Learning TCP/IP with Sniffer Pro (1)
2003/10/28
YDZQW
Note: you should already know Sniffer Pro; if you don't, search Google for it :)
It is best to have a copy of "TCP/IP Illustrated, Volume 1: The Protocols" at hand.
These past two days I have been reading "TCP/IP Illustrated" and kept feeling that some parts don't go deep enough, so I wrote a small program and, together with Sniffer, am chewing through it slowly.
The program is as follows:
--------------------------------------------------------------------------------
// Server: build as a Win32 console program and link with ws2_32.lib
#include <winsock2.h>
#include <windows.h>
#include <iostream>
#include <cstring>
using namespace std;

int main()
{
    WORD wVer;
    WSADATA wsaData;
    // WSAStartup
    wVer = MAKEWORD(1, 1);
    if (WSAStartup(wVer, &wsaData))
    {
        cout << "WSAStartup error!";
        return 1;
    }
    // socket init
    SOCKET sock;
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        cout << "socket error!";
        return 1;
    }
    // bind, listen and accept
    sockaddr_in sockadr;
    memset(&sockadr, 0, sizeof(sockadr));
    sockadr.sin_family = AF_INET;
    sockadr.sin_addr.s_addr = htonl(INADDR_ANY);
    sockadr.sin_port = htons(6666);
    if (bind(sock, (sockaddr *)&sockadr, sizeof(sockadr)))
    {
        cout << "bind error!";
        return 1;
    }
    if (listen(sock, 5))
    {
        cout << "listen error!";
        return 1;
    }
    SOCKET sock_svr;
    sockaddr_in sockadr_svr;
    int ilen = sizeof(sockadr_svr);
    // accept blocks here; if you want to exit the program at this point, how do you do it?
    sock_svr = accept(sock, (sockaddr *)&sockadr_svr, &ilen);
    if (sock_svr == INVALID_SOCKET)
    {
        cout << "accept error!";
        return 1;
    }
    // select and recv
    fd_set rdfs;
    timeval tv;
    char buf[1024 * 2];
    int retval;
    int recv_err;
    tv.tv_sec = 5;
    tv.tv_usec = 0;
    for (;;)
    {
        FD_ZERO(&rdfs);
        FD_SET(sock_svr, &rdfs);
        retval = select(0, &rdfs, NULL, NULL, &tv);
        memset(buf, 0, sizeof(buf));
        if (retval > 0)
        {
            // leave the last byte zero so buf stays NUL-terminated for cout
            recv_err = recv(sock_svr, buf, sizeof(buf) - 1, 0);
            if (recv_err <= 0)   // 0: peer closed the connection; SOCKET_ERROR: failure
            {
                closesocket(sock_svr);
                break;
            }
            else
            {
                cout << buf;
            }
        }
    }
    closesocket(sock);
    WSACleanup();
    return 0;
}
--------------------------------------------------------------------------------
// Client: build as a Win32 console program and link with ws2_32.lib
#include <winsock2.h>
#include <windows.h>
#include <iostream>
#include <cstring>
using namespace std;

int main()
{
    WORD wVer;
    WSADATA wsaData;
    // WSAStartup
    wVer = MAKEWORD(1, 1);
    if (WSAStartup(wVer, &wsaData))
    {
        cout << "WSAStartup error!";
        return 1;
    }
    // socket init
    SOCKET sock;
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        cout << "socket error!";
        return 1;
    }
    // connect and send
    sockaddr_in sockadr;
    memset(&sockadr, 0, sizeof(sockadr));
    sockadr.sin_family = AF_INET;
    // When the server is on this same machine the loopback interface is used and
    // Sniffer cannot capture the data; Windows presumably handles this at a lower layer.
    sockadr.sin_addr.s_addr = inet_addr("192.168.1.81");
    sockadr.sin_port = htons(6666);
    if (connect(sock, (sockaddr *)&sockadr, sizeof(sockadr)) == SOCKET_ERROR)
    {
        cout << "connect error!";
        return 1;
    }
    // Where does the data get split up? At the IP layer? The TCP layer?
    char test[2000];
    memset(test, 65, sizeof(test));   // 2000 bytes of 'A'
    test[sizeof(test) - 1] = 'b';     // only lets us check whether everything arrived
    if (send(sock, test, sizeof(test), 0) == SOCKET_ERROR)
    {
        cout << "send error!";
        return 1;
    }
    // Sleep(1000); // wait for the server's response packet before closing
    // close and WSACleanup
    if (closesocket(sock))
    {
        cout << "closesocket error!";
        return 1;
    }
    if (WSACleanup())
    {
        cout << "WSACleanup error!";
        return 1;
    }
    return 0;
}
--------------------------------------------------------------------------------
Change the 192.168.1.81 in the client to the IP address of the machine the server runs on. The client and server cannot be on the same machine (this puzzles me too), otherwise the sniffer can't capture the data.
Start Sniffer Pro (Capture -> Start), then run the server and then the client. Once the programs have finished, stop and display in Sniffer Pro (Capture -> Stop and Display). It doesn't matter that the programs have already exited; what we want is what Sniffer captured. Click Decode in the panel and we can begin.
Look at the figure above: frames No. 12 to No. 21 (of course they won't necessarily be 12-21 when you run it on your machine) are the whole process of this transmission. 12, 13 and 14 are the three-way handshake that establishes the connection (DDoS attacks exploit a weakness in the three-way handshake; see "TCP/IP Illustrated" p. 176). 15 and 16 are the data transfer (there is a data fragmentation issue here, described in detail below). 17, 19, 20 and 21 are the four-way handshake that tears down the connection, and 18 is the response packet, the acknowledgement of the data transferred in 15 and 16. Because closesocket is called immediately after send, the response packet comes after the connection-termination request; if you Sleep(1000) after send, this won't happen. I also wondered how there could be five handshakes; what I say here is not necessarily correct, I only raise it so everyone takes care.
Below we start on the structure of the data packets:
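As an added example (not the post's own code), here is a small C++ decoder for the IPv4/TCP headers of captured frames that labels each one the way the Sniffer decode of frames 12 to 21 reads: handshake, data, acknowledgement and teardown. The ten frames it builds are constructed, not captured; the client port 1025, the initial sequence numbers and the 1460-byte Ethernet MSS that splits the 2000-byte send into two segments are assumptions.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Decoded view of one TCP segment, roughly one line of the Sniffer decode pane.
struct Segment { std::string label; uint32_t seq, ack; size_t payload; };
static uint32_t rd(const uint8_t* p, int n) { uint32_t v = 0; while (n--) v = (v << 8) | *p++; return v; }
static void wr(uint8_t* p, int n, uint32_t v) { while (n--) { p[n] = uint8_t(v); v >>= 8; } }

// Constructed IPv4+TCP frame (20-byte IP header, 20-byte TCP header, 'A' payload); checksums
// stay zero because this is synthetic decoder input, not a real capture.
std::vector<uint8_t> mkFrame(uint16_t sport, uint16_t dport, uint32_t seq, uint32_t ack,
                             uint8_t flags, size_t payload) {
    std::vector<uint8_t> f(40, 0); f.insert(f.end(), payload, 'A');
    f[0] = 0x45; wr(&f[2], 2, uint32_t(f.size())); f[9] = 6;   // IPv4, IHL 5, total length, proto TCP
    uint8_t* t = &f[20]; wr(t, 2, sport); wr(t + 2, 2, dport); wr(t + 4, 4, seq); wr(t + 8, 4, ack);
    t[12] = 0x50; t[13] = flags;                                // data offset 5 words, flag bits
    return f;
}

// Parse an IPv4 packet carrying TCP (no Ethernet header) and label it; throws on malformed input.
Segment decode(const std::vector<uint8_t>& pkt) {
    if (pkt.size() < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) throw std::runtime_error("not IPv4/TCP");
    size_t ihl = (pkt[0] & 0x0f) * 4, total = rd(&pkt[2], 2);
    if (ihl < 20 || total > pkt.size() || ihl + 20 > total) throw std::runtime_error("bad IP length");
    const uint8_t* t = &pkt[ihl]; size_t doff = (t[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total) throw std::runtime_error("bad TCP data offset");
    uint8_t fl = t[13];
    Segment s{"", rd(t + 4, 4), rd(t + 8, 4), total - ihl - doff};
    if (fl & 0x04) s.label = "RST";
    else if (fl & 0x02) s.label = (fl & 0x10) ? "SYN/ACK" : "SYN";   // handshake: frames 12, 13
    else if (fl & 0x01) s.label = (fl & 0x10) ? "FIN/ACK" : "FIN";   // teardown: frames 17, 20
    else s.label = s.payload ? "DATA" : "ACK";                       // 15, 16 carry data; 14, 18, 19, 21 are bare ACKs
    return s;
}

// The ten frames the post describes (12-21), rebuilt synthetically. Assumed: client port 1025,
// initial sequence numbers 1000/5000, Ethernet MSS 1460 (so the 2000-byte send goes as 1460 + 540).
std::vector<std::string> sessionLabels() {
    const uint8_t SYN = 0x02, ACK = 0x10, FIN = 0x01; const uint32_t c = 1000, s = 5000;
    std::vector<std::vector<uint8_t>> frames = {
        mkFrame(1025, 6666, c, 0, SYN, 0), mkFrame(6666, 1025, s, c + 1, SYN | ACK, 0),                  // 12 SYN, 13 SYN/ACK
        mkFrame(1025, 6666, c + 1, s + 1, ACK, 0), mkFrame(1025, 6666, c + 1, s + 1, ACK, 1460),         // 14 ACK, 15 first data
        mkFrame(1025, 6666, c + 1461, s + 1, ACK, 540), mkFrame(1025, 6666, c + 2001, s + 1, FIN | ACK, 0), // 16 rest, 17 client FIN right after send
        mkFrame(6666, 1025, s + 1, c + 2001, ACK, 0), mkFrame(6666, 1025, s + 1, c + 2002, ACK, 0),      // 18 acks data, 19 acks FIN
        mkFrame(6666, 1025, s + 1, c + 2002, FIN | ACK, 0), mkFrame(1025, 6666, c + 2002, s + 2, ACK, 0)}; // 20 server FIN, 21 last ACK
    std::vector<std::string> out;
    for (const auto& f : frames) out.push_back(decode(f).label);
    return out;
}
```

Running decode over a real capture would need the Ethernet header stripped first (14 bytes on plain Ethernet II), which the constructed frames omit.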