I also posted an article: Win2K command line Guniffer source code (including Mstcpip.h)

Guniffer.cpp file:

/// / / / Guniffer for win2k by shotgun /// //////////////////////////////////////////////////////////////////////// HomePage: ////.com /// [http://it.xici.net] //// [http://www.patching.net] /// / //// # include #include #include #include #include

#define status_failed 0xffff File: // Define Exception Error Code #define Max_Pack_LEN 65535 File: // Received Maximum IP Packet #define Max_addr_len 16 File: // Dot Detained Address Maximum Length #define Max_Proto_Text_len 16 File: // Agreement name (such as "TCP") maximum length #define max_proto_num 12 file: // Sub protocol Number #define max_hostname_lan 255 file: // Maximum host name length #define cmd_Param_help True

Typedef struct _iphdr {unsigned char h_lenver; file: // 4 top length 4-bit IP version number unsigned char TOS; file: // 8 bit service type TOS unsigned short total_len; file: // 16 bit total length (byte ) UNSIGNED SHORT IDENT; File: // 16 Bit Number Unsigned Short Frag_and_Flags; File: // 3 Bit Number Unsigned Char Ttl; File: // 8 Bit Survival Tetl Unsigned Char Proto; File: // 8 Protocol (TCP , UDP or other) UNSIGNED Short Checksum; File: // 16-bit IP header checks and unsigned int sourceip; file: // 32 Bit source IP address unsigned int desip; file: // 32 bit ip address} ip_header;

Typedef struct _tcphdr file: // Define TCP header {ushort tr_sport; file: // 16-bit source port USHORT TH_DPORT; File: // 16-bit destination port unsigned int th_seq; file: // 32-bit serial number unsigned int th_ack; file : // 32-bit confirmation number Unsigned char th_lenres; file: // 4 top length / 6 position reserved word unsigned char th_flag; file: // 6 bit flag bit Ushort TH_WIN; File: // 16-bit window size ushort th_sum; File: // 16-bit checksum Ushort TH_URP; File: // 16-bit emergency data offset} TCP_HEADER;

Typedef struct _udphdr file: // Defines the UDP header {UNSIGNED SHORT UH_SPORT; File: // 16 Bit source port UNSIGNED SHORT UH_DPORT; File: // 16 - bit Destination Port Unsigned Short Uh_len; File: // 16 - length UNSIGNED SHORT UH_SUM; File: // 16-bit checksum} udp_header; typedef struct _icphdr file: // Defines ICMP header {byte i_type; file: // 8-bit type Byte i_code; file: // 8-bit code ushort i_cksum; file: // 16-bit checksum usort i_id; file: // identifier number (general procedure number as an identification number) ushort i_seq; file: // message serial number Ulong timestamp; file: // Time stamp} ICMP_HEADER;

Typedef struct _protomap file: // Define sub-protocol mapping table {int protonum; char prototext [MAX_PROTO_TEXT_LEN];

Protomap proto = {file: / / For sub-protocol mapping table assignment {ipProto_IP, "IP"}, {ibproto_icmp, "IGMP"}} {ibproto_ggp, "ggp"}} { Ipproto_tcp, "tcp"}, {ibproto_pup, "pup"}}}} {ipproto_idp, "iPP"}}} {ipproto_nd, "np"}} {ipproto_raw, "raw"}} {ipproto_max, "Max"}, {null, "}};

Socket SockRaw; char TCPFLAG [6] = {'f', 's', 'r', 'p', 'a', 'u'}; file: // Defines TCP flag BOOL paramtcp = false; // -T pay attention to TCP packet BOOL paramudp = false; // -u Follow UDP packet BOOL paramicMP = false; // -i Follow ICMP Packet BOOL Paramdecode = false; // -d to decode Char * strfromipfilter = null ; // Source IP Address Filter Char * STRDESTIPFILTER = NULL; // Destination Address Filter CHAR * STRSENSITIVE = NULL; // Sensitive String INT iPortFilter = 0; // Port Filter INT IPROTOCOL, ITTL; Char Szprotocol [MAX_PROTO_TEXT_LEN]; char SzsourceIP [MAX_ADDR_LEN], SZDestip [MAX_ADDR_LEN];

INT decodeippack (char *, int); file: // IP unpacking function int decodetcppck (char *, int); file: // TCP unpacking function int decodeudppck (char *, int); file: // udp unpack Function int decodeicmppack (char *, int); file: // ICMP unpack function void checksockerror (int, char *); file: // error handler char * checkprotocol (int); file: // protocol check void usage Void); file: // Use the instructions Bool getCmdline (int, char **); file: // command line parameter processing

Void main (int Argc, char ** argv) {int erRrorcode; char recvbuf [MAX_PACK_LEN] = {0}; usage (); if (getcmdline (argc, argv) == cmd_param_help) exit (0); File: // initialization SOCKET WSADATA wsaData; iErrorCode = WSAStartup (MAKEWORD (2,1), & wsaData); CheckSockError (iErrorCode, "WSAStartup"); SockRaw = socket (AF_INET, SOCK_RAW, IPPROTO_IP); CheckSockError (SockRaw, "socket"); file: // Get the local IP address of the char FAR name [MAX_HOSTNAME_LAN]; iErrorCode = gethostname (name, MAX_HOSTNAME_LAN); CheckSockError (iErrorCode, "gethostname"); struct hostent FAR * pHostent; pHostent = (struct hostent *) malloc (sizeof (struct hostent)); pHostent = gethostbyname (name); SOCKADDR_IN sa; sa.sin_family = AF_INET; sa.sin_port = htons (6000); memcpy (& sa.sin_addr.S_un.S_addr, pHostent-> h_addr_list [0], pHostent-> h_length; free (phostent); IrrorCode = Bind (SockRaw, (psockaddr) & sa, sizeof (sa)); checksockerror (iERRORCODE, "Bind"); file: // Sets SOCK_RAW to SiO_RCVALL to receive all IP packets DWORD DWBufferlen [10]; dword dwbufferinlen = 1; DWORD DWBYTESRETURNED = 0; i ErrorCode = WSAIoctl (SockRaw, SIO_RCVALL, & dwBufferInLen, sizeof (dwBufferInLen), & dwBufferLen, sizeof (dwBufferLen), & dwBytesReturned, NULL, NULL); CheckSockError (iErrorCode, "Ioctl"); file: // listening IP packets while (1 ) {memset (recvBuf, 0, sizeof (recvBuf)); iErrorCode = recv (SockRaw, recvBuf, sizeof (recvBuf), 0); CheckSockError (iErrorCode, "recv"); iErrorCode = DecodeIpPack (recvBuf, iErrorCode); CheckSockError ( Irrorcode, "decode");}}

file: // IP unpacking procedure int DecodeIpPack (char * buf, int iBufSize) {IP_HEADER * pIpheader; SOCKADDR_IN saSource, saDest; pIpheader = (IP_HEADER *) buf; file: // protocol screening iProtocol = pIpheader-> proto; strncpy (szProtocol, CheckProtocol (iProtocol), MAX_PROTO_TEXT_LEN); if (! (iProtocol == IPPROTO_TCP) && (ParamTcp)) return true; if (! (iProtocol == IPPROTO_UDP) && (ParamUdp)) return true; if ((iProtocol = = IPPROTO_ICMP) && (ParamIcmp)) return true; file:! // source address saSource.sin_addr.s_addr = pIpheader-> sourceIP; strncpy (szSourceIP, inet_ntoa (saSource.sin_addr), MAX_ADDR_LEN); if (strFromIpFilter) if (strcmp (strFromIpFilter, szSourceIP)) return true; file: // destination address saDest.sin_addr.s_addr = pIpheader-> destIP; strncpy (szDestIP, inet_ntoa (saDest.sin_addr), MAX_ADDR_LEN); if (strDestIpFilter) if (strcmp (strDestIpFilter, SZDESTIP)) Return True; ITTL = Pipheader-> TTL; file: // calculates the length IIPHLEN = SIZEOF (Pipheader-> h_lenver & 0xf); file: // call according to the protocol type Function Switch (iProtocol) {Case ipproto_tcp: decodetcppck (BUF iiphlen, iBufSize); break; case IPPROTO_UDP: DecodeUdpPack (buf iIphLen, iBufSize); break; case IPPROTO_ICMP: DecodeIcmpPack (buf iIphLen, iBufSize); break; default: break;} file: // printf ( "/ n"); Return true;} file: // protocol identification program char * checkprotocol (int iprotocol) {for (int i = 0; i

file: // TCP unpacking procedure int DecodeTcpPack (char * TcpBuf, int iBufSize) {TCP_HEADER * pTcpHeader; int i; int iSourcePort, iDestPort; pTcpHeader = (TCP_HEADER *) TcpBuf; file: // TCP header length calculation int TcpHeaderLen = pTcpHeader-> th_lenres >> 4; TcpHeaderLen * = sizeof (unsigned long); char * TcpData = TcpBuf TcpHeaderLen; file: // If the string is determined whether the filter contains sensitive if (strSensitive) if ((strstr (TcpData, strSensitive )) == NULL) RETURN TRUE; File: // Makes ISOURCEPORT = NTOHS (PTCPHEADER-> TH_SPORT); IDestport = NTOHS (PTCPHEADER-> TH_DPORT); if (iPortfilter) && (isourceport! = Iportfilter) && (IDestport! = iportfilter) Return true; file: // Output Printf ("% s", szprotocol); Printf ("% 15s:% 5D ->% 15s:% 5D", SzsourceIP, ISOOST, SZDestip, IDestport PRINTF ("TTL =% 3D", ITTL); File: // Judgment TCP flag NNSIGNED CHAR flagmask = 1; for (i = 0; i <6; i ) {IF ((ptcpheader-> th_flag) & flagmask ) PRINTF ("% C", tcpflag [i]); Else Printf ("-"); flagmask = flagmask << 1;} printf ("bytes =% 4D", ibufsize; printf ("/ n"); File: / / Data analysis for packets greater than 40 bytes (ip_header tcp_header = 40) IF ((Paramdecode) && (ibufsize> 40)) {file: // Analysis TCP Data Section IF ((! strsensitive) || (TCPDATA, STRSENSITIVE))) {Printf ("[DATA] / N"); Printf ("% s", tcpdata); Printf ("/ n [data end] / n / N / N");}} Return True;}

file: // UDP unpacking procedure int DecodeUdpPack (char * UdpBuf, int iBufSize) {UDP_HEADER * pUdpHeader; pUdpHeader = (UDP_HEADER *) UdpBuf; int iSourcePort = ntohs (pUdpHeader-> uh_sport); int iDestPort = ntohs (pUdpHeader-> UH_DPORT); File: // Filtering the port IF (iPortFilter) IF ((iDestport! = iportfilter) && (IDestport! = iportfilter) Return True; Printf ("% s", szprotocol); printf ("% 15s: % 5D ->% 15S:% 5D ", SzsourceIP, ISOURPORT, SZDestip, Idestport); Printf (" TTL =% 3D ", ITTL); Printf (" Len =% 4D ", NTOHS (Pudpheader-> UH_LEN); Printf ("Bytes =% 4D", IBUFSIZE); Printf ("/ n"); file: // Data analysis for packets greater than 28 bytes (IP_Header UDP_Header> 28) IF ((Paramdecode) && (iBUFSIZE) > 28)) {Printf ("[DATA] / N"); file: // UDP header length is 8 char * udpdata = udpbuf 8; file: // Analyze UDP data segment for (unsigned int i = 0; i <(iBUFSIZE-SIZEOF (UDP_Header)); i ) {if (! (i% 8)) Printf ("/ n"); if ((UDPData [i]> 33) && (udpdata [i] <122))) Printf ("% 3C [% 3X]", udpdata [i], udpdata [i]); Else Printf ("[% 3X]", ABS (udpdata [i])); }printf ("/ n [data end ] / n / n / n ");} Return True;

file: // ICMP unpacking procedure int DecodeIcmpPack (char * IcmpBuf, int iBufSize) {ICMP_HEADER * pIcmpHeader; pIcmpHeader = (ICMP_HEADER *) IcmpBuf; int iIcmpType = pIcmpHeader-> i_type; int iIcmpCode = pIcmpHeader-> i_code; file: / / Filter IF (iPortFilter) && (iicmpty "&& (iicmpty" & (iicmptype! = Iportfilter) Return True; Printf ("% s", szprotocol); file: // printf ("% 15s type% D ->% 15s code% D) ", szsourceip, Iicmptype, szdestip, Iicmpcode); Printf ("% 15S ->% 15S ", szSourceIP, SZDestip; Printf (" TTL =% 3D ", ITTL); Printf (" Type% 2D,% D ", Iicmptype, IicmpCode; Printf ("BYTES =% 4D", IBUFSIZE); Printf ("/ n"); file: // For data analysis IF ((Paramdecode> 28) for packets containing data segments & (ibufsize> 28)) {Char * icmpdata = ICMPBUF 4; file: // Analysis ICMP data segment printf ("[data]"); for (unsigned int i = 0; i <(ibufsize-sizeof (ICMP_HEADER)); i ) {IF ( ! (i% 8)) Printf ("/ n"); IF ((ICMPDATA [I]> 33) && (ICMPDATA [I] <122)) Printf ("% 3C [% 3X]", ICMPData [i] , ICMPDATA [I]); Else Printf ("[% 3X]", ABS (ICMPDATA [I]));} Printf ("/ N [Data end] / n / n / n");} return true;}

File: // Command line parameters Process Bool getCmdline (int Argc, char ** argv) {if (argc <2) Return cmd_param_help; for (int i = 1; i

File: // Use the description void usage (void) {Printf ("guniffer / n"); Printf ("/ tsinffer for win2k by shotgun (Ver 0.3) / N"); Printf ("/ tshotgun@xici.net/n "); Printf (" /thttp://it.xici.net/n "); printf (" /thttp://www.patch "); Printf (" usage: / n ") PRINTF ("/ T / T / TCP PACKETS / N"); Printf ("/ T / U OTPUT UDP Packets / N"); Printf ("/ T / I Output ICMP Packets / N"); Printf ("/ T / P Decode Packets (Default Off) / N "); Printf (" / T / F: fromip Output Packets fromip = fromip (Default All) / N "); Printf (" / T / D: Destip Output Packets Destip = DESTIP (DEFAULT ALL) / N "); Printf (" / T / S: String Output Packets include SENSITIVE STRING (TCP Only) / N "); Printf (" / T / O: Port Output Packets from Or To The Port) ICMP IS TYPE) / N "); Printf (" eXample: / n "); Printf (" / tguniffer.exe /dguniffer.log/n "); Printf (" / tguniffer.exe / t / u / f : 192.168.15.231/N "); Printf (" / tguniffer.exe / t / p / s: pass / n ");} file: // SOCK error handler Void Checksockerror (int IerrorCode, char * perror) {if (IrrorCode == Socket_ERROR) {Printf ("% s err OR:% D / N ", PerrorMsg, getLastError ()); ClosSocket (SockRaw); exit (0);}}

============================================================================================================================================================================================================= ======

The following is a mstcpip.h file:

// Copyright (c) Microsoft Corporation, 1996-1999 # ified_MSC_VER> 1000 # Pragma Once # Endif

/ * Argument structure for SiO_keepalive_vals * /

Struct tcp_keepalive {u_long onoff; u_long keepalivetime; u_long keypaliveinterval;}; // new WSAIOCTL OPTIONS

#define SIO_RCVALL _WSAIOW (IOC_VENDOR, 1) #define SIO_RCVALL_MCAST _WSAIOW (IOC_VENDOR, 2) #define SIO_RCVALL_IGMPMCAST _WSAIOW (IOC_VENDOR, 3) #define SIO_KEEPALIVE_VALS _WSAIOW (IOC_VENDOR, 4) #define SIO_ABSORB_RTRALERT _WSAIOW (IOC_VENDOR, 5) #define SIO_UCAST_IF _WSAIOW ( IOC_VENDOR, 6) #define SIO_LIMIT_BROADCASTS _WSAIOW (IOC_VENDOR, 7) #define SIO_INDEX_BIND _WSAIOW (IOC_VENDOR, 8) #define SIO_INDEX_MCASTIF _WSAIOW (IOC_VENDOR, 9) #define SIO_INDEX_ADD_MCAST _WSAIOW (IOC_VENDOR, 10) #define SIO_INDEX_DEL_MCAST _WSAIOW (IOC_VENDOR, 11)