C++

Forum

 
Packet Sniffer

Jul 27, 2010 at 12:12am
JBtje (1)
Hello there,

A few years ago I found the source of a packet sniffer for C++. After some editing, I was able to use it to read the TCP connection of a certain game I play. Now, to create an additional program for this game I wanted to use my packet sniffer again, thought for some reason it does not capture all data. It does see there is a packet, but the datasize = 0 and also the data itself is filled with 0.

I used to run this program on my windows XP-32bit computer, but now I've got win-7-64bit / xp64 bit running on my PC's, so that could be an explanation for the fact that its only working half, thought I think there is something wrong in the code. Also I’m using Ms Visual C++ 2008, while I used to use an earlier version

I think the problem is in the structure of tcphdr, thought editing does not result in a solution (so far)

Also I'm a total n00b with C++, which might explain why I can’t figure it out :) (I do know PHP though and a little C#)

Best regards, and thank you for all the help!
Jeffrey

p.s. Why I'm not using winPcap? Because I'm able to continue working with software that works, as this program does for like 95%, but Im unable to find out how to make it work. I have no clue how I should make winPcap work and therefor I haven't used it.
p.p.s. Is it true u need to have winPcap installed on the computer to be able to run the software to use it? aka I compile my software while using winPcap, do I have to have winPcap installed on all the other pc's I want to run winPcap on ?


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
 
#pragma comment(lib, "ws2_32.lib")

#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <time.h>


/* packet header structures */
#pragma pack(push, 1)
struct iphdr {
	unsigned char ihl:4;
	unsigned char ver:4;

	unsigned char tos;
	unsigned short totlen;
	unsigned short id;
	unsigned short frag_and_flags;
	unsigned char ttl;
	unsigned char proto;
	unsigned short checksum;
	unsigned int src;
	unsigned int dst;
};

struct tcphdr {
	unsigned short sport;
	unsigned short dport;
	unsigned int   seq;
	unsigned int   acknum;
	unsigned char  unused:4;
	unsigned char  tcphl:4;
	unsigned char  Flags;
	unsigned short Windows;
	unsigned short cksum;
	unsigned short UrgPointer;
};

#pragma pack(pop)

#define HOSTNAME_LEN 1024
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)
#define PAKSIZE 65536

void init_opt(int, char **);
void init_net(void);
void die(char *);
void process_pak(char *, int);
void bind_to_interface(int);
void WriteData( const char* );

/* G L O B A L S */
SOCKET s0k;
short promiscuous=1;
int minSize = 30;

unsigned char NavyFieldHDR [48] = 
{4,   3,   2,   1};


// Pin Code versturen
// 04 03 02 01 01 61 01 80  00 00 00 00 00 00 00 00
// 04 00 00 00 XX XX XX XX  CC OO DD EE
[code]// File.cpp
#include "header.h"
#include <iostream>
using namespace std;


/* open raw socket, set promiscuous mode */
void init_net() {

	WSADATA w;
	SOCKADDR_IN sa;
	DWORD bytes;
	char hostname[HOSTNAME_LEN];
	struct hostent *h;
	unsigned int opt = 1;

	if (WSAStartup(MAKEWORD(2,2), &w) != 0)
		die("WSAStartup failed\n");

	if ((s0k = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET)
		die("unable to open raw socket\n");

	// use default interface
	if ((gethostname(hostname, HOSTNAME_LEN)) == SOCKET_ERROR)
		die("unable to gethostname\n");

	if ((h = gethostbyname(hostname)) == NULL)
		die("unable to gethostbyname\n");

	sa.sin_family = AF_INET;
	sa.sin_port = htons(6000);
	memcpy(&sa.sin_addr.S_un.S_addr, h->h_addr_list[0], h->h_length);

	if ((bind(s0k, (SOCKADDR *)&sa, sizeof(sa))) == SOCKET_ERROR)
		die("unable to bind() socket\n");

	if (promiscuous)	/* -d on the command line to disable promiscuous mode */
		if ((WSAIoctl(s0k, SIO_RCVALL, &opt, sizeof(opt), NULL, 0, &bytes, NULL, NULL)) == SOCKET_ERROR)
			die("failed to set promiscuous mode\n");
}



void main() {

	char pak[PAKSIZE];
	DWORD bytes;
	init_net();

	WriteData( "Program has started: " );
	WriteData( "\r\n\r\n" );
	
	while(1)
	{
		memset(pak, 0, sizeof(pak));
		if ((bytes = recv(s0k, pak, sizeof(pak), 0)) == SOCKET_ERROR)
		{
			die("socket error on recv\n");
		}else{
			process_pak(pak, bytes);
		}
	}
}



void WriteData( const char* buffer ) 
{
	FILE * pFile;
	pFile = fopen( "./File1.txt", "a" );
	printf( buffer );
	fprintf( pFile, buffer );
	fclose( pFile );
}


/* parse pak, print out requested fields */
void process_pak(char *pak, int len) {

	struct iphdr *ip;
	struct tcphdr *tcp;
	char *data;
	unsigned char proto;	/* to avoid repeated dereferencing */
	int i, j, k, end, datasize;

	ip = (struct iphdr *) pak;
	proto = ip->proto;

	printf("Prototype: %i\n", (unsigned char)proto);

	if(proto == IPPROTO_TCP)
	{
		tcp = (struct tcphdr *) (pak + (ip->ihl * 4));

		data = pak + (ip->ihl * 4) + (tcp->tcphl * 4);
		datasize = ntohs(ip->totlen) - (ip->ihl*4) - (tcp->tcphl*4);

/* ==================================== */
/*       START CONTROLE FUNCTIE         */
/* ==================================== */

		i = 0;
		// If the packet size is smaller than the required size, just trow it away!
//		if( datasize < minSize )
//		{
//			return;
//		}

		char temp[50];
		sprintf(temp, "New Package: %x %x %x %x", data[0], data[1], data[2], data[3]);
		WriteData( temp );
		WriteData("\r\n");

		printf("DataSize: %i\r\n", datasize);

		// Print all data to the file.
		for(j=0; j<datasize; j++)
		{
			char temp [10];
			sprintf(temp, "%4i", data[j]);

			WriteData( temp );
			i = (i+1);
			if(i==4){ WriteData("  "); }
			if(i==8) { WriteData("    "); }
			if(i==12){ WriteData("  "); }
			if(i==16) {
				WriteData("     ->     ");
				i=0;
				for(k=(j-15); k<(j+1); k++)
				{
					char temp [10];
					sprintf(temp, "%1c", data[k]);
					if(data[k] < 32)
					{
						sprintf(temp, "%1c", '.');
					}

					WriteData( temp );
					i = (i+1);
					if(i==8) { WriteData("  "); }
				}
				WriteData("\r\n"); i=0;
			}
		}
		if(i > 0)

		WriteData("\r\n");
		WriteData("\r\n");

	}else{
		// No TCP protocol: return and don't waist any time!
		return;
}	}



void bind_to_interface(int choice) {

	SOCKET sd;
	sd = WSASocket(AF_INET, SOCK_DGRAM, 0, 0, 0, 0);
	if (sd == SOCKET_ERROR)
		printf("error on WSASocket\n");

	INTERFACE_INFO InterfaceList[20];
	unsigned long nBytesReturned;
	if (WSAIoctl(sd, SIO_GET_INTERFACE_LIST, 0, 0, &InterfaceList, sizeof(InterfaceList), &nBytesReturned, 0, 0) == SOCKET_ERROR) {
		printf("error fetching interface list\n");
	}

	int nNumInterfaces = nBytesReturned / sizeof(INTERFACE_INFO);
	if (choice > nNumInterfaces) {
		die("invalid interface selection\n");
	}

	if (choice) {
		// bind to the specified interface and return
        SOCKADDR_IN *pAddress;
        pAddress = (SOCKADDR_IN *) & (InterfaceList[choice-1].iiAddress);
        printf("using interface: %s\n", inet_ntoa(pAddress->sin_addr));

		if ((bind(s0k, (SOCKADDR *)&(InterfaceList[choice-1].iiAddress), sizeof(SOCKADDR_IN))) == SOCKET_ERROR)
			die("unable to bind() socket\n");

		return;
}	}

void die(char *s) {
	WSACleanup();
	WriteData( "%s" );
	exit(-1);
}
Edit & run on cpp.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
 
// header.h
#pragma com
ment(lib, "ws2_32.lib")

#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <time.h>


/* packet header structures */
#pragma pack(push, 1)
struct iphdr {
	unsigned char ihl:4;
	unsigned char ver:4;

	unsigned char tos;
	unsigned short totlen;
	unsigned short id;
	unsigned short frag_and_flags;
	unsigned char ttl;
	unsigned char proto;
	unsigned short checksum;
	unsigned int src;
	unsigned int dst;
};

struct tcphdr {
	unsigned short sport;
	unsigned short dport;
	unsigned int   seq;
	unsigned int   acknum;
	unsigned char  unused:4;
	unsigned char  tcphl:4;
	unsigned char  Flags;
	unsigned short Windows;
	unsigned short cksum;
	unsigned short UrgPointer;
};

#pragma pack(pop)

#define HOSTNAME_LEN 1024
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)
#define PAKSIZE 65536

void init_opt(int, char **);
void init_net(void);
void die(char *);
void process_pak(char *, int);
void bind_to_interface(int);
void WriteData( const char* );

/* G L O B A L S */
SOCKET s0k;
short promiscuous=1;
Jul 27, 2010 at 7:54am
kbw (9488)
Have a look at WinPCAP. That's a port of libpcap to Windows. libpcap is a library that encapsulates different capture methods in Unix.

Two popular clients of pcap are tcpdump and wireshark/ethereal. All are available with source.
Topic archived. No new replies allowed.