The simple steps would be :
1. Start a loop for the port number range to be scanned.
2. Create a Socket inside the loop.
3. Call the connect function using the socket and the port number to connect to the host.
4. If connect returns SOCKET_ERROR then the connection failed hence port closed, otherwise connection established and port open.

The following code does the same. It should be noted that it scans only TCP ports. For a linux version of the same code view this post.

Code :

/*
 TCP Connect portscanner with winsock
*/

#include<stdio.h>
#include<winsock2.h>
#pragma comment(lib, "ws2_32.lib"); //To link the winsock library  

int main(int argc, char **argv)
{
 WSADATA firstsock;
 SOCKET s;
 struct hostent *host;
 int err,i, startport , endport;
 struct sockaddr_in sa; //this stores the destination address
 char hostname[100];

 strncpy((char *)&sa,"",sizeof sa);
 sa.sin_family = AF_INET; //this line must be like this coz internet

 //Initialise winsock
 if (WSAStartup(MAKEWORD(2,0),&firstsock) != 0)  //CHECKS FOR WINSOCK VERSION 2.0
 {
  fprintf(stderr,"WSAStartup() failed"); //print formatted data specify stream and options
  exit(EXIT_FAILURE);        //or exit(1);
 } 

 printf("Enter hostname or ip to scan : ");
 gets(hostname);

 printf("Enter starting port : ");
 scanf("%d" , &startport);

 printf("Enter ending port : ");
 scanf("%d" , &endport);

 if(isdigit(hostname[0]))
 {
  printf("Doing inet_addr...");
  sa.sin_addr.s_addr = inet_addr(hostname); //get ip into s_addr
  printf("Done\n");
 }
 else if( (host=gethostbyname(hostname)) != 0)
 {
  printf("Doing gethostbyname()...");
  strncpy((char *)&sa.sin_addr , (char *)host->h_addr_list[0] , sizeof sa.sin_addr);
  printf("Done\n");
 }
 else
 {
    printf("Error resolving hostname");
       exit(EXIT_FAILURE);
 }

 //Start the portscan loop
 printf("Starting the scan loop...\n");
 for(i = startport ; i<= endport ; i++)
 {

  s = socket(AF_INET , SOCK_STREAM , 0); //make net a valid socket handle
  if(s < 0)  //if not a socket
  {
   perror("\nSocket creation failed");  // perror function prints an error message to stderr
   exit(EXIT_FAILURE);       //or exit(0);
  }

  sa.sin_port = htons(i);
  //connect to the server with that socket
  err = connect(s , (struct sockaddr *)&sa , sizeof sa);

  if(err == SOCKET_ERROR) //connection not accepted
  {
   printf("%s %-5d Winsock Error Code : %d\n" , hostname , i , WSAGetLastError());
   fflush(stdout);
  }
  else  //connection accepted
  {
   printf("%s %-5d accepted            \n" , hostname , i);
   if( shutdown( s ,SD_BOTH ) == SOCKET_ERROR )
   {
    perror("\nshutdown");// perror function prints an error message to stderr
    exit(EXIT_FAILURE);
   }
  }
  closesocket(s);   //closes the net socket
 }

 fflush(stdout); //clears the contents of a buffer or flushes a stream
 return(0);
}

The above can be compiled with vc++ 6.0 for example. Simply create a project and add this file to the project and click run.

Raw means we have to cook the whole packet ourselves. A TCP packet for example consists of:
1. Ethernet header
2. IP header
3. TCP header
4. The data supposed to be send

Each header has its own job to do in the whole transmission process.

Code :

u_char packet[65536];
char *dump = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

Winpcap gives us one function called pcap_sendpacket() to throw the packet on the network adapter which forwards it. We have to responsibly construct the ethernet , ip and tcp headers and attach the data.

1. Ethernet header looks like

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |       Ethernet destination address (first 32 bits)            |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Ethernet dest (last 16 bits)  |Ethernet source (first 16 bits)|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |       Ethernet source address (last 32 bits)                  |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |        Type code              |                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Ethernet destination address is the mac-address of the primary gateway of the network interface being used.
Ethernet source is the mac-address of the network interface itself.
Type field determines the type of the packet e.g. IP , ARP etc.

Now our first task is to get the source and destination mac address.
Winpcap gives the ip-addresses of all available network interfaces that can be used.

now if srcip has the source ip in in_addr or long format then we can get the mac-address of this ip address using the function

GetMacAddress(s_mac , srcip);
printf("Selected device has mac address : %.2X-%.2X-%.2X-%.2X-%.2X-%.2X",s_mac[0],s_mac[1],s_mac[2],s_mac[3],s_mac[4],s_mac[5]);

GetMacAddress is like :

void GetMacAddress(unsigned char *mac , in_addr destip) {
    DWORD ret;
    in_addr srcip;
    ULONG MacAddr[2];
    ULONG PhyAddrLen = 6;  /* default to length of six bytes */

    srcip.s_addr=0;

    //Now print the Mac address also
    ret = SendArp(destip , srcip , MacAddr , &PhyAddrLen);
    if(PhyAddrLen) {
        BYTE *bMacAddr = (BYTE *) & MacAddr;
        for (int i = 0; i < (int) PhyAddrLen; i++)
            mac[i] = (char)bMacAddr[i];
    }
}

SendArp is the method that is used to retrieve the “mac-address of a IP” ;simple!
The above demonstration is mostly self-explaining. We got the mac-address of the network interface we want to use. Next we need the IP address of the primary gateway of this interface and then it mac-address.

GetGateway gets the gateway :

void GetGateway(struct in_addr ip , char *sgatewayip , int *gatewayip) {
    char pAdapterInfo[5000];
    PIP_ADAPTER_INFO  AdapterInfo;
    ULONG OutBufLen = sizeof(pAdapterInfo) ;

    GetAdaptersInfo((PIP_ADAPTER_INFO) pAdapterInfo, &OutBufLen);
    for(AdapterInfo = (PIP_ADAPTER_INFO)pAdapterInfo; AdapterInfo ; AdapterInfo = AdapterInfo->Next) {
        if(ip.s_addr == inet_addr(AdapterInfo->IpAddressList.IpAddress.String))
     strcpy(sgatewayip , AdapterInfo->GatewayList.IpAddress.String);
    }
    *gatewayip = inet_addr(sgatewayip);
}

GetAdaptersInfo is the function that retrieves a lot of information about a adapter.
This and SendArp are inside iphlpapi.dll ; IP helper api which we shall load and get the function pointers inside!

Buzz!

void loadiphlpapi() {
    HINSTANCE hDll = LoadLibrary("iphlpapi.dll");

    GetAdaptersInfo = (pgetadaptersinfo)GetProcAddress(hDll,"GetAdaptersInfo");
    if(GetAdaptersInfo==NULL)
        printf("Error in iphlpapi.dll%d",GetLastError());
    SendArp = (psendarp)GetProcAddress(hDll,"SendARP");
    if(SendArp==NULL)
 printf("Error in iphlpapi.dll%d",GetLastError());
}

So by now the source-ip , its mac-address , primary-gateway-mac should be into their respective variables. So now we have enough information to build our ethernet header.

Enjoy!

ETHER_HDR *ehdr;
    memcpy(ehdr->source , s_mac , 6); //Source Mac address
    memcpy(ehdr->dest,d_mac,6); //Destination MAC address
    ehdr->type = htons(0x0800); //IP Frames

Next comes the IP Header

RFC 791 gives the structure of an IP header as:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

and our structure for this header :

typedef struct ip_hdr
{
    unsigned char  ip_header_len:4;  // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)
    unsigned char  ip_version   :4;  // 4-bit IPv4 version
    unsigned char  ip_tos;           // IP type of service
    unsigned short ip_total_length;  // Total length
    unsigned short ip_id;            // Unique identifier 

    unsigned char  ip_frag_offset   :5;        // Fragment offset field

    unsigned char  ip_more_fragment :1;
    unsigned char  ip_dont_fragment :1;
    unsigned char  ip_reserved_zero :1;

    unsigned char  ip_frag_offset1;    //fragment offset

    unsigned char  ip_ttl;           // Time to live
    unsigned char  ip_protocol;      // Protocol(TCP,UDP etc)
    unsigned short ip_checksum;      // IP checksum
    unsigned int   ip_srcaddr;       // Source address
    unsigned int   ip_destaddr;      // Source address
}   IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR , IPHeader;

and then the TCP Header

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

and our structure for this header :

// TCP header
typedef struct tcp_header
{
 unsigned short source_port;   // source port
 unsigned short dest_port;     // destination port
 unsigned int sequence;        // sequence number - 32 bits
 unsigned int acknowledge;     // acknowledgement number - 32 bits

 unsigned char ns :1;          //Nonce Sum Flag Added in RFC 3540.
 unsigned char reserved_part1:3; //according to rfc
 unsigned char data_offset:4;    /*The number of 32-bit words
                                   in the TCP header.
                                   This indicates where the data begins.
                                   The length of the TCP header
                                   is always a multiple
                                   of 32 bits.*/

 unsigned char fin :1; //Finish Flag
 unsigned char syn :1; //Synchronise Flag
 unsigned char rst :1; //Reset Flag
 unsigned char psh :1; //Push Flag
 unsigned char ack :1; //Acknowledgement Flag
 unsigned char urg :1; //Urgent Flag

 unsigned char ecn :1; //ECN-Echo Flag
 unsigned char cwr :1; //Congestion Window Reduced Flag

 ////////////////////////////////

 unsigned short window; // window
 unsigned short checksum; // checksum
 unsigned short urgent_pointer; // urgent pointer
} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER;

Now the headers can be build easily :

// *******************  IP Header *****************
    iphdr = (PIPV4_HDR)(packet + sizeof(ETHER_HDR));

    iphdr->ip_version = 4;
    iphdr->ip_header_len = 5; //In double words thats 4 bytes
    iphdr->ip_tos = 0;
    iphdr->ip_total_length = htons (sizeof(IPV4_HDR) + sizeof(TCP_HDR) + strlen(dump));
    iphdr->ip_id = htons(2);
    iphdr->ip_frag_offset = 0;
    iphdr->ip_reserved_zero=0;
    iphdr->ip_dont_fragment=1;
    iphdr->ip_more_fragment=0;
    iphdr->ip_frag_offset1 = 0;
    iphdr->ip_ttl    = 3;
    iphdr->ip_protocol = IPPROTO_TCP;
    iphdr->ip_srcaddr  = inet_addr("1.2.3.4");   //srcip.s_addr;
    iphdr->ip_destaddr = inet_addr("1.2.3.5");
    iphdr->ip_checksum =0;
    iphdr->ip_checksum = in_checksum((unsigned short*)iphdr, sizeof(IPV4_HDR));

    // *******************  TCP Header *****************
    tcphdr = (PTCP_HDR)(packet + sizeof(ETHER_HDR) + sizeof(IPV4_HDR));

    tcphdr->source_port = htons(SOURCE_PORT);
    tcphdr->dest_port = htons(80);
    tcphdr->sequence=0;
    tcphdr->acknowledge=0;
    tcphdr->reserved_part1=0;
    tcphdr->data_offset=5;
    tcphdr->fin=0;
    tcphdr->syn=1;
    tcphdr->rst=0;
    tcphdr->psh=0;
    tcphdr->ack=0;
    tcphdr->urg=0;
    tcphdr->ecn=0;
    tcphdr->cwr=0;
    tcphdr->window = htons(64240);
    tcphdr->checksum=0;
    tcphdr->urgent_pointer = 0;

almost done

data = (char*)(packet + sizeof(ETHER_HDR) + sizeof(IPV4_HDR) + sizeof(TCP_HDR));
strcpy(data,dump);

pcap_sendpacket(fp , packet , sizeof(ETHER_HDR) + sizeof(IPV4_HDR) + sizeof(TCP_HDR) + strlen(dump));

Thats should send the packet. Use Ethereal to check whether the packet was successfully transmitted. The above was an example of a TCP packet, similarly UDP ICMP or any other packet can be build.

Source Code :
Download

This basic technique is called TCP Connect Port Scanning in which we use something like a loop to connect to ports one by one and check for valid connections on the socket. But this technique has many drawbacks.

Its no new fact that when we type a web address in our browser a dns request is immediately send by our browser to a DNS server to get the IP address of that web address.In winsock applications we achieve this by gethostbyname() and things are pretty simple.In this article we shall do this simple thing without the help of gethostbyname().We shall be sending DNS queries and receive the reply and extract the ipv4 address of the specified hostname.

RFC 1035 shows the structure of DNS message as follows

+---------------------+
| Header              |
+---------------------+
| Question            | the question for the name server
+---------------------+
| Answer              | RRs answering the question
+---------------------+
| Authority           | RRs pointing toward an authority
+---------------------+
| Additional          | RRs holding additional information
+---------------------+

Pretty simple to understand that queries wont have the answer, authority and additional fields.Packets are ofcourse UDP and DNS servers feel comfortable to operate on port 53. So the first thing is to send a query containing the hostname.

Next task is to receive the reply which is expected to contain the information we are expecting. DNS queries are used for a variety of purpose. Apart from getting the ipv4 address of a host we also use DNS for getting the mail exchange/server of a specified domain and etc. All type of queries and response packets are build nearly on the same structure depicted above.

When a DNS server replies it sends the question as it is and along with that are a bunch of RR’s or resource records.All RR’s stand in a queue and certain fields of the header tell that how many of the RR’s are answers , how many authority and how many additionals.

This is the structure of a DNS header :

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     ID                        |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR| Opcode    |AA|TC|RD|RA| Z      |  RCODE    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   QDCOUNT                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   ANCOUNT                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   NSCOUNT                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   ARCOUNT                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

ID :the identifier
QDCOUNT : how many question are there in the packet.
ANCOUNT : how many answers in the RR queue.
NSCOUNT : Authority RR count
ARCOUNT : Additional Count

for explanation of the other fields lookup the RFC

A DNS packet typically looks like this Header-Query-RR-RR-RR-RR-RR-RR……..……..

A Query structure looks like this

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                                               |
/                    QNAME                      /
/                                               /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QTYPE                      |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QCLASS                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Note : QNAME is a variable length field to fit the hostname
QCLASS should be 1 since we are on internet
QTYPE determines what you want to know ; ipv4 address , mx etc.

Resource Record(RR) field looks like this

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                                               |
/                                               /
/                     NAME                      /
|                                               |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     TYPE                      |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     CLASS                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     TTL                       |
|                                               |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                  RDLENGTH                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
/                     RDATA                     /
/                                               /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Note again : NAME and RDATA are variable length field

Type field tells how RDATA relates to NAME. e.g. if TYPE is 1 then RDATA
contains the ipv4 address of the NAME.

That’s all about the structures we need.

Now some more food for thought:

1. In DNS query and responses www.google.com is represented as
3www6google3com0 <<hope you got it
if u didnt get that send me a mail

2. And there is a compression scheme followed which is like this -> if
google.com were to occur 10 times in the packet then it will written as
google.com for the first time and after that a pointer will be placed at every
next occurence of google.com to the position offset of the beginning of the
first occurence.The starting of the dns header being the offset 0. For example
if www.google.com is written starting at a offset of say 12 and some where later
ns.google.com is to be written then it will be written as ns.16 which means
point to offset 16(where g of google is).To implement this pointer technique 2
bytes are used where the first 2 bits are 1 and the rest 14 bits are the
offset.so for 16 as offset the number u wud need is 1100000000000000 + 1000 <<thats
it.

Code

The structure for DNS header

typedef struct
{
unsigned short id;       // identification number
unsigned char rd :1;     // recursion desired
unsigned char tc :1;     // truncated message
unsigned char aa :1;     // authoritive answer
unsigned char opcode :4; // purpose of message
unsigned char qr :1;     // query/response flag
unsigned char rcode :4;  // response code
unsigned char cd :1;     // checking disabled
unsigned char ad :1;     // authenticated data
unsigned char z :1;      // its z! reserved
unsigned char ra :1;     // recursion available
unsigned short q_count;  // number of question entries
unsigned short ans_count; // number of answer entries
unsigned short auth_count; // number of authority entries
unsigned short add_count; // number of resource entries
} DNS_HEADER;

Structure for the query ( we wont keep the name in this structure since size
is variable)

typedef struct
{
unsigned short qtype;
unsigned short qclass;
} QUESTION;

Resource Record

typedef struct
{
unsigned short type;
unsigned short _class;
unsigned int ttl;
unsigned short data_len;
} R_DATA;

Once again name and rdata have been kept out.
These two structures will help

typedef struct
{
unsigned char *name;
R_DATA *resource;
unsigned char *rdata;
} RES_RECORD;

typedef struct
{
unsigned char *name;
QUESTION *ques;
} QUERY;

The working will be like

SOCKET s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); //UDP packet for DNS queries
RES_RECORD answers[20],auth[20],addit[20]; //the replies from the DNS server
sockaddr_in dest;

dest.sin_family=AF_INET;

dest.sin_port=htons(53);
dest.sin_addr.s_addr=inet_addr(dns_servers[0]); //use the first dns server

unsigned char buf[65536],*qname,*reader;
DNS_HEADER *dns = NULL;
QUESTION *qinfo = NULL;

//Set the DNS structure to standard queries
dns=(DNS_HEADER*)&buf;

//set up the header
dns->id = (unsigned short)htons(GetCurrentProcessId());
dns->qr = 0; //This is a query
dns->opcode = 0; //This is a standard query
dns->aa = 0; //Not Authoritative
dns->tc = 0; //This message is not truncated
dns->rd = 1; //Recursion Desired
dns->ra = 0; //Recursion not available! hey we dont have it (lol)
dns->z = 0;
dns->ad = 0;
dns->cd = 0;
dns->rcode = 0;
dns->q_count = htons(1); //we have only 1 question
dns->ans_count = 0;
dns->auth_count = 0;
dns->add_count = 0;

//point to the query portion
qname =(unsigned char*)&buf[sizeof(DNS_HEADER)];
ChangetoDnsNameFormat(qname,host);

qinfo =(QUESTION*)&buf[sizeof(DNS_HEADER) + (strlen((const char*)qname) + 1)];

//fill it
qinfo->qtype = htons(1); //we are requesting the ipv4 address
qinfo->qclass = htons(1); //its internet (lol)

sendto(s,(char*)buf,sizeof(DNS_HEADER) + (strlen((const char*)qname)+1) +
sizeof(QUESTION),0,(sockaddr*)&dest,sizeof(dest))==SOCKET_ERROR)
int i=sizeof(dest);
recvfrom (s,(char*)buf,65536,0,(sockaddr*)&dest,&i);
dns=(DNS_HEADER*)buf;

//move ahead of the dns header and the query field
reader=&buf[sizeof(DNS_HEADER) + (strlen((const char*)qname)+1) +
sizeof(QUESTION)];

printf("nThe response contains : ");
printf("n %d Questions.",ntohs(dns->q_count));
printf("n %d Answers.",ntohs(dns->ans_count));
printf("n %d Authoritative Servers.",ntohs(dns->auth_count));
printf("n %d Additional records.nn",ntohs(dns->add_count));

//reading answers
int stop=0;
for(i=0;i<ntohs(dns->ans_count);i++)
{
answers[i].name=ReadName(reader,buf,stop);
reader+=stop;
answers[i].resource=(R_DATA*)(reader);
reader+=sizeof(R_DATA);
if(ntohs(answers[i].resource->type)==1)
{
    answers[i].rdata=new unsigned char[ntohs(answers[i].resource->data_len)];
    for(int j=0;j<ntohs(answers[i].resource->data_len);j++)
        answers[i].rdata[j]=reader[j];
    answers[i].rdata[ntohs(answers[i].resource->data_len)]='';
    reader+=ntohs(answers[i].resource->data_len);
}
else
{
    answers[i].rdata=ReadName(reader,buf,stop);
    reader+=stop;
}
}

and so on….
The IP address in the rdata section will be as numbers which must be converted
to a string and then to the dotted format using inet_ntoa like this

sockaddr_in a;
long *p;
p=(long*)addit[i].rdata;
a.sin_addr.s_addr=(*p);
printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));

Authority RR’s and Additional RR’s need to be read just like we read Answer
RR’s ChangetoDnsNameFormat(qname,host) function will convert the normal
www.google.com in host to 3www6google3com0 and store the result in qname.

The ReadName() functions reads a NAME for query and RR blocks keeping in mind
the compression strategy.

Another function RetrieveDnsServersFromRegistry() in dns.cpp retrieves the DNS
server IP’s stored in the system. DNS servers are stored in the registry.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces
contains the subkeys for the interfaces and each may contain a field called
nameserver whose value will have the dns server fed by either you or stored
dynamically in case of dialup connections.multiple DNS ip’s may be present in
one nameserver entry and then they are separated by a comma or simply a space.

dfelippa read this post on codeproject and suggested and made some improvements to the code which include :

1. Better memory management
2. Support for MX Query

He modified the code and put it up at :

http://www.infologika.com.br/public/dnsquery_main.cpp

Check it out!

Source Code :
Windows :

//DNS Query Program
//Author : Prasshhant Pugalia (prasshhant.p@gmail.com)
//Dated : 26/2/2007

//Header Files
#include "winsock2.h"
#include "windows.h"
#include "stdio.h"
#include "conio.h"

#pragma comment(lib,"ws2_32.lib") //Winsock Library

//List of DNS Servers registered on the system
char dns_servers[10][100];

//Type field of Query and Answer
#define T_A 1 /* host address */
#define T_NS 2 /* authoritative server */
#define T_CNAME 5 /* canonical name */
#define T_SOA 6 /* start of authority zone */
#define T_PTR 12 /* domain name pointer */
#define T_MX 15 /* mail routing information */

//Function Prototypes
void ngethostbyname (unsigned char*);
void ChangetoDnsNameFormat (unsigned char*,unsigned char*);
unsigned char* ReadName (unsigned char*,unsigned char*,int*);
void RetrieveDnsServersFromRegistry(void);
unsigned char* PrepareDnsQueryPacket (unsigned char*);

//DNS header structure
struct DNS_HEADER
{
unsigned short id; // identification number

unsigned char rd :1; // recursion desired
unsigned char tc :1; // truncated message
unsigned char aa :1; // authoritive answer
unsigned char opcode :4; // purpose of message
unsigned char qr :1; // query/response flag

unsigned char rcode :4; // response code
unsigned char cd :1; // checking disabled
unsigned char ad :1; // authenticated data
unsigned char z :1; // its z! reserved
unsigned char ra :1; // recursion available

unsigned short q_count; // number of question entries
unsigned short ans_count; // number of answer entries
unsigned short auth_count; // number of authority entries
unsigned short add_count; // number of resource entries
};

//Constant sized fields of query structure
struct QUESTION
{
unsigned short qtype;
unsigned short qclass;
};

//Constant sized fields of the resource record structure
#pragma pack(push, 1)
struct R_DATA
{
unsigned short type;
unsigned short _class;
unsigned int ttl;
unsigned short data_len;
};
#pragma pack(pop)

//Pointers to resource record contents
struct RES_RECORD
{
unsigned char *name;
struct R_DATA *resource;
unsigned char *rdata;
};

//Structure of a Query
typedef struct
{
unsigned char *name;
struct QUESTION *ques;
} QUERY;

int main() //do you know what is int main() ?
{
unsigned char hostname[100];

WSADATA firstsock;

RetrieveDnsServersFromRegistry();

printf("\nInitialising Winsock...");
if (WSAStartup(MAKEWORD(2,2),&firstsock) != 0)
{
printf("Failed. Error Code : %d",WSAGetLastError());
return 1;
}
printf("Initialised.");

printf("\nEnter Hostname to Lookup : ");
gets((char*)hostname);
ngethostbyname(hostname);

_getch();
return 0;
}

void ngethostbyname(unsigned char *host)
{
unsigned char buf[65536],*qname,*reader;
int i , j , stop;

SOCKET s;
struct sockaddr_in a;

struct RES_RECORD answers[20],auth[20],addit[20]; //the replies from the DNS server
struct sockaddr_in dest;

struct DNS_HEADER *dns = NULL;
struct QUESTION *qinfo = NULL;

s = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); //UDP packet for DNS queries

dest.sin_family=AF_INET;
dest.sin_port=htons(53);
dest.sin_addr.s_addr=inet_addr(dns_servers[0]); //dns servers

//Set the DNS structure to standard queries
dns = (struct DNS_HEADER *)&buf;

dns->id = (unsigned short) htons(GetCurrentProcessId());
dns->qr = 0; //This is a query
dns->opcode = 0; //This is a standard query
dns->aa = 0; //Not Authoritative
dns->tc = 0; //This message is not truncated
dns->rd = 1; //Recursion Desired
dns->ra = 0; //Recursion not available! hey we dont have it (lol)
dns->z = 0;
dns->ad = 0;
dns->cd = 0;
dns->rcode = 0;
dns->q_count = htons(1); //we have only 1 question
dns->ans_count = 0;
dns->auth_count = 0;
dns->add_count = 0;

//point to the query portion
qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];

ChangetoDnsNameFormat(qname,host);
qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)]; //fill it

qinfo->qtype = htons(1); //we are requesting the ipv4 address
qinfo->qclass = htons(1); //its internet (lol)

printf("\nSending Packet...");
if(sendto(s,(char*)buf,sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION),0,(struct sockaddr*)&dest,sizeof(dest))==SOCKET_ERROR)
{
printf("%d error",WSAGetLastError());
}
printf("Sent");

i=sizeof(dest);
printf("\nReceiving answer...");
if(recvfrom (s,(char*)buf,65536,0,(struct sockaddr*)&dest,&i)==SOCKET_ERROR)
{
printf("Failed. Error Code : %d",WSAGetLastError());
}
printf("Received.");

dns=(struct DNS_HEADER*)buf;

//move ahead of the dns header and the query field
reader=&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION)];

printf("\nThe response contains : ");
printf("\n %d Questions.",ntohs(dns->q_count));
printf("\n %d Answers.",ntohs(dns->ans_count));
printf("\n %d Authoritative Servers.",ntohs(dns->auth_count));
printf("\n %d Additional records.\n\n",ntohs(dns->add_count));

//reading answers
stop=0;

for(i=0;i<ntohs(dns->ans_count);i++)
{
answers[i].name=ReadName(reader,buf,&stop);
reader = reader + stop;

answers[i].resource = (struct R_DATA*)(reader);
reader = reader + sizeof(struct R_DATA);

if(ntohs(answers[i].resource->type) == 1) //if its an ipv4 address
{
answers[i].rdata = (unsigned char*)malloc(ntohs(answers[i].resource->data_len));

for(j=0 ; j<ntohs(answers[i].resource->data_len) ; j++)
answers[i].rdata[j]=reader[j];

answers[i].rdata[ntohs(answers[i].resource->data_len)] = '\0';

reader = reader + ntohs(answers[i].resource->data_len);

}
else
{
answers[i].rdata = ReadName(reader,buf,&stop);
reader = reader + stop;
}

}

//read authorities
for(i=0;i<ntohs(dns->auth_count);i++)
{
auth[i].name=ReadName(reader,buf,&stop);
reader+=stop;

auth[i].resource=(struct R_DATA*)(reader);
reader+=sizeof(struct R_DATA);

auth[i].rdata=ReadName(reader,buf,&stop);
reader+=stop;
}

//read additional
for(i=0;i<ntohs(dns->add_count);i++)
{
addit[i].name=ReadName(reader,buf,&stop);
reader+=stop;

addit[i].resource=(struct R_DATA*)(reader);
reader+=sizeof(struct R_DATA);

if(ntohs(addit[i].resource->type)==1)
{
addit[i].rdata = (unsigned char*)malloc(ntohs(addit[i].resource->data_len));
for(j=0;j<ntohs(addit[i].resource->data_len);j++)
addit[i].rdata[j]=reader[j];

addit[i].rdata[ntohs(addit[i].resource->data_len)]='\0';
reader+=ntohs(addit[i].resource->data_len);

}
else
{
addit[i].rdata=ReadName(reader,buf,&stop);
reader+=stop;
}
}

//print answers
for(i=0;i<ntohs(dns->ans_count);i++)
{
//printf("\nAnswer : %d",i+1);
printf("Name : %s ",answers[i].name);

if(ntohs(answers[i].resource->type)==1) //IPv4 address
{

long *p;
p=(long*)answers[i].rdata;
a.sin_addr.s_addr=(*p); //working without ntohl
printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));
}
if(ntohs(answers[i].resource->type)==5) //Canonical name for an alias
printf("has alias name : %s",answers[i].rdata);

printf("\n");
}

//print authorities
for(i=0;i<ntohs(dns->auth_count);i++)
{
//printf("\nAuthorities : %d",i+1);
printf("Name : %s ",auth[i].name);
if(ntohs(auth[i].resource->type)==2)
printf("has authoritative nameserver : %s",auth[i].rdata);
printf("\n");
}

//print additional resource records
for(i=0;i<ntohs(dns->add_count);i++)
{
//printf("\nAdditional : %d",i+1);
printf("Name : %s ",addit[i].name);
if(ntohs(addit[i].resource->type)==1)
{
long *p;
p=(long*)addit[i].rdata;
a.sin_addr.s_addr=(*p); //working without ntohl
printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));
}
printf("\n");
}

return;
}

unsigned char* ReadName(unsigned char* reader,unsigned char* buffer,int* count)
{
unsigned char *name;
unsigned int p=0,jumped=0,offset;
int i , j;

*count = 1;
name = (unsigned char*)malloc(256);

name[0]='\0';

//read the names in 3www6google3com format
while(*reader!=0)
{
if(*reader>=192)
{
offset = (*reader)*256 + *(reader+1) - 49152; //49152 = 11000000 00000000 
reader = buffer + offset - 1;
jumped = 1; //we have jumped to another location so counting wont go up!
}
else
name[p++]=*reader;

reader=reader+1;

if(jumped==0) *count = *count + 1; //if we havent jumped to another location then we can count up
}

name[p]='\0'; //string complete
if(jumped==1) *count = *count + 1; //number of steps we actually moved forward in the packet

//now convert 3www6google3com0 to www.google.com
for(i=0;i<(int)strlen((const char*)name);i++)
{
p=name[i];
for(j=0;j<(int)p;j++)
{
name[i]=name[i+1];
i=i+1;
}
name[i]='.';
}
name[i-1]='\0'; //remove the last dot
return name;
}

//Retrieve the DNS servers from the registry
void RetrieveDnsServersFromRegistry()
{
HKEY hkey=0;
char name[256];
char *path="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces";
char *fullpath[256];
unsigned long s=sizeof(name);
int dns_count=0 , err , i , j;
HKEY inter;
unsigned long count;

//Open the registry folder
RegOpenKeyEx(HKEY_LOCAL_MACHINE , path , 0 , KEY_READ , &hkey );

//how many interfaces
RegQueryInfoKey(hkey, 0 , 0 , 0 , &count , 0 , 0 , 0 , 0 , 0 , 0 , 0 );

for(i=0;i<count;i++)
{
s=256;
//Get the interface subkey name
RegEnumKeyEx(hkey , i , (char*)name , &s , 0 , 0 , 0 , 0 );

//Make the full path
strcpy((char*)fullpath,path);
strcat((char*)fullpath,"\\");
strcat((char*)fullpath,name);

//Open the full path name
RegOpenKeyEx(HKEY_LOCAL_MACHINE , (const char*)fullpath , 0 , KEY_READ , &inter );

//Extract the value in Nameserver field
s=256;
err=RegQueryValueEx(inter , "NameServer" , 0 , 0 , (unsigned char*)name , &s );

if(err==ERROR_SUCCESS && strlen(name)>0) strcpy(dns_servers[dns_count++],name);
}

for(i=0;i<dns_count;i++)
{
for(j=0;j<strlen(dns_servers[i]);j++)
{
if(dns_servers[i][j]==',' || dns_servers[i][j]==' ')
{
strcpy(dns_servers[dns_count++],dns_servers[i]+j+1);
dns_servers[i][j]=0;
}
}
}

printf("\nThe following DNS Servers were found on your system...");
for(i=0;i<dns_count;i++)
{
printf("\n%d) %s",i+1,dns_servers[i]);
}
}

//this will convert www.google.com to 3www6google3com ;got it 
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)
{
int lock=0 , i;

strcat((char*)host,".");

for(i=0;i<(int)strlen((char*)host);i++)
{
if(host[i]=='.')
{
*dns++=i-lock;
for(;lock<i;lock++)
{
*dns++=host[lock];
}
lock++; //or lock=i+1;
}
}
*dns++='\0';
}

Linux :

//DNS Query Program on Linux
//Author : Prasshhant Pugalia (prasshhant.p@gmail.com)
//Dated : 29/4/2009

//Header Files
#include<stdio.h>
#include<sys/socket.h>
#include<netinet/in.h>

//List of DNS Servers registered on the system
char dns_servers[10][100];

//Type field of Query and Answer
#define T_A 1 /* host address */
#define T_NS 2 /* authoritative server */
#define T_CNAME 5 /* canonical name */
#define T_SOA 6 /* start of authority zone */
#define T_PTR 12 /* domain name pointer */
#define T_MX 15 /* mail routing information */

//Function Prototypes
void ngethostbyname (unsigned char*);
void ChangetoDnsNameFormat (unsigned char*,unsigned char*);
unsigned char* ReadName (unsigned char*,unsigned char*,int*);
void get_dns_servers();

//DNS header structure
struct DNS_HEADER
{
unsigned short id; // identification number

unsigned char rd :1; // recursion desired
unsigned char tc :1; // truncated message
unsigned char aa :1; // authoritive answer
unsigned char opcode :4; // purpose of message
unsigned char qr :1; // query/response flag

unsigned char rcode :4; // response code
unsigned char cd :1; // checking disabled
unsigned char ad :1; // authenticated data
unsigned char z :1; // its z! reserved
unsigned char ra :1; // recursion available

unsigned short q_count; // number of question entries
unsigned short ans_count; // number of answer entries
unsigned short auth_count; // number of authority entries
unsigned short add_count; // number of resource entries
};

//Constant sized fields of query structure
struct QUESTION
{
unsigned short qtype;
unsigned short qclass;
};

//Constant sized fields of the resource record structure
#pragma pack(push, 1)
struct R_DATA
{
unsigned short type;
unsigned short _class;
unsigned int ttl;
unsigned short data_len;
};
#pragma pack(pop)

//Pointers to resource record contents
struct RES_RECORD
{
unsigned char *name;
struct R_DATA *resource;
unsigned char *rdata;
};

//Structure of a Query
typedef struct
{
unsigned char *name;
struct QUESTION *ques;
} QUERY;

int main()
{
unsigned char hostname[100];

//Get the DNS servers from the resolv.conf file
get_dns_servers();
//Get the hostname
printf("\nEnter Hostname to Lookup : ");
gets((char*)hostname);
//Now get the ip of this hostname
ngethostbyname(hostname);

return 0;
}

void ngethostbyname(unsigned char *host)
{
unsigned char buf[65536],*qname,*reader;
int i , j , stop , s;

struct sockaddr_in a;

struct RES_RECORD answers[20],auth[20],addit[20]; //the replies from the DNS server
struct sockaddr_in dest;

struct DNS_HEADER *dns = NULL;
struct QUESTION *qinfo = NULL;

s = socket(AF_INET , SOCK_DGRAM , IPPROTO_UDP); //UDP packet for DNS queries

dest.sin_family = AF_INET;
dest.sin_port = htons(53);
dest.sin_addr.s_addr = inet_addr(dns_servers[0]); //dns servers

//Set the DNS structure to standard queries
dns = (struct DNS_HEADER *)&buf;

dns->id = (unsigned short) htons(getpid());
dns->qr = 0; //This is a query
dns->opcode = 0; //This is a standard query
dns->aa = 0; //Not Authoritative
dns->tc = 0; //This message is not truncated
dns->rd = 1; //Recursion Desired
dns->ra = 0; //Recursion not available! hey we dont have it (lol)
dns->z = 0;
dns->ad = 0;
dns->cd = 0;
dns->rcode = 0;
dns->q_count = htons(1); //we have only 1 question
dns->ans_count = 0;
dns->auth_count = 0;
dns->add_count = 0;

//point to the query portion
qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];

ChangetoDnsNameFormat(qname , host);
qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)]; //fill it

qinfo->qtype = htons(1); //we are requesting the ipv4 address
qinfo->qclass = htons(1); //its internet (lol)

printf("\nSending Packet...");
if(sendto(s,(char*)buf,sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION),0,(struct sockaddr*)&dest,sizeof(dest)) == 0)
{
printf("Error sending socket");
}
printf("Sent");

i = sizeof dest;
printf("\nReceiving answer...");
if(recvfrom (s,(char*)buf,65536,0,(struct sockaddr*)&dest,&i) == 0)
{
printf("Failed. Error Code ");
}
printf("Received.");

dns = (struct DNS_HEADER*) buf;

//move ahead of the dns header and the query field
reader = &buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION)];

printf("\nThe response contains : ");
printf("\n %d Questions.",ntohs(dns->q_count));
printf("\n %d Answers.",ntohs(dns->ans_count));
printf("\n %d Authoritative Servers.",ntohs(dns->auth_count));
printf("\n %d Additional records.\n\n",ntohs(dns->add_count));

//reading answers
stop=0;

for(i=0;i<ntohs(dns->ans_count);i++)
{
answers[i].name=ReadName(reader,buf,&stop);
reader = reader + stop;

answers[i].resource = (struct R_DATA*)(reader);
reader = reader + sizeof(struct R_DATA);

if(ntohs(answers[i].resource->type) == 1) //if its an ipv4 address
{
answers[i].rdata = (unsigned char*)malloc(ntohs(answers[i].resource->data_len));

for(j=0 ; j<ntohs(answers[i].resource->data_len) ; j++)
answers[i].rdata[j]=reader[j];

answers[i].rdata[ntohs(answers[i].resource->data_len)] = '\0';

reader = reader + ntohs(answers[i].resource->data_len);
}
else
{
answers[i].rdata = ReadName(reader,buf,&stop);
reader = reader + stop;
}
}

//read authorities
for(i=0;i<ntohs(dns->auth_count);i++)
{
auth[i].name=ReadName(reader,buf,&stop);
reader+=stop;

auth[i].resource=(struct R_DATA*)(reader);
reader+=sizeof(struct R_DATA);

auth[i].rdata=ReadName(reader,buf,&stop);
reader+=stop;
}

//read additional
for(i=0;i<ntohs(dns->add_count);i++)
{
addit[i].name=ReadName(reader,buf,&stop);
reader+=stop;

addit[i].resource=(struct R_DATA*)(reader);
reader+=sizeof(struct R_DATA);

if(ntohs(addit[i].resource->type)==1)
{
addit[i].rdata = (unsigned char*)malloc(ntohs(addit[i].resource->data_len));
for(j=0;j<ntohs(addit[i].resource->data_len);j++)
addit[i].rdata[j]=reader[j];

addit[i].rdata[ntohs(addit[i].resource->data_len)]='\0';
reader+=ntohs(addit[i].resource->data_len);
}
else
{
addit[i].rdata=ReadName(reader,buf,&stop);
reader+=stop;
}
}

//print answers
for(i=0;i<ntohs(dns->ans_count);i++)
{
//printf("\nAnswer : %d",i+1);
printf("Name : %s ",answers[i].name);

if(ntohs(answers[i].resource->type)==1) //IPv4 address
{

long *p;
p=(long*)answers[i].rdata;
a.sin_addr.s_addr=(*p); //working without ntohl
printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));
}
if(ntohs(answers[i].resource->type)==5) //Canonical name for an alias
printf("has alias name : %s",answers[i].rdata);

printf("\n");
}

//print authorities
for(i=0;i<ntohs(dns->auth_count);i++)
{
//printf("\nAuthorities : %d",i+1);
printf("Name : %s ",auth[i].name);
if(ntohs(auth[i].resource->type)==2)
printf("has authoritative nameserver : %s",auth[i].rdata);
printf("\n");
}

//print additional resource records
for(i=0;i<ntohs(dns->add_count);i++)
{
//printf("\nAdditional : %d",i+1);
printf("Name : %s ",addit[i].name);
if(ntohs(addit[i].resource->type)==1)
{
long *p;
p=(long*)addit[i].rdata;
a.sin_addr.s_addr=(*p); //working without ntohl
printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));
}
printf("\n");
}
return;
}

unsigned char* ReadName(unsigned char* reader,unsigned char* buffer,int* count)
{
unsigned char *name;
unsigned int p=0,jumped=0,offset;
int i , j;

*count = 1;
name = (unsigned char*)malloc(256);

name[0]='\0';

//read the names in 3www6google3com format
while(*reader!=0)
{
if(*reader>=192)
{
offset = (*reader)*256 + *(reader+1) - 49152; //49152 = 11000000 00000000 
reader = buffer + offset - 1;
jumped = 1; //we have jumped to another location so counting wont go up!
}
else
name[p++]=*reader;

reader=reader+1;

if(jumped==0)
*count = *count + 1; //if we havent jumped to another location then we can count up
}

name[p]='\0'; //string complete
if(jumped==1)
*count = *count + 1; //number of steps we actually moved forward in the packet

//now convert 3www6google3com0 to www.google.com
for(i=0;i<(int)strlen((const char*)name);i++) {
p=name[i];
for(j=0;j<(int)p;j++) {
name[i]=name[i+1];
i=i+1;
}
name[i]='.';
}
name[i-1]='\0'; //remove the last dot
return name;
}

//Retrieve the DNS servers from the registry
void get_dns_servers()
{
/*
for(i=0;i<dns_count;i++)
{
for(j=0;j<strlen(dns_servers[i]);j++)
{
if(dns_servers[i][j]==',' || dns_servers[i][j]==' ')
{
strcpy(dns_servers[dns_count++],dns_servers[i]+j+1);
dns_servers[i][j]=0;
}
}
}

printf("\nThe following DNS Servers were found on your system...");
for(i=0;i<dns_count;i++)
{
printf("\n%d) %s",i+1,dns_servers[i]);
}
*/
strcpy(dns_servers[0],"208.67.222.222");
strcpy(dns_servers[1],"208.67.220.220");
}

//this will convert www.google.com to 3www6google3com ;got it 
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host) {
int lock = 0 , i;
strcat((char*)host,".");
for(i = 0 ; i < (int)strlen((char*)host) ; i++) {
if(host[i]=='.') {
*dns++=i-lock;
for(;lock<i;lock++) {
*dns++=host[lock];
}
lock++; //or lock=i+1;
}
}
*dns++='\0';
}

1. Create a raw socket.
2. Bind the socket to the local IP over which the traffic is to be sniffed.
3. WSAIoctl() the socket with SIO_RCVALL to give it sniffing powers.
4. Put the socket in an infinite loop of recvfrom.
5. n’ joy! the Buffer from recvfrom.

Now this feature of winsock is available on all 2000/XP and higher windows. But as usual drawbacks are there.If you have used sniffers like Ethereal then you would realise that ethernet header is not available in winsock sniffing.Secondly you can only sniff incoming data on XP and XP+SP1 but both incoming and outgoing on XP+SP1+SP2 (as far as i could see-actual behavior may vary).I have not checked higher versions of windows. Moreover non IP packets (e.g. arp) may not be captured at all.So if full fledged sniffing is required then packet drivers like winpcap should help.

In the following source code all packets are assumed to be IP packets. VC++ 6.0
on Win XP used here.

Code

SOCKET sniffer = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
bind(sniffer,(struct sockaddr *)&dest,sizeof(dest))
dest must have the details as follows :

memcpy(&dest.sin_addr.s_addr,local->h_addr_list[in],
sizeof(dest.sin_addr.s_addr));
dest.sin_family = AF_INET;
dest.sin_port = 0;
dest.sin_zero = 0;

where HOSTENT *local should have the local IPs

WSAIoctl(sniffer, SIO_RCVALL, &j, sizeof(j), 0, 0, &in,0, 0);

where j must be 1 and in can be any integer

while(1)
{
 recvfrom(sniffer,Buffer,65536,0,0,0); //ring-a-ring-a roses
}

To get the local IP’s associated with the machine all that needs to be done
is:

gethostname(hostname, sizeof(hostname); //its a char hostname[100] for local hostname
HOSTENT *local = gethostbyname(hostname); //now local will have all local ips

Now socket sniffer will receive all incoming packets along with their headers
and all that will be stored in the Buffer.After that some typecasting with
structures representing the headers will help.

typedef struct ip_hdr
{
 unsigned char  ip_header_len:4;  // 4-bit header length (in 32-bit words)
 unsigned char  ip_version   :4;  // 4-bit IPv4 version
 unsigned char  ip_tos;           // IP type of service
 unsigned short ip_total_length;  // Total length
 unsigned short ip_id;            // Unique identifier

 unsigned char  ip_frag_offset   :5; // Fragment offset field

 unsigned char  ip_more_fragment :1;
 unsigned char  ip_dont_fragment :1;
 unsigned char  ip_reserved_zero :1;

 unsigned char  ip_frag_offset1;    //fragment offset

 unsigned char  ip_ttl;           // Time to live
 unsigned char  ip_protocol;      // Protocol(TCP,UDP etc)
 unsigned short ip_checksum;      // IP checksum
 unsigned int   ip_srcaddr;       // Source address
 unsigned int   ip_destaddr;      // Source address
}   IPV4_HDR;

typedef struct udp_hdr
{
 unsigned short source_port;     // Source port no.
 unsigned short dest_port;       // Dest. port no.
 unsigned short udp_length;      // Udp packet length
 unsigned short udp_checksum;    // Udp checksum (optional)
}   UDP_HDR;

typedef struct tcp_header
{
 unsigned short source_port;  // source port
 unsigned short dest_port;    // destination port
 unsigned int   sequence;     // sequence number - 32 bits
 unsigned int   acknowledge;  // acknowledgement number - 32 bits

 unsigned char  ns   :1;          //Nonce Sum Flag Added in RFC 3540.
 unsigned char  reserved_part1:3; //according to rfc
 unsigned char  data_offset:4;    //number of dwords in the TCP header.

 unsigned char  fin  :1;      //Finish Flag
 unsigned char  syn  :1;      //Synchronise Flag
 unsigned char  rst  :1;      //Reset Flag
 unsigned char  psh  :1;      //Push Flag
 unsigned char  ack  :1;      //Acknowledgement Flag
 unsigned char  urg  :1;      //Urgent Flag

 unsigned char  ecn  :1;      //ECN-Echo Flag
 unsigned char  cwr  :1;      //Congestion Window Reduced Flag

 unsigned short window;          // window
 unsigned short checksum;        // checksum
 unsigned short urgent_pointer;  // urgent pointer
}   TCP_HDR;

typedef struct icmp_hdr
{
 BYTE type;          // ICMP Error type
 BYTE code;          // Type sub code
 USHORT checksum;
 USHORT id;
 USHORT seq;
}   ICMP_HDR;

The ip_protocol field of the ip header determines the type of the packet; for
e.g 1 means a icmp packet and 2-igmp 6-tcp 17-udp and so on.RFC 1340 should help
more. Another function in the source code is PrintData() which prints the data
dumps in a hex view fashion as done by other sniffers and looks like this :

IP Header
45 00 03 19 D8 17 00 00 FC 06 85 C0 42 F9 59 63       E...........B.Yc
C0 A8 01 02                                           ....
TCP Header
00 50 0C E4 D6 2B 77 70 9F 0D B1 8D 50 18 1A A8       .P...+wp....P...
71 C1 00 00                                           q...
Data Payload
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D       HTTP/1.1 200 OK.
0A 53 65 74 2D 43 6F 6F 6B 69 65 3A 20 47 6F 6F       .Set-Cookie: Goo
67 6C 65 41 63 63 6F 75 6E 74 73 4C 6F 63 61 6C       gleAccountsLocal
65 5F 73 65 73 73 69 6F 6E 3D 65 6E 0D 0A 53 65       e_session=en..Se
74 2D 43 6F 6F 6B 69 65 3A 20 53 49 44 3D 45 58       t-Cookie: SID=EX
50 49 52 45 44 3B 44 6F 6D 61 69 6E 3D 2E 67 6F       PIRED;Domain=.go
6F 67 6C 65 2E 63 6F 2E 69 6E 3B 50 61 74 68 3D       ogle.co.in;Path=
2F 3B 45 78 70 69 72 65 73 3D 4D 6F 6E 2C 20 30       /;Expires=Mon, 0
31 2D 4A 61 6E 2D 31 39 39 30 20 30 30 3A 30 30       1-Jan-1990 00:00
3A 30 30 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74       :00 GMT..Content
2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C       -Type: text/html
3B 20 63 68 61 72 73 65 74 3D 55 54 46 2D 38 0D       ; charset=UTF-8.
0A 43 61 63 68 65 2D 63 6F 6E 74 72 6F 6C 3A 20       .Cache-control:
70 72 69 76 61 74 65 0D 0A 43 6F 6E 74 65 6E 74       private..Content

……………….and so on To the right we only print the characters which are either
an alphabet or a number.Everything is saved in a log file named log.txt.

Conclusion

The source code demonstrates simple concepts which can be used to develop a
protocol analyzer like Ethereal.In the source code only tcp,udp and icmp packets
have been broken into fields and that too according to normal situations.
Variations in packet structures (for e.g. in case of icmp) are there to which
the program might give inaccurate results.So you have to develop the program in
the relevant way and implement all necessary error checking algorithms etc.
Minor changes in the source code will adapt it to the winpcap environment so
that everything on the wire can be sniffed!

Happy Sniffing!

Source Code :

//Author : Prasshhant Pugalia
//prashant.pugalia@gmail.com
//Simple Sniffer in winsock
//Sniffs only incoming packets//

#include "stdio.h"
#include "winsock2.h"

#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) //this removes the need of mstcpip.h

void StartSniffing (SOCKET Sock); //This will sniff here and there
void ProcessPacket (unsigned char* , int); //This will decide how to digest
void PrintIpHeader (unsigned char* , int);
void PrintIcmpPacket (unsigned char* , int);
void PrintUdpPacket (unsigned char* , int);
void PrintTcpPacket (unsigned char* , int);
void ConvertToHex (unsigned char* , unsigned int);
void PrintData (unsigned char* , int);

typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4; // 4-bit IPv4 version
unsigned char ip_tos; // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id; // Unique identifier

unsigned char ip_frag_offset :5; // Fragment offset field

unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;

unsigned char ip_frag_offset1; //fragment offset

unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR;

typedef struct udp_hdr
{
unsigned short source_port; // Source port no.
unsigned short dest_port; // Dest. port no.
unsigned short udp_length; // Udp packet length
unsigned short udp_checksum; // Udp checksum (optional)
} UDP_HDR;

// TCP header
typedef struct tcp_header
{
unsigned short source_port; // source port
unsigned short dest_port; // destination port
unsigned int sequence; // sequence number - 32 bits
unsigned int acknowledge; // acknowledgement number - 32 bits

unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4; /*The number of 32-bit words in the TCP header.
This indicates where the data begins.
The length of the TCP header is always a multiple
of 32 bits.*/

unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag

unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag

////////////////////////////////

unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR;

typedef struct icmp_hdr
{
BYTE type; // ICMP Error type
BYTE code; // Type sub code
USHORT checksum;
USHORT id;
USHORT seq;
} ICMP_HDR;

FILE *logfile;
int tcp=0,udp=0,icmp=0,others=0,igmp=0,total=0,i,j;
struct sockaddr_in source,dest;
char hex[2];

//Its free!
IPV4_HDR *iphdr;
TCP_HDR *tcpheader;
UDP_HDR *udpheader;
ICMP_HDR *icmpheader;

int main()
{
SOCKET sniffer;
struct in_addr addr;
int in;

char hostname[100];
struct hostent *local;
WSADATA wsa;

logfile=fopen("log.txt","w");
if(log==NULL) printf("Unable to create file.");

//Initialise Winsock
printf("\nInitialising Winsock...");
if (WSAStartup(MAKEWORD(2,2), &wsa) != 0)
{
printf("WSAStartup() failed.\n");
return 1;
}
printf("Initialised");

//Create a RAW Socket
printf("\nCreating RAW Socket...");
sniffer = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (sniffer == INVALID_SOCKET)
{
printf("Failed to create raw socket.\n");
return 1;
}
printf("Created.");

//Retrive the local hostname
if (gethostname(hostname, sizeof(hostname)) == SOCKET_ERROR)
{
printf("Error : %d",WSAGetLastError());
return 1;
}
printf("\nHost name : %s \n",hostname);

//Retrive the available IPs of the local host
local = gethostbyname(hostname);
printf("\nAvailable Network Interfaces : \n");
if (local == NULL)
{
printf("Error : %d.\n",WSAGetLastError());
return 1;
}

for (i = 0; local->h_addr_list[i] != 0; ++i)
{
memcpy(&addr, local->h_addr_list[i], sizeof(struct in_addr));
printf("Interface Number : %d Address : %s\n",i,inet_ntoa(addr));
}

printf("Enter the interface number you would like to sniff : ");
scanf("%d",&in);

memset(&dest, 0, sizeof(dest));
memcpy(&dest.sin_addr.s_addr,local->h_addr_list[in],sizeof(dest.sin_addr.s_addr));
dest.sin_family = AF_INET;
dest.sin_port = 0;

printf("\nBinding socket to local system and port 0 ...");
if (bind(sniffer,(struct sockaddr *)&dest,sizeof(dest)) == SOCKET_ERROR)
{
printf("bind(%s) failed.\n", inet_ntoa(addr));
return 1;
}
printf("Binding successful");

//Enable this socket with the power to sniff : SIO_RCVALL is the key Receive ALL  

j=1;
printf("\nSetting socket to sniff...");
if (WSAIoctl(sniffer, SIO_RCVALL, &j, sizeof(j), 0, 0, &in,0, 0) == SOCKET_ERROR)
{
printf("WSAIoctl() failed.\n");
return 1;
}
printf("Socket set.");

//Begin
printf("\nStarted Sniffing\n");
printf("Packet Capture Statistics...\n");
StartSniffing(sniffer); //Happy Sniffing

//End
closesocket(sniffer);
WSACleanup();

return 0;
}

void StartSniffing(SOCKET sniffer)
{
unsigned char *Buffer = (char *)malloc(65536); //Its Big!
int mangobyte;

if (Buffer == NULL)
{
printf("malloc() failed.\n");
return;
}

do
{
mangobyte = recvfrom(sniffer,Buffer,65536,0,0,0); //Eat as much as u can
if(mangobyte > 0) ProcessPacket(Buffer, mangobyte);
else printf( "recvfrom() failed.\n");
}
while (mangobyte > 0);

free(Buffer);
}

void ProcessPacket(unsigned char* Buffer, int Size)
{
iphdr = (IPV4_HDR *)Buffer;
++total;
switch (iphdr->ip_protocol) //Check the Protocol and do accordingly...
{
case 1: //ICMP Protocol
++icmp;
PrintIcmpPacket(Buffer,Size);
break;

case 2: //IGMP Protocol
++igmp;
break;

case 6: //TCP Protocol
++tcp;
PrintTcpPacket(Buffer,Size);
break;

case 17: //UDP Protocol
++udp;
PrintUdpPacket(Buffer,Size);
break;

default: //Some Other Protocol like ARP etc.
++others;
break;
}
printf("TCP : %d UDP : %d ICMP : %d IGMP : %d Others : %d Total : %d\r",tcp,udp,icmp,igmp,others,total);
}

void PrintIpHeader (unsigned char* Buffer, int Size)
{
unsigned short iphdrlen;

iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;

memset(&source, 0, sizeof(source));
source.sin_addr.s_addr = iphdr->ip_srcaddr;

memset(&dest, 0, sizeof(dest));
dest.sin_addr.s_addr = iphdr->ip_destaddr;

fprintf(logfile,"\n");
fprintf(logfile,"IP Header\n");
fprintf(logfile," |-IP Version : %d\n",(unsigned int)iphdr->ip_version);
fprintf(logfile," |-IP Header Length : %d DWORDS or %d Bytes\n",(unsigned int)iphdr->ip_header_len,((unsigned int)(iphdr->ip_header_len))*4);
fprintf(logfile," |-Type Of Service : %d\n",(unsigned int)iphdr->ip_tos);
fprintf(logfile," |-IP Total Length : %d Bytes(Size of Packet)\n",ntohs(iphdr->ip_total_length));
fprintf(logfile," |-Identification : %d\n",ntohs(iphdr->ip_id));
fprintf(logfile," |-Reserved ZERO Field : %d\n",(unsigned int)iphdr->ip_reserved_zero);
fprintf(logfile," |-Dont Fragment Field : %d\n",(unsigned int)iphdr->ip_dont_fragment);
fprintf(logfile," |-More Fragment Field : %d\n",(unsigned int)iphdr->ip_more_fragment);
fprintf(logfile," |-TTL : %d\n",(unsigned int)iphdr->ip_ttl);
fprintf(logfile," |-Protocol : %d\n",(unsigned int)iphdr->ip_protocol);
fprintf(logfile," |-Checksum : %d\n",ntohs(iphdr->ip_checksum));
fprintf(logfile," |-Source IP : %s\n",inet_ntoa(source.sin_addr));
fprintf(logfile," |-Destination IP : %s\n",inet_ntoa(dest.sin_addr));
}

void PrintTcpPacket(unsigned char* Buffer, int Size)
{
unsigned short iphdrlen;

iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;

tcpheader=(TCP_HDR*)(Buffer+iphdrlen);

fprintf(logfile,"\n\n***********************TCP Packet*************************\n");

PrintIpHeader(Buffer,Size);

fprintf(logfile,"\n");
fprintf(logfile,"TCP Header\n");
fprintf(logfile," |-Source Port : %u\n",ntohs(tcpheader->source_port));
fprintf(logfile," |-Destination Port : %u\n",ntohs(tcpheader->dest_port));
fprintf(logfile," |-Sequence Number : %u\n",ntohl(tcpheader->sequence));
fprintf(logfile," |-Acknowledge Number : %u\n",ntohl(tcpheader->acknowledge));
fprintf(logfile," |-Header Length : %d DWORDS or %d BYTES\n"
,(unsigned int)tcpheader->data_offset,(unsigned int)tcpheader->data_offset*4);
fprintf(logfile," |-CWR Flag : %d\n",(unsigned int)tcpheader->cwr);
fprintf(logfile," |-ECN Flag : %d\n",(unsigned int)tcpheader->ecn);
fprintf(logfile," |-Urgent Flag : %d\n",(unsigned int)tcpheader->urg);
fprintf(logfile," |-Acknowledgement Flag : %d\n",(unsigned int)tcpheader->ack);
fprintf(logfile," |-Push Flag : %d\n",(unsigned int)tcpheader->psh);
fprintf(logfile," |-Reset Flag : %d\n",(unsigned int)tcpheader->rst);
fprintf(logfile," |-Synchronise Flag : %d\n",(unsigned int)tcpheader->syn);
fprintf(logfile," |-Finish Flag : %d\n",(unsigned int)tcpheader->fin);
fprintf(logfile," |-Window : %d\n",ntohs(tcpheader->window));
fprintf(logfile," |-Checksum : %d\n",ntohs(tcpheader->checksum));
fprintf(logfile," |-Urgent Pointer : %d\n",tcpheader->urgent_pointer);
fprintf(logfile,"\n");
fprintf(logfile," DATA Dump ");
fprintf(logfile,"\n");

fprintf(logfile,"IP Header\n");
PrintData(Buffer,iphdrlen);

fprintf(logfile,"TCP Header\n");
PrintData(Buffer+iphdrlen,tcpheader->data_offset*4);

fprintf(logfile,"Data Payload\n");
PrintData(Buffer+iphdrlen+tcpheader->data_offset*4
,(Size-tcpheader->data_offset*4-iphdr->ip_header_len*4));

fprintf(logfile,"\n###########################################################");
}

void PrintUdpPacket(unsigned char *Buffer,int Size)
{
unsigned short iphdrlen;

iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;

udpheader = (UDP_HDR *)(Buffer + iphdrlen);

fprintf(logfile,"\n\n***********************UDP Packet*************************\n");

PrintIpHeader(Buffer,Size);

fprintf(logfile,"\nUDP Header\n");
fprintf(logfile," |-Source Port : %d\n",ntohs(udpheader->source_port));
fprintf(logfile," |-Destination Port : %d\n",ntohs(udpheader->dest_port));
fprintf(logfile," |-UDP Length : %d\n",ntohs(udpheader->udp_length));
fprintf(logfile," |-UDP Checksum : %d\n",ntohs(udpheader->udp_checksum));

fprintf(logfile,"\n");
fprintf(logfile,"IP Header\n");
PrintData(Buffer,iphdrlen);

fprintf(logfile,"UDP Header\n");
PrintData(Buffer+iphdrlen,sizeof(UDP_HDR));

fprintf(logfile,"Data Payload\n");
PrintData(Buffer+iphdrlen+sizeof(UDP_HDR)
,(Size - sizeof(UDP_HDR) - iphdr->ip_header_len*4));

fprintf(logfile,"\n###########################################################");
}

void PrintIcmpPacket(unsigned char* Buffer , int Size)
{
unsigned short iphdrlen;

iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;

icmpheader=(ICMP_HDR*)(Buffer+iphdrlen);

fprintf(logfile,"\n\n***********************ICMP Packet*************************\n");
PrintIpHeader(Buffer,Size);

fprintf(logfile,"\n");

fprintf(logfile,"ICMP Header\n");
fprintf(logfile," |-Type : %d",(unsigned int)(icmpheader->type));

if((unsigned int)(icmpheader->type)==11) fprintf(logfile," (TTL Expired)\n");
else if((unsigned int)(icmpheader->type)==0) fprintf(logfile," (ICMP Echo Reply)\n");

fprintf(logfile," |-Code : %d\n",(unsigned int)(icmpheader->code));
fprintf(logfile," |-Checksum : %d\n",ntohs(icmpheader->checksum));
fprintf(logfile," |-ID : %d\n",ntohs(icmpheader->id));
fprintf(logfile," |-Sequence : %d\n",ntohs(icmpheader->seq));
fprintf(logfile,"\n");

fprintf(logfile,"IP Header\n");
PrintData(Buffer,iphdrlen);

fprintf(logfile,"UDP Header\n");
PrintData(Buffer+iphdrlen,sizeof(ICMP_HDR));

fprintf(logfile,"Data Payload\n");
PrintData(Buffer+iphdrlen+sizeof(ICMP_HDR)
,(Size - sizeof(ICMP_HDR) - iphdr->ip_header_len*4));

fprintf(logfile,"\n###########################################################");
}

void PrintData (unsigned char* data , int Size)
{

for(i=0 ; i < Size ; i++)
{
if( i!=0 && i%16==0) //if one line of hex printing is complete...
{
fprintf(logfile," ");
for(j=i-16 ; j<i ; j++)
{
if(data[j]>=32 && data[j]<=128)
fprintf(logfile,"%c",(unsigned char)data[j]); //if its a number or alphabet

else fprintf(logfile,"."); //otherwise print a dot
}
fprintf(logfile,"\n");
}

if(i%16==0) fprintf(logfile," ");

ConvertToHex(hex,(unsigned int)data[i]); //now print the hex values
fprintf(logfile," %s",hex);

if( i==Size-1) //print the last spaces
{
for(j=0;j<15-i%16;j++) fprintf(logfile," "); //extra spaces

fprintf(logfile," ");

for(j=i-i%16 ; j<=i ; j++)
{
if(data[j]>=32 && data[j]<=128) fprintf(logfile,"%c",(unsigned char)data[j]);
else fprintf(logfile,".");
}
fprintf(logfile,"\n");
}
}
}

void ConvertToHex(unsigned char *hex , unsigned int decimal)
{
int rem,k=0,p;
p=decimal;
while(decimal!=0)
{
rem=decimal%16;
decimal=decimal/16;
if(rem>=10) hex[k++]=65 + rem - 10; //65 means A
else if(rem<=9) hex[k++]=rem+48; //48 means 0
}
hex[k++]='\0';
if(p==0) strcpy(hex,"00");
else if(p<16) strcat(hex,"0");
_strrev(hex);
}

sniffer_demo.zip

Hosted by eSnips

Raw sockets, or “Raw Packets”, give you the facility to access the entire contents of a packet or datagram, both for reading and writing purpose. In other words, you can fabricate a whole packet according to your likes and dislikes. For example, a TCP packet would contain an IP header, a TCP header, and then the actual data that needs to be transmitted. When working with normal sockets, whatever we send to a socket is actually the data part. In such a scenario, the OS network stack takes the responsibility of adding the header with all fields set to relevant values. When we send the data to a destination, the stack adds the headers and sends the packet, and when we receive some data, then the stack removes the headers and hands out the data to our application. So we are saved from the work of designing the headers. For normal internet applications, there is no need to be concerned about the header operations as they are there for the safe transmission and reception of data, and once the transfer is complete, their need is over and they are dumped. But the story doesn’t end there, there are some people who need raw sockets. Raw sockets are widely used in the field of network security for creating both security and insecurity! In this article, we will take a look at the contents of a general TCPpacket, and try to make a raw packet and transmit it. We shall do this on Windows XP using the VC++ 6.0 compiler. OK, so let’s have a look at the IP and TCP headers.

RFC 791 gives the structure of an IP header as:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Next comes the TCP header for transmission using the TCP protocol. RFC 793 gives the structure.

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

and at the end is your data, bla bla bla bla bla bla…………………..

———————————————————– <<end of packet

To understand the significance of each field, read up the necessary RFC or some other good TCP/IP tutorial on the net as there are plenty. If you have previous knowledge of socket programming, then the headers are self-explanatory. Now, why is the raw socket feature of importance to network security? Well, one important aspect of network security which needs this feature is scanning. Scanning is of many types. For example, scanning for open ports, scanning the type of OS, scanning for vulnerabilities etc.

Raw Sockets and Windows

First of all, it must be understood very clearly that raw sockets is not a feature of the network API (although it must be present there as an option) but of the OS protocol stack. To implement raw sockets, all we have to do is to inform the OS that the packet buffer we are providing will have the header and so the OS should transmit it as is without “adding any header”; that’s all, nothing more to do. The Unix operating system has raw socket support since ancient times. But the problem is with Windows. None of Windows 95, 98, 98SE supported raw sockets.

Raw sockets became available on Windows from Windows 2000; Windows XP continued this. But suddenly, raw socket support was removed from Windows XP through a patch in SP2. Vista doesn’t have it. A security patch called MS05-019 (http://support.microsoft.com/kb/897656) is what disables raw sockets on XP SP2 and can do the same to even SP1. Probably Windows 2003 SP1 also implements the same the result being the end of raw sockets.

An indepth summary is available at http://seclists.org/nmap-hackers/2005/0005.html. Windows 95, 98, 98SE do not support raw sockets, but this doesn’t end the story. If you want the facility, then the solution is to use a third party packet driver like Winpcap. Such packet drivers will do your task irrespective of what the OS likes and dislikes. Windows XP and XP SP1 have full raw socket support and so life is easy. So if you want to do raw socketing on Windows, then either use Winpcap or don’t feel desperate to install SP2, or otherwise use Windows 2003 which, as per my knowledge, has raw socket support. http://technet.microsoft.com/hi-in/library/bb457156(en-us).aspx should tell more. So let’s brief up:

1. Windows 95, 98, 98SE, NT4.0 — Only raw ICMP and IGMP with restricted
features.

2. Windows 2000, XP, XP SP1, 2003 — Full raw socket support for both receiving
and sending purposes.

3. Windows XP SP2 — Only raw ICMP, IGMP, and UDP with proper source address
(IP spoofing restricted) can be sent. But, full raw sockets can be received,
which means you can sniff all incoming data and read their headers.

Note : Winsock Ver. >=2.0

So if your system doesn’t support raw sockets, then switch to Linux or use
Winpcap.

The Code

SOCKET s;
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); //Create a RAW socket
int optval=1;
setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval,
sizeof optval);  //Set it to include the header

The last line, setsockopt, tells the OS that the socket s will have the
header included (IP_HDRINCL) at the IP (IPPROTO_IP) level in the data buffer
it sends. IPPROTO_RAW creates an absolutely raw socket, and you have to write
all headers yourself. IPPROTO_UDP, IPROTO_TCP are also available for the
respective types of packets.

Now, we shall need two structures like this:

typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words)
// normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4;   // 4-bit IPv4 version
unsigned char ip_tos;          // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id;          // Unique identifier

unsigned char ip_frag_offset :5; // Fragment offset field

unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;

unsigned char ip_frag_offset1; //fragment offset

unsigned char ip_ttl;          // Time to live
unsigned char ip_protocol;     // Protocol(TCP,UDP etc)
unsigned short ip_checksum;    // IP checksum
unsigned int ip_srcaddr;       // Source address
unsigned int ip_destaddr;      // Source address
} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR;

// TCP header
typedef struct tcp_header
{
unsigned short source_port;   // source port
unsigned short dest_port;     // destination port
unsigned int sequence;        // sequence number - 32 bits
unsigned int acknowledge;     // acknowledgement number - 32 bits

unsigned char ns :1;          //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4;    /*The number of 32-bit words
in the TCP header.
This indicates where the data begins.
The length of the TCP header
is always a multiple
of 32 bits.*/

unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag

unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag

////////////////////////////////

unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER;

Little/Big Endian

Did you notice a difference between the RFC specification and the structures declared above? IP header and version have swapped their positions.The urg, ack, and psh flags of the TCP header are all in reverse order? Mistake? Well, this depends on the byte order that is implemented in the machine architecture. There are two types: Little Endian and Big Endian. In Big Endian, the bytes and bits are arranged in their normal order as we read them, which means the MSB (most significant byte) comes first and the LSB (least significant byte) last. But in Little Endian, the thing is totally
reversed. And it must be remembered that all bits are byte wise reversed, which means they are reversed in groups of 8. That’s the rule for making segments of sizes 3 or 5 etc. If it’s a long or int, then a htons() will do the job. Well, enough said, now let’s make our packet.

char packet[65536];   //thats big!
IPV4_HDR *v4hdr=NULL;
TCP_HDR *tcphdr=NULL;

v4hdr = (IPV4_HDR *)packet; //lets point to the ip header portion
v4hdr->ip_version=4;
v4hdr->ip_header_len=5;
v4hdr->ip_tos = 0;
v4hdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) + payload );
v4hdr->ip_id = htons(2);

……………and so on

tcphdr = (TCP_HDR *)&buf[sizeof(IPV4_HDR)];
//get the pointer to the tcp header in the packet

tcphdr->source_port = htons(1234);
tcphdr->dest_port = htons(50000);

tcphdr->cwr=0;
tcphdr->ecn=1;
tcphdr->urg=0;
tcphdr->ack=0;

………………and so on

// Initialize the TCP payload to some rubbish
data = &buf[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
memset(data, '^', payload);

Get the remote host details in a sockaddr_in dest and call:

sendto(s , buf , sizeof(IPV4_HDR)+sizeof(TCP_HDR) +
payload, 0,(SOCKADDR *)&dest, sizeof(dest));

where payload is the size of the data after the TCP header. That’s it! We
are done.

To check whether the packets went out as you expected them to, use a
sniffer like Ethereal and sniff them. Note: If you have any firewall running,
then raw packets may be blocked.

Source Code :

//raw tcp packet crafter

#include "stdio.h"
#include "winsock2.h"
#include "ws2tcpip.h" //IP_HDRINCL is here
#include "conio.h"

#pragma comment(lib,"ws2_32.lib") //winsock 2.2 library

typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4; // 4-bit IPv4 version
unsigned char ip_tos; // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id; // Unique identifier

unsigned char ip_frag_offset :5; // Fragment offset field

unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;

unsigned char ip_frag_offset1; //fragment offset

unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR;

// TCP header
typedef struct tcp_header
{
unsigned short source_port; // source port
unsigned short dest_port; // destination port
unsigned int sequence; // sequence number - 32 bits
unsigned int acknowledge; // acknowledgement number - 32 bits

unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4; /*The number of 32-bit words in the TCP header.
This indicates where the data begins.
The length of the TCP header is always a multiple
of 32 bits.*/

unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag

unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag

////////////////////////////////

unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER;

int main()
{
char host[100],buf[1000],*data=NULL,source_ip[20]; //buf is the complete packet
SOCKET s;
int k=1;

IPV4_HDR *v4hdr=NULL;
TCP_HDR *tcphdr=NULL;

int payload=512 , optval;
SOCKADDR_IN dest;
hostent *server;

//Initialise Winsock
WSADATA wsock;
printf("\nInitialising Winsock...");
if (WSAStartup(MAKEWORD(2,2),&wsock) != 0)
{
fprintf(stderr,"WSAStartup() failed");
exit(EXIT_FAILURE);
}
printf("Initialised successfully.");
////////////////////////////////////////////////

//Create Raw TCP Packet
printf("\nCreating Raw TCP Socket...");
if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==SOCKET_ERROR)
{
printf("Creation of raw socket failed.");
return 0;
}
printf("Raw TCP Socket Created successfully.");
////////////////////////////////////////////////

//Put Socket in RAW Mode.
printf("\nSetting the socket in RAW mode...");
if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval))==SOCKET_ERROR)
{
printf("failed to set socket in raw mode.");
return 0;
}
printf("Successful.");
////////////////////////////////////////////////

//Target Hostname
printf("\nEnter hostname : ");
gets(host);
printf("\nResolving Hostname...");
if((server=gethostbyname(host))==0)
{
printf("Unable to resolve.");
return 0;
}
dest.sin_family = AF_INET;
dest.sin_port = htons(50000); //your destination port
memcpy(&dest.sin_addr.s_addr,server->h_addr,server->h_length);
printf("Resolved.");
/////////////////////////////////////////////////

printf("\nEnter Source IP : ");
gets(source_ip);

v4hdr = (IPV4_HDR *)buf; //lets point to the ip header portion
v4hdr->ip_version=4;
v4hdr->ip_header_len=5;
v4hdr->ip_tos = 0;
v4hdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) + payload );
v4hdr->ip_id = htons(2);
v4hdr->ip_frag_offset = 0;
v4hdr->ip_frag_offset1 = 0;
v4hdr->ip_reserved_zero = 0;
v4hdr->ip_dont_fragment = 1;
v4hdr->ip_more_fragment = 0;
v4hdr->ip_ttl = 8;
v4hdr->ip_protocol = IPPROTO_TCP;
v4hdr->ip_srcaddr = inet_addr(source_ip);
v4hdr->ip_destaddr = inet_addr(inet_ntoa(dest.sin_addr));
v4hdr->ip_checksum = 0;

tcphdr = (TCP_HDR *)&buf[sizeof(IPV4_HDR)]; //get the pointer to the tcp header in the packet

tcphdr->source_port = htons(1234);
tcphdr->dest_port = htons(50000);

tcphdr->cwr=0;
tcphdr->ecn=1;
tcphdr->urg=0;
tcphdr->ack=0;
tcphdr->psh=0;
tcphdr->rst=1;
tcphdr->syn=0;
tcphdr->fin=0;
tcphdr->ns=1;

tcphdr->checksum = 0;

// Initialize the TCP payload to some rubbish
data = &buf[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
memset(data, '^', payload);

printf("\nSending packet...\n");

while(!_kbhit())
{
printf(" %d packets send\r",k++);
if((sendto(s , buf , sizeof(IPV4_HDR)+sizeof(TCP_HDR) + payload, 0,
(SOCKADDR *)&dest, sizeof(dest)))==SOCKET_ERROR)
{

printf("Error sending Packet : %d",WSAGetLastError());
break;
}
}

return 0;
}

VC++ can be used to compile this code. Simply create a project and put this file in it and click run.