分享
 
 
 

sniffer技术原理及应用,包括编程方法和工具使用(2)

王朝c#·作者佚名  2006-12-16
窄屏简体版  字體: |||超大  

sunxufei:

哦,交换机是以MAC地址进行交换的,不是IP那一层的,要IP已经路由器了

现在交换机便宜了,因此以后你想用sniffer抓密码概率不大了,不过还能多公司仍然是交换机和H

UB一起用的,这样小范围内是有效地,至于ADSL CABLE FTTB,我的FTTB是用华为设计的设备

,呵呵,不仅仅工网IP,只有我和交换机两个MAC(这次中国人干的不错),没希望找到第三者,很安全,但

不都这样安全,很多人的网络还是很糟糕的.

很多加密协议可以用来提高安全性,但老的POP3,SMTP,HTTP,FTP这种协议应用广泛,不可能在短

时间内完全取代,而且加密也是有待价的,所以对于要求较高的场合,才会加密.

不过sniffer不是给大家偷密码用的,我当初用来学习网络,看看包的样子,后来就用来当作网管工具,

分析网络的健康与否,其实这样的话,你知道,很有可能sniffer就是接在我需要探测的网络上,听诊器

吗,到处都听听,呵呵,因此即使用了交换机,sniffer仍然是有用处的,但不是抓密码!!

Wincap很简单,大3的学生不要怕,去他的网站看看,有例子的,VC6编译,BCB也行的,把lib的格式转

换一下,不过写这种程序,你最好先熟悉协议,很多协议在linux里有现成的源代码,主要是一些struct

吧,移植时注意VC可不是gcc,有些c的高级语法,编译选项要注意,否则差一个byte你就得不到正确的

结果.

如果你搞不到sniffer,Win2000 Server也有网络包查看器的,不比sniffer强大,但简单的东西入手

也快.

反嗅探和嗅探技术其实很old了,呵呵,不过CSDN经常old的.

注意不要干坏事,有矛必有盾

sevencat:

网卡的混杂模式好像要通过NDIS设置。

下面是转贴的。

哪位UP一下,我来贴完。

一、驱动开发网

作者:gjpland

看到很多仁兄提供的数据包的拦截技术,其中最多的是编写IM DRIVER在NDIS中间层

对MINIPORT(网卡驱动程序)和协议驱动程序之间的数据包进行拦截。这是微软提供的一种技术

但编写该过滤程序拦截程序非常的复杂,安装也很麻烦。

本人简单的介绍一种更有效的基于NDIS包拦截技术。

大家都知道,NDIS协议驱动程序是通过填写一张NDIS_PROTOCOL_CHARACTERISTICS的表

,并调用NDIS API

函数NdisRegisterProtocol进行注册。现在我们来关注一下NDIS_PROTOCOL_CHARACTERI

STICS这张表,

这张表中存有所有协议驱动程序与底层的派发函数的入口。如SendHandler,ReceiveHandler,Bi

ndAdapterHandler等,

当网卡有数据包进入时,会通过表中ReceiveHandle 或ReceivePacketHandler通知协议驱动程

序有一个该协议

的数据包进入,反之协议驱动程序是通过SendHandler或SendPacketsHandler函数向网卡驱动

发送数据包到网络

上去的,有人会奇怪程序中明明不是调用NdisSend或NdisSendPackets函数发送的吗?没错,

是这样的,

但是你可以看一下NDIS.H的头文件里对这两个函数的定义就知道了,他们都是一个

宏定义,实际还是通过这表中SendHandler或SendPacketsHandler发送的。

现在我们所要做的事情应该很清楚了,只要我们能够将每一个协议程序所填写的NDIS_PROTOCO

L_CHARACTERISTICS

表里的派发函数指向自己的函数,我们就能成功的对数据包进行拦截。那么每个协议驱动程序的这张

表到底存放在

那里呢?太简单了,看一下下面的我对NdisRegisterProtocol重新给出的原型就很明白了。

struct _NDIS_PROTOCOL_BLOCK

{

PNDIS_OPEN_BLOCK OpenQueue; // queue of opens for this protocol

REFERENCE Ref; // contains spinlock for OpenQueue

UINT Length; // of this NDIS_PROTOCOL_BLOCK struct

NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;// handler

addresses

struct _NDIS_PROTOCOL_BLOCK * NextProtocol; // Link to next

ULONG MaxPatternSize;

#if defined(NDIS_WRAPPER)

//

// Protocol filters

//

struct _NDIS_PROTOCOL_FILTER * ProtocolFilter[NdisMediumMax+1];

WORK_QUEUE_ITEM WorkItem; // Used during NdisRegisterProtocol to

// notify protocols of existing drivers.

KMUTEX Mutex; // For serialization of Bind/Unbind requests

PKEVENT DeregEvent; // Used by NdisDeregisterProtocol

#endif

};

typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK,

*PNDIS_PROTOCOL_BLOCK;

EXPORT

VOID

NdisRegisterProtocol(

OUT PNDIS_STATUS Status,

OUT PNDIS_PROTOCOL_BLOCK NdisProtocolHandle, /*注意NDIS_HANDLE所指向的

就是PNDIS_PROTOCOL_BLOCK的结构,不要有什么怀疑。*/

IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics,

IN UINT CharacteristicsLength

);

NDIS_PROTOCOL_BLOCK(协议表)

是NDIS维护所有系统中已注册协义的单向链接表。字段NextProtocol指向下一个协议表。

庆幸的是,当我们注册一新的协议时,NDIS总是会把新注册的协义放在链表的头并返回这张表,

所以只要我们注册一个新的协议

通过新协议注册返回的链表头就可以轻而易举的遍历系统中所有协议表.现在我们所希望得到的每个

协议的

NDIS_PROTOCOL_CHARACTERISTICS表就放在我们面前了,如何勾挂表中的派发函数,我

想不必多说了吧。顺便说一句

NDISREGISTERPROTOCOL为NDIS_PROTOCOL_BLOCK所分配的内存是NonPagedPool

类型的。对于核心DRIVER来说,核心区内存

是一个线性的内存区,所有核心DRIVER是可以随便访问核心内存区的任意地址。所要注意的是不

同IRQL级别下对分页

和非分页内存。

有人会问这样就行了吗?真的拦截下来了吗?如果有那位仁兄心急现在就写程序的话,

准会失望的,因为他会发现结果什么东西都没拦截到或偶而会拦截到一些数据包。为什么?

因为NDIS网卡驱动和协议驱动在发送和接收到数居时并不是调用PNDIS_OPEN_BLOCK->Proto

colCharacteristics

里的派发函数。怎么办?

有必要先介绍一下NDIS网卡驱动和协议驱动之间是如何BINDING 的吧,

NdisRegisterProtocol在注册完一个协议后,不久NDIS会通过调用表中

BindAdapterHandler派发函数,通知协议对每一个网卡进行BINDING。或者当系统通PNP找到

一块新的网卡时

也会调用BindAdapterHandler对协议进行BINDING。协议在BINDING 调用里,会根据自己的

需要使用NdisOpenAdapter

将自身绑定到适合的网卡。并返回NdisBindingHandle.NdisBindingHandle是什么?NdisBin

dingHandl其实是

指向NDIS_OPEN_BLOCK表的一根指针,那么NDIS_OPEN_BLOCK表有什么用呢?当协议顺

利的绑定后,每个绑定的网卡

和每一个协议之间建立了数据传输的通道,而NDIS_OPEN_BLOCK就是用来维护这一数据通道的

表。

struct _NDIS_OPEN_BLOCK

{

PNDIS_MAC_BLOCK MacHandle; // pointer to our MAC

NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs

PNDIS_ADAPTER_BLOCK AdapterHandle; // pointer to our adapter

PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol

NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs

PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter's OpenQueue

PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue

PFILE_OBJECT FileObject; // created by operating system

BOOLEAN Closing; // TRUE when removing this struct

BOOLEAN Unloading; // TRUE when processing unload

BOOLEAN NoProtRsvdOnRcvPkt; // Reflect the protocol_options

NDIS_HANDLE CloseRequestHandle; // 0 indicates an internal close

KSPIN_LOCK SpinLock; // guards Closing

PNDIS_OPEN_BLOCK NextGlobalOpen;

//

// These are optimizations for getting to MAC routines. They are not

// necessary, but are here to save a dereference through the MAC block.

//

SEND_HANDLER SendHandler;

TRANSFER_DATA_HANDLER TransferDataHandler;

//

// These are optimizations for getting to PROTOCOL routines. They are not

// necessary, but are here to save a dereference through the PROTOCOL block.

//

SEND_COMPLETE_HANDLER SendCompleteHandler;

TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;

RECEIVE_HANDLER ReceiveHandler;

RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;

//

// Extentions to the OPEN_BLOCK since Product 1.

//

RECEIVE_HANDLER PostNt31ReceiveHandler;

RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;

//

// NDIS 4.0 extensions

//

RECEIVE_PACKET_HANDLER ReceivePacketHandler;

SEND_PACKETS_HANDLER SendPacketsHandler;

//

// More NDIS 3.0 Cached Handlers

//

RESET_HANDLER ResetHandler;

REQUEST_HANDLER RequestHandler;

//

// Needed for PnP

//

UNICODE_STRING AdapterName; // Upcased name of the adapter we are bound to

};

上面的表结构可以很清楚的看到这张表是一个单向链接表,并且存放了和PNDIS_OPEN_BLOCK-

>ProtocolCharacteristics

一样的数据收发派发函数,当第N块网卡发送数据包到第N个协议时,就会调用第N个协议与第N个

网卡之间建立的

NDIS_OPEN_BLOCK表里的SendHandler或SendPacketHandler。所以我们还需要对这张表

里的派发函数进行处理(勾挂)。

那么又如何勾挂协议与网卡之间的NDIS_OPEN_BLOCK表呢。我们再回到NDIS_PROTOCOL_

BLOCK这张表中,在

NDIS_PROTOCOL_BLOCK表中字段PNDIS_OPEN_BLOCK OpenQueue;就是所有该协议所

有NDIS_OPEN_BLOCK的表头。

通过AdapterNextOpen遍历一下,再勾挂一把。就可以顺利拦截了。

值得注意的是。

1。

NDIS_OPEN_BLOCK

NDIS_PROTOCOL_BLOCK

这些结构不同NDIS版本是不同的,

解决方法是在windows 98和windows95下(ndis 3.1)使用windows98ddk 带的NDIS.H 里的

定义

在windows me下(ndis 5.0或4。0)请使用WINDOWS 98ddk里NDIS.H里的定义

nt(ndis4.0)用NTDDK里的定议,以此类推,2000(ndis5.0)

2。不要重复勾挂同一个函数。

有问题可以通过

QQ:3955727

mail:gjpland@netease.com

//

//Protocol Wrapper Version 1.05

//Author: gjp

//email: gjpland@netease.com

//

#include 'NdisHook.h'

#include 'HookRule.h'

#pragma pack(push)

#pragma pack(1)

typedef struct _HOOK_CONTEXT_STRUCT

{

//runtime code

ubyte code1_0x58; //0x58 | pop eax | pop caller IP from stack to

eax

ubyte code2_0x68; //0x68 | push IMM | push our hook context

address

struct _HOOK_CONTEXT_STRUCT *m_pHookContext;//point this

ubyte code3_0x50; //0x50 | push eax | push caller

IP from eax to stack

ubyte code4_0xE9; //0xE9 | jmp HookProc | jump our hook proc

udword m_pHookProcOffset;

//our context data

PVOID m_pOriginalProc;

PVOID m_pHookProc;

PVOID m_pBindAdaptHandle;

PVOID m_pProtocolContent;

PVOID *m_ppOriginPtr;

struct _HOOK_CONTEXT_STRUCT *m_pHookNext;

}HOOK_CONTEXT_STRUCT;

#pragma pack(pop)

HOOK_CONTEXT_STRUCT *m_pOurAllOfHookContext = NULL;

dword m_IsFilterEnabled = FALSE;

NDIS_HANDLE m_ourPacketPoolHandle = NULL;

NDIS_HANDLE m_ourBufferPoolHandle = NULL;

PNDIS_PACKET m_ourPacketHandle = NULL;

PNDIS_BUFFER m_ourBufferHandle = NULL;

PVOID m_ourBuffer = NULL;

void ReadPacket(PNDIS_PACKET Packet,PVOID pBuffer,udword dwBufSize);

uword wswap(uword value);

void HookUnload(void)

{

ReleaseHookFunc();

if( m_ourBufferHandle )

{

NdisFreeBuffer(m_ourBufferHandle);

m_ourBufferHandle = NULL;

}

if( m_ourBuffer )

{

NdisFreeMemory(m_ourBuffer,MAX_PACKET_SIZE,0);

m_ourBuffer = NULL;

}

if( m_ourPacketHandle )

{

NdisFreePacket(m_ourPacketHandle);

m_ourPacketHandle = NULL;

}

if( m_ourBufferPoolHandle )

{

NdisFreeBufferPool(m_ourBufferPoolHandle);

m_ourBufferPoolHandle = NULL;

}

if( m_ourPacketPoolHandle )

{

NdisFreePacketPool(m_ourPacketPoolHandle);

m_ourPacketPoolHandle = NULL;

}

return;

}

dword HookInit(void)

{

NTSTATUS status;

m_ourPacketPoolHandle = NULL;

NdisAllocatePacketPool(&status,&m_ourPacketPoolHandle,0xFFF,0x10);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourBufferPoolHandle = NULL;

NdisAllocateBufferPool(&status,&m_ourBufferPoolHandle,0x10);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourBuffer = NULL;

status =

NdisAllocateMemoryWithTag(&m_ourBuffer,MAX_PACKET_SIZE,'NAMW');

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourBufferHandle = NULL;

NdisAllocateBuffer(&status,&m_ourBufferHandle,m_ourBufferPoolHandle,m_ourBuff

er,MAX_PACKET_SIZE);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourPacketHandle = NULL;

NdisAllocatePacket(&status,&m_ourPacketHandle,m_ourPacketPoolHandle);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

NdisChainBufferAtFront(m_ourPacketHandle,m_ourBufferHandle);

return TRUE;

}

typedef struct _NDIS41_PROTOCOL_CHARACTERISTICS

{

#ifdef __cplusplus

NDIS40_PROTOCOL_CHARACTERISTICS Ndis40Chars;

#else

NDIS40_PROTOCOL_CHARACTERISTICS;

#endif

//

// Start of NDIS 4.1 extensions.

//

CO_SEND_COMPLETE_HANDLER

CoSendCompleteHandler;

CO_STATUS_HANDLER

CoStatusHandler;

CO_RECEIVE_PACKET_HANDLER

CoReceivePacketHandler;

CO_REQUEST_HANDLER

CoRequestHandler;

CO_REQUEST_COMPLETE_HANDLER

CoRequestCompleteHandler;

} NDIS41_PROTOCOL_CHARACTERISTICS;

dword HookProtocol(void)

{

//Default ndis version is 5.0

NDIS_PROTOCOL_CHARACTERISTICS ourNPC;

NDIS_STRING protoName = NDIS_STRING_CONST('HdFw_Slot');

NDIS_STATUS Status;

NDIS_HANDLE ourProtocolHandle = NULL;

byte *ProtocolChain;

dword offset;

dword len;

// NDIS_PROTOCOL_BLOCK *pNdisBlock = NULL;

// pNdisBlock = pNdisBlock->NextProtocol;

// pNdisBlock->NextProtocol = NULL;

memset(&ourNPC,0,sizeof(NDIS_PROTOCOL_CHARACTERISTICS));

if( m_dwMajorVersion == 0x03 )

{

len = sizeof(NDIS30_PROTOCOL_CHARACTERISTICS);

//We must need at least ndis version 3.10

ourNPC.MajorNdisVersion = 0x03;

ourNPC.MinorNdisVersion = 0x0A;

}

else

if( m_dwMajorVersion == 0x04 )

{

len = sizeof(NDIS40_PROTOCOL_CHARACTERISTICS);

ourNPC.MajorNdisVersion = 0x04;

ourNPC.MinorNdisVersion = 0x00;

}

else

{ //treat as version 5.0

len = sizeof(NDIS50_PROTOCOL_CHARACTERISTICS);

ourNPC.MajorNdisVersion = 0x05;

ourNPC.MinorNdisVersion = 0x00;

}

ourNPC.Name = protoName;

ourNPC.OpenAdapterCompleteHandler = PtOpenAdapterComplete;

ourNPC.CloseAdapterCompleteHandler = PtCloseAdapterComplete;

ourNPC.SendCompleteHandler = PtSendComplete;

ourNPC.TransferDataCompleteHandler = PtTransferDataComplete;

ourNPC.ResetCompleteHandler = PtResetComplete;

ourNPC.RequestCompleteHandler = PtRequestComplete;

ourNPC.ReceiveHandler = PtReceive;

ourNPC.ReceiveCompleteHandler = PtReceiveComplete;

ourNPC.StatusHandler = PtStatus;

ourNPC.StatusCompleteHandler = PtStatusComplete;

ourNPC.BindAdapterHandler = PtBindAdapter;

ourNPC.UnbindAdapterHandler = PtUnbindAdapter;

ourNPC.UnloadHandler = PtUnload;

ourNPC.ReceivePacketHandler = PtReceivePacket;

ourNPC.PnPEventHandler = PtPNPHandler;

NdisRegisterProtocol(&Status,&ourProtocolHandle,&ourNPC,len);

if( !NT_SUCCESS(Status) || ourProtocolHandle == NULL )

return FALSE;

//NdisRegisterProtocol return hand reference of

NDIS_PROTOCOL_BLOCK;

ProtocolChain = (byte *)ourProtocolHandle;

while(1)

{

DebugInfoCount++;

//Obtain pointer to next protocol link.

if( m_dwMajorVersion == 0x03 )

offset = 4;

else

if( m_dwMajorVersion == 0x04 )

{

if( m_dwMinorVersion == 0x01 )

offset = 0x8C;

else

offset = 0x60;

}

else

if( m_dwMajorVersion == 0x05 )

//NDIS_PROTOCOL_BLOCK->NextProtocol

offset = 0x10;

else

//Error

break;

ProtocolChain = ((byte **)(ProtocolChain + offset))[0];

if( ProtocolChain == NULL )

break;

HookFuncBlock(ProtocolChain);

}

if( m_dwMajorVersion != 4 )

NdisDeregisterProtocol(&Status,ourProtocolHandle);

else

{

// ((byte *)ourProtocolHandle)[0x0C] = 0x01;

// NdisDeregisterProtocol(&Status,ourProtocolHandle);

}

return TRUE;

}

// ProtocolContent

// Version NextChain offset NDIS_PROTOCOL_CHARACTERISTICS offset

BindingAdaptHandle offset

// NDIS 3.XX 0x04

0x14

0x08

// NDIS 4.XX 0x60

0x14

0x00

// NDIS 4.01 0x8C

0x14

0x00

// NDIS 5.XX 0x10

0x14

0x00

//-----

VOID HookProtocolSendPackets(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

MiniportAdapterContext,

IN PPNDIS_PACKET PacketArray,

IN UINT

NumberOfPackets

);

NDIS_STATUS HookProtocolWanSend(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

MacBindingHandle,

IN NDIS_HANDLE LinkHandle,

IN PVOID Packet

);

NDIS_STATUS HookProtocolSend(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

MacBindingHandle,

IN PNDIS_PACKET Packet

);

NDIS_STATUS HookProtocolReceive(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE ProtocolBindingContext,

IN NDIS_HANDLE MacReceiveContext,

IN PVOID HeaderBuffer,

IN UINT HeaderBufferSize,

IN PVOID LookAheadBuffer,

IN UINT LookaheadBufferSize,

IN UINT PacketSize

);

NDIS_STATUS HookWanReceive(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

NdisLinkHandle,

IN PUCHAR

Packet,

IN ULONG

PacketSize

);

INT HookProtocolReceivePacket(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

ProtocolBindingContext,

IN PNDIS_PACKET Packet

);

VOID HookBindAdapterHandler(

IN

HOOK_CONTEXT_STRUCT *pOurContext,

OUT

PNDIS_STATUS Status,

IN

NDIS_HANDLE BindContext,

IN

PNDIS_STRING DeviceName,

IN PVOID

SystemSpecific1,

IN PVOID

SystemSpecific2);

VOID HookSendComplete(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE ProtocolBindingContext,

IN PNDIS_PACKET Packet,

IN NDIS_STATUS Status

);

void ReleaseHookFunc(void)

{

HOOK_CONTEXT_STRUCT *pHookContext,*pNext;

pHookContext = m_pOurAllOfHookContext;

m_pOurAllOfHookContext = NULL;

while(pHookContext)

{

pNext = pHookContext->m_pHookNext;

pHookContext->m_ppOriginPtr[0] =

pHookContext->m_pOriginalProc;

ExFreePool(pHookContext);

pHookContext = pNext;

}

return;

}

HOOK_CONTEXT_STRUCT *IsHookedNdisFunc(PVOID pAddr)

{

HOOK_CONTEXT_STRUCT *pHookContext;

pHookContext = m_pOurAllOfHookContext;

while(pHookContext)

{

if( pHookContext == pAddr )

break;

pHookContext = pHookContext->m_pHookNext;

}

return pHookContext;

}

HOOK_CONTEXT_STRUCT *IsHookedNdisFuncEx(PVOID *pAddr)

{

HOOK_CONTEXT_STRUCT *pHookContext;

pHookContext = m_pOurAllOfHookContext;

while(pHookContext)

{

if( pHookContext->m_ppOriginPtr == pAddr )

break;

pHookContext = pHookContext->m_pHookNext;

}

return pHookContext;

}

HOOK_CONTEXT_STRUCT *HookNdisFunc(PVOID pHookProc,PVOID

*ppOrigProc,PVOID pBindAdaptHandle,PVOID pProtocolContent)

{

HOOK_CONTEXT_STRUCT *pHookContext;

PVOID OrgFunc;

pHookContext = IsHookedNdisFunc(ppOrigProc[0]);

if( pHookContext )

OrgFunc = pHookContext->m_pOriginalProc;

else

OrgFunc = ppOrigProc[0];

if( OrgFunc == NULL )

return NULL;

pHookContext = IsHookedNdisFuncEx(ppOrigProc);

if( pHookContext )

return pHookContext;

pHookContext =

ExAllocatePoolWithTag(NonPagedPool,sizeof(HOOK_CONTEXT_STRUCT),'HCSP');

if( pHookContext == NULL )

return NULL;

memset(pHookContext,0,sizeof(HOOK_CONTEXT_STRUCT));

pHookContext->code1_0x58 = 0x58;

pHookContext->code2_0x68 = 0x68;

pHookContext->code3_0x50 = 0x50;

pHookContext->code4_0xE9 = 0xE9;

pHookContext->m_pHookContext = pHookContext;

pHookContext->m_pHookProcOffset = ((udword)pHookProc) -

(((udword)&pHookContext->m_pHookProcOffset) + sizeof(udword));

pHookContext->m_pBindAdaptHandle = pBindAdaptHandle;

pHookContext->m_pProtocolContent = pProtocolContent;

pHookContext->m_pOriginalProc = OrgFunc;//ppOrigProc[0];

pHookContext->m_ppOriginPtr = ppOrigProc;

pHookContext->m_pHookProc = pHookProc;

pHookContext->m_pHookNext = m_pOurAllOfHookContext;

m_pOurAllOfHookContext = pHookContext;

ppOrigProc[0] = pHookContext;

return pHookContext;

}

typedef

struct _NDIS40_OPEN_BLOCK

{

PNDIS_MAC_BLOCK MacHandle;

// pointer to our MAC

NDIS_HANDLE

MacBindingHandle; // context when calling MacXX funcs

PNDIS_ADAPTER_BLOCK AdapterHandle;

// pointer to our adapter

PNDIS_PROTOCOL_BLOCK ProtocolHandle; //

pointer to our protocol

NDIS_HANDLE

ProtocolBindingContext;// context when calling ProtXX funcs

PNDIS_OPEN_BLOCK AdapterNextOpen; //

used by adapter's OpenQueue

PNDIS_OPEN_BLOCK ProtocolNextOpen; //

used by protocol's OpenQueue

PFILE_OBJECT FileObject;

// created by operating system

BOOLEAN

Closing; // TRUE when removing this struct

BOOLEAN

Unloading; // TRUE when processing unload

NDIS_HANDLE

CloseRequestHandle; // 0 indicates an internal close

KSPIN_LOCK SpinLock;

// guards Closing

PNDIS_OPEN_BLOCK NextGlobalOpen;

//

// These are optimizations for getting to MAC routines. They are not

// necessary, but are here to save a dereference through the MAC block.

//

SEND_HANDLER SendHandler;

TRANSFER_DATA_HANDLER TransferDataHandler;

//

// These are optimizations for getting to PROTOCOL routines. They are

not

// necessary, but are here to save a dereference through the PROTOCOL

block.

//

SEND_COMPLETE_HANDLER SendCompleteHandler;

TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;

RECEIVE_HANDLER

ReceiveHandler;

RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;

//

// Extentions to the OPEN_BLOCK since Product 1.

//

RECEIVE_HANDLER

PostNt31ReceiveHandler;

RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;

//

// NDIS 4.0 extensions

//

RECEIVE_PACKET_HANDLER ReceivePacketHandler;

SEND_PACKETS_HANDLER SendPacketsHandler;

//

// Needed for PnP

//

UNICODE_STRING AdapterName;

// Upcased name of the adapter we are bound to

}NDIS40_OPEN_BLOCK,*PNDIS40_OPEN_BLOCK;

void HookFuncBlock(byte *ProtocolContent)

{

PNDIS_PROTOCOL_CHARACTERISTICS pProChar;

dword IsWan;

NDIS_STRING WanString = NDIS_STRING_CONST('NDISWAN');

NDIS_STRING DeviceWanString =

NDIS_STRING_CONST('\\DEVICE\\NDISWAN');

NDIS_STRING TcpipString = NDIS_STRING_CONST('Tcpip');

NDIS_STRING TcpArpString = NDIS_STRING_CONST('TCPIP_WANARP');

NDIS_STRING RasArpString = NDIS_STRING_CONST('RASARP');

if( ProtocolContent == NULL )

return;

//Get pointer to NDIS_PROTOCOL_CHARACTERISTICS from protocol

content

pProChar = (PNDIS_PROTOCOL_CHARACTERISTICS)(ProtocolContent +

0x14);

if( KeGetCurrentIrql() == PASSIVE_LEVEL )

{

//Check protocol name whether is Wan Lan protocol so that we

can correctly hook our function

if(

!RtlCompareUnicodeString(&pProChar->Name,&WanString,TRUE) ||

!RtlCompareUnicodeString(&pProChar->Name,&DeviceWanString,TRUE) )

{

IsWan = 1;

}

else

IsWan = 0;

//We r only interest in following protocol

if(

!(!RtlCompareUnicodeString(&pProChar->Name,&TcpipString,TRUE) ||

!RtlCompareUnicodeString(&pProChar->Name,&TcpArpString,TRUE) ||

!RtlCompareUnicodeString(&pProChar->Name,&RasArpString,TRUE)) )

{

return;

}

}

else

IsWan = 0;

//

if( !IsWan )

{

HookNdisFunc(HookProtocolReceive,(PVOID

*)&pProChar->ReceiveHandler,NULL,ProtocolContent);

//{{added by gjp 6.24

// __asm int 3;

// HookNdisFunc(HookSendComplete,(PVOID

*)&pProChar->SendCompleteHandler,NULL,ProtocolContent);

//}}

}

else

HookNdisFunc(HookWanReceive,(PVOID

*)&pProChar->WanReceiveHandler,NULL,ProtocolContent);

if(pProChar->MajorNdisVersion > 0x03 )

{

HookNdisFunc(HookProtocolReceivePacket,(PVOID

*)&pProChar->ReceivePacketHandler,NULL,ProtocolContent);

HookNdisFunc(HookBindAdapterHandler,(PVOID

*)&pProChar->BindAdapterHandler,NULL,ProtocolContent);

}

zihan:

Guniffer我做过修改,用线程实现,还比较好用.是bcb做的

//---------------------------------------------------------------------------

#include <vcl.h>

#pragma hdrstop

#include 'SnifferThread.h'

#include 'Main.h'

#pragma package(smart_init)

//---------------------------------------------------------------------------

__fastcall TSniffer::TSniffer(bool CreateSuspended)

: TThread(CreateSuspended)

{

MParamTcp = true; // 关注TCP 报文

MParamUdp = true; // 关注UDP 报文

MParamIcmp = true; // 关注ICMP报文

MParamDecode = true;

FreeOnTerminate = true;

strcpy(TcpFlag, 'FSRPAU');

//TcpFlag[6]={'F','S','R','P','A','U'}; //定义TCP标志位

strFromIpFilter = NULL; // 源IP地址过滤

strDestIpFilter = NULL; // 目的地址过滤

strSensitive = NULL; // 敏感字符串

iPortFilter = 0; // 端口过滤

RecvBuf[MAX_PACK_LEN] = NULL;

}

//---------------------------------------------------------------------------

void __fastcall TSniffer::Execute()

{

//---- Place thread code here ----

//侦听IP报文

SnifferInit();

while(!Terminated)

{

ReceiveData();

}

Form1->ListView1->AddItem('线程结束,停止截获...', 0);

}

void TSniffer::SnifferInit()

{

//初始化SOCKET

WSADATA wsaData;

iErrorCode = WSAStartup(MAKEWORD(2,1),&wsaData);

CheckSockError(iErrorCode, 'WSAStartup');

SockRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);

CheckSockError(SockRaw, 'socket');

//获取本机IP地址

char FAR name[MAX_HOSTNAME_LAN];

iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);

CheckSockError(iErrorCode, 'gethostname');

struct hostent FAR * pHostent;

pHostent = (struct hostent * )malloc(sizeof(struct hostent));

pHostent = gethostbyname(name);

SOCKADDR_IN sa;

sa.sin_family = AF_INET;

sa.sin_port = htons(6000);

memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0],

pHostent->h_length);

free(pHostent);

iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));

CheckSockError(iErrorCode, 'bind');

//设置SOCK_RAW为SIO_RCVALL,以便接收所有的IP包

LPVOID dwBufferLen[10] ;

DWORD dwBufferInLen = 1 ;

DWORD dwBytesReturned = 0 ;

iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen,

sizeof(dwBufferInLen),

&dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned , NULL,

NULL);

CheckSockError(iErrorCode, 'Ioctl');

}

//IP解包程序

int TSniffer::DecodeIpPack(char *buf, int iBufSize)

{

IP_HEADER *pIpheader;

SOCKADDR_IN saSource, saDest;

pIpheader = (IP_HEADER *)buf;

//协议甄别

iProtocol = pIpheader->proto;

strncpy(szProtocol, CheckProtocol(iProtocol), MAX_PROTO_TEXT_LEN);

if((iProtocol == IPPROTO_TCP) && (!MParamTcp))

return true;

if((iProtocol == IPPROTO_UDP) && (!MParamUdp))

return true;

if((iProtocol == IPPROTO_ICMP) && (!MParamIcmp))

return true;

//源地址

saSource.sin_addr.s_addr = pIpheader->sourceIP;

strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);

if (strFromIpFilter)

if (strcmp(strFromIpFilter,szSourceIP)) return true;

//目的地址

saDest.sin_addr.s_addr = pIpheader->destIP;

strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN);

if (strDestIpFilter)

if (strcmp(strDestIpFilter,szDestIP)) return true;

iTTL = pIpheader->ttl;

//计算IP首部的长度

int iIphLen = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);

//根据协议类型分别调用相应的函数

switch(iProtocol)

{

case IPPROTO_TCP :DecodeTcpPack(buf+iIphLen,

iBufSize);break;

case IPPROTO_UDP :DecodeUdpPack(buf+iIphLen,

iBufSize);break;

case IPPROTO_ICMP :DecodeIcmpPack(buf+iIphLen,

iBufSize);break;

default :break;

}

return true;

}

//协议识别程序

char* TSniffer::CheckProtocol(int iProtocol)

{

for(int i=0; i<MAX_PROTO_NUM; i++)

if(ProtoMap[i].ProtoNum==iProtocol)

return ProtoMap[i].ProtoText;

return '';

}

//TCP解包程序

int TSniffer::DecodeTcpPack(char * TcpBuf, int iBufSize)

{

TCP_HEADER * pTcpHeader;

int i;

int iSourcePort,iDestPort;

RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

pTcpHeader = (TCP_HEADER * )TcpBuf;

//计算TCP首部长度

int TcpHeaderLen = pTcpHeader->th_lenres>>4;

TcpHeaderLen *= sizeof(unsigned long);

char * TcpData=TcpBuf+TcpHeaderLen;

//如果过滤敏感字符串则判断是否包含

if (strSensitive)

if ((strstr(TcpData, strSensitive))==NULL) return true;

//对端口进行过滤

iSourcePort = ntohs(pTcpHeader->th_sport);

iDestPort = ntohs(pTcpHeader->th_dport);

if ((iPortFilter) && (iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter))

return true;

//输出

//sprintf(OtherInfo, '%s ', szProtocol);

//sprintf(OtherInfo, '%15s:%5d ->%15s:%5d ', szSourceIP, iSourcePort,

szDestIP, iDestPort);

//sprintf(OtherInfo, 'TTL=%3d ', iTTL);

ReceiveInfo->szProtocol = szProtocol;

ReceiveInfo->szSourceIP = szSourceIP;

ReceiveInfo->szDestIP = szDestIP;

ReceiveInfo->iSourcePort = iSourcePort;

ReceiveInfo->iDestPort = iDestPort;

ReceiveInfo->iTTL = iTTL;

//判断TCP标志位

unsigned char FlagMask = 1;

for( i=0; i<6; i++ )

{

if((pTcpHeader->th_flag) & FlagMask)

{

//sprintf(OtherInfo, '%c',TcpFlag[i]);

ReceiveInfo->TcpFlag[i] = TcpFlag[i];

}

else

{

//sprintf(OtherInfo, '-');

ReceiveInfo->TcpFlag[i] = '-';

}

FlagMask=FlagMask<<1;

}

//sprintf(OtherInfo, ' bytes=%4d\n', iBufSize);

ReceiveInfo->iBufSize = iBufSize;

//对于长度大于40字节的包进行数据分析(IP_HEADER+TCP_HEADER=40)

if ((MParamDecode) && (iBufSize>40))

{

//分析TCP数据段

if ((!strSensitive) || (strstr(TcpData,strSensitive)))

{

//sprintf(OtherInfo, '[DATA]\n');

//sprintf(OtherInfo, '%s%s', OtherInfo, TcpData);

//sprintf(OtherInfo, '%s\n [DATA END]\n\n\n',

OtherInfo);

ReceiveInfo->ReceiveData = TcpData;

}

}

//Form1->Memo1->Lines->Add(OtherInfo);

AddReceiveData(ReceiveInfo);

delete ReceiveInfo;

return true;

}

//UDP解包程序

int TSniffer::DecodeUdpPack(char * UdpBuf, int iBufSize)

{

UDP_HEADER *pUdpHeader;

pUdpHeader = (UDP_HEADER * )UdpBuf;

int iSourcePort = ntohs(pUdpHeader->uh_sport);

int iDestPort = ntohs(pUdpHeader->uh_dport);

RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

//对端口进行过滤

if(iPortFilter)

if ((iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter))

return true;

//printf('%s ', szProtocol);

//printf('%15s:%5d ->%15s:%5d ', szSourceIP, iSourcePort, szDestIP,

iDestPort);

//printf('TTL=%3d ', iTTL);

//printf('Len=%4d ', ntohs(pUdpHeader->uh_len));

//printf('bytes=%4d', iBufSize);

//printf('\n');

ReceiveInfo->szProtocol = szProtocol;

ReceiveInfo->szSourceIP = szSourceIP;

ReceiveInfo->iSourcePort = iSourcePort;

ReceiveInfo->szDestIP = szDestIP;

ReceiveInfo->iDestPort = iDestPort;

ReceiveInfo->iTTL = iTTL;

ReceiveInfo->Length = ntohs(pUdpHeader->uh_len);

ReceiveInfo->iBufSize = iBufSize;

//对于长度大于28字节的包进行数据分析(IP_HEADER+UDP_HEADER>28)

if ((MParamDecode) && (iBufSize>28))

{

//printf(' [DATA]\n');

//UDP首部长度为8

char * UdpData=UdpBuf+8;

//分析UDP数据段

ReceiveInfo->ReceiveData = UdpData;

TStringStream *DataStringStream = new TStringStream(NULL);

try{

DataStringStream->Write(UdpData, sizeof(UdpData));

//DataStringStream->CopyFrom(UdpData, sizeof(UdpData))}

ReceiveInfo->ReceiveUdpData = DataStringStream->DataString;}

__finally{

delete DataStringStream;}

for(unsigned int i=0;i<(iBufSize-sizeof(UDP_HEADER));i++)

{

//if (!(i%8)) sprintf(OtherInfo, '%s\n', OtherInfo);

//memset(OtherInfo, 0, strlen(OtherInfo));

if ( (UdpData[i]>33) && (UdpData[i]<122) )

//sprintf(OtherInfo, '%c', UdpData[i]);

;

else

//sprintf(UdpData, '[%3x]', abs(UdpData[i]));

UdpData[i] = '_';

}

//printf('\n [DATA END]\n\n\n');

}

AddReceiveData(ReceiveInfo);

delete ReceiveInfo;

return true;

}

//ICMP解包程序

int TSniffer::DecodeIcmpPack(char * IcmpBuf, int iBufSize)

{

ICMP_HEADER * pIcmpHeader;

pIcmpHeader = (ICMP_HEADER * )IcmpBuf;

int iIcmpType = pIcmpHeader->i_type;

int iIcmpCode = pIcmpHeader->i_code;

RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

//对类型进行过滤

if ((iPortFilter) && (iIcmpType!=iPortFilter)) return true;

//printf('%s ', szProtocol);

//printf('%15s Type%d ->%15s Code%d ', szSourceIP, iIcmpType,

szDestIP, iIcmpCode);

//printf('%15s ->%15s ', szSourceIP, szDestIP);

//printf('TTL=%3d ', iTTL);

//printf('Type%2d,%d ',iIcmpType,iIcmpCode);

//printf('bytes=%4d', iBufSize);

//printf('\n');

ReceiveInfo->szProtocol = szProtocol;

ReceiveInfo->szSourceIP = szSourceIP;

ReceiveInfo->iIcmpType = iIcmpType;

ReceiveInfo->szDestIP = szDestIP;

ReceiveInfo->iIcmpCode = iIcmpCode;

ReceiveInfo->iTTL = iTTL;

ReceiveInfo->iBufSize = iBufSize;

//对于包含数据段的包进行数据分析

if ((MParamDecode) && (iBufSize>28))

{

char * IcmpData=IcmpBuf+4;

//分析ICMP数据段

//printf(' [DATA]');

//for(unsigned int i=0;i<(iBufSize-sizeof(ICMP_HEADER));i++)

//{

// if (!(i%8)) printf('\n');

// if ( (IcmpData[i]>33) && (IcmpData[i]<122) )

// printf('%3c [%3x]', IcmpData[i],

IcmpData[i]);

// else printf(' [%3x]', abs(IcmpData[i]));

//}

//printf('\n [DATA END]\n\n\n');

ReceiveInfo->ReceiveData = IcmpData;

}

AddReceiveData(ReceiveInfo);

delete ReceiveInfo;

return true;

}

//SOCK错误处理程序

void TSniffer::CheckSockError(int iErrorCode, char *pErrorMsg)

{

if(iErrorCode==SOCKET_ERROR)

{

//printf('%s Error:%d\n', pErrorMsg, GetLastError());

Form1->ListView1->AddItem(pErrorMsg,0);

closesocket(SockRaw);

exit(0);

}

}

void TSniffer::AddReceiveData(RECEIVEINFO *ReceiveInfo)

{

TListItem *Item;

Item = Form1->ListView1->Items->Add();

Item->Caption = ReceiveInfo->szProtocol;

Item->SubItems->Add(ReceiveInfo->szSourceIP);

Item->SubItems->Add(IntToStr(ReceiveInfo->iSourcePort));

Item->SubItems->Add(ReceiveInfo->szDestIP);

Item->SubItems->Add(IntToStr(ReceiveInfo->iDestPort));

Item->SubItems->Add(IntToStr(ReceiveInfo->iTTL));

Item->SubItems->Add(IntToStr(ReceiveInfo->iBufSize));

Item->SubItems->Add(ReceiveInfo->TcpFlag);

Item->SubItems->Add(IntToStr(ReceiveInfo->Length));

Item->SubItems->Add(ReceiveInfo->iIcmpType);

Item->SubItems->Add(ReceiveInfo->iIcmpCode);

try{

Item->SubItems->Add(ReceiveInfo->ReceiveData);

Item->SubItems->Add(ReceiveInfo->ReceiveUdpData);

}

catch(...){}

}

void TSniffer::ReceiveData()

{

memset(RecvBuf, 0, sizeof(RecvBuf));

iErrorCode = recv(SockRaw, RecvBuf, sizeof(RecvBuf), 0);

CheckSockError(iErrorCode, 'recv');

iErrorCode = DecodeIpPack(RecvBuf, iErrorCode);

CheckSockError(iErrorCode, 'Decode');

}

头文件

//---------------------------------------------------------------------------

#ifndef SnifferThreadH

#define SnifferThreadH

//---------------------------------------------------------------------------

#include <Classes.hpp>

#include <ComCtrls.hpp>

//---------------------------------------------------------------------------

#include <Winsock2.h>

#include 'MSTcpIP.h'

#define STATUS_FAILED 0xFFFF //定义异常出错代码

#define MAX_PACK_LEN 655350 //接收的最大IP报文

#define MAX_ADDR_LEN 16 //点分十进制地址的最大长度

#define MAX_PROTO_TEXT_LEN 16 //子协议名称(如'TCP')最

大长度

#define MAX_PROTO_NUM 12 //子协议数量

#define MAX_HOSTNAME_LAN 255 //最大主机名长度

#define CMD_PARAM_HELP true

typedef struct _iphdr

{

unsigned char h_lenver; //4位首部长度+4位IP版本号

unsigned char tos; //8位服务类型TOS

unsigned short total_len; //16位总长度(字节)

unsigned short ident; //16位标识

unsigned short frag_and_flags; //3位标志位

unsigned char ttl; //8位生存时间 TTL

unsigned char proto; //8位协议 (TCP, UDP 或

其他)

unsigned short checksum; //16位IP首部校验和

unsigned int sourceIP; //32位源IP地址

unsigned int destIP; //32位目的IP地址

}IP_HEADER;

typedef struct _tcphdr //定义TCP首部

{

USHORT th_sport; //16位源端口

USHORT th_dport; //16位目的端口

unsigned int th_seq; //32位序列号

unsigned int th_ack; //32位确认号

unsigned char th_lenres; //4位首部长度/6位保留字

unsigned char th_flag; //6位标志位

USHORT th_win; //16位窗口大

USHORT th_sum; //16位校验和

USHORT th_urp; //16位紧急数

据偏移量

}TCP_HEADER;

typedef struct _udphdr //定义UDP首部

{

unsigned short uh_sport; //16位源端口

unsigned short uh_dport; //16位目的端口

unsigned short uh_len; //16位长度

unsigned short uh_sum; //16位校验和

} UDP_HEADER;

typedef struct _icmphdr //定义ICMP首部

{

BYTE i_type; //8位类型

BYTE i_code; //8位代码

USHORT i_cksum; //16位校验和

USHORT i_id; //识别号(一般

用进程号作为识别号)

USHORT i_seq; //报文序列号

ULONG timestamp; //时间戳

}ICMP_HEADER;

typedef struct _protomap //定义子协议映射表

{

int ProtoNum;

char ProtoText[MAX_PROTO_TEXT_LEN];

}PROTOMAP;

typedef struct _receiveinfo

{

char* szProtocol;

char* szSourceIP;

int iSourcePort;

char* szDestIP;

int iDestPort;

int iTTL;

int Length;

char TcpFlag[6] ;

int iBufSize;

char iIcmpType;

char iIcmpCode;

char* ReceiveData;

AnsiString ReceiveUdpData;

}RECEIVEINFO;

PROTOMAP ProtoMap[MAX_PROTO_NUM]={ //为子协议映射表赋值

{ IPPROTO_IP , 'IP ' },

{ IPPROTO_ICMP , 'ICMP' },

{ IPPROTO_IGMP , 'IGMP' },

{ IPPROTO_GGP , 'GGP ' },

{ IPPROTO_TCP , 'TCP ' },

{ IPPROTO_PUP , 'PUP ' },

{ IPPROTO_UDP , 'UDP ' },

{ IPPROTO_IDP , 'IDP ' },

{ IPPROTO_ND , 'NP ' },

{ IPPROTO_RAW , 'RAW ' },

{ IPPROTO_MAX , 'MAX ' },

{ NULL , '' } };

class TSniffer : public TThread

{

private:

int DecodeIpPack(char *, int); //IP解包函数

int DecodeTcpPack(char *, int); //TCP解包函数

int DecodeUdpPack(char *, int); //UDP解包函数

int DecodeIcmpPack(char *, int); //ICMP解包函数

void CheckSockError(int, char*); //出错处理函数

char * CheckProtocol(int); //协议检查

void SnifferInit();

void AddReceiveData(RECEIVEINFO *ReceiveInfo);

void ReceiveData();

protected:

void __fastcall Execute();

public:

SOCKET SockRaw;

bool MParamTcp; // 关注TCP 报文

bool MParamUdp; // 关注UDP 报文

bool MParamIcmp; // 关注ICMP报文

bool MParamDecode; // 对协议进行解码

char TcpFlag[6]; //定义TCP标志位

char *strFromIpFilter; // 源IP地址过滤

char *strDestIpFilter; // 目的地址过滤

char *strSensitive; // 敏感字符串

int iPortFilter; // 端口过滤

int iProtocol, iTTL;

char szProtocol[MAX_PROTO_TEXT_LEN];

char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN];

char OtherInfo[100];

int iErrorCode;

char RecvBuf[MAX_PACK_LEN];

__fastcall TSniffer(bool CreateSuspended);

};

//---------------------------------------------------------------------------

#endif

lovemaggic:

向大家推荐ethereal 0.9.14,它也是调用winpcap3.0,

它现在版本支持各种抓包软件的数据文件,包括

tcpdump and Ethereal

snoop (including Shomiti) and atmsnoop

LanAlyzer

Sniffer (compressed or uncompressed)

Microsoft Network Monitor

AIX’s iptrace

NetXray

Sniffer Pro

RADCOM’s WAN/LAN analyzer

Lucent/Ascend router debug output

HP-UX’s nettl

the dump output from Toshiba’s ISDN routers

i4btrace from the ISDN4BSD project

而且它是从Linux下移植过来的,有免费的源代码。

前几天整理了一下winpcap的文档,如果有谁想要的话,请到专题开发版给列留言:

http://expert.csdn.net/Expert/topic/2465/2465797.xml?temp=.4748651

希望大家有空没空有事没事常去[专题开发]版讨论问题。

专题开发版新开发网络安全和数据库版块,希望各位能人前往交流!!

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有