Jump to content
Sign in to follow this  
FireFox

Winpcap filter and TCP/UDP packet splitter

Recommended Posts

Hi,

I have worked on a project for a friend and it needed to retreive some data in UDP packets, it was a challenge because I didn't know anything about that packets, and after few days of work I have managed to do what I wanted.

The hardest part was to set a very strict filter for the cpu usage and for the script optimisation, so here is one :

;use filters with _PcapStartCapture
;retreive only tcp packets containing AABBCCDD, at the start of 8 and with a length of 4; like the StringMid func.
tcp[8:4] == 0xAABBCCDD ;8th byte from the beginning of the tcp DATA, 4bytes length; always include the 0x to specify you are dealing with hex.

And some funcs to split the different data from packets :

;$hCapture is the handle returned by _PcapStartCapture
; #FUNCTION# ====================================================================================================================
; Name...........: _TCP_Recv
; Description ...: Retreives a TCP Packet and returns its data splitted
; Syntax.........: _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
; Parameters ....: $hCapture    - Capture handle
;                   $iInstance    - Instance of the packet to retreive
;                   $iTimeOut    - Timeout
; Return values .: Success    - Array containing the packet data
;                   Failure    - -1 (timedout)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......:
; Related .......: _UDP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $blPacketCaptured = False, $iTimer_Capture, $aPacket, $iPacket

    $iTimer_Capture = TimerInit()

    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)

        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                Local $aTCPPacket[21]

                $aTCPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination Mac Address
                $aTCPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source Mac Address
                $aTCPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type
                $aTCPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length
                $aTCPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differientiated Services Field
                $aTCPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
                $aTCPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
                $aTCPPacket[7] = StringMid($aPacket[3], 43, 4) ;Fragment offset
                $aTCPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
                $aTCPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol
                $aTCPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
                $aTCPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
                $aTCPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
                $aTCPPacket[13] = StringMid($aPacket[3], 71, 4) ;Source port
                $aTCPPacket[14] = StringMid($aPacket[3], 75, 4) ;Destination port
                $aTCPPacket[15] = StringMid($aPacket[3], 79, 8) ;Sequence number
                $aTCPPacket[16] = StringMid($aPacket[3], 87, 8) ;Acknowledgment number
                $aTCPPacket[17] = StringMid($aPacket[3], 95, 4) ;Flags
                $aTCPPacket[18] = StringMid($aPacket[3], 99, 4) ;Window size value
                $aTCPPacket[19] = StringMid($aPacket[3], 103, 4) ;Checksum
                ;107 to 110 = NULL data
                $aTCPPacket[20] = StringTrimLeft($aPacket[3], 110) ;Data

                Return $aTCPPacket
            EndIf
            $iPacket += 1
        EndIf

        Sleep(50)
    WEnd

    Return -1
EndFunc   ;==>_TCP_Recv

; #FUNCTION# ====================================================================================================================
; Name...........: _UDP_Recv
; Description ...: Retreives an UDP Packet and returns its data splitted
; Syntax.........: _UDP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
; Parameters ....: $hCapture    - Capture handle
;                   $iInstance    - Instance of the packet to retreive
;                   $iTimeOut    - Timeout
; Return values .: Success    - Array containing the packet data
;                   Failure    - -1 (timedout)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......:
; Related .......: _TCP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _UDP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $blPacketCaptured = False, $iTimer_Capture, $aPacket, $iPacket

    $iTimer_Capture = TimerInit()

    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)

        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                Local $aUDPPacket[18]

                $aUDPPacket[0] = StringMid($aPacket[3], 3, 12) ;Source Mac Address
                $aUDPPacket[1] = StringMid($aPacket[3], 15, 12) ;Destination Mac Address
                $aUDPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type
                $aUDPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length
                $aUDPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differientiated Services Field
                $aUDPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
                $aUDPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
                $aUDPPacket[7] = StringMid($aPacket[3], 43, 4) ;Fragment offset
                $aUDPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
                $aUDPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol
                $aUDPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
                $aUDPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
                $aUDPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
                $aUDPPacket[13] = StringMid($aPacket[3], 71, 4) ;Source port
                $aUDPPacket[14] = StringMid($aPacket[3], 75, 4) ;Destination port
                $aUDPPacket[15] = StringMid($aPacket[3], 79, 4) ;Length
                $aUDPPacket[16] = StringMid($aPacket[3], 83, 4) ;Checksum
                $aUDPPacket[17] = StringTrimLeft($aPacket[3], 86) ;Data

                Return $aUDPPacket
            EndIf
            $iPacket += 1
        EndIf

        Sleep(50)
    WEnd

    Return -1
EndFunc   ;==>_UDP_Recv

;for example convert the packet's source/dest IP Address to text
; #FUNCTION# ====================================================================================================================
; Name...........: _HexIPAddressToText
; Description ...: Converts Hex IP Adress to text
; Syntax.........: _HexIPAddressToText($vhexIPAddress)
; Parameters ....: $vIPAddress    - IP Address v4 (string, int)
; Return values .: Success    - Converted IP Address
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _HexIPAddressToText($vhexIPAddress)
    Local $sIPAddress

    For $iOffset = 1 To 8 Step 2
        $sIPAddress &= Dec(StringMid($vhexIPAddress, $iOffset, 2)) & "."
    Next

    Return StringTrimRight($sIPAddress, 1)
EndFunc   ;==>_UDP_DecodeIPAddress

Ops, almost forgot the Winpcap UDF available here : http://opensource.grisambre.net/pcapau3/

PS : If you find this helpful, please "like"/rate this post.

Enjoy :guitar:

Edited by FireFox

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites

Nice, I see a great opportunity to use in my project, thank you for sharing with us!

Regards,

João Carlos.


http://forum.autoitbrasil.com/ (AutoIt v3 Brazil!!!)

Somewhere Out ThereJames Ingram

somewh10.png

dropbo10.pngDownload Dropbox - Simplify your life!
Your virtual HD wherever you go, anywhere!

Share this post


Link to post
Share on other sites

@Ontosy

Here you go :

#include <String.au3>
...
Global $aPacket = _TCP_Recv(...)

If Dec($aPacket[13]) = 80 Then ;Source port = 80
$sPacketText = _HexToString($aTCPPacket[20])

... ;process
EndIf

In the $sPacketText you will have the request header where you will be able to retreive the URI.

Br, FireFox.

Edited by FireFox

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Similar Content

    • By AoRaToS
      I started working on this program in the summer then I stopped cause I faced some problems I couldn't overcome back then. Now that I've practiced more and have become a better scripter/programmer I'm releasing the program to the public to get some opinions. I know it's not a new concept but it's the first program I started besides some small stuff I did just for practice! I won't post the source code yet because it's still under construction, although I'm sure I've posted early stages of the code with bugs in the past in some topic...
      What I wanted was a simple, small, serverless program that would work without installation cause I wanted it for where I work, so I ended up with this!
       
      I have attached some images of various versions, also visit the forum thread.
       
      The package includes s!mpL3 LAN Messenger, the License Agreement and the change log.
       
      Current version 2.9.9.0! [13/06/2019]
       
      Check the Change Log below!
       
       
      http://www.autoitscript.com/forum/index.php?showtopic=88782
       
       
       
      Read the license before using this software.
       
    • By Rhidlor
      I don't have any experience compiling AutoIt scripts or know of any best practices regarding said scripts so I was wondering, what are some of the options for passing data to complied scripts? Here's an example of what I mean by "option": Writing data to a text file, then running a script which reads the data from that text file.
      Thanks!
      I apologize if this topic is a little lackluster
    • By HansHenrik
      ----------
      edit: this is probably in the wrong place, can a moderator move it to wherever it belongs?
      ----------

      is there any way to completely disable TCPTimeout and make TCPRecv() wait indefinitely? maybe setting it to 0 or -1 or something? 
      the docs doesn't seem to mention any way to disable it

      - the underlying C code would set SO_RCVTIMEO to 0 , aka

      DWORD timeout=0;
      setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
    • By smud
      Currently, I'm working on a program that will display Dialog boxes with either Yes or No.
      For each dialog, I reward the user with X amount of Credits.
      I'm hoping to output the amount of credits to a cell in a column (there will be 20 different columns).
      It will only post to a row that is equal to today's date (first column). If no row exists yet with the current date, it will start a new row.
      Any suggestions?
      Thank you
×
×
  • Create New...