This little tool opens a raw socket and receives all incoming network packets.
Have fun with it..... and report bugs, please.. 8)
Dominik
Posted on 2004-10-13 19:21:19 by Dom
nice. a resizable window would be great. and a sniffer for outgoing data. and a port filter. that's all ;)
Posted on 2004-10-14 10:06:00 by diablo2oo2
thought about that resizing....but was too lazy :).
Port Filter is no problem, but as far as I know there is no way to read outgoing packets using the raw-socket-implementation.

Dominik
Posted on 2004-10-14 10:35:23 by Dom
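The port filter mentioned in the posts above, as an added example that is not part of the thread or of Dom's tool: a buffer read from an AF_INET raw socket starts at the IPv4 header, so the filter has to honour the header-length field and skip later fragments before reading TCP/UDP ports. The sample packets and the names `port_filter`, `PORT_MATCH`, `PORT_NOMATCH` and `PORT_SKIP` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PORT_SKIP = -1, PORT_NOMATCH = 0, PORT_MATCH = 1 };

/* Constructed sample buffers (documentation addresses, checksums left zero). */
static const uint8_t tcp80[] = {          /* TCP 192.0.2.1:49152 -> 192.0.2.2:80 */
    0x45,0x00,0x00,0x28,0x00,0x01,0x40,0x00,0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01,0xc0,0x00,0x02,0x02,
    0xc0,0x00,0x00,0x50,0,0,0,0,0,0,0,0,0x50,0x02,0x20,0x00,0,0,0,0 };
static const uint8_t udp53_opts[] = {     /* UDP from port 53, IHL=6 (4 option bytes) */
    0x46,0x00,0x00,0x20,0x00,0x02,0x00,0x00,0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01,0xc0,0x00,0x02,0x02,0x01,0x01,0x01,0x00,
    0x00,0x35,0xc0,0x01,0x00,0x08,0x00,0x00 };
static const uint8_t frag[] = {           /* later TCP fragment; payload looks like port 80 */
    0x45,0x00,0x00,0x18,0x00,0x03,0x00,0xb9,0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01,0xc0,0x00,0x02,0x02,0x00,0x50,0x00,0x50 };

/* Read a 16-bit field stored in network (big-endian) byte order. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt/len: one buffer as returned by recv() on the raw socket.
   PORT_MATCH   - TCP/UDP and source or destination port equals `port`
   PORT_NOMATCH - TCP/UDP with other ports
   PORT_SKIP    - no port readable (not IPv4, truncated, later fragment, other protocol) */
int port_filter(const uint8_t *pkt, size_t len, uint16_t port)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return PORT_SKIP;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;        /* header length including options */
    if (ihl < 20 || len < ihl + 4) return PORT_SKIP; /* bad IHL or ports cut off */
    if (be16(pkt + 6) & 0x1FFF) return PORT_SKIP;    /* fragment offset != 0: no L4 header */
    if (pkt[9] != 6 && pkt[9] != 17) return PORT_SKIP; /* only TCP (6) and UDP (17) */
    uint16_t sport = be16(pkt + ihl), dport = be16(pkt + ihl + 2);
    return (sport == port || dport == port) ? PORT_MATCH : PORT_NOMATCH;
}

int main(void)
{
    printf("tcp80 vs 80: %d\n", port_filter(tcp80, sizeof tcp80, 80));
    printf("udp53_opts vs 53: %d\n", port_filter(udp53_opts, sizeof udp53_opts, 53));
    printf("frag vs 80: %d\n", port_filter(frag, sizeof frag, 80));
    return 0;
}
```

A filter that assumes a fixed 20-byte IP header would read the option bytes of `udp53_opts` as ports and miss the port 53 match.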
The tool goes into promiscuous mode using WSAIoctl...
under Win2k it works, it even captures the outgoing packets...
under XP pro there is no chance. Can anyone help?
Posted on 2004-11-03 02:35:47 by Dom
winsock 2 (ws2_32) supports true rawsockets on xp.
Posted on 2004-11-11 07:30:30 by Homer
so how to make promiscuous mode there, homer? any idea?
Posted on 2004-11-15 06:47:33 by Dom
WSAIoctl with SIO_RECVALL
Posted on 2004-11-16 20:09:49 by Homer
I assume what you call SIO_RECVALL is already implemented, called SIO_RCVALL. But on xp promiscuous mode won't work. Would you take a look at my code, Homer!? What is it that makes p.-mode running on 2k but not on xp!?
Dominik
Posted on 2004-11-18 04:29:57 by Dom
As I mentioned yesterday in another thread here, rawsock on XP works fine for SP1, and for SP2 RC1 (release candidate 1)
But m$ deliberately broke the outgoing side of rawsock under SP2 RC2 and higher, because according to them the ONLY use for forging packet headers is making attack tools.. go figure.
I am happy to report that the incoming side of rawsock works fine under RC2 and higher, it seems it's not evil to listen...

Dom, your application has a major problem that I noticed..
it's to do with the way you fetch the interface ip address.
What if there's more than one ip, and the first ip isn't the internet one?
My machine has two network cards - the first ip reported is my LAN.
I can sniff LAN packets promiscuously on XP SP2 RC2 using your tool all day and night.
Please add a listbox and enumerate the ip addresses PROPERLY so I can CHOOSE which interface to bind to :)
Posted on 2004-11-18 06:43:58 by Homer
Hey EvilHomer, thanks for your help and xp-sp report...so as there are several things I wanted to fix you just made me work on a new version...nothing special, but some useful features (including selection of ip interface). So that's what I call pushing someone to coding :) .....thx
Dominik
Posted on 2004-11-19 13:31:05 by Dom
I don't know about you, but I get a hell of a kick out of creating something out of nothing.. for me, coding is a lot like oilpainting - you start with an idea and a fresh canvas, you start adding a dob here and a blob there and then something magical happens - things start to reveal themselves out of the chaos, then you add some more and before you know it those elements are working together to create something which is much greater than its parts... and it all starts with an idea :)
Posted on 2004-11-20 22:20:46 by Homer
Unfortunately this application is NOT receiving raw incoming packets from SolOS :D

But windows connection properties is showing that the packets have been indeed received aka 100.000 of them :P
and still no item appears in your list ;)

Is there anything that i am doing wrongly ?

SolOS is receiving the packets ok.
Apparently Windows also.

Are you receiving only TCP/IP like packets?
Posted on 2004-11-21 05:54:23 by BogdanOntanu
You are requesting winsock v1.01:

invoke WSAStartup, 101h, addr WinsockData ;INIT NETWORK

Under XP on my machine WSADATA returns v 1.01, but still supports raw sockets and SIO_RCVALL. Perhaps this could be a problem on other versions of Windows. Aren't these only supported under Winsock 2.0?

Winsock 2.0 would be:

invoke WSAStartup, 2h, addr WinsockData ;INIT NETWORK
Posted on 2004-11-21 21:46:10 by The Dude of Dudes
Yes, absolutely correct, and why not use 0202h as the version major, minor while we are at it? :)
Posted on 2004-11-21 23:09:02 by Homer
So a little off-topic:

Using this application or another win32 application is there a way to capture all incoming raw packets? And i really mean ALL.

I could use such an application to test my OS intercommunication with Windows...
Posted on 2004-11-22 03:24:00 by BogdanOntanu
My personal experience with full rawsocket support is that it drops incoming packets at the best of times.
It's simply not up to the task of a full session analysing packet logger.
My recommendation is to go with a VxD / SYS style of capture library.
There's several to choose from, and you have the added advantage that your code will execute as expected on ALL Win platforms.
Posted on 2004-11-22 03:56:38 by Homer
So after I had no time and the forum was hacked, here is finally the new version. it is now able to sniff both incoming and outgoing packets...

p.s. thx to EvilHomer for his inspiring words...

as the forum now does not seem to handle attached files i just uploaded it on some sh*tty old tripod host: http://mitglied.lycos.de/darkripper/snf2.zip

Dominik
Posted on 2004-11-30 12:22:06 by Dom
Mr. Dom:
snf1.zip is a great source code, we can't access the http://mitglied.lycos.de/ , could you move the snf2.zip to another address that we can?
Posted on 2004-12-02 06:12:19 by dcskm4200
thx for the info...i just posted it on masmforum now...and here is the link:
http://masmforum.com/viewtopic.php?p=31559#31559

Dominik
Posted on 2004-12-02 08:20:07 by Dom
Mr. Dom:
Thanks you did.
but we still can't access. take a consultation with Mr. Hutch--. Put snf2.zip on somewhere in http://www.movsd.com/ .
Posted on 2004-12-02 09:33:11 by dcskm4200