The easiest way to get up and running with using WinPcap is to download the library\u00a0from the WinPCap site<\/a> and follow this tutorial<\/a>, which gives you a good starting point for making an application using the WinPcap. (Also, it is worth noting that I’ve been using\u00a0Visual Studio 2015<\/strong> for this – not sure how non-Microsoft compilers would handle things but there shouldn’t be anything specific here that would cause any issues.)<\/p>\n This first post deals with the specifics of getting\u00a0WinPcap\u00a0<\/strong>working in a way that we want it to. An important thing to note is that this codes provides absolutely no error checking – I stripped it all out to make the code more easy to follow, but you really should try and capture errors! Read on for the breakdown, or skip to the end to grab the whole code.<\/p>\n So first of all, here are the\u00a0libraries, headers etc to use. Also a few global variables.<\/p>\n <\/p>\n First, within the main function, you need to\u00a0select the right adapter <\/strong>(in other words, the network card. A system can have lots of these. Some of ours definitely do) to initiate a capture on. First we need to store all devices and then iterate through them to find how many adapters there actually are.\u00a0pcap_findalldevs_ex<\/em> will return the list to be stored in allAdapters.<\/p>\n <\/p>\n The next step identifies the correct adapter number by incrementing selectedAdapterNumber<\/em>\u00a0until a separate function, testTargetNetwork<\/em>, returns\u00a0true<\/strong><\/p>\n <\/p>\n The function that this code uses,\u00a0testTargetNetwork<\/em> – below, stores the IP addresses of a single adapter.\u00a0We are only testing for the sa_family being AF_INET, so no MAC or IPv6 addresses get stored.\u00a0Then I decided to make a bit of a dodgy way to convert the IP address – stored as characters – to a decimal value, by storing each part as “hundreds”, “tens” and “units”, multiplying them by their position, and then adding them together to determine if the detected IP address is on the correct network we want (this last test returns true or false).<\/p>\n <\/p>\n If this returns true<\/strong>, then we know the number of the adapter we want. To select that adapter, again, you can perform allAdapters->next\u00a0<\/em>for that many times.<\/p>\n The next step is go back to the main function to create a filter that will be used to capture only specific packets on the\u00a0adapter specified. WinPCap\u00a0<\/i>does all this magic for you, you just have to specify the filter as a string of text, stored in\u00a0packet_filter.<\/em><\/p>\n <\/p>\n The two ethernet frames we are looking to capture are CDP<\/em> and LLDP. CDP\u00a0<\/em>data is stored in an Ethernet frame, in an LLC wrapper with SNAP extensions.\u00a0LLDP\u00a0<\/em>data is stored in an Ethernet II frame. Because CDP\u00a0<\/em>doesn’t use a (now standard) Ethernet II frame, we can’t specifically filter by saying “if the protocol is LLDP..” – because the place where the type is\u00a0expected to be determined is actually going to be the length of the packet, rather than the type. So we have to tell it where to look for the type and then work out for ourselves what that that type should be specified as.<\/p>\n The string says that either bytes 12 and 13 of a packet should be 0x88cc (which is the type for LLDP) or bytes 20 and 21 should be 0x2000 (which is the protocol ID for CDP). The filter will then get compiled into binary and passed to the packet capture driver at runtime so that only the packets we want get passed to the application.<\/p>\n Now we need to actually capture a packet; the right adapter has been selected, the filter has been set up and the device opened – all we need to do now is to retrieve a packet. You can make a new function and call it from\u00a0main()<\/em> after setting up the filter which, to begin with, will free the device list created earlier, since we don’t need it anymore.<\/p>\n Then add in code to start the loop off. What happens, is that the function\u00a0pcap_next_ex<\/em> will attempt to retrieve the next packet available on the specified capture instance.<\/p>\n When it receives a packet, it will store a pointer to the header of the packet, a pointer to the start of the packet’s data and return a value of “1” as its code, which we can use to mean “a packet was found”.<\/p>\n If no packet is found, however,\u00a0the program should time out – which returns a 0 instead (well, it will actually return -1 as well, if there’s an error, which will break out of the\u00a0while<\/em> loop altogether). Back above, when calling pcap_open<\/em>,\u00a0<\/em>a value of 1000 (ms) was specified for the timeout parameter, which means that – if no packets have been captured by the system in that time – a value of 0 is returned. Note that this timeout is more like a “countdown” – nothing will happen within that time, but several packets may have accumulated in that period, before being retrieved by the application.<\/p>\n We can then handle it appropriately by exiting the loop if we want, with break;<\/span>\u00a0– although, in this instance, continue;<\/span>\u00a0is used instead, which continues the loop but steps over the rest of the code in the current cycle. It would probably be better to just increase the timeout to 1 minute, but even then, it could be a long time before CDP and LLDP packets are received (by default, they are sent out every 1 minute and 30 seconds, respectively, on Cisco devices).<\/p>\n When a packet is received, the date and length of the packet is printed out. I’m not sure if there’s an easier way to date and time from seconds, but the above way works fine. Anyway, all the program\u00a0then does is print out each byte of data, formatted to be read as a character. If the byte’s value is either “14” or “\\0”, then it is going to be a new line, otherwise, it will simply list the entire contents of the packet.<\/p>\n Here is the final code, put together, with a pause so you can see what happens. What you should get out is a load of gibberish characters and some human-readable ones. Next post will look at\u00a0how to properly handle the packets and get something far more readable on screen; until then, if anyone has any questions about the code or using WinPcap libraries (although I’m hardly an expert!), please feel free to ask in the comments!<\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" I’ll categorise and change the order of posts later perhaps, but here is the first in a series on how I made an application to record the switchport and vlan, of a switch, that a computer is connected to.\u00a0This setup will work where: You have a Windows PC with Winsock installed (Windows XP or later […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[21],"tags":[30,34],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6PQZ3-5p","_links":{"self":[{"href":"https:\/\/www.troliver.com\/index.php?rest_route=\/wp\/v2\/posts\/335"}],"collection":[{"href":"https:\/\/www.troliver.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.troliver.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.troliver.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.troliver.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=335"}],"version-history":[{"count":9,"href":"https:\/\/www.troliver.com\/index.php?rest_route=\/wp\/v2\/posts\/335\/revisions"}],"predecessor-version":[{"id":409,"href":"https:\/\/www.troliver.com\/index.php?rest_route=\/wp\/v2\/posts\/335\/revisions\/409"}],"wp:attachment":[{"href":"https:\/\/www.troliver.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.troliver.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.troliver.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Headers, libraries and variables<\/h2>\n
#define HAVE_REMOTE\r\n#include \"pcap.h\"\r\n#pragma comment (lib, \"wpcap.lib\")\r\n#pragma comment (lib, \"Packet.lib\")\r\n#pragma comment (lib, \"Ws2_32.lib\")\r\n\r\n\/\/Used to store all the adapters in a list (by storing references to next adapters)\r\npcap_if_t * allAdapters; \r\n\r\n\/\/Used to store a single adapters from the above list.\r\npcap_if_t * adapter; \r\n\r\n\/\/Used for referencing a capture session\r\npcap_t * captureInstance;\r\n\r\n\/\/You'll need these later to store a reference to a packet and its header \r\nstruct pcap_pkthdr * packetHeader;\r\nconst u_char * packetData;\r\n\r\n\/\/This stores errors. We won't use it much in this example.\r\nchar errorBuffer[PCAP_ERRBUF_SIZE];\r\n<\/pre>\n
Selecting the capture interface<\/h2>\n
int totalAdapters = 0;\r\n\r\n for (adapter = allAdapters; adapter; adapter = adapter->next)\r\n {\r\n ++totalAdapters; \r\n printf(\"\\n%d %s) \", totalAdapters, adapter->name);\r\n printf(\"-- %s\\n\", adapter->description);\r\n }\r\n \/\/Just add a blank line. Makes it look pretty.\r\n printf(\"\\n\");<\/pre>\n int selectedAdapterNumber = 0;\r\n\r\n for (adapter = allAdapters; adapter; adapter = adapter->next)\r\n {\r\n ++selectedAdapterNumber;\r\n if (testTargetNetwork(adapter))\r\n {\r\n printf(\"\\nComputer is currently attached to the network through adapter %d\", selectedAdapterNumber);\r\n printf(\"\\n\");\r\n }\r\n }\r\n\r\n<\/pre>\nbool testTargetNetwork(pcap_if_t * adapter)\r\n{\r\n char ipAddress[INET6_ADDRSTRLEN];\r\n pcap_addr_t * adapterAddress;\r\n\r\n for (adapterAddress = adapter->addresses; adapterAddress; adapterAddress = adapterAddress->next)\r\n {\r\n if (adapterAddress->addr->sa_family == AF_INET)\r\n { \r\n inet_ntop(adapterAddress->addr->sa_family,\r\n &(((struct sockaddr_in*)adapterAddress->addr)->sin_addr),\r\n ipAddress,\r\n sizeof(ipAddress));\r\n }\r\n }\r\n\r\n int hundreds;\r\n int tens;\r\n int units;\r\n\r\n if (ipAddress[2] == '.')\r\n {\r\n hundreds = (ipAddress[0] - '0') * 10;\r\n tens = (ipAddress[1] - '0') * 1;\r\n units = 0;\r\n }\r\n else\r\n {\r\n hundreds = (ipAddress[0] - '0') * 100;\r\n tens = (ipAddress[1] - '0') * 10;\r\n units = (ipAddress[2] - '0') * 1;\r\n }\r\n\r\n int temp4 = hundreds + tens + units;\r\n int network = 10;\r\n return (temp4 == network);\r\n}<\/pre>\nPreparing the\u00a0filter<\/h2>\n
captureInstance = pcap_open(adapter->name, 65535, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errorBuffer);\r\n\r\nchar packet_filter[] = \"ether[12:2] = 0x88cc or ether[20:2] = 0x2000\";\r\n\r\nstruct bpf_program fcode;\r\npcap_compile(captureInstance, &fcode, packet_filter, 1, ((struct sockaddr_in *)(adapter->addresses->netmask))->sin_addr.S_un.S_addr);\r\npcap_setfilter(captureInstance, &fcode);<\/pre>\n
![\"proto\"](\"http:\/\/www.troliver.com\/wp-content\/uploads\/2015\/11\/proto.png\")
<\/p>\nInitiating the capture<\/h2>\n
void capture()\r\n{\r\n pcap_freealldevs(allAdapters);\r\n\r\n<\/pre>\n\tprintf(\"\\nCapture session started (%s)\\n\", adapter->name);\r\n\r\n\r\n\tint packetFound;\r\n\twhile ((packetFound = pcap_next_ex(captureInstance, &packetHeader, &packetData)) >= 0)\r\n\t{\r\n\t\tif (packetFound == 0)\r\n\t\t{\r\n\t\t\tprintf(\"\\nPacket timed out! Trying again..\");\r\n\t\t\tcontinue;\r\n\t\t}\r\n\r\n\r\n\t\tprintf(\"\\n%d:%d:%d length of packet: %d\\n\", (packetHeader->ts.tv_sec % 86400) \/ 3600, (packetHeader->ts.tv_sec % 3600) \/ 60, packetHeader->ts.tv_sec % 60, packetHeader->len);\r\n\t\t\t\t\t\t\r\n\t\tprintf(\"\\n\");\r\n\r\n\t\tfor (int x = 0; x < packetHeader->len; x++)\r\n\t\t{\r\n\t\t\tif ((packetData[x] == 0x0e) || (packetData[x] == '\\0'))\r\n\t\t\t{\r\n\t\t\t\tprintf(\"\\n\");\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tprintf(\"%c\", packetData[x]);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}<\/pre>\nSummary (full code)<\/h2>\n
#include \"stdafx.h\"\r\n\r\n#define HAVE_REMOTE\r\n\r\n\/\/WinPcap libraries. This can be done in the project C++\/Linker properties\r\n#include \"pcap.h\"\r\n#pragma comment (lib, \"wpcap.lib\")\r\n#pragma comment (lib, \"Packet.lib\")\r\n#pragma comment (lib, \"Ws2_32.lib\")\r\n\r\n\r\n\r\nint setAdapter();\r\nvoid capture();\r\nbool testTargetNetwork(pcap_if_t * adapter);\r\n\r\n\r\n\r\n\r\npcap_if_t\t\t\t*\tallAdapters;\t\t\/\/Used to store all the adapters in a list (by storing references to next adapters)\r\npcap_if_t\t\t\t*\tadapter;\t\t\t\/\/Used to store one of the adapters in a list.\r\npcap_t\t\t\t\t*\tcaptureInstance;\t\/\/Used to store a capture\r\nstruct pcap_pkthdr\t*\tpacketHeader;\t\t\/\/Used to store the header for a packet\r\nconst u_char\t\t*\tpacketData;\t\t\t\/\/Used to store the packet's data\r\n\r\nchar errorBuffer[PCAP_ERRBUF_SIZE];\r\n\r\nint _tmain(int argc, _TCHAR* argv[])\r\n{\r\n\tpcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &allAdapters, errorBuffer);\r\n\r\n\r\n\tint totalAdapters = 0;\r\n\r\n\tfor (adapter = allAdapters; adapter; adapter = adapter->next)\r\n\t{\r\n\t\tprintf(\"\\n%d %s) \", ++totalAdapters, adapter->name);\r\n\t\tprintf(\"-- %s\\n\", adapter->description);\r\n\t}\r\n\t\/\/Just add a blank line. Makes it look pretty.\r\n\tprintf(\"\\n\");\r\n\r\n\t\r\n\tint selectedAdapterNumber = 0;\r\n\r\n\tfor (adapter = allAdapters; adapter; adapter = adapter->next)\r\n\t{\r\n\t\t++selectedAdapterNumber;\r\n\t\tif (testTargetNetwork(adapter))\r\n\t\t{\r\n\t\t\tprintf(\"\\nComputer is currently attached to the network through adapter %d\", selectedAdapterNumber);\r\n\t\t\tprintf(\"\\n\");\r\n\t\t}\r\n\t}\r\n\t\r\n\tadapter = allAdapters;\r\n\tfor (int i = 0; i < selectedAdapterNumber - 1; i++)\r\n\t{\r\n\t\tadapter = adapter->next;\r\n\t}\r\n\t\r\n\r\n\r\n\tcaptureInstance = pcap_open(adapter->name, 65535, PCAP_OPENFLAG_PROMISCUOUS, 65000, NULL, errorBuffer);\r\n\r\n\tchar packet_filter[] = \"ether[12:2] = 0x88cc or ether[20:2] = 0x2000\";\r\n\r\n\tstruct bpf_program fcode;\r\n\tpcap_compile(captureInstance, &fcode, packet_filter, 1, ((struct sockaddr_in *)(adapter->addresses->netmask))->sin_addr.S_un.S_addr);\r\n\tpcap_setfilter(captureInstance, &fcode);\r\n\r\n\r\n\r\n\r\n\tcapture(); \r\n\r\n\r\n\tsystem(\"PAUSE\");\r\n\treturn 0;\r\n}\r\n\r\n\/\/This is what we use to compare the interfaces against our network identity.\r\nbool testTargetNetwork(pcap_if_t * adapter)\r\n{\r\n\tchar ipAddress[INET6_ADDRSTRLEN];\r\n\tpcap_addr_t * adapterAddress;\r\n\r\n\tfor (adapterAddress = adapter->addresses; adapterAddress; adapterAddress = adapterAddress->next)\r\n\t{\r\n\t\tif (adapterAddress->addr->sa_family == AF_INET)\r\n\t\t{\r\n\t\t\tinet_ntop(adapterAddress->addr->sa_family,\r\n\t\t\t\t&(((struct sockaddr_in*)adapterAddress->addr)->sin_addr),\r\n\t\t\t\tipAddress,\r\n\t\t\t\tsizeof(ipAddress));\r\n\t\t}\r\n\t}\r\n\r\n\tint hundreds;\r\n\tint tens;\r\n\tint units;\r\n\r\n\tif (ipAddress[2] == '.')\r\n\t{\r\n\t\thundreds = (ipAddress[0] - '0') * 10;\r\n\t\ttens = (ipAddress[1] - '0') * 1;\r\n\t\tunits = 0;\r\n\t}\r\n\telse\r\n\t{\r\n\t\thundreds = (ipAddress[0] - '0') * 100;\r\n\t\ttens = (ipAddress[1] - '0') * 10;\r\n\t\tunits = (ipAddress[2] - '0') * 1;\r\n\t}\r\n\r\n\tint temp4 = hundreds + tens + units;\r\n\tint network = 10;\r\n\treturn (temp4 == network);\r\n}\r\n\r\n\/\/Capture code\r\nvoid capture()\r\n{\r\n\tpcap_freealldevs(allAdapters);\r\n\r\n\r\n\tprintf(\"\\nCapture session started (%s)\\n\", adapter->name);\r\n\r\n\r\n\tint packetFound;\r\n\twhile ((packetFound = pcap_next_ex(captureInstance, &packetHeader, &packetData)) >= 0)\r\n\t{\r\n\t\tif (packetFound == 0)\r\n\t\t{\r\n\t\t\tprintf(\"\\nPacket timed out! Trying again..\");\r\n\t\t\tcontinue;\r\n\t\t}\r\n\r\n\r\n\t\tprintf(\"\\n%d:%d:%d length of packet: %d\\n\", (packetHeader->ts.tv_sec % 86400) \/ 3600, (packetHeader->ts.tv_sec % 3600) \/ 60, packetHeader->ts.tv_sec % 60, packetHeader->len);\r\n\r\n\t\tprintf(\"\\n\");\r\n\r\n\t\tfor (int x = 0; x < packetHeader->len; x++)\r\n\t\t{\r\n\t\t\tif ((packetData[x] == 0x0e) || (packetData[x] == '\\0'))\r\n\t\t\t{\r\n\t\t\t\tprintf(\"\\n\");\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tprintf(\"%c\", packetData[x]);\r\n\t\t\t}\r\n\t\t}\r\n \/\/Stop iterating and exit\r\n break;\r\n\t}\r\n}<\/pre>\n