Hi NG!

I already implemented a litte program that 'sniffs' my local traffic; it 
copies all incoming (received) traffic (does not remove it from stack)
my next step was doing the same for all sent data, but i wasnt able to do it 
(actually i do not have a clue how to to it...)

i searched the web for any solutions&examples but all i found was fully 
implemented libs which i do not want to use (winPcap etc.)

thanks in advance
Ludwig Moser

ps: i can post my current code (receive, which listens on ALL ports TCP and 
UDP) if anyone is insterested in.

If you use raw socket with  WSAIoctl( SIO_RCVALL) it have to read data on 
both directions, check
http://www.codeguru.com/network/ipmon.html

Arkady


"Ludwig Moser"  wrote in message 
news:7b36d$4430fcaf$d52ff9ab$14497@news.chello.at...
> Hi NG!
>
> I already implemented a litte program that 'sniffs' my local traffic; it 
> copies all incoming (received) traffic (does not remove it from stack)
> my next step was doing the same for all sent data, but i wasnt able to do 
> it (actually i do not have a clue how to to it...)
>
> i searched the web for any solutions&examples but all i found was fully 
> implemented libs which i do not want to use (winPcap etc.)
>
> thanks in advance
> Ludwig Moser
>
> ps: i can post my current code (receive, which listens on ALL ports TCP 
> and UDP) if anyone is insterested in.
>

"Arkady Frenkel"  schrieb im Newsbeitrag 
news:%23SXGbzxVGHA.2480@TK2MSFTNGP11.phx.gbl...
> If you use raw socket with  WSAIoctl( SIO_RCVALL) it have to read data on 
> both directions, check
> http://www.codeguru.com/network/ipmon.html
>
> Arkady

thanks a lot i'll have a look at it soon;
this is my line of code (i firist tried SIO_RCVALL) but it does not show up 
sent data...
[code] WSAIoctl(sock, SIO_RCVALL_MCAST, &optval, sizeof(optval), NULL, 0, 
&dwBytesRet, NULL, NULL); [/code]

greets
ludwig moser

> http://www.codeguru.com/network/ipmon.html

this wont compile here, but i had a look at the code and cannot find my 
mistake,
if someone is willed to point me to my mistake that woul be awesome.

the src including solution and project files can be found here:
http://members.chello.at/l.moser/cpp/rawSocket.zip

thanks in advance
Ludwig Moser

Seems OK, check what is problem with ipmon and try it. The arrows "<" and 
">" shows in/out directions and that work on my XP SP2 machine too ( look at 
attached shap )
Arkady

"Ludwig Moser"  wrote in message 
news:6bf5e$44315011$d52ff9ab$24955@news.chello.at...
>> http://www.codeguru.com/network/ipmon.html
>
> this wont compile here, but i had a look at the code and cannot find my
> mistake,
> if someone is willed to point me to my mistake that woul be awesome.
>
> the src including solution and project files can be found here:
> http://members.chello.at/l.moser/cpp/rawSocket.zip
>
> thanks in advance
> Ludwig Moser
>
>

I recollect that someone wrote that it depends upon adapter used, so try 
that with different adapter ( machine )
Arkady

"Arkady Frenkel"  wrote in message 
news:ekzDbz6VGHA.4568@TK2MSFTNGP15.phx.gbl...
> Seems OK, check what is problem with ipmon and try it. The arrows "<" and 
> ">" shows in/out directions and that work on my XP SP2 machine too ( look 
> at attached shap )
> Arkady
>
> "Ludwig Moser"  wrote in message 
> news:6bf5e$44315011$d52ff9ab$24955@news.chello.at...
>>> http://www.codeguru.com/network/ipmon.html
>>
>> this wont compile here, but i had a look at the code and cannot find my
>> mistake,
>> if someone is willed to point me to my mistake that woul be awesome.
>>
>> the src including solution and project files can be found here:
>> http://members.chello.at/l.moser/cpp/rawSocket.zip
>>
>> thanks in advance
>> Ludwig Moser
>>
>>
>
>
>

"Arkady Frenkel"  schrieb im Newsbeitrag 
news:u7DVNj7VGHA.3284@TK2MSFTNGP09.phx.gbl...
>I recollect that someone wrote that it depends upon adapter used, so try 
>that with different adapter ( machine )
> Arkady

i ran ipmon on my local machine and it 'sees' some outgoing msgs (guess only 
some caused by the sleep?)
i got only one ethernet adapter in my local machine;
i was at a friends home and tried my program over there; outgoing msgs were 
showing up
once again, NOT ALL were shown;
is it possible that something limits my rights/access to the adapter?
if yes, how can i fix that (i am in administrator level at home, was at user 
level at the mates pc)

greets
lumo

Hi!

Do you mean that with your app you can see outgoing packets and with ipmon 
you do see ( at least partly ) ?
OTOH admin rights mean allow all ( no partly admin rights :) AFAIK ).
And for raw sockets you do have to have them starting from W2K, in previous 
OS you do come overcome that demand setting registry key

Arkady


"Ludwig Moser"  wrote in message 
news:c8cd8$4432869b$d52ff9ab$27862@news.chello.at...
> "Arkady Frenkel"  schrieb im Newsbeitrag 
> news:u7DVNj7VGHA.3284@TK2MSFTNGP09.phx.gbl...
>>I recollect that someone wrote that it depends upon adapter used, so try 
>>that with different adapter ( machine )
>> Arkady
>
> i ran ipmon on my local machine and it 'sees' some outgoing msgs (guess 
> only some caused by the sleep?)
> i got only one ethernet adapter in my local machine;
> i was at a friends home and tried my program over there; outgoing msgs 
> were showing up
> once again, NOT ALL were shown;
> is it possible that something limits my rights/access to the adapter?
> if yes, how can i fix that (i am in administrator level at home, was at 
> user level at the mates pc)
>
> greets
> lumo
>

> Hi!
>
> Do you mean that with your app you can see outgoing packets and with ipmon 
> you do see ( at least partly ) ?
> OTOH admin rights mean allow all ( no partly admin rights :) AFAIK ).
> And for raw sockets you do have to have them starting from W2K, in 
> previous OS you do come overcome that demand setting registry key
>
> Arkady

i mean, my program does not see outgoing traffic
ipmon sees outgoing traffic >>sometimes<<
(saw ONE outgoing package in my last test, this test did not bring any 
outgoing packages...)

did ms change something in the last servicepack?
(i am running windows mce 2005 SP2 with all latest patches)

Ludwig
PS: my program was showing up >>SOME<< outgoing packages in university!
-> this totally confuses me; did you see any mistakes in code?

You just doubled the same string ( if and else are the same as UDP too ) , 
look at:
if( szSourceIP == pHostent->h_addr_list[0])

printf("[TCP]\t%s:%d\t<-\t%s:%d\n",szSourceIP,ntohs(pTcpheader->sport), 
szDestIP,ntohs(pTcpheader->dport));

else

printf("[TCP]\t%s:%d\t->\t%s:%d\n",szSourceIP,ntohs(pTcpheader->sport), 
szDestIP,ntohs(pTcpheader->dport));

Arkady


"Ludwig Moser"  wrote in message 
news:2882e$4433928d$d52ff9ab$7407@news.chello.at...
>> Hi!
>>
>> Do you mean that with your app you can see outgoing packets and with 
>> ipmon you do see ( at least partly ) ?
>> OTOH admin rights mean allow all ( no partly admin rights :) AFAIK ).
>> And for raw sockets you do have to have them starting from W2K, in 
>> previous OS you do come overcome that demand setting registry key
>>
>> Arkady
>
> i mean, my program does not see outgoing traffic
> ipmon sees outgoing traffic >>sometimes<<
> (saw ONE outgoing package in my last test, this test did not bring any 
> outgoing packages...)
>
> did ms change something in the last servicepack?
> (i am running windows mce 2005 SP2 with all latest patches)
>
> Ludwig
> PS: my program was showing up >>SOME<< outgoing packages in university!
> -> this totally confuses me; did you see any mistakes in code?
>

> You just doubled the same string ( if and else are the same as UDP too ) , 
> look at:
> if( szSourceIP == pHostent->h_addr_list[0])
>
> printf("[TCP]\t%s:%d\t<-\t%s:%d\n",szSourceIP,ntohs(pTcpheader->sport), 
> szDestIP,ntohs(pTcpheader->dport));
>
> else
>
> printf("[TCP]\t%s:%d\t->\t%s:%d\n",szSourceIP,ntohs(pTcpheader->sport), 
> szDestIP,ntohs(pTcpheader->dport));
>
> Arkady

true, saw that mistake too while in university;
finally i dropped all the code and started all over.

i think the code is more clear now.
and it DOES show outgoing traffic now,
but still not ALL outgoing.
possibly its just not as fast at reading out while receiving..?

eg:
[TCP]  213.239.203.47:80 -> 192.168.1.2:2299
[TCP]  213.239.203.47:80 -> 192.168.1.2:2299
[TCP]  213.239.203.47:80 -> 192.168.1.2:2299
[TCP]  213.239.203.47:80 -> 192.168.1.2:2299
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  213.239.203.47:80 -> 192.168.1.2:2299
[TCP]  213.239.203.47:80 -> 192.168.1.2:2299
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  213.239.203.47:80 -> 192.168.1.2:2303
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  192.168.1.2:2301 -> 213.239.203.47:80 <==
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  192.168.1.2:2301 -> 213.239.203.47:80 <==
[TCP]  213.239.203.47:80 -> 192.168.1.2:2301
[TCP]  213.239.203.47:80 -> 192.168.1.2:2303
[TCP]  213.239.203.47:80 -> 192.168.1.2:2303
[TCP]  213.239.203.47:80 -> 192.168.1.2:2303
[TCP]  213.239.203.47:80 -> 192.168.1.2:2303
[TCP]  213.239.203.47:80 -> 192.168.1.2:2303

the two marked lines should not be that near together
cause when i click in Firefox it requests a document with pix -> more than 
one tcp will be opened from webserver to me.
first marked line should be like 8 lines further up (tested on a page with 
more than one pix)

any ideas?
greets
ludwig

To understand what happen, you need to enter into content of packet and see 
what is the data inside, maybe that all, maybe not. But the speed of reading 
is the same so IMHO that not the problem. Check content and see if all data 
there
Arkady

"Ludwig Moser"  wrote in message 
news:82ba4$4433ecb8$d52ff9ab$29367@news.chello.at...
>> You just doubled the same string ( if and else are the same as UDP too ) 
>> , look at:
>> if( szSourceIP == pHostent->h_addr_list[0])
>>
>> printf("[TCP]\t%s:%d\t<-\t%s:%d\n",szSourceIP,ntohs(pTcpheader->sport), 
>> szDestIP,ntohs(pTcpheader->dport));
>>
>> else
>>
>> printf("[TCP]\t%s:%d\t->\t%s:%d\n",szSourceIP,ntohs(pTcpheader->sport), 
>> szDestIP,ntohs(pTcpheader->dport));
>>
>> Arkady
>
> true, saw that mistake too while in university;
> finally i dropped all the code and started all over.
>
> i think the code is more clear now.
> and it DOES show outgoing traffic now,
> but still not ALL outgoing.
> possibly its just not as fast at reading out while receiving..?
>
> eg:
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2299
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2299
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2299
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2299
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2299
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2299
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2303
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  192.168.1.2:2301 -> 213.239.203.47:80 <==
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  192.168.1.2:2301 -> 213.239.203.47:80 <==
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2301
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2303
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2303
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2303
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2303
> [TCP]  213.239.203.47:80 -> 192.168.1.2:2303
>
> the two marked lines should not be that near together
> cause when i click in Firefox it requests a document with pix -> more than 
> one tcp will be opened from webserver to me.
> first marked line should be like 8 lines further up (tested on a page with 
> more than one pix)
>
> any ideas?
> greets
> ludwig
>
>