C++ packet sniffer

This is a discussion on C++ packet sniffer within the C++ Programming forums, part of the General Programming Boards category; Hello guys. Soo... i have some knowledge about C++, i read (and understand) some networking, and i want to implement ...

  1. #1
    Registered User
    Join Date
    Jul 2011
    Posts
    5

    C++ packet sniffer

    Hello guys.
    Soo... i have some knowledge about C++, i read (and understand) some networking, and i want to implement my own packet sniffer. The problem is that nowhere is a well explained one. So my answer is... how can i learn to make my own packet sniffer and where to learn it... what steps to follow?

    Best regards.

  2. #2
    Registered User Swarvy's Avatar
    Join Date
    Apr 2008
    Location
    United Kingdom
    Posts
    195
    Some would question why you would be interested in learning how to make a packet sniffer. Since there are some legitimate uses to them, I won't ask you those questions. Have you tried looking up WinPcap?

  3. #3
    Registered User
    Join Date
    Jul 2011
    Posts
    5
    Quote Originally Posted by Swarvy View Post
    Some would question why you would be interested in learning how to make a packet sniffer. Since there are some legitimate uses to them, I won't ask you those questions. Have you tried looking up WinPcap?
    Well.. there are a couple of reasons. First of all i want to learn, maybe in the future write my own firewall. I would like to grow my knowledge.
    Second... i would like to demonstrate to some guy that i can do something we placed a bet on.
    But the main reason is that i really want to learn more about programming.

    Yes i checked WinPcap, but it doesn't explain how to focus on certain application that has higher risks than other.

    Thank you for your reply.

  4. #4
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    There are probably more legitimate reasons to use a packet sniffer than illegitimate ones, esp. if you are doing network programming -- it is more or less essential.

    Wireshark is open source and available for all platforms. You probably don't need to go thru wireshark unless you are really interested, tho. I wrote a packet sniffer a few years ago after reading this:

    Programming with pcap

    WinPcap is a windows port of libpcap, so that might help.

    Or, of course, if you just need a packet sniffer, use wireshark. WRT "how to focus on certain application that has higher risks", this is below the application layer. You can focus on whatever you want, the packet sniffer exposes everything indescriminately. If you want to focus on a particular application, you will have to figure out how to differentiate its messages from anything else, and write a filter or something.
    Last edited by MK27; 07-11-2011 at 07:41 AM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  5. #5
    Registered User
    Join Date
    Jul 2011
    Posts
    5
    Quote Originally Posted by MK27 View Post
    There are probably more legitimate reasons to use a packet sniffer than illegitimate ones, esp. if you are doing network programming -- it is more or less essential.

    Wireshark is open source and available for all platforms. You probably don't need to go thru wireshark unless you are really interested, tho. I wrote a packet sniffer a few years ago after reading this:

    Programming with pcap

    WinPcap is a windows port of libpcap, so that might help.

    Or, of course, if you just need a packet sniffer, use wireshark. WRT "how to focus on certain application that has higher risks", this is below the application layer. You can focus on whatever you want, the packet sniffer exposes everything indescriminately. If you want to focus on a particular application, you will have to figure out how to differentiate its messages from anything else, and write a filter or something.
    Thank you for your reply.

    I should have told that i tried to follow the libpcap tutorials seeing them a little more explained than the ones from winpcap but the methods used by one weren't the same for the other. Or i just messed up somewhere.

    Thank you for the link.


    L.E. : I come with a brand new question. (excuse my english)

    if for filtering one port is something like:
    char filter_exp[] = "port 80";
    pcap_compile(handle, &fp, filter_exp, 0, net)

    how should i do for 2 or 3 ports?

    can i use:
    char filter_exp[] = "port 80 || port 8080";
    or
    char filter_exp[] = "port 80 port 8080";

    Best regards.
    Last edited by Balta Romeo; 07-11-2011 at 09:34 AM.

  6. #6
    Registered User
    Join Date
    Jul 2011
    Posts
    5
    I just managed to do a sniffer. And it works. After hours of deep concentration.

    My next problem is : i can't edit the packets. I need to somehow modify some of the packets.

    So i need to be guided in the way of learning how to add a packet injection option to my packet sniffer.
    Last edited by Balta Romeo; 07-12-2011 at 12:41 PM.

  7. #7
    Registered User
    Join Date
    Jul 2011
    Posts
    5
    hello. me again.

    i want to know if there's a possibility to decode this packet i sniffed from my pc traffic:

    17 03 01 01 1A 8D 30 F1 80 32 36 FF F3 65 20 31 ......0.26..e 1
    1E 65 47 24 65 14 83 84 DF 84 0D 4D 54 46 B8 98 .eG$e......MTF..
    76 E1 F9 A4 6B 6F 1C E5 41 93 B9 DB 4A F9 B6 95 v...ko..A...J...
    21 F4 71 BF DF 57 5F 75 C4 2F 69 39 2F C1 6F 9D !.q..W_u./i9/.o.
    AC 1D 09 EB 2C FA 86 05 BD 67 F1 E3 E4 A8 DE 1E ....,....g......
    BE 0A 74 21 39 AC 08 C0 60 B0 44 CD AF 9E 85 4A ..t!9...`.D....J
    3A 0D F9 50 B4 06 11 4E 08 70 17 D3 C4 DA 49 02 :..P...N.p....I.
    2A 73 78 99 8B 39 6F AD 40 CD 0D 2F B5 CD 1E AA *sx..9o.@../....
    54 F2 02 E4 A9 2D AE 84 83 A3 FA 09 46 85 D5 FC T....-......F...
    F8 0B 5F 36 2A 40 D7 4F 9A E5 32 49 D4 B5 E4 07 .._6*@.O..2I....
    A7 8E BB 18 10 57 6E 63 39 40 5C 67 48 CE EB 15 .....Wnc9@\gH...
    CF 18 56 3E BA 3B F3 4C 90 1E 7E E9 56 3F 60 F9 ..V>.;.L..~.V?`.
    86 93 09 B2 14 74 E7 7C E0 18 9B C8 31 5D 0B BF .....t.|....1]..
    1E 24 40 2D 4A 5E 69 48 97 04 77 9E 1C D2 90 E0 .$@-J^iH..w.....
    22 58 6F F0 AD 66 99 69 CC 2C E0 EE 0D A5 4C 27 "Xo..f.i.,....L'
    31 B9 F3 36 09 4D 6F 65 82 0E FC BA 6A C4 02 3F 1..6.Moe....j..?
    B6 61 14 BD DB CF D1 86 05 EA 49 2F 77 7F 92 03 .a........I/w..
    FE 03 0D 4A D6 B0 65 B2 DD 72 3F B2 31 02 E9 ...J..e..r?.1..

    there's no specific packet just a random one. i just want to know if there is a possibility to decode data. and if it is, can you explain me that possibility?

    in the left are the hex values and in the right some decoding i tried to do
    Last edited by Balta Romeo; 07-18-2011 at 03:10 AM.

  8. #8
    and the hat of wrongness Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    32,452
    Use wireshark and see how it decodes the packet (assuming that it can).

    Besides, a few random bytes is meaningless.
    Seeing the packet in context of an overall protocol exchange would tell you more than simply looking at the bytes could.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
    I support http://www.ukip.org/ as the first necessary step to a free Europe.

  9. #9
    Algorithm Dissector iMalc's Avatar
    Join Date
    Dec 2005
    Location
    New Zealand
    Posts
    6,295
    Quote Originally Posted by Balta Romeo View Post
    My next problem is : i can't edit the packets. I need to somehow modify some of the packets.
    Why on earth would you need to modify some of the packets? It almost soujnd like you intend to retransmit them with their modifications...
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. How to make a Packet sniffer/filter?
    By shown in forum C++ Programming
    Replies: 2
    Last Post: 02-22-2009, 08:51 PM
  2. Little sniffer
    By Makiz0rz in forum C Programming
    Replies: 8
    Last Post: 12-11-2008, 08:26 PM
  3. packet sniffer
    By l2u in forum Networking/Device Communication
    Replies: 6
    Last Post: 09-20-2007, 08:53 PM
  4. My packet sniffer
    By Mad_guy in forum A Brief History of Cprogramming.com
    Replies: 0
    Last Post: 04-14-2007, 11:56 PM
  5. WinPcap Sniffer App Prob
    By GUI_XP in forum C++ Programming
    Replies: 3
    Last Post: 12-01-2002, 04:31 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21