FireFox

Winpcap filter and TCP/UDP packet splitter

5 posts in this topic

#1 ·  Posted (edited)

Hi,

I have worked on a project for a friend and it needed to retrieve some data from UDP packets. It was a challenge because I didn't know anything about those packets, and after a few days of work I managed to do what I wanted.

The hardest part was to set a very strict filter for the CPU usage and for the script optimisation, so here is one:

;use filters with _PcapStartCapture
;retrieve only TCP packets whose DATA contains AABBCCDD, starting at data byte 8 and with a length of 4; like the StringMid func.
;NOTE: in the pcap filter syntax tcp[N:len] counts from the start of the TCP HEADER, not of the data, so a plain tcp[8:4]
;would read the acknowledgment number. Add the header length (data offset nibble of byte 12, times 4) to reach the data:
tcp[((tcp[12]&0xf0)>>2)+8:4] == 0xAABBCCDD ;8th byte from the beginning of the TCP DATA, 4 bytes length; always include the 0x to specify you are dealing with hex.

And some funcs to split the different data from packets:

;$hCapture is the handle returned by _PcapStartCapture
;$aPacket[3] is the packet as a hex string prefixed with "0x", so the first byte of the frame is at string position 3
; #FUNCTION# ====================================================================================================================
; Name...........: _TCP_Recv
; Description ...: Retrieves a TCP packet and returns its fields split into an array
; Syntax.........: _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
; Parameters ....: $hCapture    - Capture handle
;                   $iInstance    - Instance (0-based index) of the packet to retrieve
;                   $iTimeOut    - Timeout in milliseconds (-1 = wait forever)
; Return values .: Success    - Array containing the packet data
;                   Failure    - -1 (timed out)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......: Assumes the capture filter only passes TCP (protocol field = 06). The IP and TCP header lengths are
;                   read from the IHL and data offset fields, so IP/TCP options do not shift the data field.
; Related .......: _UDP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $iTimer_Capture, $aPacket, $iPacket = 0, $iTCPStart, $iTCPHdrLen

    $iTimer_Capture = TimerInit()

    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)

        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                Local $aTCPPacket[21]

                ;Ethernet header: 14 bytes = 28 hex chars (positions 3 to 30)
                $aTCPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination Mac Address
                $aTCPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source Mac Address
                $aTCPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type (0800 = IPv4)
                ;IPv4 header: starts at position 31, 20 bytes = 40 hex chars when there are no options
                $aTCPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length (IHL, in 32-bit words)
                $aTCPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differentiated Services Field
                $aTCPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
                $aTCPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
                $aTCPPacket[7] = StringMid($aPacket[3], 43, 4) ;Flags & Fragment offset
                $aTCPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
                $aTCPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol (06 = TCP)
                $aTCPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
                $aTCPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
                $aTCPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
                ;TCP header: starts right after the IP header (position 71 when IHL = 5)
                $iTCPStart = 31 + Dec(StringMid($aPacket[3], 32, 1)) * 8 ;IHL * 4 bytes * 2 hex chars per byte
                $aTCPPacket[13] = StringMid($aPacket[3], $iTCPStart, 4) ;Source port
                $aTCPPacket[14] = StringMid($aPacket[3], $iTCPStart + 4, 4) ;Destination port
                $aTCPPacket[15] = StringMid($aPacket[3], $iTCPStart + 8, 8) ;Sequence number
                $aTCPPacket[16] = StringMid($aPacket[3], $iTCPStart + 16, 8) ;Acknowledgment number
                $aTCPPacket[17] = StringMid($aPacket[3], $iTCPStart + 24, 4) ;Data offset & Flags
                $aTCPPacket[18] = StringMid($aPacket[3], $iTCPStart + 28, 4) ;Window size value
                $aTCPPacket[19] = StringMid($aPacket[3], $iTCPStart + 32, 4) ;Checksum
                ;$iTCPStart + 36 to + 39 = Urgent pointer (not stored), followed by any TCP options
                $iTCPHdrLen = Dec(StringMid($aPacket[3], $iTCPStart + 24, 1)) * 4 ;data offset * 4 bytes; 20 without options
                $aTCPPacket[20] = StringTrimLeft($aPacket[3], $iTCPStart - 1 + $iTCPHdrLen * 2) ;Data

                Return $aTCPPacket
            EndIf
            $iPacket += 1
        EndIf

        Sleep(50)
    WEnd

    Return -1
EndFunc   ;==>_TCP_Recv

; #FUNCTION# ====================================================================================================================
; Name...........: _UDP_Recv
; Description ...: Retrieves a UDP packet and returns its fields split into an array
; Syntax.........: _UDP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
; Parameters ....: $hCapture    - Capture handle
;                   $iInstance    - Instance (0-based index) of the packet to retrieve
;                   $iTimeOut    - Timeout in milliseconds (-1 = wait forever)
; Return values .: Success    - Array containing the packet data
;                   Failure    - -1 (timed out)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......: Assumes the capture filter only passes UDP (protocol field = 11). The IP header length is read
;                   from the IHL field, so IP options do not shift the UDP header and data.
; Related .......: _TCP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _UDP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $iTimer_Capture, $aPacket, $iPacket = 0, $iUDPStart

    $iTimer_Capture = TimerInit()

    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)

        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                Local $aUDPPacket[18]

                ;Ethernet header: 14 bytes = 28 hex chars (positions 3 to 30); destination MAC comes first on the wire
                $aUDPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination Mac Address
                $aUDPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source Mac Address
                $aUDPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type (0800 = IPv4)
                ;IPv4 header: starts at position 31, 20 bytes = 40 hex chars when there are no options
                $aUDPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length (IHL, in 32-bit words)
                $aUDPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differentiated Services Field
                $aUDPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
                $aUDPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
                $aUDPPacket[7] = StringMid($aPacket[3], 43, 4) ;Flags & Fragment offset
                $aUDPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
                $aUDPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol (11 = UDP)
                $aUDPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
                $aUDPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
                $aUDPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
                ;UDP header: 8 bytes = 16 hex chars, starts right after the IP header (position 71 when IHL = 5)
                $iUDPStart = 31 + Dec(StringMid($aPacket[3], 32, 1)) * 8 ;IHL * 4 bytes * 2 hex chars per byte
                $aUDPPacket[13] = StringMid($aPacket[3], $iUDPStart, 4) ;Source port
                $aUDPPacket[14] = StringMid($aPacket[3], $iUDPStart + 4, 4) ;Destination port
                $aUDPPacket[15] = StringMid($aPacket[3], $iUDPStart + 8, 4) ;Length (UDP header + data, in bytes)
                $aUDPPacket[16] = StringMid($aPacket[3], $iUDPStart + 12, 4) ;Checksum
                $aUDPPacket[17] = StringTrimLeft($aPacket[3], $iUDPStart + 15) ;Data

                Return $aUDPPacket
            EndIf
            $iPacket += 1
        EndIf

        Sleep(50)
    WEnd

    Return -1
EndFunc   ;==>_UDP_Recv

;for example, convert the packet's source/dest IP Address field to text
; #FUNCTION# ====================================================================================================================
; Name...........: _HexIPAddressToText
; Description ...: Converts a hex IPv4 address (8 hex chars, e.g. C0A8010A) to dotted text
; Syntax.........: _HexIPAddressToText($vhexIPAddress)
; Parameters ....: $vhexIPAddress    - IP Address v4 as 8 hex characters (string)
; Return values .: Success    - Converted IP Address (e.g. 192.168.1.10)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _HexIPAddressToText($vhexIPAddress)
    Local $sIPAddress = ""

    For $iOffset = 1 To 8 Step 2 ;one byte (2 hex chars) per octet
        $sIPAddress &= Dec(StringMid($vhexIPAddress, $iOffset, 2)) & "."
    Next

    Return StringTrimRight($sIPAddress, 1) ;drop the trailing dot
EndFunc   ;==>_HexIPAddressToText

Oops, almost forgot the Winpcap UDF available here: http://opensource.grisambre.net/pcapau3/

PS: If you find this helpful, please "like"/rate this post.

Enjoy!

Edited by FireFox

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture tool | IP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

How do I get the URI of an HTTP packet with WinPcap?


#4 ·  Posted (edited)

@Ontosy

Here you go:

#include <String.au3>
...
Global $aPacket = _TCP_Recv(...)

If IsArray($aPacket) Then ;-1 on timeout, so check before indexing
    If Dec($aPacket[14]) = 80 Then ;Destination port = 80: the request sent to the web server (the reply has source port 80 and carries no URI)
        $sPacketText = _HexToString($aPacket[20]) ;Data field, hex to text

        ... ;process
    EndIf
EndIf

In the $sPacketText you will have the request header where you will be able to retrieve the URI.

Br, FireFox.

Edited by FireFox
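Added example, not FireFox's code nor part of the Winpcap UDF: the header splitting from post #1 and the request-URI check from post #4, redone in Python on a constructed frame so it can be run offline. It assumes the UDF hands back the frame as a "0x"-prefixed hex string (which is what the StringMid offsets starting at 3 imply), reads the IP header length (IHL) and TCP data offset instead of using fixed positions, and restates in tcp_bytes() the pcap tcp[N:size] semantics discussed in post #1; all function names are mine.

```python
"""Header-aware split of a hex-dumped Ethernet/IPv4/TCP frame, the pcap tcp[N:size]
semantics from post #1, and the request-URI check from post #4 (added example)."""
import struct

def build_sample_frame() -> bytes:
    """Constructed frame, not a real capture: 14-byte Ethernet, 20-byte IPv4, 32-byte
    TCP header (NOP, NOP, timestamp option) and a 16-byte payload whose bytes 8..11
    are AA BB CC DD."""
    payload = b"GET /ix " + bytes.fromhex("AABBCCDD") + b"\r\n\r\n"
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899AABB") + b"\x08\x00"
    tcp_opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0x11223344, 0x55667788,
                      (32 // 4) << 4, 0x18, 65535, 0, 0) + tcp_opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    return eth + ip + tcp + payload

def parse_frame(hex_dump: str) -> dict:
    """Split a "0x..." hex dump (the layout $aPacket[3] is assumed to have) into fields,
    reading IHL and the TCP data offset instead of relying on fixed positions."""
    frame = bytes.fromhex(hex_dump[2:] if hex_dump[:2].lower() == "0x" else hex_dump)
    if int.from_bytes(frame[12:14], "big") != 0x0800:
        raise ValueError("not IPv4")
    if frame[23] != 6:
        raise ValueError("not TCP")
    tcp = 14 + (frame[14] & 0x0F) * 4        # TCP header start; IHL*4 is 20 without options
    sport, dport, seq, ack = struct.unpack("!HHII", frame[tcp:tcp + 12])
    data_off = (frame[tcp + 12] >> 4) * 4    # TCP header length; 20 without options
    return {"dst_mac": frame[0:6].hex(), "src_mac": frame[6:12].hex(), "ttl": frame[22],
            "src_ip": ".".join(str(b) for b in frame[26:30]),
            "dst_ip": ".".join(str(b) for b in frame[30:34]),
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": frame[tcp + 13], "payload": frame[tcp + data_off:]}

def tcp_bytes(frame: bytes, offset: int, size: int) -> int:
    """pcap 'tcp[offset:size]': offset counts from the START of the TCP header."""
    tcp = 14 + (frame[14] & 0x0F) * 4
    return int.from_bytes(frame[tcp + offset:tcp + offset + size], "big")

def payload_word_at(frame: bytes, at: int) -> int:
    """Same as the filter tcp[((tcp[12]&0xf0)>>2)+at:4]: 4 bytes at payload offset 'at'."""
    return tcp_bytes(frame, ((tcp_bytes(frame, 12, 1) & 0xF0) >> 2) + at, 4)

def fixed_offset_payload(frame: bytes) -> bytes:
    """What StringTrimLeft($aPacket[3], 110) returns: everything after byte 54, which
    is the option bytes rather than the data whenever the TCP header has options."""
    return frame[54:]

def http_request_uri(payload: bytes):
    """Request-target of an HTTP/1.x request line, else None (a segment with source
    port 80 is the server's response and never carries the client's URI)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        return parts[1].decode("ascii", "replace")
    return None

SAMPLE = build_sample_frame()
HEX_DUMP = "0x" + SAMPLE.hex().upper()   # the form the UDF is assumed to hand back
```

On the sample, tcp_bytes(SAMPLE, 8, 4) returns the acknowledgment number while payload_word_at(SAMPLE, 8) returns 0xAABBCCDD, and fixed_offset_payload() starts with the NOP option bytes instead of the data.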

#5 ·  Posted (edited)

ty

Edited by Ontosy
