A Little Sniffer that Uses WSA Sockets (Windows Sockets)

Introduction

Many people have used a sniffer at some time. What is a sniffer? A sniffer is an application that catches all network traffic from or to computers attached to a network. Basically, a sniffer pays attention to all traffic by putting a network interface in the promiscuous mode state. Promiscuous mode puts a selected network interface to listening to all packets passing through it.

This article demonstrates how an application can configure a socket connection to pay attention to all network packets, instead of only those addressed to it. It shows how to grab protocols encapsulated by IP (Internet Protocol: network layer protocol), specifically, TCP and ICMP. IP encapsulates up to 100 different protocols. I advise you to take a look at the RFC 1700; there is a complete list of all protocols that IP encapsulates.

You can download the demo project and source code at the end of this article.

Starting to Sniff

The demo project contains a single executable named lsniff.exe, which is a console application. The syntax is:

lsniff [TCP|ICMP]
  • TCP grabs TCP packets only (RFC 793).
  • ICMP grabs ICMP packets only (RFC 792).
  • lsniff, with no arguments, will grab TCP and ICMP packets.

Figure 1: Example of lsniff grabbing only ICMP packets

You also can redirect the output to a file: lsniff icmp >output.txt.

Understanding the Source Code

lsniff is a C/C++ application coded using Visual Studio 2005. It will compile in older compilers, too. It is really simple. In fact, the difficult part is to analyze the packets because you must know the packet structure that depends upon the protocol. Windows Socket API (WSA) offers the tools (functions) to create a simple sniffer.

It is worth mentioning that lsniff will run only if the you are logged on with administrative privileges. By reading lsniff_main.cpp, you will see the four necessary steps to start working in the promiscuous mode state:

  1. Initialize Windows Sockets (Line 107).
  2. Get a RAW socket (Line 111). RAW is a special type of socket that gives you access to packet headers, not only the data.
  3. sniff_socket = socket( AF_INET, SOCK_RAW, IPPROTO_IP );
  4. Bind the socket to the interface you want to sniff (Lines 119-127).
  5. Set the socket to promiscuous mode (Line 135).
  6. if ( WSAIoctl( sniff_socket,
                   SIO_RCVALL,
                   &optval,
                   sizeof(optval),
                   NULL,
                   0,
                   &dwLen,
                   NULL,
                   NULL ) == SOCKET_ERROR )
    
    {
       printf( "Error: WSAIoctl  = %ld\n", WSAGetLastError() );
       exit(-3);
    }
    

After all four steps have been successfully performed, it is time to start reading the packets. Notice that you should provide a buffer big enough (LS_MAX_PACKET_SIZE) to the recv function. The first check made after a packet has been read is the IP version (Line 161):

if ( LS_HI_PART(ip_header->ver_ihl) != 4 )
   continue;

lsniff only parses IPv4 packets, not IPv6. Furthermore, the IP header is parsed to know what protocol is encapsulated. Notice that lsniff does not care about packet data, only packet headers. The rest of the code depends upon your knowledge about the protocol you want to parse. Of course, you can extend lsniff by adding more protocol-parsing routines. It is good practice to use a professional sniffer (like Ethereal) to help you to parse packets:

Figure 2: parsing packets

Enjoy. I hope this helps.



Downloads

Comments

  • good place for practicing

    Posted by billstoneman on 02/22/2009 09:51pm

    wonderful, good place for participating in it to add some other interesting protocols.

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: October 29, 2014 @ 11:00 a.m. ET / 8:00 a.m. PT Are you interested in building a cognitive application using the power of IBM Watson? Need a platform that provides speed and ease for rapidly deploying this application? Join Chris Madison, Watson Solution Architect, as he walks through the process of building a Watson powered application on IBM Bluemix. Chris will talk about the new Watson Services just released on IBM bluemix, but more importantly he will do a step by step cognitive …

  • A modern mobile IT strategy is no longer an option, it is an absolute business necessity. Today's most productive employees are not tied to a desk, an office, or a location. They are mobile. And your company's IT strategy has to be ready to support them with easy, reliable, 24/7 access to the business information they need, from anywhere in the world, across a broad range of communication devices. Here's how some of the nation's most progressive corporations are meeting the many needs of their mobile workers …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds