WinSniff :The packet capturing application for Windows

22 Jun 2004, 3 min read
A packet capturing application for Windows.

Introduction

This article describes a sniffer for Windows. WinSniff is an application for capturing packets on the network. It displays all the packets that are transmitted on the local network and gives detailed information about each header in the packet. To keep it simple, I do not deal with application-level protocols. If you are interested, you can add support for application-level protocols such as SMTP, FTP, NETBIOS etc.

Environment

Visual C++ 6.0, Win98/WinXP.

How it works

When your machine is on the network, packets with different destinations arrive at its network adapter. By default (i.e., when the adapter is in normal mode) these packets are rejected by the adapter because they are addressed to other hosts. If you want, you can receive them by putting the adapter in promiscuous mode. In this mode it accepts all packets irrespective of the destination address.

Hence you can analyze the packets transmitted on your network. This technique is used in network management to measure network traffic, etc. However, there is one catch. You will only receive packets addressed to other hosts if you are using a hub, because a hub repeats every packet to all the hosts attached to it. If you are using a switch (an intelligent device), you won't receive any packet sent to other hosts on the network. The best place to install this application is on the gateway, where you can keep track of incoming and outgoing packets.

Implementation

First, you have to get the device list and then open the chosen device in promiscuous mode. While opening the device, you also specify the maximum number of bytes to capture per packet (the snapshot length) and the read timeout.

// Get all devices available for capturing packets
pcap_if_t *devlist;
char err[PCAP_ERRBUF_SIZE];
if (pcap_findalldevs(&devlist, err) == -1)
    /* handle error: err holds the reason (no WinPcap driver, no adapters, ...) */;

// Open the selected device in promiscuous mode
pcap_t *hdev = pcap_open_live(devname[index], // name of the device
                              65536,          // snaplen -> capture the whole packet
                              1,              // promiscuous mode
                              1000,           // read timeout in milliseconds
                              err);
if (hdev == NULL)
    /* handle error: err holds the reason */;

Once you have opened the device, you will receive all packets. If you are interested only in particular packets, for example QUAKE packets (port 27960), ARP packets (arp) etc., you can specify a filter expression. For the filter expression syntax, refer to the WinPcap documentation.

// compile the filter expression into BPF code (1 = optimize the code)
struct bpf_program fcode;
if (pcap_compile(hdev, &fcode, filter, 1, netmask) < 0)
    /* handle error: bad expression, see pcap_geterr(hdev) */;
// now install the compiled filter on the open device
if (pcap_setfilter(hdev, &fcode) < 0)
    /* handle error: see pcap_geterr(hdev) */;
pcap_freecode(&fcode);   // the device keeps its own copy

Once you have opened the device and set the filter, you are ready to receive packets. When a packet is received, header contains the capture length, the on-wire length, the timestamp and other information about the packet, and pkt_data contains the exact contents of the packet, starting from the Ethernet header.

struct pcap_pkthdr *header;
const u_char *pkt_data;
int res;
// pcap_next_ex returns 1 for a packet, 0 when the read timeout elapsed,
// -1 on error and -2 at the end of a saved file
while ((res = pcap_next_ex(hdev, &header, &pkt_data)) >= 0)
{
    if (res == 0)
        continue;   // timeout elapsed, no packet this time
    // header->caplen bytes of pkt_data are valid, header->ts is the timestamp
    // Do whatever you want..
}
if (res == -1)
    /* handle error: see pcap_geterr(hdev) */;

In order to analyze the packet contents, you must be familiar with the various header formats. Mainly, you must know the format of the following headers: ETHERNET, ARP, IP, TCP, UDP, ICMP and IGMP. I have included the file protocol.h, which contains the layout of all these headers. If you want more details, refer to the RFCs of the respective protocols.
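As an added example (not part of WinSniff or protocol.h), here is a decoder for the Ethernet, IPv4 and TCP/UDP headers at the start of a captured frame, i.e. the bytes that pcap_next_ex() returns in pkt_data. Every field it reads is preceded by a length check against the capture length, because a sniffer parses bytes chosen by whoever sent them; a truncated or malformed header must produce an error code, not an out-of-bounds read. The sample frame, the decoded_t structure, the error codes and the helper names are all assumptions made for this example, and the IPv4 header checksum is verified with the RFC 1071 ones'-complement sum.

```c
/* Added example, not WinSniff's own code: bounds-checked header decoding
 * for a frame as delivered in pkt_data. Needs only a C99 compiler, no pcap. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN  14
#define ETHERTYPE_IP 0x0800
#define PROTO_TCP    6
#define PROTO_UDP    17

typedef struct {
    uint16_t ether_type;
    uint8_t  ip_proto, ip_ttl;
    uint32_t ip_src, ip_dst;      /* host byte order */
    int      ip_checksum_ok;      /* 1 if the IPv4 header checksum verifies */
    uint16_t src_port, dst_port;  /* TCP or UDP; 0 for other protocols */
    uint8_t  tcp_flags;           /* low 6 bits of the TCP flags byte; 0 for UDP */
    size_t   payload_len;         /* captured bytes after the transport header */
} decoded_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* RFC 1071 ones'-complement sum: over a header that includes its own
 * checksum field the result is 0 exactly when the checksum is correct. */
static uint16_t ones_complement_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(p + i);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 on success; -1 Ethernet header truncated, -2 not IPv4 (ether_type
 * is still filled in), -3 IPv4 header malformed or truncated, -4 transport
 * header truncated. caplen is pcap_pkthdr.caplen, never the on-wire length. */
int decode_frame(const uint8_t *pkt, size_t caplen, decoded_t *out) {
    decoded_t d;
    memset(&d, 0, sizeof d);
    *out = d;
    if (caplen < ETH_HDR_LEN) return -1;
    d.ether_type = rd16(pkt + 12);
    *out = d;
    if (d.ether_type != ETHERTYPE_IP) return -2;

    const uint8_t *ip = pkt + ETH_HDR_LEN;
    size_t ip_avail = caplen - ETH_HDR_LEN;
    if (ip_avail < 20 || (ip[0] >> 4) != 4) return -3;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;        /* header length in bytes */
    size_t total_len = rd16(ip + 2);                  /* IPv4 total length */
    if (ihl < 20 || ihl > ip_avail || total_len < ihl) return -3;
    if (total_len > ip_avail) total_len = ip_avail;   /* snaplen cut it short */

    d.ip_ttl = ip[8];
    d.ip_proto = ip[9];
    d.ip_checksum_ok = ones_complement_checksum(ip, ihl) == 0;
    d.ip_src = rd32(ip + 12);
    d.ip_dst = rd32(ip + 16);

    const uint8_t *tr = ip + ihl;
    size_t tr_avail = total_len - ihl;
    if (d.ip_proto == PROTO_TCP) {
        if (tr_avail < 20) { *out = d; return -4; }
        size_t doff = (size_t)(tr[12] >> 4) * 4;      /* TCP data offset */
        if (doff < 20 || doff > tr_avail) { *out = d; return -4; }
        d.src_port = rd16(tr);
        d.dst_port = rd16(tr + 2);
        d.tcp_flags = tr[13] & 0x3F;
        d.payload_len = tr_avail - doff;
    } else if (d.ip_proto == PROTO_UDP) {
        if (tr_avail < 8) { *out = d; return -4; }
        d.src_port = rd16(tr);
        d.dst_port = rd16(tr + 2);
        d.payload_len = tr_avail - 8;
    } else {
        d.payload_len = tr_avail;                     /* ICMP, IGMP, ...: raw */
    }
    *out = d;
    return 0;
}

/* Constructed sample frame (not a real capture): Ethernet + IPv4 + TCP SYN,
 * 192.168.1.10:50000 -> 10.0.0.5:80, TTL 64, correct IPv4 checksum 0x5CE5. */
const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x5c,0xe5,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,
};

decoded_t last_decoded;   /* result of the most recent decode_sample() call */

/* Decode the sample frame as if only the first caplen bytes were captured. */
int decode_sample(size_t caplen) {
    return decode_frame(sample_frame, caplen, &last_decoded);
}

int main(void) {
    int rc = decode_sample(sizeof sample_frame);
    decoded_t *d = &last_decoded;
    printf("rc=%d proto=%u ttl=%u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x ipcsum=%s payload=%zu\n",
           rc, d->ip_proto, d->ip_ttl,
           d->ip_src >> 24, (d->ip_src >> 16) & 255, (d->ip_src >> 8) & 255, d->ip_src & 255, d->src_port,
           d->ip_dst >> 24, (d->ip_dst >> 16) & 255, (d->ip_dst >> 8) & 255, d->ip_dst & 255, d->dst_port,
           d->tcp_flags, d->ip_checksum_ok ? "ok" : "BAD", d->payload_len);
    return rc;
}
```

In the real application the call would be decode_frame(pkt_data, header->caplen, &d) inside the pcap_next_ex loop. The error codes matter in practice: a capture with a small snaplen routinely returns -4, and a frame with a bad IPv4 header checksum still decodes (ip_checksum_ok is 0) so the display can flag it rather than drop it.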

Once you are done, close the device so the adapter leaves promiscuous mode and the capture resources are released.

// close the device and release the capture resources
pcap_close(hdev);
// free the device list obtained from pcap_findalldevs
pcap_freealldevs(devlist);

Requirement

You need WinPcap (the Windows version of libpcap, the packet capturing library) to run this application. It can be downloaded from this location. The download contains the setup file along with good documentation that explains capturing and sending packets in detail. I advise you to go through the WinPcap documentation before going through the source code.

Running the application

When you run the application, the main window pops up. Click the StartCapture menu item to start capturing. A dialog box appears; select the device there. Packets will be displayed in the main window. Click on a packet to see more details. You can save any packet by clicking the SaveFrame menu item and open the saved frame later.

If you don't have a network adapter or you are not on a network, I have included some sample packets in the SamplePackets folder of the source zip file. You can open these files and view their contents.

If you have any queries or suggestions, feel free to drop a mail at nsry2002@yahoo.co.in.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


Written by Nagareshwar, Web Developer, India
Nagareshwar is a security enthusiast involved in reverse engineering, vulnerability research, coding security tools etc. He spends most of his time uncovering the secrets of the computer world.

He holds a Bachelor of Engineering degree from the National Institute of Technology Karnataka, India. He has 2.5 years of professional experience at Novell, where he worked on various security products including Novell SecureLogin and CASA.

For more details visit his website http://securityxploded.com

Comments and Discussions

Re: Upload / Download - Matthew R. Miller, 4-Nov-04 3:43
winpcap - gurneetmangat, 10-Sep-04 1:46
Re: winpcap - Nagareshwar, 12-Sep-04 18:40
Re: winpcap - gurneetmangat, 13-Sep-04 20:31
Re: winpcap - Nagareshwar, 13-Sep-04 22:01
Re: winpcap - Tadas Danielius, 30-Nov-06 5:31
Ethereal - joegood, 23-Jun-04 7:40
Re: Ethereal - Philippe Lhoste, 3-Jul-04 5:51
Yes, Ethereal is excellent, I used it a lot to debug and optimize IMAP4 exchanges between server and (CGI) client.

The advantage of Ethereal over WinSniff is that it does support a lot of application level protocols (POP3, IMAP4, etc.), so it is easier to read results.

The drawback is that its interface is GTK+ based, so a bit heavy, not so nice (IMO) and lacking native Windows look and feel.
A WinSniff with high level protocol support would be great...

Philippe Lhoste (Paris -- France)
Professional programmer and amateur artist
http://phi.lho.free.fr

Packet .dll is missing in demo project - Yogesh Kshatriya, 22-Jun-04 23:20
Re: Packet .dll is missing in demo project - Aamir Butt, 23-Jun-04 0:40
Re: Packet .dll is missing in demo project - Sam Hobbs, 19-Dec-05 14:58
Problem with adapter - leonardas, 22-Jun-04 20:02
Re: Problem with adapter - Nagareshwar, 23-Jun-04 10:11
Re: Problem with adapter - ewasta, 19-Sep-05 7:00
Re: Problem with adapter - Nynaeve, 28-Sep-05 6:48
Re: Problem with adapter - Nynaeve, 28-Sep-05 7:38
Re: Problem with adapter - Sam Hobbs, 19-Dec-05 15:03
Re: Problem with adapter - waelahmed, 23-Jun-04 22:31
Re: Problem with adapter - Nagareshwar, 24-Jun-04 9:49
??? - dungbkhn, 28-Oct-04 17:30
Okey!!! - dungbkhn, 1-Nov-04 19:03
Re: Okey!!! - Member 1205512, 30-Nov-04 21:21
Re: Okey!!! - cristitomi, 5-Mar-07 4:53
Question: How to revert a science - Emilio Garavaglia, 20-Jun-04 21:07
Answer: Re: How to revert a science - Nagareshwar, 22-Jun-04 8:56