEADER *) UdpBuf; int iSourcePort = ntohs (pUdpHeader-> uh_sport); int iDestPort = ntohs (pUdpHeader- > UH_DPORT); ReceiveInfo * receiveInfo = new receiveInfo; // Filter IF (iPortFilter) if (iPortport! = Iportfilter) && (iDestport! = Iportfilter) Return True; // Printf ("% s", szprotocol); // Printf ("% 15s:% 5d ->% 15s:% 5D", SzsourceIP, ISOURPORT, SZDestip, Idestport); // Printf ("TTL =% 3D", ITTL); // Printf ("LEN =% 4D", NTOHS (Pudpheader-> UH_LEN)); // Printf ("Bytes =% 4D", IBUFSIZE) ; // printf ( "/ n"); ReceiveInfo-> szProtocol = szProtocol; ReceiveInfo-> szSourceIP = szSourceIP; ReceiveInfo-> iSourcePort = iSourcePort; ReceiveInfo-> szDestIP = szDestIP; ReceiveInfo-> iDestPort = iDestPort; ReceiveInfo-> iTTL = ITTL; ReceiveInfo-> length = ntoHs (pudpheader-> uh_len); receiveInfo-> ibufsize = ibufsize; / / For data analysis of the length greater than 28 bytes (IP_HEADER UDP_HEADER> 28) IF ((mParamDecode) && (ibufsize> 28)) {// printf ("[data] / n"); // UDP head a length of 8 char * UdpData = UdpBuf 8; // UDP data analysis section ReceiveInfo-> ReceiveData = UdpData; TStringStream * DataStringStream = new TStringStream (NULL); try {DataStringStream-> Write (UdpData, sizeof (UdpData)); / / DataStringStream-> CopyFrom (UdpData, sizeof (UdpData))} ReceiveInfo-> ReceiveUdpData = DataStringStream-> dataString;} __finally {delete DataStringStream;} for (unsigned int i = 0; i <(iBufSize-sizeof (UDP_HEADER)); i ) {// if (! (i% 8)) Sprintf (OtherInfo, "% S / N", OtherInfo; // Memset (OtherInfo, 0, Strlen (OtherInfo)); IF ((UDPData [i]> 33) && (udpdata [i] <122)) // sprintf (OtherInfo, "% C", udpdata [i]); Else // Sprin TF (UDPDATA, "[% 3X]", ABS (udpdata [i])); udpdata [i] = '_';} // printf ("/ n [data end] / n / n / n"); } AddReceiveData (ReceiveInfo); delete ReceiveInfo; return true;} // ICMP unpack program int TSniffer :: DecodeIcmpPack (char * IcmpBuf, int iBufSize) {ICMP_HEADER * pIcmpHeader; pIcmpHeader = (ICMP_HEADER *) IcmpBuf; int iIcmpType = pIcmpHeader- > i_type; int IICMPCode = PICMPHEADER-> i_code; ReceiveInfo * ReceiveInfo = new receiveInfo; // Filter IF (iictfilter) && (iicmptype! = Iportfilter) Return True; // Printf ("% s", szprotocol); // printf ("% 15s Type% D ->% 15S Code% D ", SzsourceIP, Iicmptype, Szdestip, IicmpCode); // Printf ("% 15S ->% 15S ", szSourceIP, Szdestip; // Printf (" TTL =% 3D ", ITTL) // Printf ("type% 2D,% D", Iicmptype, IicmpCode); // printf ("Bytes =% 4D", IBUFSIZE); // Printf ("/ n"); ReceiveInfo-> Szprotocol = Szprotocol; ReceiveInfo-> szSourceIP = szSourceIP; ReceiveInfo-> iIcmpType = iIcmpType; ReceiveInfo-> szDestIP = szDestIP; ReceiveInfo-> iIcmpCode = iIcmpCode; ReceiveInfo-> iTTL = iTTL; ReceiveInfo-> iBufSize = iBufSize; / / For data analysis of the package containing the data segment, IF ((ibufsize> 28)) {char * icmpdata = ICMPBUF 4; // Analyze ICMP Data Section // Printf ("[DATA]"); / / for (unsigned int i = 0; i <(iBUFSIZE-SIZEOF (ICMP_HEADER)); i ) // {// IF (! (i% 8)) Printf ("/ n"); // IF ((ICMPData) [I]> 33) && (ICMPDATA [I] <122) // Printf ("% 3C [% 3X]", ICMPDATA [i], ICMPDATA [I]); // Else Printf ("[% 3X]", ABS (ICMPDATA [I])); //} // printf ("/ n [Data end] / n / n / n"); ReceiveInfo-> ReceiveData = IcmpData;} AddReceiveData (ReceiveInfo); delete ReceiveInfo; return true;} // SOCK error handler void TSniffer :: CheckSockError (int iErrorCode, char * pErrorMsg) {if (iErrorCode == SOCKET_ERROR) {// Printf ("% s error:% d / n", perroormsg, getLastError ()); form1-> listview1-> additem (perrormsg, 0); CloseSocket (SockRaw); exit (0);}} void TSniffer :: AddReceiveData (RECEIVEINFO * ReceiveInfo) {TListItem * Item; Item = Form1-> ListView1-> Items-> Add (); Item-> Caption = ReceiveInfo-> szProtocol; Item-> SubItems-> Add (ReceiveInfo- > szSourceIP); Item-> SubItems-> Add (IntToStr (ReceiveInfo-> iSourcePort)); Item-> SubItems-> Add (ReceiveInfo-> szDestIP); Item-> SubItems-> Add (IntToStr (ReceiveInfo-> iDestPort) ); Item-> Subitems-> Add (ReceiveInfo-> ITTL); item-> Subitems-> Add (ITTOSTR (ReceiveInfo-> ibufsize); item-> subs-> add (receiveInfo-> tcpflag); Item-> Subitems-> Add (ReceiveInfo-> length)); item-> subs-> add (receiveInfo-> iicmpty); item-> subs-> add (receiveInfo-> iicmpcode); try {ipiem-> Subitems-> add (receiveInfo-> receivedata); item-> subs-> add (receiveInfo-> receivedudpdata);} catch (...) {}} void Tsniffer :: removedata () {MEMSET (Recvbuf, 0, Sizeof (Recvbuf); iERRORCODE = RE CV (SockRaw, Recvbuf, SizeOf (Recvbuf), 0); Checksockerror (IrrorCode, "RECV"); IrrorCode = DecodeipPack (Recvbuf, IerrorCode); Checksockerror (IrrorCode, "Decode");} head File//---------------------------------------------- ----------------------------- #ifndef sniferthreadh # define sniffReadh // ---------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- # include #define status_failed 0xfffFFFF // Define Unusual Error Code #define Max_Pack_LEN 655350 // Received maximum IP packet #define max_addr_len 16 // points Detail address The maximum length #define max_proto_text_len 16 // Sub-protocol name (such as "TCP") Maximum length #define max_proto_num 12 // Sub-protocol quantity #define max_hostname_lan 255 // Maximum host name length #define cmd_param_help True Typedef struct _iphdr {unsigned char h_lenver; // 4 top length 4-bit IP version number UNSigned char TOS; // 8 bit service type TOS unsigned short total_len; // 16-bit total length (byte) unsigned short ide; / / 16-bit identifier Unsigned short frag_and_flags; // 3 bit flag bit unsigned char TTL; // 8-bit survival time TTL unsigned char proto; // 8-bit protocol (TCP, UDP or Others) Unsigned short checksum; // 16-bit IP header checksum unsigned int sourceip; // 32 bitsource IP address unsigned int desip; // 32 bit IP address}}}}}}}} ip_header; TYPEDEF STRUCT _TCPHDR / / Define TCP header {ushort th_sport; // 16-bit source port Ushort TH_DPORT; / / 16-bit destination port unsigned int th_seq; // 32-bit serial number UNSIGNED INT TH_ACK; / / 32 bit confirmation number UNSIGNED CHAR TH_LENRES ; // 4 top length / 6 reserved word unsigned char th_flag; // 6-bit flag bit Ushort TH_WIN; / / 16-bit window large Small USHORT TH_SUM; / / 16-bit checks and ushort t_urp; // 16 in an emergency According to offset} TCP_HEADER; TYPEF STRUCT _UDPHDR / / Define UDP header {UNSIGNED SHORT UH_SPORT; / / 16-bit source port unsigned short uh_dport; // 16-bit destination port unsigned short uh_len; // 16 length UNSIGNED SHORT UH_SUM; // 16 bit checksum} UDP_HEADER; Typedef struct _ICMphdr // Defines ICMP header {byte i_type; // 8-bit type Byte i_code; // 8-bit code ushort i_cksum; // 16 bit check and ushort i_id; // identification number (general Using the process number as the identification number) Ushort i_seq; // message serial number Ulong timestamp; // Timestamp} ICMP_HEADER; Typedef struct _protomap // Define sub-protocol mapping table {int protonum; char prototext [MAX_PROTO_TEXT_LEN];} Protomap; typedef struct _receiveinfo {char * szProtocol; char * szSourceIP; int iSourcePort; char * szDestIP; int iDestPort; int iTTL; int Length; char TcpFlag [6]; int iBufSize; char iIcmpType; char iIcmpCode; char * ReceiveData; AnsiString ReceiveUdpData; } ReceiveInfo; Protomap protomap [MAX_PROTO_NUM] = {// Prevent the sub-protocol map table assignment {ipproto_ip, "ip"}, {ipproto_IGMP, "IGMP"}, {ipproto_ggp, "ggp"}} {IpProto_TCP, "TCP"}, {ibproto_pup, "pup"}, {ipproto_udp, "udp"}, {ipproto_idp, "idp"}, {ipproto_nd, "np"}, {ipproto_raw, "raw"}, {ipproto_max , "Max"}, {null, "}}; Class Tsniffer: Public TTHREAD {Private: INT Decodeippack (CHAR *, INT); // IP Unpacking Function INT DecodeCPPack (CHAR *, INT); // TCP Unpacking Function INT DecodeudPPack (Char *, Int); // UDP Unpacking function int decodeicmppack (char *, int); // iCMP unpacking function void checksockerror (int, char *); // error handling function char * checkprotocol (int); // protocol check void snifferinit (); void addreceivedata (RECEIVEINFO * ReceiveInfo); void ReceiveData (); protected: void __fastcall Execute (); public: SOCKET SockRaw; bool MParamTcp; // attention TCP packets bool MParamUdp; // attention UDP packets bool MParamIcmp; // attention to the ICMP Bool mParamDecode; // Decoding the protocol Char tcpflag [6]; // Defines TCP flag char * strfromipfilter; // Source IP address filtering char * strDestipFilter; // destination address filter char * strsensitive; // sensitive string INT iPortFilter; // Port filter int iprotocol, ittl; char szprotocol [max_proto_text_len]; char szsourceip [max_addr_len], SZD Estip [MAX_ADDR_LEN]; Char OtherInfo [100]; INT Ierrorf [MAX_PAX_PACK_LEN]; __fastcall Tsniffer (Bool createSuspend);}; // ----------------- -------------------------------------------------- ------ # endiflovemagic: Recommend Ethereal 0.9.14 to everyone, it also calls WinPCAP3.0, which now supports data files for various captain software, including TCPDump and etherealsnoop (incrssion shomiti) and atmsnooplanalyzersnifer (Compressed or uncompressed) Microsoft Network MonitorAIX's iptraceNetXraySniffer ProRADCOM's WAN / LAN analyzerLucent / Ascend router debug outputHP-UX's nettlthe dump output from Toshiba's ISDN routersi4btrace from the ISDN4BSD project and it is ported from the Linux over, there are free source code. A few days ago, I finalized WinPCap's document. If anyone wants, please go to the topic development version to give a message: http://expert.9cbs.net/EXPERT/TOPIC/2465/2465797.xml? Temp = .4748651 I hope that everyone will have no time to have something to go. The topic development version of the new development network security and database version, I hope everyone can travel to exchange!!
