Nytro

WinSniff


About WinSniff

WinSniff is a basic network packet sniffer for Windows, developed with the WinPcap library. It displays all the packets seen on the local network segment and gives detailed information about each header in the packet. In order to keep it simple, I am not dealing with application level protocols. If you are interested, you can add features to support various application level protocols such as SMTP, FTP, NetBIOS, etc.

Working of WinSniff

When your machine is on a network, frames addressed to other hosts also reach your network adapter. By default (i.e., when the adapter is in normal mode) the adapter discards them, because their destination MAC address is neither its own nor a broadcast or multicast address it listens to. If you want to see them, you can put the adapter in promiscuous mode. In this mode it accepts every frame irrespective of the destination address, so you can analyze all the traffic that reaches your port.

This technique is used in network management to measure and troubleshoot the traffic on a segment. There is one catch, however. You will receive packets destined for other hosts only if you are connected to a hub, since a hub repeats every frame to all the hosts attached to it. If you are connected to a switch, the switch forwards unicast frames only to the port that owns the destination MAC address, so promiscuous mode gains you nothing beyond your own traffic plus broadcast and multicast frames (unless the switch has a mirror/SPAN port configured for you). The best place to run this application is therefore on the gateway, where all incoming and outgoing packets pass through the sniffing interface.

Implementation

This part is meant for developers who are interested in coding their own sniffer. You may want to read it to understand the internals of WinSniff.

To start with, the first step is to find the right network interface and then open it in promiscuous mode. While opening the device, you also specify the snapshot length (how many bytes of each packet to capture) and the read timeout.

#include <pcap.h>

pcap_if_t *devlist;           // linked list of capture devices
char err[PCAP_ERRBUF_SIZE];   // WinPcap writes its error text here
pcap_t *hdev;

//Get all devices for capturing the packet
if (pcap_findalldevs(&devlist, err) == -1)
    return -1;                // err holds the reason

//Open device in promiscuous mode (devname[index] is the name of the
//entry the user picked from devlist)
hdev = pcap_open_live(devname[index], //name of the device
                      65536,          //snaplen -> capture whole packet
                      1,              //promiscuous mode
                      1000,           //read timeout in milliseconds
                      err);
if (hdev == NULL)
    return -1;                // e.g. no driver loaded or insufficient privileges

Once you have opened the device, you will receive all packets. If you are interested only in particular packets, for example Quake traffic (port 27960) or ARP packets (filter "arp"), you can specify a filter expression. The filter is compiled into a BPF program and installed in the driver, so unwanted packets are dropped before they ever reach your application. For more details on the filter expression syntax, refer to the WinPcap documentation.

struct bpf_program fcode;     // netmask: the interface's, e.g. from pcap_lookupnet()
// compile the filter, e.g. filter = "arp" or "udp port 27960"; 1 = optimize
if (pcap_compile(hdev, &fcode, filter, 1, netmask) < 0)
    return -1;                // pcap_geterr(hdev) explains why
// now set the filter
if (pcap_setfilter(hdev, &fcode) < 0)
    return -1;
pcap_freecode(&fcode);        // the program is copied into the driver, so release it

Once you have opened the device and set the filter, you are ready to receive packets. For each packet returned, header gives the capture length, the length on the wire and the timestamp. pkt_data points to the raw bytes of the packet, starting with the Ethernet header; only the first header->caplen bytes are valid, since a packet longer than the snaplen is truncated.

struct pcap_pkthdr *header;   // caplen, len and timestamp of the packet
const u_char *pkt_data;       // raw bytes, starting at the Ethernet header
int res;
// 1 = packet, 0 = read timeout expired, -1 = error, -2 = end of a saved file
while ((res = pcap_next_ex(hdev, &header, &pkt_data)) >= 0)
{
    if (res == 0) continue;   // timeout, no packet this time
    /* play with the captured packet: only header->caplen bytes are valid */
}

In order to analyze the packet contents, you must be familiar with various header formats. Mainly, you must know the format of the following headers... ETHERNET, ARP, IP, TCP, UDP, ICMP and IGMP. I have included the file 'protocol.h' which contains the format information about all these headers. If you want more details, you can refer RFCs for respective protocols. Once you have done the job, it's time to safely close the device.

//close the device...
pcap_close(hdev);
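The "play with the captured packet" step above is where the header formats come in. The following is an added example, not code from WinSniff or its protocol.h: a bounds-checked decoder for the Ethernet, 802.1Q, ARP, IPv4, TCP and UDP headers that would be called on pkt_data with header->caplen from the capture loop. The names parse_frame, struct summary and sample_field are mine, and the sample frame is constructed by hand (a TCP SYN to port 27960, checksums zeroed), not captured from a network. It reads fields byte-wise instead of casting to packed structs, so it does not depend on the host's byte order or alignment, and it rejects truncated or malformed packets instead of reading past the capture buffer, which is the classic sniffer bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets follow the Ethernet/IPv4/TCP/UDP RFCs. All multi-byte fields
   are big-endian on the wire, so they are read byte-wise instead of through
   packed structs, which sidesteps endianness and alignment problems. */
#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define ETH_P_ARP   0x0806
#define ETH_P_8021Q 0x8100

struct summary {                 /* assumed name, not from protocol.h */
    uint16_t ethertype;
    uint8_t  ip_proto;           /* 0 when the frame is not IPv4 */
    uint8_t  src_ip[4], dst_ip[4];
    uint16_t src_port, dst_port; /* 0 unless TCP or UDP */
    uint8_t  tcp_flags;
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode one frame. Pass header->caplen, never header->len: a packet can be
   cut at the snaplen, and trusting the on-wire length would read past the
   capture buffer. Returns 0 on success, -1 for a short or malformed frame. */
int parse_frame(const uint8_t *buf, size_t len, struct summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HLEN) return -1;
    size_t off = 12;                     /* skip dst/src MAC */
    uint16_t type = rd16(buf + off);
    off += 2;
    if (type == ETH_P_8021Q) {           /* one 802.1Q VLAN tag: TCI + real type */
        if (len < off + 4) return -1;
        type = rd16(buf + off + 2);
        off += 4;
    }
    out->ethertype = type;
    if (type == ETH_P_ARP)               /* ARP over Ethernet/IPv4 is 28 bytes */
        return (len - off >= 28) ? 0 : -1;
    if (type != ETH_P_IP) return 0;      /* not IPv4: nothing more to decode */

    const uint8_t *ip = buf + off;
    if (len - off < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length incl. options */
    uint16_t tot = rd16(ip + 2);                /* IP total length */
    if (ihl < 20 || tot < ihl || tot > len - off) return -1;
    out->ip_proto = ip[9];
    memcpy(out->src_ip, ip + 12, 4);
    memcpy(out->dst_ip, ip + 16, 4);

    const uint8_t *l4 = ip + ihl;
    size_t l4len = tot - ihl;            /* excludes Ethernet trailer padding */
    if (out->ip_proto == 6) {            /* TCP: data offset in 32-bit words */
        if (l4len < 20) return -1;
        size_t doff = (size_t)(l4[12] >> 4) * 4;
        if (doff < 20 || doff > l4len) return -1;
        out->src_port = rd16(l4);
        out->dst_port = rd16(l4 + 2);
        out->tcp_flags = l4[13];
        out->payload_len = l4len - doff;
    } else if (out->ip_proto == 17) {    /* UDP: fixed 8-byte header */
        if (l4len < 8) return -1;
        out->src_port = rd16(l4);
        out->dst_port = rd16(l4 + 2);
        out->payload_len = l4len - 8;
    } else {                             /* ICMP, IGMP, ...: protocol number only */
        out->payload_len = l4len;
    }
    return 0;
}

/* Constructed sample frame (not a real capture): Ethernet + IPv4 + TCP SYN
   from 192.168.1.10:50000 to 192.168.1.1:27960, no payload, checksums zeroed. */
static const uint8_t sample_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    0xc3,0x50,0x6d,0x38, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00 };

/* Parse the sample truncated to len bytes and return one field, -1 on failure. */
long sample_field(size_t len, const char *name)
{
    struct summary s;
    if (parse_frame(sample_syn, len, &s) != 0) return -1;
    if (!strcmp(name, "proto"))   return s.ip_proto;
    if (!strcmp(name, "dport"))   return s.dst_port;
    if (!strcmp(name, "flags"))   return s.tcp_flags;
    if (!strcmp(name, "payload")) return (long)s.payload_len;
    return -1;
}

int main(void)
{
    struct summary s;
    if (parse_frame(sample_syn, sizeof sample_syn, &s) == 0)
        printf("proto %u  %u -> %u  flags 0x%02x  payload %zu\n",
               s.ip_proto, s.src_port, s.dst_port, s.tcp_flags, s.payload_len);
    printf("truncated to 40 bytes: %ld\n", sample_field(40, "dport"));
    return 0;
}
```

In the real loop you would call parse_frame(pkt_data, header->caplen, &s) for each packet with res == 1. The second call in main shows the point of the length checks: the same frame cut to 40 bytes (as a snaplen shorter than 65536 would do) is rejected rather than decoded from bytes that were never captured.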

Requirements

1) Developers can find all the header files and libraries in the WinPcap Developer's Pack, version 3.0 or higher. Don't forget to add the include and lib directories to the project settings.

2) Before running this application, you need to install WinPcap version 3.0 or higher.

[Screenshot: winsniff.jpg]

Download:

http://securityxploded.com/getfile.php?id=9121

Source code:

http://securityxploded.com/getfile.php?id=9155
