WinSniff

WinSniff is the application for capturing packets on the network. It displays all the packets that are transmitted on the local network and gives detailed information about each header in the packet. In order to keep it simple, I am not dealing with application-level protocols. If you are interested, you can add features to support various application-level protocols, such as SMTP, FTP, NETBIOS, and so forth.

How It Works

When your machine is on the network, packets with different destination assignments arrive. By default (when the network adapter is in normal mode), these packets are rejected by the network adapter because they are intended for a different host. But, if you want, you can receive these packets by putting the network adapter in promiscuous mode. In this mode, it will accept all the packets irrespective of the destination address.

Hence, you can analyse the packets transmitted on your network. This trick is used for network management to determine the network traffic and so forth. However, there is one problem here. You will receive the packets with different destinations if you are using a HUB because a HUB uses a broadcasting technique to transmit packets to all the hosts attached to it. However, if you are using a SWITCH (an intelligent device), you won't receive any packet sent to other hosts on the network. The best place to install this application is on the gateway, where you can keep track of incoming and outgoing packets.

Implementation

First, you have to get the device list and then open the device in promiscuous mode. While opening the device, you also can specify the size of the packet and its time out value.

// Get all devices for capturing the packet
   pcap_findalldevs(&devlist,err);

//Open device in promiscous mode
   hdev=pcap_open_live( devname[index],    //name of the device
                        65536,             //size ->Capture whole packet
                        1,                 //promiscuous mode
                        1000,              //read timeout
                        err
   );

Once you have opened the device, you will receive all packets. If you are interested in a particular packet—for example, only QUAKE packets (port 27960), ARP packets (arp), and the like—you can specify the filter expression. To learn how to specify a filter expression, you can refer to the WinPcap documentation.

//compile the filter
   pcap_compile(hdev,&fcode,filter,1,netmask);

//now set the filter
   pcap_setfilter(hdev,&fcode);

Once you have opened the device and set the filter, you are ready to receive the packets. Once the packet is received, the header contains the length, time, and other information about the packet. pkt_data contains the exact contents of the packet starting from the Ethernet header.

while(true)
{
pcap_next_ex(hdev,&header,&pkt_data);
// Do whatever you want..
}

To analyze the packet contents, you must be familiar with various header formats. Mainly, you must know the format of the following headers: ETHERNET, ARP, IP,TCP, UDP, ICMP, and IGMP. I have included the protocol.h file that contains the format information about all these headers. If you want more details, you can refer RFCs for the respective protocols.

Once you have done the job, it's time to safely close the device.

//close the device...
   pcap_close(hdev);

Requirements

You need Winpcap (Windows version of Libpcap: packet capturing library) to run this application. It can be downloaded from this location. It contains the setup file along with good documentation that explains capturing and sending packet in detail. I advise you to go through the WinPcap documentation before going through the source code.

Running the Application

When you run the application, the main window pops up. Click on the startcapture menu item to start the capture. It displays a dialog box; now, select the device. Packets will be displayed in the main window. Click on the packet to see more details. You can save any packet by clicking the SaveFrame menu item. Later, you can open this saved frame.

If you don't have a network adapter or are not on the network, I have included some sample packets in the SamplePackets folder in the source zip file. You can open these files and view their contents.

If you have any queries or suggestions, feel free to drop a mail at nsry2002@yahoo.co.in.



Downloads

Comments

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Java developers know that testing code changes can be a huge pain, and waiting for an application to redeploy after a code fix can take an eternity. Wouldn't it be great if you could see your code changes immediately, fine-tune, debug, explore and deploy code without waiting for ages? In this white paper, find out how that's possible with a Java plugin that drastically changes the way you develop, test and run Java applications. Discover the advantages of this plugin, and the changes you can expect to see …

  • Protecting business operations means shifting the priorities around availability from disaster recovery to business continuity. Enterprises are shifting their focus from recovery from a disaster to preventing the disaster in the first place. With this change in mindset, disaster recovery is no longer the first line of defense; the organizations with a smarter business continuity practice are less impacted when disasters strike. This SmartSelect will provide insight to help guide your enterprise toward better …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds