Packet Sniffer Code in C using Winsock
Introduction
Ever since windows 2000/XP when IP_HDRINCL became a valid option for setsockopt() , WSAIoctl() had another option called SIO_RCVALL which enabled a raw socket to sniff all incoming traffic over the selected interface to whose IP the socket was bound.Hence to make a sniffer in Winsock he simple steps are :
1. Create a raw socket.
2. Bind the socket to the local IP over which the traffic is to be sniffed.
3. WSAIoctl() the socket with SIO_RCVALL to give it sniffing powers.
4. Put the socket in an infinite loop of recvfrom.
5. n’ joy! the Buffer from recvfrom.
Now this feature of winsock is available on all 2000/XP and higher windows. But as usual drawbacks are there.If you have used sniffers like Ethereal then you would realise that ethernet header is not available in winsock sniffing.Secondly you can only sniff incoming data on XP and XP+SP1 but both incoming and outgoing on XP+SP1+SP2 (as far as i could see-actual behavior may vary).I have not checked higher versions of windows. Moreover non IP packets (e.g. arp) may not be captured at all.So if full fledged sniffing is required then packet drivers like winpcap should help.
In the following source code all packets are assumed to be IP packets. VC++ 6.0
on Win XP used here.
Code
SOCKET sniffer = socket(AF_INET, SOCK_RAW, IPPROTO_IP); bind(sniffer,(struct sockaddr *)&dest,sizeof(dest)) dest must have the details as follows : memcpy(&dest.sin_addr.s_addr,local->h_addr_list[in], sizeof(dest.sin_addr.s_addr)); dest.sin_family = AF_INET; dest.sin_port = 0; dest.sin_zero = 0;
where HOSTENT *local should have the local IPs
WSAIoctl(sniffer, SIO_RCVALL, &j, sizeof(j), 0, 0, &in,0, 0);
where j must be 1 and in can be any integer
while(1)
{
recvfrom(sniffer,Buffer,65536,0,0,0); //ring-a-ring-a roses
}
To get the local IP’s associated with the machine all that needs to be done
is:
gethostname(hostname, sizeof(hostname); //its a char hostname[100] for local hostname HOSTENT *local = gethostbyname(hostname); //now local will have all local ips
Now socket sniffer will receive all incoming packets along with their headers
and all that will be stored in the Buffer.After that some typecasting with
structures representing the headers will help.
typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words)
unsigned char ip_version :4; // 4-bit IPv4 version
unsigned char ip_tos; // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id; // Unique identifier
unsigned char ip_frag_offset :5; // Fragment offset field
unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;
unsigned char ip_frag_offset1; //fragment offset
unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR;
typedef struct udp_hdr
{
unsigned short source_port; // Source port no.
unsigned short dest_port; // Dest. port no.
unsigned short udp_length; // Udp packet length
unsigned short udp_checksum; // Udp checksum (optional)
} UDP_HDR;
typedef struct tcp_header
{
unsigned short source_port; // source port
unsigned short dest_port; // destination port
unsigned int sequence; // sequence number - 32 bits
unsigned int acknowledge; // acknowledgement number - 32 bits
unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4; //number of dwords in the TCP header.
unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag
unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag
unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR;
typedef struct icmp_hdr
{
BYTE type; // ICMP Error type
BYTE code; // Type sub code
USHORT checksum;
USHORT id;
USHORT seq;
} ICMP_HDR;
The ip_protocol field of the ip header determines the type of the packet; for
e.g 1 means a icmp packet and 2-igmp 6-tcp 17-udp and so on.RFC 1340 should help
more. Another function in the source code is PrintData() which prints the data
dumps in a hex view fashion as done by other sniffers and looks like this :
IP Header 45 00 03 19 D8 17 00 00 FC 06 85 C0 42 F9 59 63 E...........B.Yc C0 A8 01 02 .... TCP Header 00 50 0C E4 D6 2B 77 70 9F 0D B1 8D 50 18 1A A8 .P...+wp....P... 71 C1 00 00 q... Data Payload 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK. 0A 53 65 74 2D 43 6F 6F 6B 69 65 3A 20 47 6F 6F .Set-Cookie: Goo 67 6C 65 41 63 63 6F 75 6E 74 73 4C 6F 63 61 6C gleAccountsLocal 65 5F 73 65 73 73 69 6F 6E 3D 65 6E 0D 0A 53 65 e_session=en..Se 74 2D 43 6F 6F 6B 69 65 3A 20 53 49 44 3D 45 58 t-Cookie: SID=EX 50 49 52 45 44 3B 44 6F 6D 61 69 6E 3D 2E 67 6F PIRED;Domain=.go 6F 67 6C 65 2E 63 6F 2E 69 6E 3B 50 61 74 68 3D ogle.co.in;Path= 2F 3B 45 78 70 69 72 65 73 3D 4D 6F 6E 2C 20 30 /;Expires=Mon, 0 31 2D 4A 61 6E 2D 31 39 39 30 20 30 30 3A 30 30 1-Jan-1990 00:00 3A 30 30 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 :00 GMT..Content 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C -Type: text/html 3B 20 63 68 61 72 73 65 74 3D 55 54 46 2D 38 0D ; charset=UTF-8. 0A 43 61 63 68 65 2D 63 6F 6E 74 72 6F 6C 3A 20 .Cache-control: 70 72 69 76 61 74 65 0D 0A 43 6F 6E 74 65 6E 74 private..Content
……………….and so on To the right we only print the characters which are either
an alphabet or a number.Everything is saved in a log file named log.txt.
Conclusion
The source code demonstrates simple concepts which can be used to develop a
protocol analyzer like Ethereal.In the source code only tcp,udp and icmp packets
have been broken into fields and that too according to normal situations.
Variations in packet structures (for e.g. in case of icmp) are there to which
the program might give inaccurate results.So you have to develop the program in
the relevant way and implement all necessary error checking algorithms etc.
Minor changes in the source code will adapt it to the winpcap environment so
that everything on the wire can be sniffed!
Happy Sniffing!
Source Code :
//Author : Prasshhant Pugalia
//prashant.pugalia@gmail.com
//Simple Sniffer in winsock
//Sniffs only incoming packets//
#include "stdio.h"
#include "winsock2.h"
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) //this removes the need of mstcpip.h
void StartSniffing (SOCKET Sock); //This will sniff here and there
void ProcessPacket (unsigned char* , int); //This will decide how to digest
void PrintIpHeader (unsigned char* , int);
void PrintIcmpPacket (unsigned char* , int);
void PrintUdpPacket (unsigned char* , int);
void PrintTcpPacket (unsigned char* , int);
void ConvertToHex (unsigned char* , unsigned int);
void PrintData (unsigned char* , int);
typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4; // 4-bit IPv4 version
unsigned char ip_tos; // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id; // Unique identifier
unsigned char ip_frag_offset :5; // Fragment offset field
unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1;
unsigned char ip_frag_offset1; //fragment offset
unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR;
typedef struct udp_hdr
{
unsigned short source_port; // Source port no.
unsigned short dest_port; // Dest. port no.
unsigned short udp_length; // Udp packet length
unsigned short udp_checksum; // Udp checksum (optional)
} UDP_HDR;
// TCP header
typedef struct tcp_header
{
unsigned short source_port; // source port
unsigned short dest_port; // destination port
unsigned int sequence; // sequence number - 32 bits
unsigned int acknowledge; // acknowledgement number - 32 bits
unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4; /*The number of 32-bit words in the TCP header.
This indicates where the data begins.
The length of the TCP header is always a multiple
of 32 bits.*/
unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag
unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag
////////////////////////////////
unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR;
typedef struct icmp_hdr
{
BYTE type; // ICMP Error type
BYTE code; // Type sub code
USHORT checksum;
USHORT id;
USHORT seq;
} ICMP_HDR;
FILE *logfile;
int tcp=0,udp=0,icmp=0,others=0,igmp=0,total=0,i,j;
struct sockaddr_in source,dest;
char hex[2];
//Its free!
IPV4_HDR *iphdr;
TCP_HDR *tcpheader;
UDP_HDR *udpheader;
ICMP_HDR *icmpheader;
int main()
{
SOCKET sniffer;
struct in_addr addr;
int in;
char hostname[100];
struct hostent *local;
WSADATA wsa;
logfile=fopen("log.txt","w");
if(log==NULL) printf("Unable to create file.");
//Initialise Winsock
printf("nInitialising Winsock...");
if (WSAStartup(MAKEWORD(2,2), &wsa) != 0)
{
printf("WSAStartup() failed.n");
return 1;
}
printf("Initialised");
//Create a RAW Socket
printf("nCreating RAW Socket...");
sniffer = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if (sniffer == INVALID_SOCKET)
{
printf("Failed to create raw socket.n");
return 1;
}
printf("Created.");
//Retrive the local hostname
if (gethostname(hostname, sizeof(hostname)) == SOCKET_ERROR)
{
printf("Error : %d",WSAGetLastError());
return 1;
}
printf("nHost name : %s n",hostname);
//Retrive the available IPs of the local host
local = gethostbyname(hostname);
printf("nAvailable Network Interfaces : n");
if (local == NULL)
{
printf("Error : %d.n",WSAGetLastError());
return 1;
}
for (i = 0; local->h_addr_list[i] != 0; ++i)
{
memcpy(&addr, local->h_addr_list[i], sizeof(struct in_addr));
printf("Interface Number : %d Address : %sn",i,inet_ntoa(addr));
}
printf("Enter the interface number you would like to sniff : ");
scanf("%d",&in);
memset(&dest, 0, sizeof(dest));
memcpy(&dest.sin_addr.s_addr,local->h_addr_list[in],sizeof(dest.sin_addr.s_addr));
dest.sin_family = AF_INET;
dest.sin_port = 0;
printf("nBinding socket to local system and port 0 ...");
if (bind(sniffer,(struct sockaddr *)&dest,sizeof(dest)) == SOCKET_ERROR)
{
printf("bind(%s) failed.n", inet_ntoa(addr));
return 1;
}
printf("Binding successful");
//Enable this socket with the power to sniff : SIO_RCVALL is the key Receive ALL 
j=1;
printf("nSetting socket to sniff...");
if (WSAIoctl(sniffer, SIO_RCVALL, &j, sizeof(j), 0, 0, &in,0, 0) == SOCKET_ERROR)
{
printf("WSAIoctl() failed.n");
return 1;
}
printf("Socket set.");
//Begin
printf("nStarted Sniffingn");
printf("Packet Capture Statistics...n");
StartSniffing(sniffer); //Happy Sniffing
//End
closesocket(sniffer);
WSACleanup();
return 0;
}
void StartSniffing(SOCKET sniffer)
{
unsigned char *Buffer = (char *)malloc(65536); //Its Big!
int mangobyte;
if (Buffer == NULL)
{
printf("malloc() failed.n");
return;
}
do
{
mangobyte = recvfrom(sniffer,Buffer,65536,0,0,0); //Eat as much as u can
if(mangobyte > 0) ProcessPacket(Buffer, mangobyte);
else printf( "recvfrom() failed.n");
}
while (mangobyte > 0);
free(Buffer);
}
void ProcessPacket(unsigned char* Buffer, int Size)
{
iphdr = (IPV4_HDR *)Buffer;
++total;
switch (iphdr->ip_protocol) //Check the Protocol and do accordingly...
{
case 1: //ICMP Protocol
++icmp;
PrintIcmpPacket(Buffer,Size);
break;
case 2: //IGMP Protocol
++igmp;
break;
case 6: //TCP Protocol
++tcp;
PrintTcpPacket(Buffer,Size);
break;
case 17: //UDP Protocol
++udp;
PrintUdpPacket(Buffer,Size);
break;
default: //Some Other Protocol like ARP etc.
++others;
break;
}
printf("TCP : %d UDP : %d ICMP : %d IGMP : %d Others : %d Total : %dr",tcp,udp,icmp,igmp,others,total);
}
void PrintIpHeader (unsigned char* Buffer, int Size)
{
unsigned short iphdrlen;
iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;
memset(&source, 0, sizeof(source));
source.sin_addr.s_addr = iphdr->ip_srcaddr;
memset(&dest, 0, sizeof(dest));
dest.sin_addr.s_addr = iphdr->ip_destaddr;
fprintf(logfile,"n");
fprintf(logfile,"IP Headern");
fprintf(logfile," |-IP Version : %dn",(unsigned int)iphdr->ip_version);
fprintf(logfile," |-IP Header Length : %d DWORDS or %d Bytesn",(unsigned int)iphdr->ip_header_len,((unsigned int)(iphdr->ip_header_len))*4);
fprintf(logfile," |-Type Of Service : %dn",(unsigned int)iphdr->ip_tos);
fprintf(logfile," |-IP Total Length : %d Bytes(Size of Packet)n",ntohs(iphdr->ip_total_length));
fprintf(logfile," |-Identification : %dn",ntohs(iphdr->ip_id));
fprintf(logfile," |-Reserved ZERO Field : %dn",(unsigned int)iphdr->ip_reserved_zero);
fprintf(logfile," |-Dont Fragment Field : %dn",(unsigned int)iphdr->ip_dont_fragment);
fprintf(logfile," |-More Fragment Field : %dn",(unsigned int)iphdr->ip_more_fragment);
fprintf(logfile," |-TTL : %dn",(unsigned int)iphdr->ip_ttl);
fprintf(logfile," |-Protocol : %dn",(unsigned int)iphdr->ip_protocol);
fprintf(logfile," |-Checksum : %dn",ntohs(iphdr->ip_checksum));
fprintf(logfile," |-Source IP : %sn",inet_ntoa(source.sin_addr));
fprintf(logfile," |-Destination IP : %sn",inet_ntoa(dest.sin_addr));
}
void PrintTcpPacket(unsigned char* Buffer, int Size)
{
unsigned short iphdrlen;
iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;
tcpheader=(TCP_HDR*)(Buffer+iphdrlen);
fprintf(logfile,"nn***********************TCP Packet*************************n");
PrintIpHeader(Buffer,Size);
fprintf(logfile,"n");
fprintf(logfile,"TCP Headern");
fprintf(logfile," |-Source Port : %un",ntohs(tcpheader->source_port));
fprintf(logfile," |-Destination Port : %un",ntohs(tcpheader->dest_port));
fprintf(logfile," |-Sequence Number : %un",ntohl(tcpheader->sequence));
fprintf(logfile," |-Acknowledge Number : %un",ntohl(tcpheader->acknowledge));
fprintf(logfile," |-Header Length : %d DWORDS or %d BYTESn"
,(unsigned int)tcpheader->data_offset,(unsigned int)tcpheader->data_offset*4);
fprintf(logfile," |-CWR Flag : %dn",(unsigned int)tcpheader->cwr);
fprintf(logfile," |-ECN Flag : %dn",(unsigned int)tcpheader->ecn);
fprintf(logfile," |-Urgent Flag : %dn",(unsigned int)tcpheader->urg);
fprintf(logfile," |-Acknowledgement Flag : %dn",(unsigned int)tcpheader->ack);
fprintf(logfile," |-Push Flag : %dn",(unsigned int)tcpheader->psh);
fprintf(logfile," |-Reset Flag : %dn",(unsigned int)tcpheader->rst);
fprintf(logfile," |-Synchronise Flag : %dn",(unsigned int)tcpheader->syn);
fprintf(logfile," |-Finish Flag : %dn",(unsigned int)tcpheader->fin);
fprintf(logfile," |-Window : %dn",ntohs(tcpheader->window));
fprintf(logfile," |-Checksum : %dn",ntohs(tcpheader->checksum));
fprintf(logfile," |-Urgent Pointer : %dn",tcpheader->urgent_pointer);
fprintf(logfile,"n");
fprintf(logfile," DATA Dump ");
fprintf(logfile,"n");
fprintf(logfile,"IP Headern");
PrintData(Buffer,iphdrlen);
fprintf(logfile,"TCP Headern");
PrintData(Buffer+iphdrlen,tcpheader->data_offset*4);
fprintf(logfile,"Data Payloadn");
PrintData(Buffer+iphdrlen+tcpheader->data_offset*4
,(Size-tcpheader->data_offset*4-iphdr->ip_header_len*4));
fprintf(logfile,"n###########################################################");
}
void PrintUdpPacket(unsigned char *Buffer,int Size)
{
unsigned short iphdrlen;
iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;
udpheader = (UDP_HDR *)(Buffer + iphdrlen);
fprintf(logfile,"nn***********************UDP Packet*************************n");
PrintIpHeader(Buffer,Size);
fprintf(logfile,"nUDP Headern");
fprintf(logfile," |-Source Port : %dn",ntohs(udpheader->source_port));
fprintf(logfile," |-Destination Port : %dn",ntohs(udpheader->dest_port));
fprintf(logfile," |-UDP Length : %dn",ntohs(udpheader->udp_length));
fprintf(logfile," |-UDP Checksum : %dn",ntohs(udpheader->udp_checksum));
fprintf(logfile,"n");
fprintf(logfile,"IP Headern");
PrintData(Buffer,iphdrlen);
fprintf(logfile,"UDP Headern");
PrintData(Buffer+iphdrlen,sizeof(UDP_HDR));
fprintf(logfile,"Data Payloadn");
PrintData(Buffer+iphdrlen+sizeof(UDP_HDR)
,(Size - sizeof(UDP_HDR) - iphdr->ip_header_len*4));
fprintf(logfile,"n###########################################################");
}
void PrintIcmpPacket(unsigned char* Buffer , int Size)
{
unsigned short iphdrlen;
iphdr = (IPV4_HDR *)Buffer;
iphdrlen = iphdr->ip_header_len*4;
icmpheader=(ICMP_HDR*)(Buffer+iphdrlen);
fprintf(logfile,"nn***********************ICMP Packet*************************n");
PrintIpHeader(Buffer,Size);
fprintf(logfile,"n");
fprintf(logfile,"ICMP Headern");
fprintf(logfile," |-Type : %d",(unsigned int)(icmpheader->type));
if((unsigned int)(icmpheader->type)==11) fprintf(logfile," (TTL Expired)n");
else if((unsigned int)(icmpheader->type)==0) fprintf(logfile," (ICMP Echo Reply)n");
fprintf(logfile," |-Code : %dn",(unsigned int)(icmpheader->code));
fprintf(logfile," |-Checksum : %dn",ntohs(icmpheader->checksum));
fprintf(logfile," |-ID : %dn",ntohs(icmpheader->id));
fprintf(logfile," |-Sequence : %dn",ntohs(icmpheader->seq));
fprintf(logfile,"n");
fprintf(logfile,"IP Headern");
PrintData(Buffer,iphdrlen);
fprintf(logfile,"UDP Headern");
PrintData(Buffer+iphdrlen,sizeof(ICMP_HDR));
fprintf(logfile,"Data Payloadn");
PrintData(Buffer+iphdrlen+sizeof(ICMP_HDR)
,(Size - sizeof(ICMP_HDR) - iphdr->ip_header_len*4));
fprintf(logfile,"n###########################################################");
}
void PrintData (unsigned char* data , int Size)
{
for(i=0 ; i < Size ; i++)
{
if( i!=0 && i%16==0) //if one line of hex printing is complete...
{
fprintf(logfile," ");
for(j=i-16 ; j<i ; j++)
{
if(data[j]>=32 && data[j]<=128)
fprintf(logfile,"%c",(unsigned char)data[j]); //if its a number or alphabet
else fprintf(logfile,"."); //otherwise print a dot
}
fprintf(logfile,"n");
}
if(i%16==0) fprintf(logfile," ");
ConvertToHex(hex,(unsigned int)data[i]); //now print the hex values
fprintf(logfile," %s",hex);
if( i==Size-1) //print the last spaces
{
for(j=0;j<15-i%16;j++) fprintf(logfile," "); //extra spaces
fprintf(logfile," ");
for(j=i-i%16 ; j<=i ; j++)
{
if(data[j]>=32 && data[j]<=128) fprintf(logfile,"%c",(unsigned char)data[j]);
else fprintf(logfile,".");
}
fprintf(logfile,"n");
}
}
}
void ConvertToHex(unsigned char *hex , unsigned int decimal)
{
int rem,k=0,p;
p=decimal;
while(decimal!=0)
{
rem=decimal%16;
decimal=decimal/16;
if(rem>=10) hex[k++]=65 + rem - 10; //65 means A
else if(rem<=9) hex[k++]=rem+48; //48 means 0
}
hex[k++]='�';
if(p==0) strcpy(hex,"00");
else if(p<16) strcat(hex,"0");
_strrev(hex);
}
 |
| sniffer_demo.zip |
| Hosted by eSnips |
Popularity: 8% [?]
hi there, this article was of great help
, i’m just playing around with Ragnarok Online (an MMORPG) and thanks to this I made a custom message logger, but I have got a problem.
Today I tried to open the program in a Windows Vista machine, and it didn’t logged anything, I recompiled it with some printfs in several parts of the code just to know where the program was not working and I noticed it was not reaching this if
void ProcessPacket(unsigned char* Buffer, int Size)
{
iphdr = (IPV4_HDR *)Buffer;
if(iphdr->ip_protocol==6){
InterceptPacket(Buffer,Size);
}
}
it only checks if it is tcp because those are the packets I’m interested on, but I think the problem is that the machine could probably be using ipv6, so, my question is, how different are ipv6 headers and how can I distinguish ipv6 from ipv4?
thanks for yout time
I have tested the code and it works great. I would also like to be able to display the whole packet including the Ethernet frame (preamble, MAC dest. , MAC source and soon).
Do you know ho to configure the port to get the whole package?
Thanks
Tomas Matousek
To sniff the ethernet header and its fields a packet sniffing library like winpcap can be used.