TCP IP Sniffer - Felix John COLIBRI.

• abstract: This program will capture and display the Ethernet packets travelling on your network
  
• key words: TCP-IP - Sniffer - Utility - Packet Dump - Packet.Dll - Packet32.Dll - WinPcap - Snowing
  
• software used: Windows XP, Delphi 6, Winpcap Dlls
  
• hardware used: Pentium 1.400Mhz, 256 M ram, 140 G hard disk
  
• scope: Delphi 1 to 2005, Windows
  
• level: Intermediate
  
• plan:
  
  • Introduction
    
  • Sniffing techniques
    
  • A Delphi Sniffer
    
  • The packet analyzer
    
  • Some sniffing examples
    
  • Improvements
    
  • Download the Source Code
    

1 - Introduction

Many programs are available, and finding them by googling here and there was quite easy. However many of those applications were either only in .EXE format, or outright commercial. Outside of Windows and Delphi, we do not use any application which is not in source form, so we had to hunt for an open source example.

We actually found two in the Delphi / Windows world:

• Snowing, by Sang-Eun Han
  
• WinPcap from the Politecnico di Torino
  

• the installation of a sniffer using Packet.Dll will not be accepted by all firewalls.
  
• many of the sniffer on the market directly or indirectly use WinPcap. You might prefer to use those a finished product, instead of programming the sniffing in Delphi.
  

2 - Sniffing techniques

2.1 - Overview

The PC contain one or several network interface cards (NIC, like 3Com, AsusTek etc.). Each of those cards has a unique hardware identifier. When two person establish a connection, each packets contain the address of the two network cards, and those addresses are used to route the packet to the correct PC. But a PC connected to a network sees all the data packets travelling on the wire. In the usual case, only those packets with the NIC address of one of our cards are fetched and sent to the software.

Now what we are interested in is not only to see all the packets, but also to eavesdrop on the traffic without participating directly to any conversation. This is what sniffing is all about.

2.2 - Architecture

From the bottom to the top, we have:

• the ethernet coax, or the line modem
  
• then our PC is connected to the network using either an Ethernet Card, or a serial card
  
• at the software level, we go through
  
  • the kernel mode layers
    
  • the user mode layers
    
  • finally, our application
    

Now we can sniff the packets at several levels:

• at the hardware level (1)
  
  • by making a hardware wire tap
    
  • by using special network card hardware with debugging features
    
• at the software level
  
  • in Kernel mode (2 and 3)
    
    • by writing new device drivers
      
    • by using a Packet capture Ndis driver
      
    • by using one of the many hooks provided by some Windows versions
      
  • in User mode
    
    • by calling the IpHelp Api or using Raw Sockets (4)
      
    • by watching the packets when we read or write packets using Sockets (5)
      

2.3 - Trials

• writing a low-level VXD is the lowest level I ever went. I was lured into this by a paper by Solar Eclipse. As I remember it, he was loading a driver below the Windows TCP/IP layers (level 2 in our figure), grabbing the "To" and "From" addresses from e-mails and happily exchanging them from one mail to the next. I had no reason to install this kind of little devil to forge our own mails, but fetching the packets at the serial level seemed interesting. It took me about a full week to understand this driver business, and to adapt the Serial Port driver using the Microsoft (free) assembler and link editor tools. It still was some uncomfortable way of working so I stopped.
  
• the Ip Help Api is quite easy to use, and I found a nice Delphi application from Dirk CLAESSENS as well at the Delphi Import Unit by Jedi.
  
• the raw sockets only work on some Windows versions (XP), but I could not succeed in spite of reading all available threads on the topic in Borland NewsGroups
  

2.4 - PACKET.DLL

• it seems that the Windows DDK (Device Driver Kit) contained as an example the source code of a packet driver.

• I found in the late nineties a source code of a packet driver, written by Sang-Eun Han, with the user application called "snowing". You may find the .DLL (without the sources) on the ICS web site, and the sources are still floating around on the web. However, this "snowing" application uses a Windows 98 Vxd driver, and when I switched to XP it was no longer useable.

  If you are working on Windows 98, you can still use the "snowing" drivers, which are somehow simpler than the WinPcap drivers used in this paper, but the Delphi layers that we built on top of both are identical.
  

• the Politecnico di Torino dedicated a full web site to the sniffing of packets for Windows, the package name being WinPCap. And everything works correctly for Windows 98 to XP, or other versions. You can find on their site low level drivers, as well as complete sniffing application. Everything is in source code, but coded in C.

  We are going to use their drivers in the rest of this paper.

  Let me also mention that nearly ALL commercial or freeware sniffing tools in the Windows world are based on Winpcap drivers.

  We prefer to build the project in Delphi since we can

  • build any display interface that we want
    
  • integrate the sniffing in any Delphi application
    

2.5 - The Sniffer and the Analyzer

• the Sniffer, which fetches all the Ethernet packets and displays some simple statistics and, optionally, saves the packet in a log on the disk
  
• the Analyzer which can perform an offline detailed content analysis of the packets read from the log file
  

3 - 1- A Delphi Sniffer

3.1 - Installing the drivers

The Politecnico di Torino projects wants to standardize the packet handling on all Windows platforms. It offers:

• the low level drivers
  
• the capture layer
  
• some analysis tools
  

Since their goal is the use of this BPF format, they do not offer simple download and installation of the drivers only.

I found that the simplest way to install without error the drivers was to download the install WINPCAP_3_0.EXE (431K in June 2003), launch it, and then work with the installed drivers. The more complete WINPDCAP_3_0.ZIP (849K) contains in addition all kind of .EXE for packet capture, writing, analysis, as well as help files and format descriptions. And you may download full sources in WPcapSrc_3_0_A_3.ZIP (602K).

The installation places the following files on the disk:

• the driver: c:\windows\system32\drivers\npf.sys (30 K)
  
• the user .DLL: c:\windows\system32\packet.dll (56 K)
  

Most of the firewall software will complain about this PACKET.DLL installed on your system. The reason is that PACKET.DLL can put the PC in promiscuitous mode, and this is not tolerated by some firewalls.

Having all the sources, you can try to write some parts in Delphi, but be forewarned that this is not a simple business:

• the drivers must be build in the XP special format (not the old Windows 98 Vxd format)
  
• the product is able to detect the Windows platform, and the mere reading of the ethernet card MAC address takes hundreds of lines.
  

3.2 - Integrating PACKET.DLL into Delphi

• U_NDIS.PAS: some NDIS types and constants
  
• U_PACKET_FORMAT.PAS: the definition of the BPF envelope (required since the driver return us pointers to this envelope)
  
• U_PACKET_32.PAS: the Delphi calls to PACKET.DLL
  
• U_PACKET_CAPTURE.PAS: a layer to adapt the capture to the different Windows versions and perform some cleanup (freeing allocated memory for the packets etc)
  

• the sniffer thread
  
• the packet list class
  
• the protocol definitions
  
• the main capture form
  

3.3 - The sniffer thread

Our sniffer class has the following definition:

The main methods of this CLASS are the following (the error handling is not shown):

The sniffer thread is defined by:

with the usual tThread methods:

and this methods uses a (non-object) call-back, since the PACKET.DLL is not object oriented:

The unit organization is the following:

3.4 - The main program

and the handler displays statistics and saves the packets in a log

3.5 - Packet Content analysis

This packet content analysis can become quite involved, so we encapsulated in a CLASS descending from c_sniffer, and responsible for:

• saving the packet in a log file
  
• collecting simple statistics (packet count and total incoming and outgoing byte count)
  
• detailed protocol analysis (IP addresses, ports etc)
  

• the Ethernet packet contains a header and a protocol (Arp, Ppp, Ip ...) packet
  
• the protocol packet, say the Ip packet, contains a protocol header, and a sub protocol packet (ICMP, UDP, TCP)
  
• and so on.
  

Let us sketch the analysis for Ethernet and IP:

• we define a record specifying the content of an Ethernet packet

  type t_ethernet_packet= packed record                                 m_ethernet_destination: t_MAC_address;                                 m_ethernet_source: t_MAC_address;                                 m_ethernet_protocol: array[0..1] of byte;                                 // -- variable size                                 m_ethernet_data: array[0..0] of byte;                               end;          t_pt_ethernet_packet= ^t_ethernet_packet;     const k_ethernet_header_size= SizeOf(t_ethernet_packet)- 1;           // -- rfc1340           k_PPP_IPCP_protocol = $8021;  // Internet Protocol Control Protocol           k_PPP_CCP_protocol  = $80fd;  // Compression Control Protocol           k_PPP_LCP_protocol  = $c021;  // PPP Link Control Protocol           k_PPP_PAP_protocol  = $c023;  // PPP Password Authentication Protocol           k_PPP_LQR_protocol  = $c025;  // PPP Link Quality Report           k_PPP_CHAP_protocol = $c223;  // PPP Challenge Handshake Auth. Protocol           k_arp_protocol= $0806;           // -- rfc1340           k_ip_protocol= $0800;

• the handler receives a pointer to an Ethernet packet and depending on the protocol word calls the protocol analysis procedure:

  procedure c_packet_sniffer.analyze_packet(p_pt_ethernet_packet: t_pt_ethernet_packet; p_ethernet_packet_size: Integer);   // -- ... here the protocol analysis   var l_protocol_size: Integer;       l_protocol: Word;   begin // analyze_packet     with p_pt_ethernet_packet^ do     begin       l_protocol_size:= p_ethernet_packet_size- k_ethernet_header_size;       l_protocol:= f_swap_word(@ m_ethernet_protocol);       case l_protocol of         k_ARP_protocol :           add_packets_to_stats(m_direction= 'i', e_arp_packet, m_sub_protocol_size);         k_IP_protocol : analyze_ip_packet(t_pt_ip_packet(@ m_ethernet_data), l_protocol_size);         // -- ... other       end; // case       if Assigned(m_after_packet_arrived)         then m_after_packet_arrived(Self);     end; // with p_pt_ethernet_packet^  do   end; // analyze_packet

• let us assume that we received an IP packet. The IP packet format, defined in u_ip_packet.pas is the following:

  type t_ip_packet= packed record  // 20 bytes+ data                            m_version_and_header_length: Byte;                            m_type_of_service: Byte;                            m_packet_length: Word;                            // -- identification of a datagram                            m_datagram_identification: Word;                            m_flag_and_offset: Word;                            m_time_to_live: Byte;                            m_ip_protocol: Byte;                            m_check_sum: Word;                            m_ip_source: t_IP_address;                            m_ip_destination: t_IP_address;                            // -- variable size                            m_ip_data: array[0..0] of Byte;                          end;      t_pt_ip_packet= ^t_ip_packet; const // -- 20 bytes (ethernet+ ip= 34)       k_ip_header_size= SizeOf(t_ip_packet)- 1;       // -- the sub-protocol code       k_ip_icmp= 1;       k_ip_igmp= 2;       k_ip_tcp= 6;       k_ip_igp= 9;       k_ip_udp= 17;

• and the nested ip protocol procedure is the following:

  procedure analyze_ip_packet(p_pt_ip_packet: t_pt_ip_packet; p_ip_packet_size: Integer);   // -- ... here the TCP/IP, TCP/UDP analysis procedures   var l_IP_sub_protocol_size: Integer;   begin // analyze_ip_packet     l_IP_sub_protocol_size:= p_ip_packet_size- k_ip_header_size;     with p_pt_ip_packet^ do     begin       m_IP_source_address:= f_IP_to_string(m_IP_source);       m_IP_destination_address:= f_IP_to_string(m_IP_destination);       case m_ip_protocol of         k_ip_tcp : analyze_ip_tcp_packet(t_pt_ip_tcp_packet(@ m_ip_data), l_IP_sub_protocol_size);         k_ip_udp : analyze_ip_udp_packet(t_pt_ip_udp_packet(@ m_ip_data), l_IP_sub_protocol_size);         // -- .. the other sub-protocols       end; // case     end; // with p_pt_ip_packet^   end; // analyze_ip_packet

  
  

3.6 - The project organization:

Obviously this unit splitting might be considered exaggerated. You can easily collapse all the Delphi part (the yellow and white boxes) into a single unit, if the unit count is important for you.

3.7 - The capture application

To give you an idea of using this application, let us examine a simple call to Google:

	start the capture, by checking "stats", "list_packets" and clicking "create" and "start":
	launch Internet Explorer (or any other browser), and type "http://www.google.com" in the address combo box, and hit Enter
	p_packet_sniffer displays the following packets:
	to have the statistics by protocol, click "stats_"
	here are the protocol used:

4 - The packet analyzer

4.1 - The analysis project

If we want to analyze the content of the packets:

• we save the packets in a log file during the capture
  
• we use a separate application, p_analyze_packet to perform any content analysis
  

4.2 - The organization

I am not convinced that object creation and deletion is still important in our age of huge memory capacities and lightning fast hard disks, but the display in any kind of tMemo or, worse, tListView could become a problem. If you believe that time is not critical for you, you can always integrate the following analysis classes in the previous project.

To analyze our packets content, we will use classes for each protocol: there will be a c_ethernet_packet, a c_ip_packet, a c_ip_tcp_packet and so on. The easy way is to copy the data of each protocol in its protocol object:

This involves a lot of copying. So we prefered to build the classes with attributes corresponding to the protocol and a pointer to the data in a single data buffer (the buffer with the data loaded from the disk):

If this pointer technique does not suit you, it is easy enough to create streams and use a stream (which is a pointer anyway) instead of the raw pointer. This might even be useful when some packet content needs pre-processing (PPP character conversion, for instance).

4.3 - The Analysis units

• the c_ethernet_packet is defined as:

  c_ethernet_packet= class(c_basic_object)                      public                        m_id, m_ethernet_size: Integer;                        m_hidden: Boolean;                        m_pt_ethernet_packet: t_pt_ethernet_packet;                        m_protocol: Word;                        m_c_protocol_packet: c_protocol_packet;                        Constructor create_ethernet_packet(p_name: String;                            p_id, p_size: Integer;                            p_pt_ethernet_packet: t_pt_ethernet_packet); Virtual;                        function f_id: String;                        function f_c_self: c_ethernet_packet;                        function f_source_mac: String;                        function f_destination_mac: String;                        function f_direction: Char;                        function f_id_and_direction: String;                        function f_ethernet_hex: String;                        function f_ethernet_detail: String;                        function f_data_size: Integer; Virtual;                        procedure display_ethernet_packet;                        procedure display_ethernet_packet_hex;                        procedure display_packet_only(p_hex: Boolean);                        function f_display_protocol: String;                        function f_display_data_hex: String;                        Destructor Destroy; Override;                     end; // c_ethernet_packet

• in the c_ethernet_packet constructor we examine the protocol byte and create the relevant protocol class:

  Constructor c_ethernet_packet.create_ethernet_packet(p_name: String;     p_id, p_size: Integer;     p_pt_ethernet_packet: t_pt_ethernet_packet);   var l_ethernet_data_size: Integer;       l_pt_protocol_data: Pointer;   begin     Inherited create_basic_object(p_name);     m_id:= p_id; m_ethernet_size:= p_size;     m_pt_ethernet_packet:= p_pt_ethernet_packet;     // -- the sub packet contained after the header     l_ethernet_data_size:= m_ethernet_size- k_ethernet_header_size;     l_pt_protocol_data:= @ m_pt_ethernet_packet^.m_ethernet_data;     m_protocol:= f_swap_word(@ m_pt_ethernet_packet^.m_ethernet_protocol);     case m_protocol of       k_ip_protocol : m_c_protocol_packet:= c_ip_packet.create_ip_packet('IP',           l_ethernet_data_size, t_pt_ip_packet(l_pt_protocol_data));       k_ARP_protocol : m_c_protocol_packet:= c_arp_packet.create_arp_packet('ARP',           l_ethernet_data_size, t_pt_arp_packet(l_pt_protocol_data));         // ... the other protocols     end; // case   end; // create_ethernet_packet

  
  

The overall organization is the following:

The blue boxes correspond to ancestor classes (classes grouping attributes of descendent packet classes).

The full detail can be found in the attached source code.

4.4 - Demonstration

	load the sources and compile
	in the main tabsheet choose any previously saved log file. In our case, the files are the files of the Google connection:
	click on the log file you wish to analyze
	select for instance the "session" button to see the packets sorted by IP connection, then click on any IP address. In our case we chose the 64.231.161.104 address, and, going down the packet display found, for instance, the HTTP "GET":
	we can also examine the Hex content (by checking the "hex" check box), and in addition display combinations of protocols. Just a last example, we wanted to display the UDP content: we clicked the "packets" tab, and selected UDP, with "hex": so we find a DNS query

5 -

6 - Some sniffing examples

• first to see the accurate content of the Internet Explorer HTTP headers. For our internal Internet Browser I had asked only for the .HTML pages and was not getting many images or other files. So copying exactly what IE was sending in the "Content-Type" solved the problem
  
• I also could examine the Cookie content used by some servers
  
• to upload our web pages, we wanted complete automation of the process. We could have started with the Indy or the ICS components, or at least the Delphi tClientSocket and tServerSocket. We chose instead to use the basic Winsock library. Now writing the FTP client was not as simple as fetching an .HTML page with HTTP: 2 sockets are required, and there are several possible modes. When we were stuck in those protocol conversations, we simply used the ICS FTP component and watched the request and the answers. Writing the scripting layers on top of the basic FTP protocol was then a piece of cake.
  
• we also used the sniffer to watch Interbase, and this is described in the Sniffing Interbase Traffic paper.

  This paper also presents a UNIT which totally encapsulates the capture mechanism. With about 3 lines of code, the Interbase application displays the capture statistics (packet count, bytes, line statistics etc).
  

7 - Improvements

• write the drivers in Delphi. We did this for the serial driver for Windows 98, but balked at the effort under XP. Anyway, the drivers from WinPcap are perfect for our task, so this is not a priority
  
• simplify the structure of the import DLLs
  
• we chose to isolate the different protocols in many units, and this could also benefit from some grouping
  
• we did not present here
  
  • the NetBios levels that we analyzed when we were using Windows 98. By the same token, the PPP levels, and the Adsl protocols could be added
    
  • we also started to build the sequence of TCP packets back, in effect staring to implement the reception part of the protocol.
    
• we only considered reading the packets. Under XP, writing seems to be possible, but was not investigated.
  

8 - Download the Source Code

• the main program (.DPR, .DOF, .RES), the main form (.PAS, .DFM), and any other auxiliary form
  
• any .TXT for parameters
  
• all units (.PAS) for units
  

• can be used from any folder (the pathes are RELATIVE)
  
• will not modify your PC in any way beyond the path where you placed the .ZIP (no registry changes, no path creation etc).
  

• create or select any folder of your choice
  
• unzip the downloaded file
  
• using Delphi, compile and execute
  

Here are the files:

• packet_sniffer.zip : the capture, quick analysis and loging of packets (54 K)
  
• analyze_packets.zip : read the packets from the disk and perform several analyzes and displays (65 K)
  

As usual:

• please tell us at fcolibri@felix-colibri.com if you found some errors, mistakes, bugs, broken links or had some problem downloading the file. Resulting corrections will be helpful for other readers
  
• we welcome any comment, criticism, enhancement, other sources or reference suggestion. Just send an e-mail to fcolibri@felix-colibri.com.
  
• or more simply, enter your (anonymous or with your e-mail if you want an answer) comments below and clic the "send" button

  Name :
  E-mail :
  Comments * :

• and if you liked this article, talk about this site to your fellow developpers, add a link to your links page ou mention our articles in your blog or newsgroup posts when relevant. That's the way we operate: the more traffic and Google references we get, the more articles we will write.
  

9 - Conclusion

The resulting capture and analysis tool can be used for education, investigation or debugging purposes. In the companion paper Sniffing Interbase Traffic, we present the analysis of Interbase traffic.

10 - References

• tutorials about packet capture
  
  • Monitoring Ethernet Network Activity With NDIS Drivers - Whitepaper
      R.Apparna, B.PremKumar
       http://www.cswl.com/whiteppr/white/ethernet.html
        A good description of the PACKET.DLL programming
    
  • Lo standard NDIS
      Fabiani Luca e Nannicini Saverio
       http://telemat.det.unifi.it/book/
        A detailed description of the NDIS programming
    
• Serial Card driver:
  Attacking Windows 9x with Loadable Kernel Modules
    Solar Eclipse
     http://www.phreedom.org/article/
       Explanation about loadable modules, along with/ assembler example

• NDIS
  
  • description of Windows architecture and explanation about the different possible hooks
       http://www.pcausa.com
        the commercial site
       http://ndis.com
        the tutorial site linked to the previous site
    
  • msdn
       http://msdn.microsoft.com/
      MSDN Home > MSDN Library > Windows Development > Network Devices and   Protocols > Design Guide > Network Drivers > Network Architecture for Kernel-Mode Drivers > Network Driver Environments
        the Microsoft (very short) description of the NDIS architecture
    
• IpHlpApi.Dll)
  
  • Delphi TCP/IP MONITOR - Dirk Claessens
       http://users.pandora.be/dirk.claessens2 - netmon.zip
        a Delphi source code project using IpHlpApi
    
  • IpHlpApi header
    ftp://delphi-jedi.org/api/IPHlpAPI.zip
        the Delphi import library for IpHlpApi (not tested)
    
• packet libraries
  
  • Snowing Sang-Eun Han - seh@brabo1.korea.ac.kr
      http://widecomm.korea.ac.kr/~seh
        dead link, but search using Google - the Windows 98 PACKET.DLL
    
  • ICS
       http://www.overbyte.be
        ICS component suite home, where the "snowing" capture package can still be found
    
  • WinPcap: the Free Packet Capture Architecture for Windows
      Politecnico di Torino
       http://winpcap.polito.it/
        The only working PACKET.DLL I found working on XP. And in source
        The Delphi adaptation was performed by Lars Peter Christiansen (and possibly by many other)
    

11 Other Papers with Source and Links

12 - The author