Thread: C++ packet sniffer

  1. #1
    Registered User
    Join Date: Jul 2011 | Posts: 5

    C++ packet sniffer

    Hello guys.
    Soo... I have some knowledge about C++, I read (and understand) some networking, and I want to implement my own packet sniffer. The problem is that nowhere is there a well-explained one. So my answer is... how can I learn to make my own packet sniffer and where to learn it... what steps to follow?

    Best regards.

  2. #2
    Swarvy (Registered User)
    Join Date: Apr 2008 | Location: United Kingdom | Posts: 195
    Some would question why you would be interested in learning how to make a packet sniffer. Since there are some legitimate uses to them, I won't ask you those questions. Have you tried looking up WinPcap?

  3. #3
    Registered User
    Join Date: Jul 2011 | Posts: 5
    Quote Originally Posted by Swarvy View Post
    Some would question why you would be interested in learning how to make a packet sniffer. Since there are some legitimate uses to them, I won't ask you those questions. Have you tried looking up WinPcap?
    Well... there are a couple of reasons. First of all, I want to learn, maybe in the future write my own firewall. I would like to grow my knowledge.
    Second... I would like to demonstrate to some guy that I can do something we placed a bet on.
    But the main reason is that I really want to learn more about programming.

    Yes, I checked WinPcap, but it doesn't explain how to focus on a certain application that has higher risks than others.

    Thank you for your reply.

  4. #4
    MK27 (spurious conceit)
    Join Date: Jul 2008 | Location: segmentation fault | Posts: 8,300
    There are probably more legitimate reasons to use a packet sniffer than illegitimate ones, esp. if you are doing network programming -- it is more or less essential.

    Wireshark is open source and available for all platforms. You probably don't need to go through Wireshark unless you are really interested, though. I wrote a packet sniffer a few years ago after reading this:

    Programming with pcap

    WinPcap is a Windows port of libpcap, so that might help.

    Or, of course, if you just need a packet sniffer, use Wireshark. WRT "how to focus on certain application that has higher risks", this is below the application layer. You can focus on whatever you want; the packet sniffer exposes everything indiscriminately. If you want to focus on a particular application, you will have to figure out how to differentiate its messages from anything else, and write a filter or something.
    Last edited by MK27; 07-11-2011 at 07:41 AM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  5. #5
    Registered User
    Join Date: Jul 2011 | Posts: 5
    Quote Originally Posted by MK27 View Post
    There are probably more legitimate reasons to use a packet sniffer than illegitimate ones, esp. if you are doing network programming -- it is more or less essential.

    Wireshark is open source and available for all platforms. You probably don't need to go through Wireshark unless you are really interested, though. I wrote a packet sniffer a few years ago after reading this:

    Programming with pcap

    WinPcap is a Windows port of libpcap, so that might help.

    Or, of course, if you just need a packet sniffer, use Wireshark. WRT "how to focus on certain application that has higher risks", this is below the application layer. You can focus on whatever you want; the packet sniffer exposes everything indiscriminately. If you want to focus on a particular application, you will have to figure out how to differentiate its messages from anything else, and write a filter or something.
    Thank you for your reply.

    I should have said that I tried to follow the libpcap tutorials, seeing them a little better explained than the ones from WinPcap, but the methods used by one weren't the same for the other. Or I just messed up somewhere.

    Thank you for the link.


    L.E.: I come with a brand new question. (Excuse my English.)

    If filtering one port is something like:
    char filter_exp[] = "port 80";
    pcap_compile(handle, &fp, filter_exp, 0, net);

    how should I do it for 2 or 3 ports?

    Can I use:
    char filter_exp[] = "port 80 || port 8080";
    or
    char filter_exp[] = "port 80 port 8080";

    Best regards.
    Last edited by Balta Romeo; 07-11-2011 at 09:34 AM.

  6. #6
    Registered User
    Join Date: Jul 2011 | Posts: 5
    I just managed to make a sniffer. And it works. After hours of deep concentration.

    My next problem is: I can't edit the packets. I need to somehow modify some of the packets.

    So I need to be guided in learning how to add a packet injection option to my packet sniffer.
    Last edited by Balta Romeo; 07-12-2011 at 12:41 PM.

  7. #7
    Registered User
    Join Date: Jul 2011 | Posts: 5
    Hello. Me again.

    I want to know if there's a possibility to decode this packet I sniffed from my PC traffic:


    There's no specific packet, just a random one. I just want to know if there is a possibility to decode data, and if there is, can you explain that possibility to me?

    On the left are the hex values and on the right some decoding I tried to do.
    Last edited by Balta Romeo; 07-18-2011 at 03:10 AM.

  8. #8
    Salem (and the hat of int overfl)
    Join Date: Aug 2001 | Location: The edge of the known universe | Posts: 39,659
    Use wireshark and see how it decodes the packet (assuming that it can).

    Besides, a few random bytes is meaningless.
    Seeing the packet in context of an overall protocol exchange would tell you more than simply looking at the bytes could.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  9. #9
    iMalc (Algorithm Dissector)
    Join Date: Dec 2005 | Location: New Zealand | Posts: 6,318
    Quote Originally Posted by Balta Romeo View Post
    My next problem is : i can't edit the packets. I need to somehow modify some of the packets.
    Why on earth would you need to modify some of the packets? It almost sounds like you intend to retransmit them with their modifications...
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"
