The simple steps would be :
1. Start a loop for the port number range to be scanned.
2. Create a Socket inside the loop.
3. Call the connect function using the socket and the port number to connect to the host.
4. If connect returns SOCKET_ERROR then the connection failed hence port closed, otherwise connection established and port open.

The following code does the same. It should be noted that it scans only TCP ports. For a linux version of the same code view this post.

Code :

/*
 TCP Connect portscanner with winsock
*/

#include<stdio.h>
#include<winsock2.h>
#pragma comment(lib, "ws2_32.lib"); //To link the winsock library  

int main(int argc, char **argv)
{
 WSADATA firstsock;
 SOCKET s;
 struct hostent *host;
 int err,i, startport , endport;
 struct sockaddr_in sa; //this stores the destination address
 char hostname[100];

 strncpy((char *)&sa,"",sizeof sa);
 sa.sin_family = AF_INET; //this line must be like this coz internet

 //Initialise winsock
 if (WSAStartup(MAKEWORD(2,0),&firstsock) != 0)  //CHECKS FOR WINSOCK VERSION 2.0
 {
  fprintf(stderr,"WSAStartup() failed"); //print formatted data specify stream and options
  exit(EXIT_FAILURE);        //or exit(1);
 } 

 printf("Enter hostname or ip to scan : ");
 gets(hostname);

 printf("Enter starting port : ");
 scanf("%d" , &startport);

 printf("Enter ending port : ");
 scanf("%d" , &endport);

 if(isdigit(hostname[0]))
 {
  printf("Doing inet_addr...");
  sa.sin_addr.s_addr = inet_addr(hostname); //get ip into s_addr
  printf("Done\n");
 }
 else if( (host=gethostbyname(hostname)) != 0)
 {
  printf("Doing gethostbyname()...");
  strncpy((char *)&sa.sin_addr , (char *)host->h_addr_list[0] , sizeof sa.sin_addr);
  printf("Done\n");
 }
 else
 {
    printf("Error resolving hostname");
       exit(EXIT_FAILURE);
 }

 //Start the portscan loop
 printf("Starting the scan loop...\n");
 for(i = startport ; i<= endport ; i++)
 {

  s = socket(AF_INET , SOCK_STREAM , 0); //make net a valid socket handle
  if(s < 0)  //if not a socket
  {
   perror("\nSocket creation failed");  // perror function prints an error message to stderr
   exit(EXIT_FAILURE);       //or exit(0);
  }

  sa.sin_port = htons(i);
  //connect to the server with that socket
  err = connect(s , (struct sockaddr *)&sa , sizeof sa);

  if(err == SOCKET_ERROR) //connection not accepted
  {
   printf("%s %-5d Winsock Error Code : %d\n" , hostname , i , WSAGetLastError());
   fflush(stdout);
  }
  else  //connection accepted
  {
   printf("%s %-5d accepted            \n" , hostname , i);
   if( shutdown( s ,SD_BOTH ) == SOCKET_ERROR )
   {
    perror("\nshutdown");// perror function prints an error message to stderr
    exit(EXIT_FAILURE);
   }
  }
  closesocket(s);   //closes the net socket
 }

 fflush(stdout); //clears the contents of a buffer or flushes a stream
 return(0);
}

The above can be compiled with vc++ 6.0 for example. Simply create a project and add this file to the project and click run.

The steps are simple :

1. Create a socket
2. Run a Loop to connect with each port on the remote system ; if connection established then port open otherwise closed.

Code :

#include<stdio.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<errno.h>
#include<netdb.h>
#include<string.h>

int main(int argc , char **argv)
{
 struct hostent *host;
 int err, i , net ,start , end;
 char hostname[100];
 struct sockaddr_in sa;
 //Get the hostname to scan
 printf("Enter hostname or IP : ");
 gets(hostname);
 //Get start port number
 printf("\nEnter start port number : ");
 scanf("%d" , &start);
 //Get end port number
 printf("\nEnter end port number : ");
 scanf("%d" , &end);

 //Initialise the sockaddr_in structure
 strncpy((char*)&sa , "" , sizeof sa);
 sa.sin_family = AF_INET;

 if(isdigit(hostname[0]))
 {
  printf("Doing inet_addr...");
  sa.sin_addr.s_addr = inet_addr(hostname);
  printf("Done\n");
 }
 else if((host = gethostbyname(hostname))!=0)
 {
  printf("Doing gethostbyname...");
  strncpy((char*)&sa.sin_addr , (char*)host->h_addr , sizeof sa.sin_addr);
  printf("Done\n");
 }
 else
 {
  herror(hostname);
  exit(2);
 }
 //Start the port scan loop
 printf("Starting the portscan loop : \n");
 for(i=start ; i<=end ; i++)
 {
  //Fill in the port number
  sa.sin_port = htons(i);
  //Create a socket of type internet
  net = socket(AF_INET , SOCK_STREAM , 0);
  //Check whether socket created fine or not
  if(net < 0)
  {
   perror("\nSocket");
   exit(1);
  }
  //Connect using that socket and sockaddr structure
  err = connect(net , (struct sockaddr*)&sa , sizeof sa);

  if(err<0)
  {
   printf("%s %-5d %s\r" , hostname , i, strerror(errno));
   fflush(stdout);
  }
  else
  {
   printf("%s %-5d accepted. \n",  hostname , i);
   //Now shutdown the read and write operations on this socket
   if(shutdown(net , SHUT_RDWR) < 0)
   {
    //Print error with error message mapped from err_no
    perror("\nShutdown");
    exit(1);
   }
  }
  close(net);
 }
 printf("\r");
 fflush(stdout);
 return(0);
}

To install libpcap on your linux distro you can either download the source from the website and compile it and install. Or if you are on a distro like ubuntu then it can be installed from synaptic package manager. In the list of packages in Synaptic Package Manager look for 2 packages named as libpcap0.8 and libpcap0.8-dev. Install both of them.

To start with the C program the simple steps would be :

1. Find all available devices – find_alldevs()

find_alldevs() is the function which can be used to get a list of all available network devices or interfaces present on the machine or which can be opened by pcap_open_live() for sniffing purpose.

The prototype is as :

int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)

where alldevsp is a pointer to an array of of pcap_if_t structures and errbuf is a character pointer and will contain any error message that occured during the function call.

2. Select a device for sniffing data – pcap_open_live()

pcap_open_live() is the function to get a packet capture descriptor or a handle to a device which has been opened up for sniffing. The protoype is as :

pcap_t *pcap_open_live(const char *device, int snaplen,int promisc, int to_ms, char *errbuf)

device – is the name of the device as obtained from the call to pcap_findalldevs.
snaplen – is the maximum amount of data to be captured. 65536 should be sufficient length.
promisc – 0 or 1 to indicate whether to open the device in promiscuous mode.
to_ms – the timeout in milliseconds , 0 for no timeout
errbuf – buffer to contain any error message

It returns a device handler in the form of the structure pcap_t which can be used by pcap_loop() to capture data from.

3. Start sniffing the device – pcap_loop()
4. Process the sniffed packet – user defined callback method

Code :

 /*
 Packet sniffer using libpcap library
*/
#include<pcap.h>
#include<stdio.h>
#include<net/ethernet.h>
#include<netinet/ip_icmp.h> //Provides declarations for icmp header
#include<netinet/udp.h> //Provides declarations for udp header
#include<netinet/tcp.h> //Provides declarations for tcp header
#include<netinet/ip.h> //Provides declarations for ip header

void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);
void process_ip_packet(unsigned char* , int);
void print_ip_header(unsigned char* , int);
void print_tcp_header(unsigned char* buffer , int size);
void print_udp_header(unsigned char* , int);

FILE *logfile;
struct sockaddr_in source,dest;

int main()
{
 pcap_if_t alldevsp[100] , *device;
 pcap_t *handle; //Handle of the device that shall be sniffed

 char errbuf[100] , *devname , **devs;
 int count = 1 , n;
 //First get the list of available devices
 printf("Finding available devices ... ");
 if(pcap_findalldevs(&alldevsp, errbuf))
 {
  printf("Error finding devices : %s" , errbuf);
  exit(1);
 }
 printf("Done");
 //Print the available devices
 printf("\nAvailable Devices are :\n");
 device = alldevsp;
 while(device != NULL)
 {
  *(devs + count) = device->name;
  printf("%d. %s - %s\n", count++ , device->name , device->description);
  device = device->next;

 }
 //Ask user which device to sniff
 printf("Enter the number of the device you want to sniff : ");
 scanf("%d" , &n);
 devname = *(devs + count - 1);
 //Open the device for sniffing
 printf("Opening device for sniffing ... ");
 handle = pcap_open_live("eth0" , 65536 , 1 , 0 , errbuf);
 if (handle == NULL) {
  fprintf(stderr, "Couldn't open device eth0 : %s\n" , errbuf);
  exit(1);
 }
 printf("Done\n");

 logfile=fopen("log.txt","w");
 if(logfile==NULL) printf("Unable to create file.");

 //Put the device in sniff loop
 pcap_loop(handle , -1 , process_packet , NULL);
 return 0;
}

void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
 int size = header->len;
 struct ether_header *ethh;
 ethh = (struct ether_header *)packet;
 //Print the ethernet header in the log file

 if(ntohs(ethh->ether_type) == ETHERTYPE_IP)
 {

  process_ip_packet(packet + sizeof *ethh , size - sizeof ethh);
  printf("%d" , sizeof *ethh);
  fflush(stdout);
 }
 return 0;
}

void process_ip_packet(unsigned char* buffer, int size)
{
 //Get the IP Header part of this packet
 struct iphdr *iph = (struct iphdr*)buffer;
 switch (iph->protocol) //Check the Protocol and do accordingly...
 {
  case 1:  //ICMP Protocol
   //PrintIcmpPacket(Buffer,Size);
   break;
  case 2:  //IGMP Protocol
   break;
  case 6:  //TCP Protocol
   print_tcp_packet(buffer , size);
   break;
  case 17: //UDP Protocol
   print_udp_packet(buffer , size);
   break;
  default: //Some Other Protocol like ARP etc.
   break;
 }
}

void print_ip_header(unsigned char* Buffer, int Size)
{
 unsigned short iphdrlen;

 struct iphdr *iph = (struct iphdr *)Buffer;
 iphdrlen =iph->ihl*4;

 memset(&source, 0, sizeof(source));
 source.sin_addr.s_addr = iph->saddr;

 memset(&dest, 0, sizeof(dest));
 dest.sin_addr.s_addr = iph->daddr;

 fprintf(logfile,"\n");
 fprintf(logfile,"IP Header\n");
 fprintf(logfile,"   |-IP Version        : %d\n",(unsigned int)iph->version);
 fprintf(logfile,"   |-IP Header Length  : %d DWORDS or %d Bytes\n",(unsigned int)iph->ihl,((unsigned int)(iph->ihl))*4);
 fprintf(logfile,"   |-Type Of Service   : %d\n",(unsigned int)iph->tos);
 fprintf(logfile,"   |-IP Total Length   : %d  Bytes(Size of Packet)\n",ntohs(iph->tot_len));
 fprintf(logfile,"   |-Identification    : %d\n",ntohs(iph->id));
 //fprintf(logfile,"   |-Reserved ZERO Field   : %d\n",(unsigned int)iphdr->ip_reserved_zero);
 //fprintf(logfile,"   |-Dont Fragment Field   : %d\n",(unsigned int)iphdr->ip_dont_fragment);
 //fprintf(logfile,"   |-More Fragment Field   : %d\n",(unsigned int)iphdr->ip_more_fragment);
 fprintf(logfile,"   |-TTL      : %d\n",(unsigned int)iph->ttl);
 fprintf(logfile,"   |-Protocol : %d\n",(unsigned int)iph->protocol);
 fprintf(logfile,"   |-Checksum : %d\n",ntohs(iph->check));
 fprintf(logfile,"   |-Source IP        : %s\n",inet_ntoa(source.sin_addr));
 fprintf(logfile,"   |-Destination IP   : %s\n",inet_ntoa(dest.sin_addr));
}

void print_tcp_packet(unsigned char* Buffer, int Size)
{
 unsigned short iphdrlen;

 struct iphdr *iph = (struct iphdr *)Buffer;
 iphdrlen = iph->ihl*4;

 struct tcphdr *tcph=(struct tcphdr*)(Buffer + iphdrlen);

 fprintf(logfile,"\n\n***********************TCP Packet*************************\n"); 

 print_ip_header(Buffer,Size);

 fprintf(logfile,"\n");
 fprintf(logfile,"TCP Header\n");
 fprintf(logfile,"   |-Source Port      : %u\n",ntohs(tcph->source));
 fprintf(logfile,"   |-Destination Port : %u\n",ntohs(tcph->dest));
 fprintf(logfile,"   |-Sequence Number    : %u\n",ntohl(tcph->seq));
 fprintf(logfile,"   |-Acknowledge Number : %u\n",ntohl(tcph->ack_seq));
 fprintf(logfile,"   |-Header Length      : %d DWORDS or %d BYTES\n" ,(unsigned int)tcph->doff,(unsigned int)tcph->doff*4);
 //fprintf(logfile,"   |-CWR Flag : %d\n",(unsigned int)tcph->cwr);
 //fprintf(logfile,"   |-ECN Flag : %d\n",(unsigned int)tcph->ece);
 fprintf(logfile,"   |-Urgent Flag          : %d\n",(unsigned int)tcph->urg);
 fprintf(logfile,"   |-Acknowledgement Flag : %d\n",(unsigned int)tcph->ack);
 fprintf(logfile,"   |-Push Flag            : %d\n",(unsigned int)tcph->psh);
 fprintf(logfile,"   |-Reset Flag           : %d\n",(unsigned int)tcph->rst);
 fprintf(logfile,"   |-Synchronise Flag     : %d\n",(unsigned int)tcph->syn);
 fprintf(logfile,"   |-Finish Flag          : %d\n",(unsigned int)tcph->fin);
 fprintf(logfile,"   |-Window         : %d\n",ntohs(tcph->window));
 fprintf(logfile,"   |-Checksum       : %d\n",ntohs(tcph->check));
 fprintf(logfile,"   |-Urgent Pointer : %d\n",tcph->urg_ptr);
 fprintf(logfile,"\n");
 fprintf(logfile,"                        DATA Dump                         ");
 fprintf(logfile,"\n");

 fprintf(logfile,"IP Header\n");
 PrintData(Buffer,iphdrlen);

 fprintf(logfile,"TCP Header\n");
 PrintData(Buffer+iphdrlen,tcph->doff*4);

 fprintf(logfile,"Data Payload\n");
 PrintData(Buffer + iphdrlen + tcph->doff*4 , (Size - tcph->doff*4-iph->ihl*4) );

 fprintf(logfile,"\n###########################################################");
}

void print_udp_packet(unsigned char *Buffer , int Size)
{

 unsigned short iphdrlen;

 struct iphdr *iph = (struct iphdr *)Buffer;
 iphdrlen = iph->ihl*4;

 struct udphdr *udph = (struct udphdr*)(Buffer + iphdrlen);

 fprintf(logfile,"\n\n***********************UDP Packet*************************\n");

 print_ip_header(Buffer,Size);   

 fprintf(logfile,"\nUDP Header\n");
 fprintf(logfile,"   |-Source Port      : %d\n" , ntohs(udph->source));
 fprintf(logfile,"   |-Destination Port : %d\n" , ntohs(udph->dest));
 fprintf(logfile,"   |-UDP Length       : %d\n" , ntohs(udph->len));
 fprintf(logfile,"   |-UDP Checksum     : %d\n" , ntohs(udph->check));

 fprintf(logfile,"\n");
 fprintf(logfile,"IP Header\n");
 PrintData(Buffer , iphdrlen);

 fprintf(logfile,"UDP Header\n");
 PrintData(Buffer+iphdrlen , sizeof udph);

 fprintf(logfile,"Data Payload\n");
 PrintData(Buffer + iphdrlen + sizeof udph ,( Size - sizeof udph - iph->ihl * 4 ));

 fprintf(logfile,"\n###########################################################");
}

void print_icmp_packet(unsigned char* Buffer , int Size)
{
 unsigned short iphdrlen;

 struct iphdr *iph = (struct iphdr *)Buffer;
 iphdrlen = iph->ihl*4;

 struct icmphdr *icmph = (struct icmphdr *)(Buffer + iphdrlen);

 fprintf(logfile,"\n\n***********************ICMP Packet*************************\n"); 

 print_ip_header(Buffer , Size);

 fprintf(logfile,"\n");

 fprintf(logfile,"ICMP Header\n");
 fprintf(logfile,"   |-Type : %d",(unsigned int)(icmph->type));

 if((unsigned int)(icmph->type) == 11)
  fprintf(logfile,"  (TTL Expired)\n");
 else if((unsigned int)(icmph->type) == ICMP_ECHOREPLY)
  fprintf(logfile,"  (ICMP Echo Reply)\n");
 fprintf(logfile,"   |-Code : %d\n",(unsigned int)(icmph->code));
 fprintf(logfile,"   |-Checksum : %d\n",ntohs(icmph->checksum));
 //fprintf(logfile,"   |-ID       : %d\n",ntohs(icmph->id));
 //fprintf(logfile,"   |-Sequence : %d\n",ntohs(icmph->sequence));
 fprintf(logfile,"\n");

 fprintf(logfile,"IP Header\n");
 PrintData(Buffer,iphdrlen);

 fprintf(logfile,"UDP Header\n");
 PrintData(Buffer + iphdrlen , sizeof icmph);

 fprintf(logfile,"Data Payload\n");
 PrintData(Buffer + iphdrlen + sizeof icmph , (Size - sizeof icmph - iph->ihl * 4));

 fprintf(logfile,"\n###########################################################");
}

void PrintData (unsigned char* data , int Size)
{
 int i,j;
 for(i=0 ; i < Size ; i++)
 {
  if( i!=0 && i%16==0)   //if one line of hex printing is complete...
  {
   fprintf(logfile,"         ");
   for(j=i-16 ; j<i ; j++)
   {
    if(data[j]>=32 && data[j]<=128)
     fprintf(logfile,"%c",(unsigned char)data[j]); //if its a number or alphabet

    else fprintf(logfile,"."); //otherwise print a dot
   }
   fprintf(logfile,"\n");
  } 

  if(i%16==0) fprintf(logfile,"   ");
  fprintf(logfile," %02X",(unsigned int)data[i]);

  if( i==Size-1)  //print the last spaces
  {
   for(j=0;j<15-i%16;j++) fprintf(logfile,"   "); //extra spaces

   fprintf(logfile,"         ");

   for(j=i-i%16 ; j<=i ; j++)
   {
    if(data[j]>=32 && data[j]<=128) fprintf(logfile,"%c",(unsigned char)data[j]);
    else fprintf(logfile,".");
   }
   fprintf(logfile,"\n");
  }
 }
}   

Compile : gcc sniffer.c -lpcap -o sniffer
Run : sudo ./sniffer

The program requires superuser or root privileges to be able to sniff the packets.
Wireshark(previously ethereal) and tcpdump are examples of applications which use the libpcap library on linux to capture packet data.

1. Create a Raw Socket.
2. Put it in a recvfrom loop.

A raw socket when put in recvfrom receives all incoming packets. The following code shows an example of such a sniffer. Note that it sniffs only incoming packets. For sniffing all traffic on a network a packet capture library like libpcap can be used.

Code : sniffer.c

#include<netinet/in.h>
#include<errno.h>
#include<netdb.h>
#include<stdio.h>	//For standard things
#include<netinet/ip_icmp.h>	//Provides declarations for icmp header
#include<netinet/udp.h>	//Provides declarations for udp header
#include<netinet/tcp.h>	//Provides declarations for tcp header
#include<netinet/ip.h>	//Provides declarations for ip header
#include<sys/socket.h>
#include<arpa/inet.h>
#include<sys/ioctl.h>
#include<sys/time.h>
#include<sys/types.h>
#include<unistd.h>

void ProcessPacket(unsigned char* , int);
void print_ip_header(unsigned char* , int);
void print_tcp_header(unsigned char* buffer , int size);
void print_udp_header(unsigned char* , int);

int sock_raw;
FILE *logfile;
int tcp=0,udp=0,icmp=0,others=0,igmp=0,total=0,i,j;
struct sockaddr_in source,dest;

int main()
{
	int saddr_size , data_size;
	struct sockaddr_in saddr;
	struct in_addr in;

	unsigned char *buffer = (unsigned char *)malloc(65536); //Its Big!

	logfile=fopen("log.txt","w");
	if(logfile==NULL) printf("Unable to create file.");
	printf("Starting...\n");
	//Create a raw socket that shall sniff
	sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);
	if(sock_raw < 0)
	{
		printf("Socket Error\n");
		return 1;
	}
	while(1)
	{
		saddr_size = sizeof saddr;
		//Receive a packet
		data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size);
		if(data_size <0 )
		{
			printf("Recvfrom error , failed to get packets\n");
			return 1;
		}
		//Now process the packet
		ProcessPacket(buffer , data_size);
	}
	close(sock_raw);
	printf("Finished");
	return 0;
}

void ProcessPacket(unsigned char* buffer, int size)
{
	//Get the IP Header part of this packet
	struct iphdr *iph = (struct iphdr*)buffer;
	++total;
	switch (iph->protocol) //Check the Protocol and do accordingly...
	{
		case 1:  //ICMP Protocol
			++icmp;
			//PrintIcmpPacket(Buffer,Size);
			break;

		case 2:  //IGMP Protocol
			++igmp;
			break;

		case 6:  //TCP Protocol
			++tcp;
			print_tcp_packet(buffer , size);
			break;

		case 17: //UDP Protocol
			++udp;
			print_udp_packet(buffer , size);
			break;

		default: //Some Other Protocol like ARP etc.
			++others;
			break;
	}
	printf("TCP : %d   UDP : %d   ICMP : %d   IGMP : %d   Others : %d   Total : %d\r",tcp,udp,icmp,igmp,others,total);
}

void print_ip_header(unsigned char* Buffer, int Size)
{
	unsigned short iphdrlen;

	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen =iph->ihl*4;

	memset(&source, 0, sizeof(source));
	source.sin_addr.s_addr = iph->saddr;

	memset(&dest, 0, sizeof(dest));
	dest.sin_addr.s_addr = iph->daddr;

	fprintf(logfile,"\n");
	fprintf(logfile,"IP Header\n");
	fprintf(logfile,"   |-IP Version        : %d\n",(unsigned int)iph->version);
	fprintf(logfile,"   |-IP Header Length  : %d DWORDS or %d Bytes\n",(unsigned int)iph->ihl,((unsigned int)(iph->ihl))*4);
	fprintf(logfile,"   |-Type Of Service   : %d\n",(unsigned int)iph->tos);
	fprintf(logfile,"   |-IP Total Length   : %d  Bytes(Size of Packet)\n",ntohs(iph->tot_len));
	fprintf(logfile,"   |-Identification    : %d\n",ntohs(iph->id));
	//fprintf(logfile,"   |-Reserved ZERO Field   : %d\n",(unsigned int)iphdr->ip_reserved_zero);
	//fprintf(logfile,"   |-Dont Fragment Field   : %d\n",(unsigned int)iphdr->ip_dont_fragment);
	//fprintf(logfile,"   |-More Fragment Field   : %d\n",(unsigned int)iphdr->ip_more_fragment);
	fprintf(logfile,"   |-TTL      : %d\n",(unsigned int)iph->ttl);
	fprintf(logfile,"   |-Protocol : %d\n",(unsigned int)iph->protocol);
	fprintf(logfile,"   |-Checksum : %d\n",ntohs(iph->check));
	fprintf(logfile,"   |-Source IP        : %s\n",inet_ntoa(source.sin_addr));
	fprintf(logfile,"   |-Destination IP   : %s\n",inet_ntoa(dest.sin_addr));
}

void print_tcp_packet(unsigned char* Buffer, int Size)
{
	unsigned short iphdrlen;

	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen = iph->ihl*4;

	struct tcphdr *tcph=(struct tcphdr*)(Buffer + iphdrlen);

	fprintf(logfile,"\n\n***********************TCP Packet*************************\n");	

	print_ip_header(Buffer,Size);

	fprintf(logfile,"\n");
	fprintf(logfile,"TCP Header\n");
	fprintf(logfile,"   |-Source Port      : %u\n",ntohs(tcph->source));
	fprintf(logfile,"   |-Destination Port : %u\n",ntohs(tcph->dest));
	fprintf(logfile,"   |-Sequence Number    : %u\n",ntohl(tcph->seq));
	fprintf(logfile,"   |-Acknowledge Number : %u\n",ntohl(tcph->ack_seq));
	fprintf(logfile,"   |-Header Length      : %d DWORDS or %d BYTES\n" ,(unsigned int)tcph->doff,(unsigned int)tcph->doff*4);
	//fprintf(logfile,"   |-CWR Flag : %d\n",(unsigned int)tcph->cwr);
	//fprintf(logfile,"   |-ECN Flag : %d\n",(unsigned int)tcph->ece);
	fprintf(logfile,"   |-Urgent Flag          : %d\n",(unsigned int)tcph->urg);
	fprintf(logfile,"   |-Acknowledgement Flag : %d\n",(unsigned int)tcph->ack);
	fprintf(logfile,"   |-Push Flag            : %d\n",(unsigned int)tcph->psh);
	fprintf(logfile,"   |-Reset Flag           : %d\n",(unsigned int)tcph->rst);
	fprintf(logfile,"   |-Synchronise Flag     : %d\n",(unsigned int)tcph->syn);
	fprintf(logfile,"   |-Finish Flag          : %d\n",(unsigned int)tcph->fin);
	fprintf(logfile,"   |-Window         : %d\n",ntohs(tcph->window));
	fprintf(logfile,"   |-Checksum       : %d\n",ntohs(tcph->check));
	fprintf(logfile,"   |-Urgent Pointer : %d\n",tcph->urg_ptr);
	fprintf(logfile,"\n");
	fprintf(logfile,"                        DATA Dump                         ");
	fprintf(logfile,"\n");

	fprintf(logfile,"IP Header\n");
	PrintData(Buffer,iphdrlen);

	fprintf(logfile,"TCP Header\n");
	PrintData(Buffer+iphdrlen,tcph->doff*4);

	fprintf(logfile,"Data Payload\n");
	PrintData(Buffer + iphdrlen + tcph->doff*4 , (Size - tcph->doff*4-iph->ihl*4) );

	fprintf(logfile,"\n###########################################################");
}

void print_udp_packet(unsigned char *Buffer , int Size)
{

	unsigned short iphdrlen;

	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen = iph->ihl*4;

	struct udphdr *udph = (struct udphdr*)(Buffer + iphdrlen);

	fprintf(logfile,"\n\n***********************UDP Packet*************************\n");

	print_ip_header(Buffer,Size);			

	fprintf(logfile,"\nUDP Header\n");
	fprintf(logfile,"   |-Source Port      : %d\n" , ntohs(udph->source));
	fprintf(logfile,"   |-Destination Port : %d\n" , ntohs(udph->dest));
	fprintf(logfile,"   |-UDP Length       : %d\n" , ntohs(udph->len));
	fprintf(logfile,"   |-UDP Checksum     : %d\n" , ntohs(udph->check));

	fprintf(logfile,"\n");
	fprintf(logfile,"IP Header\n");
	PrintData(Buffer , iphdrlen);

	fprintf(logfile,"UDP Header\n");
	PrintData(Buffer+iphdrlen , sizeof udph);

	fprintf(logfile,"Data Payload\n");
	PrintData(Buffer + iphdrlen + sizeof udph ,( Size - sizeof udph - iph->ihl * 4 ));

	fprintf(logfile,"\n###########################################################");
}

void print_icmp_packet(unsigned char* Buffer , int Size)
{
	unsigned short iphdrlen;

	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen = iph->ihl*4;

	struct icmphdr *icmph = (struct icmphdr *)(Buffer + iphdrlen);

	fprintf(logfile,"\n\n***********************ICMP Packet*************************\n");	

	print_ip_header(Buffer , Size);

	fprintf(logfile,"\n");

	fprintf(logfile,"ICMP Header\n");
	fprintf(logfile,"   |-Type : %d",(unsigned int)(icmph->type));

	if((unsigned int)(icmph->type) == 11)
		fprintf(logfile,"  (TTL Expired)\n");
	else if((unsigned int)(icmph->type) == ICMP_ECHOREPLY)
		fprintf(logfile,"  (ICMP Echo Reply)\n");
	fprintf(logfile,"   |-Code : %d\n",(unsigned int)(icmph->code));
	fprintf(logfile,"   |-Checksum : %d\n",ntohs(icmph->checksum));
	//fprintf(logfile,"   |-ID       : %d\n",ntohs(icmph->id));
	//fprintf(logfile,"   |-Sequence : %d\n",ntohs(icmph->sequence));
	fprintf(logfile,"\n");

	fprintf(logfile,"IP Header\n");
	PrintData(Buffer,iphdrlen);

	fprintf(logfile,"UDP Header\n");
	PrintData(Buffer + iphdrlen , sizeof icmph);

	fprintf(logfile,"Data Payload\n");
	PrintData(Buffer + iphdrlen + sizeof icmph , (Size - sizeof icmph - iph->ihl * 4));

	fprintf(logfile,"\n###########################################################");
}

void PrintData (unsigned char* data , int Size)
{

	for(i=0 ; i < Size ; i++)
	{
		if( i!=0 && i%16==0)   //if one line of hex printing is complete...
		{
			fprintf(logfile,"         ");
			for(j=i-16 ; j<i ; j++)
			{
				if(data[j]>=32 && data[j]<=128)
					fprintf(logfile,"%c",(unsigned char)data[j]); //if its a number or alphabet

				else fprintf(logfile,"."); //otherwise print a dot
			}
			fprintf(logfile,"\n");
		} 

		if(i%16==0) fprintf(logfile,"   ");
			fprintf(logfile," %02X",(unsigned int)data[i]);

		if( i==Size-1)  //print the last spaces
		{
			for(j=0;j<15-i%16;j++) fprintf(logfile,"   "); //extra spaces

			fprintf(logfile,"         ");

			for(j=i-i%16 ; j<=i ; j++)
			{
				if(data[j]>=32 && data[j]<=128) fprintf(logfile,"%c",(unsigned char)data[j]);
				else fprintf(logfile,".");
			}
			fprintf(logfile,"\n");
		}
	}
}

Compile : gcc sniffer.c

The program must be run as root user or superuser privileges. e.g. sudo ./a.out in ubuntu
The program creates raw sockets which require root access.

Raw sockets, or “Raw Packets”, give you the facility to access the entire contents of a packet or datagram, both for reading and writing purpose. In other words, you can fabricate a whole packet according to your likes and dislikes. For example, a TCP packet would contain an IP header, a TCP header, and then the actual data that needs to be transmitted. When working with normal sockets, whatever we send to a socket is actually the data part. In such a scenario, the OS network stack takes the responsibility of adding the header with all fields set to relevant values. When we send the data to a destination, the stack adds the headers and sends the packet, and when we receive some data, then the stack removes the headers and hands out the data to our application. So we are saved from the work of designing the headers. For normal internet applications, there is no need to be concerned about the header operations as they are there for the safe transmission and reception of data, and once the transfer is complete, their need is over and they are dumped. But the story doesn’t end there, there are some people who need raw sockets. Raw sockets are widely used in the field of network security for creating both security and insecurity! In this article, we will take a look at the contents of a general TCPpacket, and try to make a raw packet and transmit it. We shall do this on Windows XP using the VC++ 6.0 compiler. OK, so let’s have a look at the IP and TCP headers.

RFC 791 gives the structure of an IP header as:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Next comes the TCP header for transmission using the TCP protocol. RFC 793 gives the structure.

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

and at the end is your data, bla bla bla bla bla bla…………………..

———————————————————– <<end of packet

To understand the significance of each field, read up the necessary RFC or some other good TCP/IP tutorial on the net as there are plenty. If you have previous knowledge of socket programming, then the headers are self-explanatory. Now, why is the raw socket feature of importance to network security? Well, one important aspect of network security which needs this feature is scanning. Scanning is of many types. For example, scanning for open ports, scanning the type of OS, scanning for vulnerabilities etc.

Raw Sockets and Windows

First of all, it must be understood very clearly that raw sockets is not a feature of the network API (although it must be present there as an option) but of the OS protocol stack. To implement raw sockets, all we have to do is to inform the OS that the packet buffer we are providing will have the header and so the OS should transmit it as is without “adding any header”; that’s all, nothing more to do. The Unix operating system has raw socket support since ancient times. But the problem is with Windows. None of Windows 95, 98, 98SE supported raw sockets.

Raw sockets became available on Windows from Windows 2000; Windows XP continued this. But suddenly, raw socket support was removed from Windows XP through a patch in SP2. Vista doesn’t have it. A security patch called MS05-019 (http://support.microsoft.com/kb/897656) is what disables raw sockets on XP SP2 and can do the same to even SP1. Probably Windows 2003 SP1 also implements the same the result being the end of raw sockets.

An indepth summary is available at http://seclists.org/nmap-hackers/2005/0005.html. Windows 95, 98, 98SE do not support raw sockets, but this doesn’t end the story. If you want the facility, then the solution is to use a third party packet driver like Winpcap. Such packet drivers will do your task irrespective of what the OS likes and dislikes. Windows XP and XP SP1 have full raw socket support and so life is easy. So if you want to do raw socketing on Windows, then either use Winpcap or don’t feel desperate to install SP2, or otherwise use Windows 2003 which, as per my knowledge, has raw socket support. http://technet.microsoft.com/hi-in/library/bb457156(en-us).aspx should tell more. So let’s brief up:

1. Windows 95, 98, 98SE, NT4.0 — Only raw ICMP and IGMP with restricted
features.

2. Windows 2000, XP, XP SP1, 2003 — Full raw socket support for both receiving
and sending purposes.

3. Windows XP SP2 — Only raw ICMP, IGMP, and UDP with proper source address
(IP spoofing restricted) can be sent. But, full raw sockets can be received,
which means you can sniff all incoming data and read their headers.

Note : Winsock Ver. >=2.0

So if your system doesn’t support raw sockets, then switch to Linux or use
Winpcap.

The Code

SOCKET s;
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); //Create a RAW socket
int optval=1;
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval,
sizeof optval);  //Set it to include the header

The last line, setsockopt, tells the OS that the socket s will have the
header included (IP_HDRINCL) at the IP (IPPROTO_IP) level in the data buffer
it sends. IPPROTO_RAW creates an absolutely raw socket, and you have to write
all headers yourself. IPPROTO_UDP, IPROTO_TCP are also available for the
respective types of packets.

Now, we shall need two structures like this:

typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words)
// normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4;   // 4-bit IPv4 version
unsigned char ip_tos;          // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id;          // Unique identifier

unsigned char ip_frag_offset :5; // Fragment offset field

unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;

unsigned char ip_frag_offset1; //fragment offset

unsigned char ip_ttl;          // Time to live
unsigned char ip_protocol;     // Protocol(TCP,UDP etc)
unsigned short ip_checksum;    // IP checksum
unsigned int ip_srcaddr;       // Source address
unsigned int ip_destaddr;      // Source address
} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR;

// TCP header
typedef struct tcp_header
{
unsigned short source_port;   // source port
unsigned short dest_port;     // destination port
unsigned int sequence;        // sequence number - 32 bits
unsigned int acknowledge;     // acknowledgement number - 32 bits

unsigned char ns :1;          //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4;    /*The number of 32-bit words
in the TCP header.
This indicates where the data begins.
The length of the TCP header
is always a multiple
of 32 bits.*/

unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag

unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag

////////////////////////////////

unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER;

Little/Big Endian

Did you notice a difference between the RFC specification and the structures declared above? IP header and version have swapped their positions.The urg, ack, and psh flags of the TCP header are all in reverse order? Mistake? Well, this depends on the byte order that is implemented in the machine architecture. There are two types: Little Endian and Big Endian. In Big Endian, the bytes and bits are arranged in their normal order as we read them, which means the MSB (most significant byte) comes first and the LSB (least significant byte) last. But in Little Endian, the thing is totally
reversed. And it must be remembered that all bits are byte wise reversed, which means they are reversed in groups of 8. That’s the rule for making segments of sizes 3 or 5 etc. If it’s a long or int, then a htons() will do the job. Well, enough said, now let’s make our packet.

char packet[65536];   //thats big!
IPV4_HDR *v4hdr=NULL;
TCP_HDR *tcphdr=NULL;

v4hdr = (IPV4_HDR *)packet; //lets point to the ip header portion
v4hdr->ip_version=4;
v4hdr->ip_header_len=5;
v4hdr->ip_tos = 0;
v4hdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) + payload );
v4hdr->ip_id = htons(2);

……………and so on

tcphdr = (TCP_HDR *)&buf[sizeof(IPV4_HDR)];
//get the pointer to the tcp header in the packet

tcphdr->source_port = htons(1234);
tcphdr->dest_port = htons(50000);

tcphdr->cwr=0;
tcphdr->ecn=1;
tcphdr->urg=0;
tcphdr->ack=0;

………………and so on

// Initialize the TCP payload to some rubbish
data = &buf[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
memset(data, '^', payload);

Get the remote host details in a sockaddr_in dest and call:

sendto(s , buf , sizeof(IPV4_HDR)+sizeof(TCP_HDR) +
payload, 0,(SOCKADDR *)&dest, sizeof(dest));

where payload is the size of the data after the TCP header. That’s it! We
are done.

To check whether the packets went out as you expected them to, use a
sniffer like Ethereal and sniff them. Note: If you have any firewall running,
then raw packets may be blocked.

Source Code :

//raw tcp packet crafter

#include "stdio.h"
#include "winsock2.h"
#include "ws2tcpip.h" //IP_HDRINCL is here
#include "conio.h"

#pragma comment(lib,"ws2_32.lib") //winsock 2.2 library

typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4; // 4-bit IPv4 version
unsigned char ip_tos; // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id; // Unique identifier

unsigned char ip_frag_offset :5; // Fragment offset field

unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;

unsigned char ip_frag_offset1; //fragment offset

unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR;

// TCP header
typedef struct tcp_header
{
unsigned short source_port; // source port
unsigned short dest_port; // destination port
unsigned int sequence; // sequence number - 32 bits
unsigned int acknowledge; // acknowledgement number - 32 bits

unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4; /*The number of 32-bit words in the TCP header.
This indicates where the data begins.
The length of the TCP header is always a multiple
of 32 bits.*/

unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag

unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag

////////////////////////////////

unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER;

int main()
{
char host[100],buf[1000],*data=NULL,source_ip[20]; //buf is the complete packet
SOCKET s;
int k=1;

IPV4_HDR *v4hdr=NULL;
TCP_HDR *tcphdr=NULL;

int payload=512 , optval;
SOCKADDR_IN dest;
hostent *server;

//Initialise Winsock
WSADATA wsock;
printf("\nInitialising Winsock...");
if (WSAStartup(MAKEWORD(2,2),&wsock) != 0)
{
fprintf(stderr,"WSAStartup() failed");
exit(EXIT_FAILURE);
}
printf("Initialised successfully.");
////////////////////////////////////////////////

//Create Raw TCP Packet
printf("\nCreating Raw TCP Socket...");
if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==SOCKET_ERROR)
{
printf("Creation of raw socket failed.");
return 0;
}
printf("Raw TCP Socket Created successfully.");
////////////////////////////////////////////////

//Put Socket in RAW Mode.
printf("\nSetting the socket in RAW mode...");
if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval))==SOCKET_ERROR)
{
printf("failed to set socket in raw mode.");
return 0;
}
printf("Successful.");
////////////////////////////////////////////////

//Target Hostname
printf("\nEnter hostname : ");
gets(host);
printf("\nResolving Hostname...");
if((server=gethostbyname(host))==0)
{
printf("Unable to resolve.");
return 0;
}
dest.sin_family = AF_INET;
dest.sin_port = htons(50000); //your destination port
memcpy(&dest.sin_addr.s_addr,server->h_addr,server->h_length);
printf("Resolved.");
/////////////////////////////////////////////////

printf("\nEnter Source IP : ");
gets(source_ip);

v4hdr = (IPV4_HDR *)buf; //lets point to the ip header portion
v4hdr->ip_version=4;
v4hdr->ip_header_len=5;
v4hdr->ip_tos = 0;
v4hdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) + payload );
v4hdr->ip_id = htons(2);
v4hdr->ip_frag_offset = 0;
v4hdr->ip_frag_offset1 = 0;
v4hdr->ip_reserved_zero = 0;
v4hdr->ip_dont_fragment = 1;
v4hdr->ip_more_fragment = 0;
v4hdr->ip_ttl = 8;
v4hdr->ip_protocol = IPPROTO_TCP;
v4hdr->ip_srcaddr = inet_addr(source_ip);
v4hdr->ip_destaddr = inet_addr(inet_ntoa(dest.sin_addr));
v4hdr->ip_checksum = 0;

tcphdr = (TCP_HDR *)&buf[sizeof(IPV4_HDR)]; //get the pointer to the tcp header in the packet

tcphdr->source_port = htons(1234);
tcphdr->dest_port = htons(50000);

tcphdr->cwr=0;
tcphdr->ecn=1;
tcphdr->urg=0;
tcphdr->ack=0;
tcphdr->psh=0;
tcphdr->rst=1;
tcphdr->syn=0;
tcphdr->fin=0;
tcphdr->ns=1;

tcphdr->checksum = 0;

// Initialize the TCP payload to some rubbish
data = &buf[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
memset(data, '^', payload);

printf("\nSending packet...\n");

while(!_kbhit())
{
printf(" %d packets send\r",k++);
if((sendto(s , buf , sizeof(IPV4_HDR)+sizeof(TCP_HDR) + payload, 0,
(SOCKADDR *)&dest, sizeof(dest)))==SOCKET_ERROR)
{

printf("Error sending Packet : %d",WSAGetLastError());
break;
}
}

return 0;
}

VC++ can be used to compile this code. Simply create a project and put this file in it and click run.