DaniWeb IT Discussion Community - View Single Post

struct is wrong, I guess...

Jul 17th, 2008

Hello,

On a website I found the next source code "sniffer.cpp"

Sniffer.cpp

 Help with Code Tags 
 C++ Syntax (Toggle Plain Text) 
/*
 
  OoOoOoOoOoOoOoOoOoO
  o HTTP-Sniffer    o
  O www.1plus.se    O
  oOoOoOoOoOoOoOoOoOo
 
  INFO: The trick is to use raw packets with SIO_RCVALL
 
 */
 
#include <iostream>
#include <fstream>
#include <string>
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include "packet_headers.h"
 
using namespace std;
 
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) 
 
/*
	Init Winsock
	Startup winsock, version 2.
*/
 
bool fInitWinsock(){
	WSADATA lWsa;
 
	if ( WSAStartup(MAKEWORD(2,0), &lWsa) != 0 )
		return false;
 
	return true;
}
 
void LogToFile(const char *log, ... )
{
	va_list va_alist;
	char buff[1024]="";
	va_start (va_alist, log);
	_vsnprintf (buff, sizeof(buff), log, va_alist);
	va_end (va_alist);
 
	ofstream lOutput;
	lOutput.open("packetlog.txt",ios::app);
	if(lOutput.fail()) return;
	lOutput << buff;
	lOutput.close();
}
 
/*
	Init Raw Sockets
	!!SIO_RCVALL!!
  */
 
SOCKET fInitSocket(){
	SOCKET lSock;
	DWORD  lpBuffer[255]; // Should be enough if you dont have like 100 adapters. :P
	DWORD  lSize;
	SOCKET_ADDRESS_LIST *lSaddrlist;
 
	// RAW SOCKET, PROTOCOL IP
	if( (lSock = WSASocket(AF_INET,SOCK_RAW,IPPROTO_IP,NULL,0,WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET){
       return -1;
    }
 
	/*
	MSDN: 
	The SIO_ADDRESS_LIST_QUERY socket I/O control operation allows a
	WSK application to query the current list of local transport
	addresses for a socket's address family. 
 
    OutputBuffer A pointer to the buffer that receives the current list of local transport addresses 
	*/
	WSAIoctl(lSock,SIO_ADDRESS_LIST_QUERY,NULL,0,lpBuffer,sizeof(lpBuffer),&lSize,NULL,NULL);
	lSaddrlist = (SOCKET_ADDRESS_LIST*)lpBuffer;
 
	// Assume its the first. 
	// Dont know how many got more then one network adapter in use.
	// TODO: Fix ? 
	const sockaddr *lSockAddr=lSaddrlist->Address[0].lpSockaddr;
 
	/* Bind socket to first address */
    if(bind(lSock,lSockAddr,sizeof(SOCKADDR_IN)) == SOCKET_ERROR) {
        printf("bind() error");
        return -1;
    }
 
	/* Heres where the fun happens ;) */
	unsigned int  optval = 1;
	if(WSAIoctl(lSock,SIO_RCVALL,&optval,sizeof(optval),NULL,0,&lSize,NULL,NULL) == SOCKET_ERROR){
		printf("ERROR!\n");
        return -1;
    }
 
	return lSock;
 
}
 
int main(void){
	char lPacket[1024];
	SOCKET lSock;
	IP *lIP;
	TCP *lTCP;
 
	// Same as packet. :)
	// Pointer never changes, so we can set it at the begging.
	lIP = (IP*)lPacket;
 
	// Print Banner.
	printf("  OoOoOoOoOoOoOoOoOoO\n");
	printf("  o HTTP-Sniffer    o\n");
	printf("  O www.1plus.se    O\n");
	printf("  oOoOoOoOoOoOoOoOoOo\n\n");
 
	LogToFile("  OoOoOoOoOoOoOoOoOoO\n");
	LogToFile("  o HTTP-Sniffer    o\n");
	LogToFile("  O www.1plus.se    O\n");
	LogToFile("  oOoOoOoOoOoOoOoOoOo\n\n");
	SYSTEMTIME lol;
	GetSystemTime(&lol);
	LogToFile("  Started at: %i:%i:%i\n\n",lol.wDay,lol.wMonth,lol.wYear);
 
 
	// Init Winsock.
	if(!fInitWinsock()) return -1;
 
	// Init socket to recieve all packets.
	lSock = fInitSocket();
 
	// Failed to initialize socket
	if(lSock==-1){
		printf("Failed to initialize socket\n");
		return -1;
	}
 
 
	// Main loop
	while(1){
		// NOTE: Usually you should check if RECV is 0. but connection is never closed, so no need!
		int lRecv=recv(lSock,lPacket,1024,0);
 
 
		// TCP-Packet.
		if(lIP->protocol==6){
 
			// Get Ip Header Length.
			unsigned short lHeaderLength=lIP->ihl*4;
 
			// Change TCP-Header pointer to corect address
			lTCP = (TCP*)(lPacket+lHeaderLength);
 
 
			// Port 80?
			if(ntohs((unsigned short)lTCP->dest_port)==80){
				// Get data offset.
				unsigned short lDataStart=lTCP->data*4;
 
				// The data part.
				char *lData = (char*)(lPacket+lHeaderLength+lDataStart);
 
				// End the string :)
				char *lEndPtr = (char*)(lPacket+lRecv);
				*lEndPtr='\0';
 
				// Dont log SYN/ACK packets
				if(lTCP->flags == 24){
					LogToFile("%s\n",lData);
					printf("%s\n",lData);
				}
			}
		}
	}
 
}
/*

  OoOoOoOoOoOoOoOoOoO
  o HTTP-Sniffer    o
  O www.1plus.se    O
  oOoOoOoOoOoOoOoOoOo

  INFO: The trick is to use raw packets with SIO_RCVALL

 */

#include <iostream>
#include <fstream>
#include <string>
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include "packet_headers.h"

using namespace std;

#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) 

/*
	Init Winsock
	Startup winsock, version 2.
*/

bool fInitWinsock(){
	WSADATA lWsa;

	if ( WSAStartup(MAKEWORD(2,0), &lWsa) != 0 )
		return false;
	
	return true;
}

void LogToFile(const char *log, ... )
{
	va_list va_alist;
	char buff[1024]="";
	va_start (va_alist, log);
	_vsnprintf (buff, sizeof(buff), log, va_alist);
	va_end (va_alist);

	ofstream lOutput;
	lOutput.open("packetlog.txt",ios::app);
	if(lOutput.fail()) return;
	lOutput << buff;
	lOutput.close();
}

/*
	Init Raw Sockets
	!!SIO_RCVALL!!
  */

SOCKET fInitSocket(){
	SOCKET lSock;
	DWORD  lpBuffer[255]; // Should be enough if you dont have like 100 adapters. :P
	DWORD  lSize;
	SOCKET_ADDRESS_LIST *lSaddrlist;

	// RAW SOCKET, PROTOCOL IP
	if( (lSock = WSASocket(AF_INET,SOCK_RAW,IPPROTO_IP,NULL,0,WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET){
       return -1;
    }

	/*
	MSDN: 
	The SIO_ADDRESS_LIST_QUERY socket I/O control operation allows a
	WSK application to query the current list of local transport
	addresses for a socket's address family. 

    OutputBuffer A pointer to the buffer that receives the current list of local transport addresses 
	*/
	WSAIoctl(lSock,SIO_ADDRESS_LIST_QUERY,NULL,0,lpBuffer,sizeof(lpBuffer),&lSize,NULL,NULL);
	lSaddrlist = (SOCKET_ADDRESS_LIST*)lpBuffer;

	// Assume its the first. 
	// Dont know how many got more then one network adapter in use.
	// TODO: Fix ? 
	const sockaddr *lSockAddr=lSaddrlist->Address[0].lpSockaddr;

	/* Bind socket to first address */
    if(bind(lSock,lSockAddr,sizeof(SOCKADDR_IN)) == SOCKET_ERROR) {
        printf("bind() error");
        return -1;
    }

	/* Heres where the fun happens ;) */
	unsigned int  optval = 1;
	if(WSAIoctl(lSock,SIO_RCVALL,&optval,sizeof(optval),NULL,0,&lSize,NULL,NULL) == SOCKET_ERROR){
		printf("ERROR!\n");
        return -1;
    }

	return lSock;

}

int main(void){
	char lPacket[1024];
	SOCKET lSock;
	IP *lIP;
	TCP *lTCP;

	// Same as packet. :)
	// Pointer never changes, so we can set it at the begging.
	lIP = (IP*)lPacket;

	// Print Banner.
	printf("  OoOoOoOoOoOoOoOoOoO\n");
	printf("  o HTTP-Sniffer    o\n");
	printf("  O www.1plus.se    O\n");
	printf("  oOoOoOoOoOoOoOoOoOo\n\n");

	LogToFile("  OoOoOoOoOoOoOoOoOoO\n");
	LogToFile("  o HTTP-Sniffer    o\n");
	LogToFile("  O www.1plus.se    O\n");
	LogToFile("  oOoOoOoOoOoOoOoOoOo\n\n");
	SYSTEMTIME lol;
	GetSystemTime(&lol);
	LogToFile("  Started at: %i:%i:%i\n\n",lol.wDay,lol.wMonth,lol.wYear);


	// Init Winsock.
	if(!fInitWinsock()) return -1;

	// Init socket to recieve all packets.
	lSock = fInitSocket();

	// Failed to initialize socket
	if(lSock==-1){
		printf("Failed to initialize socket\n");
		return -1;
	}


	// Main loop
	while(1){
		// NOTE: Usually you should check if RECV is 0. but connection is never closed, so no need!
		int lRecv=recv(lSock,lPacket,1024,0);


		// TCP-Packet.
		if(lIP->protocol==6){
			
			// Get Ip Header Length.
			unsigned short lHeaderLength=lIP->ihl*4;

			// Change TCP-Header pointer to corect address
			lTCP = (TCP*)(lPacket+lHeaderLength);


			// Port 80?
			if(ntohs((unsigned short)lTCP->dest_port)==80){
				// Get data offset.
				unsigned short lDataStart=lTCP->data*4;

				// The data part.
				char *lData = (char*)(lPacket+lHeaderLength+lDataStart);
			
				// End the string :)
				char *lEndPtr = (char*)(lPacket+lRecv);
				*lEndPtr='\0';

				// Dont log SYN/ACK packets
				if(lTCP->flags == 24){
					LogToFile("%s\n",lData);
					printf("%s\n",lData);
				}
			}
		}
	}

}

But in the rar on the website, the file "packet_headers.h" was NOT included

so I had to recover it myself.... There I have no experience with C++, I'm shure there the mistake is....

packet_headers.h

 Help with Code Tags 
 C++ Syntax (Toggle Plain Text) 
#pragma once
#pragma comment(lib, "ws2_32.lib")
 
#ifndef _WIN32_WINNT            // Specifies that the minimum required platform is Windows Vista.
#define _WIN32_WINNT 0x0600     // Change this to the appropriate value to target other versions of Windows.
#endif
 
 
typedef struct lIP
{
	unsigned char ihl; // Version and IP Header Length
	unsigned int protocol;
} IP;
 
typedef struct lTCP
{
	unsigned short flags; //Flags 3 bits and Fragment offset 13 bits
	unsigned short data;
	unsigned long dest_port;
} TCP;
#pragma once
#pragma comment(lib, "ws2_32.lib")

#ifndef _WIN32_WINNT            // Specifies that the minimum required platform is Windows Vista.
#define _WIN32_WINNT 0x0600     // Change this to the appropriate value to target other versions of Windows.
#endif


typedef struct lIP
{
	unsigned char ihl; // Version and IP Header Length
	unsigned int protocol;
} IP;

typedef struct lTCP
{
	unsigned short flags; //Flags 3 bits and Fragment offset 13 bits
	unsigned short data;
	unsigned long dest_port;
} TCP;

With these files I am capable to make an executable, but it doesn't do what it is supposed to do

On line 147 of Sniffer.cpp ther is standing " if(lIP->protocol==6){" This checks if the protocol is TCP, as I need it to be...
Unfortunately, when I print lIP->protocol on the screen it returns 1,2 and 5 but not the needed 6 as it should do when I brows the internet with IE...

Can anyone help me with finding a solution for this lIP->protocol problem, so the correct value is inthere?
The source of "packet_headers.h" Is all "scripted" by me, and not (as far as I know) the original source......
The source of "Sniffer.cpp" is downloaded and should be working perfectly (in combination with "packet_headers.h" ofcourse)

Also I'm working with C++ for 2 days now, so there is a realy big change I made a mistake somewhere!

Thanks in advance,
Jeffrey