This little tool opens a raw socket and receives all incoming network packets.
Have fun with it..... and report bugs, please.. 8)
Dominik
nice. a resizable window would be great. and a sniffer for outgoing data. and a port filter. that's all ;)
thought about that resizing....but was too lazy :).
Port Filter is no problem, but as I know there is no way to read outgoing packets using the raw-socket-implementation.
Dominik
The tool goes into promiscuous mode using WSAIoctl...
under Win2k it works, it even captures the outgoing packets...
under XP pro there is no chance. Can anyone help?
winsock 2 (ws2_32) supports true rawsockets on xp.
so how to make promiscuous mode there, homer? any idea?
WSAIoctl with SIO_RECVALL
I assume what you call SIO_RECVALL is already implemented, called SIO_RCVALL. But on xp promiscuous mode won't work. Would you take a look at my code, Homer!? What is it that makes p.-mode running on 2k but not on xp!?
Dominik
As I mentioned yesterday in another thread here, rawsock on XP works fine for SP1, and for SP2 RC1 (release candidate 1)
But m$ deliberately broke the outgoing side of rawsock under SP2 RC2 and higher, because according to them the ONLY use for forging packet headers is making attack tools.. go figure.
I am happy to report that the incoming side of rawsock works fine under RC2 and higher, it seems it's not evil to listen...
Dom, your application has a major problem that I noticed..
it's to do with the way you fetch the interface ip address.
What if there's more than one ip, and the first ip isn't the internet one?
My machine has two network cards - the first ip reported is my LAN.
I can sniff LAN packets promiscuously on XP SP2 RC2 using your tool all day and night.
Please add a listbox and enumerate the ip addresses PROPERLY so I can CHOOSE which interface to bind to :)
Hey EvilHomer, thanks for your help and xp-sp report...so as there are several things I wanted to fix you just made me working on a new version...nothing special, but some useful features (including selection of ip interface). So that's what I call pushing someone to coding :) .....thx
Dominik
I don't know about you, but I get a hell of a kick out of creating something out of nothing.. for me, coding is a lot like oilpainting - you start with an idea and a fresh canvas, you start adding a dob here and a blob there and then something magical happens - things start to reveal themselves out of the chaos, then you add some more and before you know it those elements are working together to create something which is much greater than its parts... and it all starts with an idea :)
Unfortunately this application is NOT receiving raw incoming packets from SolOS :D
But windows connection properties is showing that the packets have been indeed received aka 100.000 of them :P
and still no item appears in your list ;)
Is there anything that i am doing wrongly ?
SolOS is receiving the packets ok.
Apparently Windows also.
Are you receiving only TCP/IP like packets?
You are requesting winsock v1.01:
invoke WSAStartup, 101h, addr WinsockData ;INIT NETWORK
Under XP on my machine WSADATA returns v 1.01, but still supports raw sockets and SIO_RCVALL. Perhaps this could be a problem on other Versions of Windows. Aren't these only supported under Winsock 2.0?
Winsock 2.0 would be:
invoke WSAStartup, 2h, addr WinsockData ;INIT NETWORK
Yes, absolutely correct, and why not use 0202h as the version major, minor while we are at it? :)
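The two points raised in this thread, requesting Winsock 2.2 instead of 1.1 and binding the raw socket to a chosen interface before WSAIoctl/SIO_RCVALL, put together in C as an added example (not Dominik's MASM code); the IPv4 header decoder is portable so it can be tested on any host, while open_sniffer() compiles only on Windows (link with ws2_32) and iface_ip is assumed to come from the user's interface selection.

```c
/* Added example (not the thread's own code): open a Winsock 2.2 raw socket
 * bound to one chosen interface, enable SIO_RCVALL, and decode the IPv4
 * header of each captured packet. The decoder is portable so it can be
 * unit-tested anywhere; the socket part compiles only on Windows. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { uint8_t version, ihl, proto; uint16_t total_len; uint32_t src, dst; } ipv4_hdr;

/* Parse the IPv4 header at the start of a raw-socket receive buffer. Returns 0
 * on a truncated or non-IPv4 buffer so a bad packet cannot drive later indexing. */
int parse_ipv4(const uint8_t *buf, size_t len, ipv4_hdr *h) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    h->version = buf[0] >> 4;
    h->ihl = (uint8_t)((buf[0] & 0x0F) * 4);          /* header length in bytes */
    if (h->ihl < 20 || h->ihl > len) return 0;
    h->total_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (h->total_len < h->ihl) return 0;
    h->proto = buf[9];                                 /* 6 = TCP, 17 = UDP, 1 = ICMP */
    memcpy(&h->src, buf + 12, 4);                      /* kept in network byte order */
    memcpy(&h->dst, buf + 16, 4);
    return 1;
}

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>   /* SIO_RCVALL, RCVALL_ON */
/* Bind a raw IP socket to the interface the user picked (not simply the first
 * address found) and switch on SIO_RCVALL. Returns INVALID_SOCKET on failure;
 * WSAGetLastError() then tells why (e.g. no administrator rights on XP). */
SOCKET open_sniffer(const char *iface_ip) {
    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) return INVALID_SOCKET;  /* 0202h, not 101h */
    SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (s == INVALID_SOCKET) return s;
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(iface_ip);          /* assumed: chosen from an interface list */
    DWORD on = RCVALL_ON, got = 0;
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR ||
        WSAIoctl(s, SIO_RCVALL, &on, sizeof on, NULL, 0, &got, NULL, NULL) == SOCKET_ERROR) {
        closesocket(s); return INVALID_SOCKET;
    }
    return s;
}
#endif
```

Each recv() on the returned socket then yields a full IP datagram starting with the header parse_ipv4() decodes; as the thread reports, on XP SP2 RC2 and later only the incoming side is delivered.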
So a little off-topic:
Using this application or another win32 application is there a way to capture all incoming raw packets? And i really mean ALL.
I could use such an application to test my OS intercommunication with Windows...
My personal experience with full rawsocket support is that it drops incoming packets at the best of times.
It's simply not up to the task of a full session analysing packet logger.
My recommendation is to go with a VxD / SYS style of capture library.
There's several to choose from, and you have the added advantage that your code will execute as expected on ALL Win platforms.
So after I had no time and the forum was hacked, here is finally the new version. It is now able to sniff both incoming and outgoing packets...
p.s. thx to EvilHomer for his inspiring words...
as the forum now does not seem to handle attached files I just uploaded it on some sh*tty old tripod host: http://mitglied.lycos.de/darkripper/snf2.zip
Dominik
Mr. Dom:
snf1.zip is a great source code, we can't access http://mitglied.lycos.de/. Could you move snf2.zip to another address that we can?
thx for the info...I just posted it on masmforum now...and here is the link:
http://masmforum.com/viewtopic.php?p=31559#31559
Dominik
Mr. Dom:
Thanks, you did.
but we still can't access. take a consultation with Mr. Hutch--. Put snf2.zip somewhere on http://www.movsd.com/ .