[Winpcap-users] Is it possible to capture messages on Socket using WinPcap?
Guy Harris
guy at alum.mit.edu
Wed Aug 24 17:55:36 GMT 2005
Abdul Shahzad wrote:
> I need to know whether we can use WinPCap to monitor the messages
> flowing on Socket specifying the IP address and Port number.
> My requirement is that, the client is talking with server using Socket
> and I want to capture all the messages flowing to and fro on the socket.
That's possible, *IF* the client and server are running on different
machines.
> If it is possible then how?
windump -s 0 "(host {client IP} and {server IP}) and port {port number}"
will capture, on the default network interface, traffic going between
the client and server IP addresses, using the port number in question,
and print out some information about it. (The "-s 0" is important - if
you omit it, WinDump will only capture the first 96 bytes or so of the
packet, which might not include all of the information in the message.)
That's a bit of a "lazy" filter, because it'll capture traffic going to
that port number on the server *or* the client, but it's probably good
enough. (The "correct" filter is a lot more work, and probably won't
discard much more "uninteresting" traffic.)
WinDump might not know about the protocol those messages are using; you
can see the raw bytes of the traffic in hex if you also use the "-x"
flag to WinDump, or the raw bytes in hex and ASCII if you use "-X".
If the default network interface isn't the right one, that won't do what
you want. Run
windump -D
to get a list of interfaces; the list will include numbers before the
names and descriptions of the interfaces - you would use the number with
the "-i" option:
windump -i 2 -s 0 "(host {client IP} and {server IP}) and port {port number}"
if the right interface had the number 2.
Ethereal and Tethereal might include a dissector for your protocol; they
use the same syntax, for capture filters, as WinDump. The same is true
of Analyzer.
If they don't, you'll have to write your own code for WinDump, or for
Ethereal and Tethereal or Analyzer, to decode your protocol.
> Can you provide me with sample.
If you want to write your own code to capture those messages, you might
want to look at
http://www.tcpdump.org/pcap.htm
and at the "sniffex.c" example file to which it refers, but note that
1) that code hasn't (yet) been tested on Windows
and
2) more importantly, the hardest part is not going to be capturing the
traffic, it'll be doing something with the data you've captured - when
you capture with libpcap/WinPcap, what you get is *raw* packet data,
complete with the link-layer header and any other protocol headers that
come before your protocol's header, such as the IPv4 header or IPv6
header(s) and the TCP header. sniffex.c will process those headers,
skip past them, and dump the data in hex and ASCII, but doing anything
more than that would require code to be written to decode the protocol
running on top of TCP (or whatever protocol is being used). In that
case, you might as well use the existing infrastructure of WinDump,
Ethereal/Tethereal, or Analyzer, rather than writing your own code to do
all the work.
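The header-skipping described above (Ethernet header, then IPv4 header, then TCP header, then the payload) and the "lazy" host-and-port filter from earlier in the reply, shown in code as an added example. This is not sniffex.c and not code from the original message or from the WinPcap project: it takes an already-captured frame as a byte array (the bytes below are a constructed 10.0.0.1:50000 -> 10.0.0.2:8080 frame, not a real capture), checks every header length against the captured length so a frame cut short by a small snaplen is rejected rather than read past its end, and dumps the payload in hex and ASCII the way "-X" does. Hooking it to a real pcap_loop() callback is assumed to be done by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What is left after the Ethernet, IPv4 and TCP headers have been skipped. */
struct tcp_view {
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk Ethernet II -> IPv4 -> TCP. Returns 0 and fills *out on success, -1 if the
   frame is not IPv4/TCP or any header runs past the captured bytes (a short
   snaplen truncates frames, so every length is checked against caplen). */
int parse_eth_ipv4_tcp(const uint8_t *frame, size_t caplen, struct tcp_view *out)
{
    if (caplen < 14 || rd16(frame + 12) != 0x0800) return -1;   /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t rem = caplen - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                    /* IPv4 header length */
    size_t total = rd16(ip + 2);                                 /* IPv4 total length */
    if (ihl < 20 || total < ihl || total > rem) return -1;
    if (ip[9] != 6) return -1;                                   /* protocol 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    if (tcp_len < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                   /* TCP data offset */
    if (doff < 20 || doff > tcp_len) return -1;
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->payload = tcp + doff;
    out->payload_len = tcp_len - doff;
    return 0;
}

/* Software equivalent of the "lazy" capture filter
   "(host A and host B) and port P": the two hosts in either direction, and P
   as source *or* destination port. */
int matches_lazy_filter(const struct tcp_view *v, uint32_t a, uint32_t b, uint16_t port)
{
    int hosts = (v->src_ip == a && v->dst_ip == b) || (v->src_ip == b && v->dst_ip == a);
    return hosts && (v->src_port == port || v->dst_port == port);
}

/* Hex + ASCII dump, 16 bytes per line, in the spirit of "windump -X". */
void dump_hex_ascii(const uint8_t *p, size_t n)
{
    for (size_t off = 0; off < n; off += 16) {
        printf("%04zx  ", off);
        for (size_t i = 0; i < 16; i++)
            if (off + i < n) printf("%02x ", p[off + i]); else printf("   ");
        printf(" ");
        for (size_t i = 0; i < 16 && off + i < n; i++)
            putchar(p[off + i] >= 0x20 && p[off + i] < 0x7f ? p[off + i] : '.');
        putchar('\n');
    }
}

/* Constructed sample frame (not a real capture): 10.0.0.1:50000 -> 10.0.0.2:8080,
   PSH|ACK, carrying the 7-byte payload "HELLO\r\n". Checksums are left zero. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2f, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 ... */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                /* src, dst */
    0xc3,0x50, 0x1f,0x90, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,          /* TCP ports, seq, ack */
    0x50,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,                              /* doff=5, flags, win, csum, urg */
    'H','E','L','L','O','\r','\n'                                            /* payload */
};
const size_t SAMPLE_FRAME_LEN = sizeof SAMPLE_FRAME;

int main(void)
{
    struct tcp_view v;
    if (parse_eth_ipv4_tcp(SAMPLE_FRAME, SAMPLE_FRAME_LEN, &v) != 0) return 1;
    if (matches_lazy_filter(&v, 0x0a000001u, 0x0a000002u, 8080))
        dump_hex_ascii(v.payload, v.payload_len);
    return 0;
}
```

Passing a caplen smaller than the frame's IPv4 total length (what a 96-byte default snaplen does to larger packets) makes parse_eth_ipv4_tcp() return -1, which is the programmatic face of the "-s 0" advice above; IP options and TCP options are handled by reading the header-length fields rather than assuming 20 bytes each.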