
c++ packet reading


Apocalypse

I have been using Wireshark to track the packets coming from a port and IP of my choice, and I think I have figured out how to decript the packet data. I would like to write a C++ (with or without AutoItX) program to read the packets from a prespecified port and IP, run my decription algorithm, and output it to a log.txt file. I can do everything except read the packets. So any advise or tutorials would be appreciated. Thank you.

Richard Robertson

First of all, the word is "decrypt." Also, "advice" is the noun, "advise" is the verb.

Have you bothered to search the internet for anything like this? I just found the source code for Wireshark on SourceForge. http://sourceforge.net/project/showfiles.p...lease_id=483259

zatorg

Hey Apocalypse,

I have just read your post; maybe you've already figured it out, but I'll still explain it a bit.

So as I understand it, you're trying to write some sort of sniffer (by 'prespecified IP' you mean a local interface IP?). If so, well, some time ago I wrote a mini-sniffer for my classmate... It's in Lithuanian, and commented in Lithuanian as well... Whatever.

Here are the micro-sources :) k.jakeliunas.com/sniukst

Anyway, I will tell you how sniffing is done. Basically, you create a RAW (neither TCP nor UDP) socket:

SOCKET s = socket( AF_INET, SOCK_RAW, IPPROTO_IP );
(You have to be an admin to create a RAW socket).

Next, you bind() it to your preferred local interface.

 char name[ 256 ];
 hostent * pHE;
 sockaddr_in sa;
 gethostname( name, sizeof( name ) ); // get the name of localhost
 pHE = gethostbyname( name );          // get info about localhost inc. the local IP
 if( pHE == NULL )
 {
     // lookup failed: check WSAGetLastError() and bail out
 }

 ZeroMemory( &sa, sizeof( sockaddr_in ) );
 sa.sin_family = AF_INET;
 sa.sin_addr.s_addr =                  // fill the struct: the IP to bind to
 (  (in_addr *)                        // cast
    pHE->h_addr_list[ 0 ]              // the first address entry
 ) -> s_addr;                          // it holds various info. We need the IP
 // then you bind() like this:
 bind( s, (SOCKADDR *) /* cast again */ &sa, sizeof( sa ) );

And then, you put the socket into promiscuous mode. When the socket is in promiscuous mode, it receives ALL the data that passes through your LAN/WLAN card. Pretty nifty :)

[see the sources for how it is done, I'm too lazy to comment... Or refer to MSDN instead...]

And then, you poll for data with the usual recv():

 int i, j;
 for(;; )
     {
         i /* how much received */ = recv( s, Buffer, sizeOfTheBuffer, 0 );
         if( i <= 0 )
         {
             // end of the game: 0 = closed, SOCKET_ERROR = check WSAGetLastError()
             break;
         }

         printf( "\n <<< A new packet has arrived >>>\n" );
         for( j = 0; j < i; j ++ )
         {
             if( (unsigned char) Buffer[ j ] >= 32 &&
                 (unsigned char) Buffer[ j ] <= 126
             ) // if it's a printable char (cast to unsigned so high bytes don't go negative)
             {
                 putchar( Buffer[ j ] );
             }
             else
             {
                 putchar( '?' );
             }
         }
         printf( "\n [End of Packet]\n" );
     }
You can change it to log everything to a file (with standard C's fprintf() or with C++'s <iostream>; it should be pretty simple). As you can see, it's more like an example/PoC than a real program... Anyway, hope everything goes well (for some reason WSAIoctl() didn't work on my PC whereas it worked on my friend's. Anyway, if you remove WSAIoctl() you will only sniff the incoming traffic).

Cheers

Kostas

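The pipeline the original poster describes (keep only packets to or from a chosen IP and port, run your own decryption, append to a log), written as an added example that is not from this thread or from zatorg's sources. It takes the buffer a SOCK_RAW/IPPROTO_IP socket hands to recv(), which on Windows starts with the IPv4 header, parses the IPv4 and TCP headers, and extracts the TCP payload. The peer address 10.0.0.1:7777, the sample packet bytes and the XOR "decryption" are constructed stand-ins; the thread never shows the real algorithm.

```cpp
// Added example (not code from the thread): turn one raw IPv4 datagram, as read
// by recv() on a SOCK_RAW/IPPROTO_IP socket, into "payload from/to my peer",
// decrypt it, and append it to a log. Peer address, packet bytes and the XOR
// "cipher" below are constructed stand-ins for the poster's real values.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct TcpSegment {
    std::string srcIp, dstIp;
    uint16_t srcPort = 0, dstPort = 0;
    std::vector<uint8_t> payload;       // TCP data after the header and options
};

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }

static std::string ipv4ToString(const uint8_t* p) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u",
                  (unsigned)p[0], (unsigned)p[1], (unsigned)p[2], (unsigned)p[3]);
    return buf;
}

// Parse IPv4 (RFC 791) + TCP (RFC 793) headers. Every length is checked against
// `len`, the byte count recv() actually returned: a sniffer sees whatever is on
// the wire, so headers may be truncated or deliberately malformed. IP and TCP
// options are skipped via the IHL and data-offset fields; non-first fragments
// are rejected because they carry a mid-stream slice with no TCP header.
bool parseIpv4Tcp(const uint8_t* buf, size_t len, TcpSegment& out) {
    if (len < 20 || (buf[0] >> 4) != 4) return false;        // too short / not IPv4
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;                // header length in bytes
    size_t totalLen = be16(buf + 2);                         // length the header claims
    if (ihl < 20 || totalLen < ihl || totalLen > len) return false;
    if ((be16(buf + 6) & 0x1FFF) != 0) return false;         // fragment offset != 0
    if (buf[9] != 6) return false;                           // protocol 6 = TCP
    const uint8_t* tcp = buf + ihl;
    size_t tcpLen = totalLen - ihl;
    if (tcpLen < 20) return false;                           // minimum TCP header
    size_t dataOff = (size_t)(tcp[12] >> 4) * 4;             // TCP header length in bytes
    if (dataOff < 20 || dataOff > tcpLen) return false;
    out.srcIp = ipv4ToString(buf + 12);
    out.dstIp = ipv4ToString(buf + 16);
    out.srcPort = be16(tcp);
    out.dstPort = be16(tcp + 2);
    out.payload.assign(tcp + dataOff, tcp + tcpLen);
    return true;
}

// The poster's filter: only traffic to or from the chosen peer IP and port.
bool matchesPeer(const TcpSegment& s, const std::string& ip, uint16_t port) {
    return (s.srcIp == ip && s.srcPort == port) || (s.dstIp == ip && s.dstPort == port);
}

// Stand-in for the poster's own algorithm (assumption: a single-byte XOR),
// present only so the whole pipeline can be exercised end to end.
std::vector<uint8_t> decryptPayload(const std::vector<uint8_t>& in) {
    std::vector<uint8_t> out(in);
    for (uint8_t& b : out) b ^= 0x5A;
    return out;
}

// Append one decrypted payload to the log as a hex dump; returns bytes logged.
size_t logPayload(std::FILE* log, const TcpSegment& s, const std::vector<uint8_t>& data) {
    std::fprintf(log, "%s:%u -> %s:%u (%zu bytes)\n", s.srcIp.c_str(), (unsigned)s.srcPort,
                 s.dstIp.c_str(), (unsigned)s.dstPort, data.size());
    for (size_t i = 0; i < data.size(); ++i)
        std::fprintf(log, "%02x%s", data[i], ((i + 1) % 16 == 0 || i + 1 == data.size()) ? "\n" : " ");
    return data.size();
}

// Full pipeline for one recv() buffer: parse, filter, decrypt, log.
// Returns the number of decrypted bytes logged, or -1 if the packet was ignored.
long processPacket(const uint8_t* buf, size_t len, const std::string& peerIp,
                   uint16_t peerPort, std::FILE* log) {
    TcpSegment seg;
    if (!parseIpv4Tcp(buf, len, seg) || !matchesPeer(seg, peerIp, peerPort)) return -1;
    return (long)logPayload(log, seg, decryptPayload(seg.payload));
}

// Constructed sample: IPv4/TCP, 10.0.0.2:40000 -> 10.0.0.1:7777, PSH|ACK,
// 5 payload bytes that XOR-decrypt to "hello". Checksums are zero (not verified).
static const uint8_t kSamplePacket[] = {
    0x45, 0x00, 0x00, 0x2D, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x02, 0x0A, 0x00, 0x00, 0x01,                        // IPv4 header
    0x9C, 0x40, 0x1E, 0x61, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x18, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,                        // TCP header
    0x32, 0x3F, 0x36, 0x36, 0x35                                           // payload
};

int main() {
    std::FILE* log = std::fopen("log.txt", "a");   // the poster's log file
    if (!log) log = stdout;
    long n = processPacket(kSamplePacket, sizeof kSamplePacket, "10.0.0.1", 7777, log);
    std::printf("logged %ld payload bytes\n", n);
    if (log != stdout) std::fclose(log);
    return 0;
}
```

Wire it into zatorg's loop by calling processPacket(Buffer, i, ...) after each successful recv(). Two caveats from practice: every length field is validated against the number of bytes actually received, because a raw socket delivers whatever arrived, including truncated or deliberately malformed headers; and the parser assumes the buffer starts at the IP header, which is what a Winsock raw socket with SIO_RCVALL delivers. A Linux AF_PACKET/SOCK_RAW socket prepends the 14-byte Ethernet header, so skip it before parsing, and TCP data split across several segments still has to be reassembled by sequence number before a stream cipher will decrypt it correctly.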