Application Security Testing: An Integral Part of DevOps
Environment: VC6 with Platform SDK , W2K ( only )
This program was developed because of the demand to have custom packet monitoring utility for purposes of application system . But it shows too how easy, it is to write sniffer in a modern operation system like Windows 2000. When I first time read this wonderful ( IMHO ) book of Jon C. Snader "Effective TCP/IP Programming. 44 Tips to Improve Your Network Programs" with envy I read the lines how simple is to write the sniffer in Linux. You simply put the line s = socket( AF_NET , SOCK_PACKET , htons( ETH_P_ALL ) ) ; and sniffer is ready. Simple and elegant decision . No need in NDIS , DDK , pcaplib and all this stuff , well known to everyone , who tried to do it in Win9x or NT. But in Windows 2000 to write sniffer is quicker then saying Jack Robinson. WSAIoctl from WinSock2 with SIO_RCVALL parameter do the job , so from this moment only knowledge of IP,TCP,ICMP packets are needed to make your own custom sniffer.
When all needed data exists , it is possible to press the Start button , which changes it's text to 'Stop' ( from this moment this button is to stop the monitoring thread ). Pressing the button next time changes the text to Start. For monitoring I use working thread , so I decided to use synchronous socket. Because I use WinSock2 , I have the opportunity to reduce receiving time-out. I set timeout to 5 second , usually it's 45. This thread function I announced as a friend of main dialog class to simplify setting/receiving data in class-members of main dialog class where I set few class members for application functioning. Because my main thread is doing almost nothing , only start or stop worker thread or close dialog , I'm writing data from packets directly to the listbox. But be careful in the case of some work of main thread with controls it can cause the deadlock. This happened to me when I used WaitForSingleObject with time-out INFINITE after I did PostThreadMessage with WM_CLOSE and in the worker thread tried to write in the listbox "Monitoring stopped". Such situation caused the deadlock , and I needed to change such behavior with disabling/enabling the Start/Stop button in the periods of posting WM_CLOSE to worker thread and it's finish.
The class-members and class-functions, I added , is self described and the the only one class-member CDWordArray m_IPArr needs little explanation. This is array of DWORDs , where every element is IP address of adapter in the multihome configuration. To receive all these IP addresses I used IPHLPAPI library from Platform SDK .
One last note connected to the AfxSock.h in mfc\include directory. There exist a line #include <winsock.h>. But I need winsock2.h for my application. To decide this problem I copied AfxSock.h to ipmon directory , change #include <winsock.h> to #include <winsock2.h> and in the StdAfx.h in ipmon directory changed the line #include <afxsock.h> to the line : #include "afxsock.h" to use my afxsock.h.
MSTCPIP.h,iphlpapi.h and lib exists on Platform SDK. You have to install it. Happy sniffing !
DownloadsDownload source code - 40 Kb
Download application - 8 Kb