[Winpcap-users] Need help for capture packets on winxp box

yunshu at ph4nt0m.org yunshu at ph4nt0m.org
Thu May 25 11:23:15 GMT 2006 

Hello,could you help me for this code?I'll be crazy!!It workd yesterday noon.
But in afternoon,I did some change,it can't capture any IP Protocol packets.
I don't know if I did the wrong judge at decoding ethernet packets.when it run,
the protocol number is very strange.

you can also see http://www.icylife.net/simple_capture.cpp

#include <stdio.h>
#include <winsock2.h>
#include <iphlpapi.h>
#include "../WpdPack/Include/packet32.h"

#define DEBUG

#define ETH_IP   0x0800      //IP Protocol
#define ETH_ARP   0x0806      //ARP Protocol

#define TERMINAL_PORT 3389
#define MAX_ADAPTER_NUM 10                          //number of network adapter 

#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020  //promiscuous mode

typedef struct ethdr        //ethernet packet
{
 unsigned char  eth_dst[16];      //mac address of destination host
 unsigned char  eth_src[16];      //mac address of source host
 unsigned short eth_type;      //ethernet type
}ETH_HDR;

typedef struct iphdr        //IP packet
{
 unsigned char  h_lenver;      //4 bytes Version,4 bytes IP header length 
 unsigned char  tos;        //8 bytes TOS
 unsigned short total_len;      //16 bytes total length
 unsigned short ident;       //16 bytes Identification
 unsigned short frag_and_flags;     //3 bytes flag
 unsigned char  ttl;        //8 bytes TTL
 unsigned char  protocol;      //8 bytes protocol(TCP, UDP or other)
 unsigned short checksum;      //16 bytes IP header checksum
 unsigned int   sourceip;      //32 bytes source IP address
 unsigned int   destip;       //32 bytes distination ip address
}IP_HDR;

typedef struct tcp_hdr        //TCP header
{
    USHORT   th_sport;      //16 source port
    USHORT   th_dport;      //16 distination port
    unsigned int    th_seq;       //32 bytes sequence number
    unsigned int    th_ack;       //32 bytes acknowledgment number
    unsigned char th_lenres;      //4 bytes header length / reserved
    unsigned char th_flag;      //6 bytes flag
    USHORT   th_win;       //16 bytes window 
    USHORT   th_sum;       //16 bytes checksum
    USHORT   th_urp;       //16 bytes data offset
}TCP_HDR;

int main( )
{
    
 PIP_ADAPTER_INFO pAdapterInfo;
 
    pAdapterInfo = (IP_ADAPTER_INFO *)malloc( sizeof(IP_ADAPTER_INFO) );
 ULONG ulOutBufLen = sizeof(IP_ADAPTER_INFO);
    
    //Get the buffer
 if( GetAdaptersInfo( pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW )
 {
  free(pAdapterInfo);
  pAdapterInfo = (IP_ADAPTER_INFO *) malloc (ulOutBufLen);
 }

 //Get network adapter information
 int ret = 0;
 if( (ret = GetAdaptersInfo( pAdapterInfo, &ulOutBufLen)) == NO_ERROR )
 {
  #ifdef DEBUG
   
   PIP_ADAPTER_INFO pAdapter = pAdapterInfo;

   int i = 1;
  
   while(pAdapter)
   {
    printf( "MAC%d\n", i++ );
    printf( "Adapter Name: \t%s\n", pAdapter->AdapterName );
    printf( "Adapter Desc: \t%s\n", pAdapter->Description );
    printf( "Adapter Addr: \t%ld\n", pAdapter->Address );
    printf( "IP Address: \t%s\n", pAdapter->IpAddressList.IpAddress.String );
    
    pAdapter = pAdapter->Next;
   }

  #endif
 }
 else
 {
  printf( "GetAdaptersInfo error: %d\n", GetLastError() );

  return -1;
 }
 
    char openName[128] = "\\Device\\NPF_";
    
 //if the adapter is wrong,please change pAdapterInfo->AdapterName to pAdapterInfo->Next->AdapterName 
 //or more Next, ^_^
    strcat( openName, pAdapterInfo->AdapterName );
    
 #ifdef DEBUG
  printf( "Will open:%s\n", openName );
 #endif

    //Open adapter
 LPADAPTER hAdapter = PacketOpenAdapter( openName );

 if( !hAdapter || ( hAdapter->hFile == INVALID_HANDLE_VALUE ) )
 {
  printf( "PacketOpenAdapter error: %d\n", GetLastError() );

  return -1;
 }
 
 #ifdef DEBUG
  printf( "PacketOpenAdapter successful\n" );
 #endif

 //set promiscuous type
 if( PacketSetHwFilter( hAdapter, NDIS_PACKET_TYPE_PROMISCUOUS ) == FALSE )
 {
  printf( "PacketSetHwFilter promiscuous error: %d\n", GetLastError() );

  return -1;
 }
 
 #ifdef DEBUG
  printf( "PacketSetHwFilter promiscuous successful\n" );
 #endif

 //set the size of buffer
 if( PacketSetBuff( hAdapter, 600*1024 ) == FALSE )
 {
  printf( "PacketSetBuff error: %d\n", GetLastError() );

  return -1;
 }

 #ifdef DEBUG
  printf( "PacketSetBuff successful\n" );
 #endif

 //set time out
 if( PacketSetReadTimeout( hAdapter, 1) == FALSE )
 {
  printf("PacketSetReadTimeout error: %d\n", GetLastError() );

  return -1;
 }

 #ifdef DEBUG
  printf( "PacketSetReadTimeout successful\n" );
 #endif

 LPPACKET hPacket;

 if( (hPacket = PacketAllocatePacket()) == FALSE )
 {
  printf( "PacketAllocatePacket error: %d\n", GetLastError() );

  return -1;
 }
 
 #ifdef DEBUG
  printf( "PacketAllocatePackesuccessful\n" );
 #endif

 char recvBuff[1024 * 500] = { 0 };

 //init
 PacketInitPacket( hPacket, (char *)recvBuff, sizeof(recvBuff) );

 ETH_HDR    *ethr;
 IP_HDR    *ipr;
 TCP_HDR    *tcpr;

 int     bytesReceived;  //bytes of received
 char    *pBuff;    //buffer of data
 int     off;    //offset
 struct bpf_hdr  *hdr;    //the structure of packet
 char    *pchar;    //the real data!!

 while( 1 )
 {
  //recevie data
  if( PacketReceivePacket( hAdapter,hPacket,TRUE ) == FALSE )
  {
      break;   
  }
  
  //received length
     bytesReceived = hPacket->ulBytesReceived;
     
  //data
  pBuff = (char *)hPacket->Buffer;

     off = 0;

  //real data's structure |bpf_hdr|data|Padding|bpf_hdr|data|Padding|
      while( off < bytesReceived )
  {
   //change type
       hdr = (struct bpf_hdr *)( pBuff+off );

   //hdr->bh_hdrlen is the length of recevied packet
      off += hdr->bh_hdrlen;
   
   #ifdef DEBUG
    printf( "\nlength of packet header:%d\n", hdr->bh_hdrlen );
   #endif

   //jump to real data
        pchar = (char *)( pBuff+off );

   #ifdef DEBUG
    printf( "length of data:%d\n", strlen(pchar) );
   #endif

   //jump to next packet
      off = Packet_WORDALIGN(off+hdr->bh_caplen);

   //get ethernet header
      ethr = (ETH_HDR *)pchar;
      
   #ifdef DEBUG
    printf( "Protocol:%04x\n", ntohs(ethr->eth_type) );
    printf( "Source MAC:%02x:%02x:%02x:%02x:%02x:%02x\n", *(ethr->eth_src),*(ethr->eth_src+1),*(ethr->eth_src+2),*(ethr->eth_src+3),*(ethr->eth_src+4),*(ethr->eth_src+5) );
    printf( "Destination MAC:%02x:%02x:%02x:%02x:%02x:%02x\n", *(ethr->eth_dst),*(ethr->eth_dst+1),*(ethr->eth_dst+2),*(ethr->eth_dst+3),*(ethr->eth_dst+4),*(ethr->eth_dst+5) );
            #endif

        //if IP Protocol
       if( ethr->eth_type == htons(ETH_IP) )
   {
                #ifdef DEBUG
     printf( "recevied IP packet\n" );
                #endif
                      
    //get ip header
         ipr = (IP_HDR *)(pchar+sizeof(ETH_HDR));

    if( ipr->protocol == IPPROTO_TCP )
    {
                    printf( "recevied TCP packet\n" );
                    
     tcpr = (TCP_HDR *)( pchar+sizeof(ETH_HDR)+sizeof(IP_HDR) );

     if( tcpr->th_dport == htons(TERMINAL_PORT) )
     {
      #ifdef DEBUG
       printf( "recevied 3389 packet\n" );
      #endif
      
      printf( "MAC:%s\n", ethr->eth_src );
      printf( "MAC:%s\n", ethr->eth_dst );
      printf( "IP:%d\n", ipr->sourceip );
     }
    }
   }
   else if( ethr->eth_type == htons(ETH_ARP) )
   {
                #ifdef DEBUG
     printf( "recevied ARP packet\n" );
                #endif
   }
  }
 }

 return 0;
}






yunshu at ph4nt0m.org
2006-05-25
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20060525/023f2483/attachment-0001.htm

More information about the Winpcap-users mailing list