IP Packet Monitor for Windows 2000

Environment: VC6 with Platform SDK , W2K ( only )

This program was developed because of the demand to have custom packet
monitoring utility for purposes of application system .
But it shows too how easy, it is to write sniffer in a modern operation system
like Windows 2000. When I first time read this wonderful ( IMHO ) book
of Jon C. Snader “Effective TCP/IP Programming. 44 Tips to Improve Your Network
Programs” with envy I read the lines how simple is to write
the sniffer in Linux. You simply put the line
s = socket( AF_NET , SOCK_PACKET , htons( ETH_P_ALL ) ) ;
and sniffer is ready. Simple and elegant decision . No need in NDIS , DDK ,
pcaplib and all this stuff , well known to everyone , who tried to do it
in Win9x or NT. But in Windows 2000 to write sniffer is quicker then saying
Jack Robinson. WSAIoctl from WinSock2 with SIO_RCVALL parameter do the job ,
so from this moment only knowledge of IP,TCP,ICMP packets are needed
to make your own custom sniffer.

I will show here such monitoring utility which was build on standard MFC dialog box
application. I did such an app with VC6 application wizard and add two
IP address controls , one start/stop button , check box and listbox to show
the packet’s contents. First IP Address control is for IP of this monitoring
computer. I have multihomed computers in LAN both Servers and Professional
Windows 2000 , so I need to enter one of few IP’s of monitoring computer.
Next IP Address control is for IP of host you want to monitor
( in Windump it’s like with parameter ‘host hostname’) , only if
this IP is zero, I verify the check box and if it’s empty I show data from
all packets of all computers in the system , otherwise I show the data of
IP packets of monitoring computer( in Windump it’s like with parameter
‘host thishostname’).

When all needed data exists , it is possible to press the Start button ,
which changes it’s text to ‘Stop’ ( from this moment this button is to stop
the monitoring thread ). Pressing the button next time changes the text to Start.
For monitoring I use working thread , so I decided to use synchronous socket.
Because I use WinSock2 , I have the opportunity to reduce receiving time-out.
I set timeout to 5 second , usually it’s 45.
This thread function I announced as a friend of main dialog class to simplify
setting/receiving data in class-members of main dialog class where I set few
class members for application functioning.
Because my main thread is doing almost nothing , only start or stop worker
thread or close dialog , I’m writing data from packets directly to the listbox.
But be careful in the case of some work of main thread with controls it can
cause the deadlock. This happened to me when I used WaitForSingleObject with
time-out INFINITE after I did PostThreadMessage with WM_CLOSE and in the
worker thread tried to write in the listbox “Monitoring stopped”. Such
situation caused the deadlock , and I needed to change such behavior with
disabling/enabling the Start/Stop button in the periods of posting WM_CLOSE
to worker thread and it’s finish.

The class-members and class-functions, I added , is self described and the
the only one class-member CDWordArray m_IPArr needs little explanation.
This is array of DWORDs , where every element is IP address of adapter
in the multihome configuration.
To receive all these IP addresses I used IPHLPAPI library from
Platform SDK .

One last note connected to the AfxSock.h in mfc\include directory.
There exist a line #include <winsock.h>. But I need winsock2.h
for my application. To decide this problem I copied AfxSock.h
to ipmon directory , change #include <winsock.h> to
#include <winsock2.h> and in the StdAfx.h in ipmon directory
changed the line #include <afxsock.h> to the line : #include “afxsock.h”
to use my afxsock.h.

MSTCPIP.h,iphlpapi.h and lib exists on Platform SDK. You have to install it.
Happy sniffing !

Downloads

Download source code – 40 Kb

Download application – 8 Kb

More by Author

Must Read