Nytro Posted July 5, 2010 Report Posted July 5, 2010 (edited) HZVSNIFFWe are going to talk about “how to make your own sniffer ?”. At first, i have to tell you that this paper is more a development guide which should help you to make your own program, and to understand sniffing concepts in a raw level mode.So this paper will only be usefull to people who already something about C programming, as well as in networking.What is a sniffer ?It is a tool which can be used to read all network packets going through your network card. The aim is originally to detect some problems which may occurs on a lan / wan. But another way to use such a program is to be able to read all packets' content after having hijacking them on your computer... For what ? In order to intercept some logins/passwords ... We don't explain in this article how to hijack a connection, but only how to read and decode all packets going through your network cards.Moreover, if you are on a broadcast network (meaning that each packet are sent to every computers on the Lan), it won't be necessary to set up an hijacking attack : all packets from the network are received on your network card. But how make them “accepted” by your card, and how to read them ?Promiscious mode:Let's talk about the default communication process between two computers : the first one send through its network card one packet, which contains MAC address of the target. A system just takes care about packets its MAC address as the destination, and drops all others. So on a broadcasted network, all computers receive all sent packets, and drop all those for which they are not the destination. Promiscious allow to escape that process in order to catch every packets, whatever MAC destination is.You really want to use a library to develop the sniffer to don't deal directly with the network raw level. The libpcap is designed to used in this way, to develop your soft, and is moreover present onto Unix and Windows. Maybe you already know tcpdump or ethereal, and guess what : both of them have been developed onto it.First, you have to install this lib :$> tar xvzf libpcap-0.6.2.tar.gz.......$> cd libpcap-0.6.2$> ./configure$> make$> make installYou won't forget to include the good header in your sources :#includeHave a look on the development manpages$> man libpcapLets now have a look on APIs' syntax :pcap_open_liveIt is tha main function, used to set up one sniffing session by using that lib. It returns a file descriptor you can use to read intercepted packets, to create and apply some filters ... Of course, you have to call this function !!pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)Char *device : Network interface you used to intercept data. You have to give its character string representation (eth0, eth1, wlan0 ...)int snaplen : Max size of information which will be read in one packet. In general, you can use 1500 bytes on an ethernet Lan.int promisc: do you want to enable the promiscious mode (1), or not (0) ... You probably want to use it.Int to_ms: timeoutchar *ebuf : In case of errors, they are returned onto that address. On success case, NULL is returned.You should know that the file descriptor is given as an argument of the pcap_t structure, returned by the main API pcap_open_live.pcap_next :This function is used to return address of each intercepted packet written in a queue. Each returned pointer points to an usigned character string, which are one captured packets in the queue.u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)pcap_t *p : File descriptor returned by pcap_open_live.pcap_pkhdr *p : pointer on to pcap_pkhdr structure, into which headers of received packets are formated to be read. You find it in the pcap.h file.pcap_lookupnet :This function returns the network's address and subnet.int pcap_lookupnet(char *device,bpf_u_int32 *netp,bpf_u_int32 *maskp, char *errbuf);Char *device : Network interface used to capture traffic.bpf_u_int32 *netp : Address where is saved the network addressbpf_u_int32 *maskp : Address where is saved the sbnet addresschar *errbuf: Address where are returned errors.pcap_stats :Get some statistics on received packets. These informations are saved, and formated to be read in a pcap_stat structure.int pcap_stats(pcap_t *p, struct pcap_stat *ps)pcap_t *p : file desciptor return by pcap_open_livestruct pcap_stat *ps : Target where are wrote statistics about trafficstruct pcap_stat {u_int ps_recv; // Number of received packetu_int ps_drop; // Number of dropped packetu_int ps_ifdrop; // Not yet supported};pcap_lookupdev :Return default network interface.u_char pcap_lookupdev(char *errbuf)Char *errbuf : Address where are return errors, NULL otherwise.We have shown all functions you have to use in your sniffer, and to make it work well. But, you will find lots of more functions in development manpages.-----------------------------------------------start---------------------------------------------------#include /* Some basic libraries */#includeint main(void){int i,a=0,nbrpaquets;/* variable (counter)i as a counter on received packetsa as the number of received packetsnbrpaquets number of packets already captured*/char interface[10];/* Network interface used to sniff */bpf_u_int32 netp,maskp;/* Network and subnet addresses */int affichage=0;/* Define the desired formatting to display captured packets */char erreur[PCAP_ERRBUF_SIZE];/* Buffer use to write errors, max sie defined in pcap.h as the macro PCAP_ERRBUF_SIZE */pcap_t *descriptPaquet = NULL;/* File descriptor returned by pcap_open_live */struct pcap_stat *statistiques;/* Statistics ' structure */struct pcap_pkthdr paquethdr;/* Header structure used by pcap_next. */u_char *paquet;/* content of captured packets */statistiques = (struct pcap_stat*)malloc(sizeof(struct pcap_stat));/* Memory allocation to write statistic structure */printf("\n\n\n-+-+-+-+-+-+-+-+HZVSniff+-+-+-+-+-+-+-+-\n");printf(" CoDeD By ReDiLs For HZVManual\n\n");printf("Interface to sniff (default :0) ");scanf("%10s",interface);/* we get a character string representation of the used to sniff interface*/printf("\nHow many packets to intercept: ");scanf("%d",&nbrpaquets);/* We get number of packets to sniff.*/printf("\nChoisissez le type d'affichage des données :\n");printf(" 1 -> Display : Characters Modeprintf(" 2-> Display hexa mode\n");scanf("%d",&affichage);while((affichage!=1) && (affichage!=2)){printf("Choose 1 oo 2 \n");scanf("%d",&affichage);}if(strcmp(interface,"0")==0)strcpy(interface,pcap_lookupdev(erreur));/* We check if user want to call pcap_lookupdev to find default network interface*/if ((descriptPaquet = pcap_open_live(interface, 1500, 0, 1000, erreur))==NULL)/* File descriptor allocation*/{printf("Erreur : %s\n",erreur);/* If errors, we display them*/exit(1);}pcap_lookupnet(interface,&netp,&maskp,erreur);/* We get network's address and subnet */printf("\nNetwork : %x\n",netp);/* We display network in hexa mode.*/printf("\nMask : %x\n",maskp);/* Display Mask in hexa mode*/pcap_stats(descriptPaquet, statistiques);/* We call the statistics' function*/printf("Displaying network traffic : %s\n",interface);while (a!=nbrpaquets)/* Until desired number of captured packet is not done, we get them */{paquet = (u_char *) pcap_next(descriptPaquet, &paquethdr);/* We get packets'content*/if (paquet != NULL)/* If content is not emty (some times, it may be), we don't display it.*/{for (i=0; i<500; i++)/* We display the first 500 bytes of packets*/{if(affichage==1)printf("%c",*paquet);/* Which format to display output ?*/elsepaquet++;}printf("\n*********************************************************************\n");}++;}pcap_stats(descriptPaquet, statistiques);printf("Statistis :\n");printf("Received packets : %d\n",statistiques->ps_recv);printf("Dropped packets : %d\n",statistiques->ps_drop);}--------------------------------------end---------------------------------------------------------To compile your code :gcc -lpcap -o hzvsniff hzvsniff.cSource: http://www.thehackademy.net/ Edited July 5, 2010 by Nytro Quote
