One. The principle behind capturing packets:
Normally, a socket program for network communication only receives data frames that either match the host's hardware (MAC) address or are sent as broadcasts. Frames of any other kind, for example those addressed to another host on the same segment, are discarded by the network interface once it has checked the destination address, so the application never receives packets that are not meant for it.
So, if we want to see every packet flowing past the network device, we need a slightly special means:
Set the NIC to promiscuous mode.
In this mode the host's network card captures every packet and frame that reaches it, not just those addressed to it. Keep in mind that on a switched network the switch only forwards to our port the frames destined for us (plus broadcast and flooded traffic), so promiscuous mode alone sees far less there than on a shared hub.
Be aware, though, that this kind of interception only copies packets; it cannot block them. To actually cut off network traffic you need lower-level means (such as a filter driver), which are outside the scope of this article.
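To make the NIC's normal filtering concrete, here is an added example (mine, not code from the original article) in portable C that models the adapter's destination-address check on constructed Ethernet frames and shows what changes in promiscuous mode. The MAC addresses and frames are constructed for the demo, and it goes one step beyond the text above by including the multicast case (group bit set in the first destination octet), which a card in normal mode also passes up.

```c
#include <stdint.h>
#include <string.h>

/* Ethernet II header: 6-byte destination, 6-byte source, 2-byte EtherType. */
#define ETH_ALEN 6
#define ETH_HLEN 14

static const uint8_t kBroadcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Returns 1 if the adapter would pass this frame up to the host, 0 if it would
 * silently drop it. In normal mode the card accepts frames addressed to its own
 * MAC, to the broadcast address, or to a multicast group (low bit of the first
 * destination octet set). In promiscuous mode the destination is not checked. */
int nic_accepts(const uint8_t *frame, size_t len, const uint8_t *own_mac, int promiscuous)
{
    if (len < ETH_HLEN) return 0;              /* runt frame: no complete header */
    if (promiscuous) return 1;
    const uint8_t *dst = frame;                /* destination MAC is the first 6 bytes */
    if (memcmp(dst, own_mac, ETH_ALEN) == 0) return 1;
    if (memcmp(dst, kBroadcast, ETH_ALEN) == 0) return 1;
    if (dst[0] & 0x01) return 1;               /* group (multicast) address */
    return 0;
}

/* Count how many of n frames in a trace would reach the host. */
size_t count_accepted(const uint8_t *const *frames, const size_t *lens, size_t n,
                      const uint8_t *own_mac, int promiscuous)
{
    size_t seen = 0;
    for (size_t i = 0; i < n; i++)
        seen += (size_t)nic_accepts(frames[i], lens[i], own_mac, promiscuous);
    return seen;
}

/* Constructed sample (hypothetical addresses): our MAC is 02:00:00:00:00:01,
 * a neighbour's is 02:00:00:00:00:02. EtherType 0x0800 = IPv4, 0x0806 = ARP. */
static const uint8_t kOurMac[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t kToUs[ETH_HLEN]   = {0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0x02, 0x08, 0x00};
static const uint8_t kToPeer[ETH_HLEN] = {0x02, 0, 0, 0, 0, 0x02, 0x02, 0, 0, 0, 0, 0x03, 0x08, 0x00};
static const uint8_t kBcast[ETH_HLEN]  = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0, 0, 0, 0, 0x02, 0x08, 0x06};
static const uint8_t kMcast[ETH_HLEN]  = {0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb, 0x02, 0, 0, 0, 0, 0x02, 0x08, 0x00};

/* How many of the four sample frames are delivered: 3 in normal mode (the
 * frame for the peer is dropped), 4 in promiscuous mode. */
size_t sample_delivered(int promiscuous)
{
    const uint8_t *frames[] = {kToUs, kToPeer, kBcast, kMcast};
    const size_t lens[] = {ETH_HLEN, ETH_HLEN, ETH_HLEN, ETH_HLEN};
    return count_accepted(frames, lens, 4, kOurMac, promiscuous);
}
```

The only frame that changes category between the two modes is the one addressed to the neighbour; that is exactly the traffic a sniffer is after, and exactly what the NIC drops in hardware unless promiscuous mode is on.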
Two. Programming a packet capture:
1. Raw Socket implementation
Unlike the stream (SOCK_STREAM) and datagram (SOCK_DGRAM) sockets we normally use, a raw socket has to be configured with the WSAIoctl() function after it is created. WSAIoctl is declared like this:
    int WSAIoctl(
        SOCKET s,
        DWORD dwIoControlCode,
        LPVOID lpvInBuffer,
        DWORD cbInBuffer,
        LPVOID lpvOutBuffer,
        DWORD cbOutBuffer,
        LPDWORD lpcbBytesReturned,
        LPWSAOVERLAPPED lpOverlapped,
        LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
    );
Although it has a lot of parameters, the only one we care about is the second, the control code, which we set to SIO_RCVALL. That sounds like a lot of talk, but all this actually does is tell the driver to hand every IP packet the bound interface receives to this socket. Simple, isn't it? ^_^
We could also specify whether the socket handles the IP header itself (the IP_HDRINCL option), but that is not necessary here: on Windows, data received on a raw socket always includes the IP header, and IP_HDRINCL only matters when building outgoing packets.
The complete code looks like the following; the key steps (shown in bold in the original) are marked with comments:
(To keep the code readable, error handling is omitted here and in the rest of the article.)
    #include <winsock2.h>
    #include <mstcpip.h>                 // defines SIO_RCVALL and RCVALL_ON on newer SDKs
    #ifndef SIO_RCVALL
    #define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)   // fall back to the raw control code
    #endif

    SOCKET snifferSocket;
    WSADATA wsaData;
    int iFlag = WSAStartup(MAKEWORD(2, 2), &wsaData);       // load Winsock.dll
    snifferSocket = WSASocket(AF_INET,                      // create the raw socket
                              SOCK_RAW, IPPROTO_IP, NULL, 0, WSA_FLAG_OVERLAPPED);

    char name[128];                                         // get this machine's IP address
    gethostname(name, sizeof(name));
    struct hostent *pHostent = gethostbyname(name);

    SOCKADDR_IN sa;                                         // fill in the sockaddr_in structure
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6000);   // the port number can be changed, but must not conflict with the system
    memcpy(&sa.sin_addr, pHostent->h_addr, pHostent->h_length);
    bind(snifferSocket, (LPSOCKADDR)&sa, sizeof(sa));       // bind to a specific local interface (required for SIO_RCVALL)

    // Set the IOCTL to receive all network data: the key step
    DWORD dwBufferLen[10];
    DWORD dwBufferInLen = 1;                                // 1 == RCVALL_ON
    DWORD dwBytesReturned = 0;
    WSAIoctl(snifferSocket, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen),
             &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned, NULL, NULL);
At this point sniffing can actually begin: packets are received with the ordinary recv() function, and each call returns one complete IP datagram starting with its IP header. Two practical notes: SIO_RCVALL requires the socket to be bound to a real interface address (not INADDR_ANY) and the process to run with administrator privileges, otherwise the WSAIoctl call fails. Because the receiving code depends on which socket model is used (blocking, select, overlapped I/O and so on) and differs considerably between them, it is not given here.
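Whatever socket model is used, the buffer that recv() fills on a SIO_RCVALL socket has the same shape: an IPv4 header followed by the transport header and payload. The following added example (mine, not code from the original article) is a portable C parser for such a buffer, with a constructed TCP segment standing in for what recv() would return; the addresses and payload in it are made up for the demo. The point a practitioner should take from it is that every length read out of the packet is checked against the number of bytes actually received, since a crafted or truncated datagram can claim more than is there.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fields pulled out of one datagram returned by recv() on the SIO_RCVALL socket. */
typedef struct {
    uint8_t  protocol;            /* 6 = TCP, 17 = UDP, 1 = ICMP */
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;  /* 0 when the protocol has no ports */
    size_t   payload_off;         /* offset of the transport payload in the buffer */
    size_t   payload_len;
} ip_pkt_t;

/* Network byte order is big-endian; read fields without relying on ntohs/ntohl. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse buf[0..len) as an IPv4 datagram plus transport header.
 * Returns 0 on success, -1 if the buffer is not a well-formed IPv4 datagram
 * or claims more bytes than recv() actually delivered. Checksums are not verified. */
int parse_ipv4(const uint8_t *buf, size_t len, ip_pkt_t *out)
{
    if (len < 20) return -1;
    if ((buf[0] >> 4) != 4) return -1;                /* version must be 4 */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;         /* header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    size_t total = rd16(buf + 2);                     /* total length field */
    if (total < ihl || total > len) return -1;        /* never trust it past the buffer */
    memset(out, 0, sizeof *out);
    out->protocol = buf[9];
    out->src_ip = rd32(buf + 12);
    out->dst_ip = rd32(buf + 16);
    const uint8_t *l4 = buf + ihl;
    size_t l4len = total - ihl;
    size_t hdr = 0;                                   /* for ICMP etc. the payload starts at l4 */
    if (out->protocol == 6) {                         /* TCP: data offset in header byte 12 */
        if (l4len < 20) return -1;
        hdr = (size_t)(l4[12] >> 4) * 4;
        if (hdr < 20 || hdr > l4len) return -1;
        out->src_port = rd16(l4); out->dst_port = rd16(l4 + 2);
    } else if (out->protocol == 17) {                 /* UDP: fixed 8-byte header */
        if (l4len < 8) return -1;
        hdr = 8;
        out->src_port = rd16(l4); out->dst_port = rd16(l4 + 2);
    }
    out->payload_off = ihl + hdr;
    out->payload_len = l4len - hdr;
    return 0;
}

/* Render a.b.c.d for display. */
void fmt_ip(uint32_t ip, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

/* Constructed sample: a TCP segment 192.168.1.10:40000 -> 10.0.0.5:80 carrying
 * "GET / HTTP/1.0\r\n" (16 bytes). Total length = 20 + 20 + 16 = 56 bytes.
 * In the real program this buffer is whatever recv(snifferSocket, ...) filled. */
static const uint8_t kSampleTcp[56] = {
    0x45, 0x00, 0x00, 0x38, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 168, 1, 10, 10, 0, 0, 5,
    0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0,
    'G', 'E', 'T', ' ', '/', ' ', 'H', 'T', 'T', 'P', '/', '1', '.', '0', '\r', '\n'
};

int main(void)
{
    ip_pkt_t p; char s[16], d[16];
    if (parse_ipv4(kSampleTcp, sizeof kSampleTcp, &p) != 0) return 1;
    fmt_ip(p.src_ip, s); fmt_ip(p.dst_ip, d);
    printf("proto %u %s:%u -> %s:%u, %zu payload bytes\n",
           p.protocol, s, p.src_port, d, p.dst_port, p.payload_len);
    return 0;
}
```

Feeding the same bytes with a shorter length (as if recv() returned only 40 bytes of a 56-byte datagram) makes parse_ipv4 reject the packet instead of reading past the buffer, which is the failure mode a sniffer that trusts the total-length field runs into.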
2. WinPcap implementation:
The WinPcap driver package is a fine piece of work. Its main purpose is to send and receive raw datagrams independently of the host's protocol stack (such as TCP/IP), and it mainly provides us with four capabilities:
1> Capture raw datagrams, both those destined for the local machine and, on a shared network, those exchanged between other hosts;
2> Filter out particular datagrams according to user-defined rules before they are passed to the application;
3> Send raw datagrams on the network;
4> Collect statistics during network communication.
If the environment allows it (for example, if what you are writing is not a Trojan program), I still recommend using WinPcap to capture packets, because it is more powerful and works more efficiently. Its only drawback is that the WinPcap driver has to be installed on the host before a program developed with it can run.
We will also find that it works better than the Raw Socket approach and does more; the most obvious reason is that the packets captured through a raw socket are incomplete (SIO_RCVALL delivers IP datagrams only, with no Ethernet header and no non-IP traffic such as ARP), but more on that later.
As for how to install and use it, please refer to the "hands-on guide to ARP packets" in this series, which describes in detail how to load the WinPcap driver ^_^
Without further ado, let us get to the point. Capturing packets with WinPcap involves the following steps:
A. Enumerate the network cards on this machine (mainly their names)
This is done with the pcap_findalldevs function, which is defined as:
    /**************************************************
    int pcap_findalldevs(pcap_if_t **alldevsp,
                         char *errbuf
                        );
    Function:
        Enumerate information about all network devices.
    Parameters:
        alldevsp: address of a pcap_if_t pointer. If pcap_findalldevs succeeds, it receives the head of a linked list of available NICs, i.e. a pointer to the first element.
        errbuf: buffer of at least PCAP_ERRBUF_SIZE bytes that receives the error message.
    Return value:
        int: 0 on success, -1 on error.
    **************************************************/
The full code for obtaining the NIC names with this function is as follows:
    #include <pcap.h>

    pcap_if_t *alldevs;
    pcap_if_t *d;
    char errbuf[PCAP_ERRBUF_SIZE];
    if (pcap_findalldevs(&alldevs, errbuf) == -1)   // get the device list
    {
        // errbuf now holds the error text
    }
    for (d = alldevs; d; d = d->next)               // enumerate the NICs, e.g. to fill a ComboBox
    {
        const char *nicName = d->name;  // d->name is the NIC name string we need; copy it into
                                        // your own variable, since the list is freed below
                                        // (d->description, which may be NULL, is the readable description)
    }
    pcap_freealldevs(alldevs);                      // release the list; d->name pointers are invalid after this