View Full Version : source for TCP/IP Analyzer



NemoFever
10-10-01, 01:45 AM
Hello there, gurus! :D

I have a tricky question. We need to check different types of connection within our local network. And recently I found this web-site and its TCP/IP Analyzer. It's almost the same thing that we need to have :p
So I would like to kindly ask if it's possible to see the sources for this Analyzer (in case it's under the GNU Public License).
All I need is just to know about the server part: how to extract a header from a TCP packet.
I suppose it's necessary to use the SOCK_RAW option in the socket() function (C language).
So, if anybody can help me with that, that would be so nice of you!
Thank you in advance! :cool:

Stu
10-10-01, 05:13 PM
If I'm understanding you correctly, you want to have a packet sniffer (writing one would be a chore, considering the packet identification code you'd have to write). Assuming this is true, there are plenty of open source or freeware sniffers out there. You can get some of the sniffers (http://www.wiretapped.net/security/packet-capture/) at Wiretapped (http://www.wiretapped.net/) or tons more (http://freshmeat.net/browse/152/) at freshmeat.net (http://freshmeat.net/).

If, however, you just want to see the code used to do sniffing, download the source code from one of the projects listed at freshmeat.net that has License :: OSI Approved :: <some license name here> listed under it. Be forewarned, a lot of the open source solutions out there rely on other libraries--like libpcap--to do the capturing. So, navigating through the source might be a bit of a challenge if you've never used those libraries before.

NemoFever
10-10-01, 08:32 PM
Hi there, Stu! ;)

First of all, thank you for your reply.

Well, if you think that the current TCP/IP analyzer from speedguide.net is a sniffer by determination, I guess this is exactly what I need...

So what do you think, does this analyzer also rely on some stand-alone library (like libpcap)?

As for your links, thank you, I will check them for sure.

And as for the logic of this application, should it use SOCK_RAW?

Stu
10-11-01, 06:02 PM
Ahh, I misunderstood. I was thinking of a sniffer called "analyzer". Not the one SG uses.

Referring to the one SG uses, my best guess is that it comes from stripping the first packet you send to port 8117 (which builds a page that redirects you to optd.cgi after that--this is probably done to decrease the amount of time the script/server takes to execute). All of this is fairly easy to do using Perl and the NetPacket:: module (I suggest this because there is less code involved). In fact, if you are running on a Linux/Unix/BSD server, like SG is, you could use inetd to do all the connection type stuff for you, cutting down on the overall code needed.

Philip
10-11-01, 06:31 PM
The SG Analyzer has a C server component and an output parser written in Perl, explaining the results.

The Server component listens to all connections on a specified port and extracts the headers (matched to the client's IP) from the TCP/IP three way handshake...

Unfortunately the source code is not Public domain, however I can try to get Mike who wrote the server component in here to give you some basic info...

NemoFever
10-11-01, 07:56 PM
Hi there, Stu!


Originally posted by Stu
....
it comes from stripping the first packet you send to port 8117 (which builds a page that redirects you to optd.cgi after that--this is probably done to decrease the amount of time the script/server takes to execute). All of this is fairly easy to do using Perl and the NetPacket:: module (I suggest this because there is less code involved). In fact, if you are running on a Linux/Unix/BSD server, like SG is, you could use inetd to do all the connection type stuff for you, cutting down on the overall code needed.

So what you are saying is that it's possible to use Perl to extract some header information from this first packet? Do you have any resources about that? Your answer will be highly appreciated!
As for using inetd for connections, ok, I'll try to check it too...

Thank you!

NemoFever
10-11-01, 08:05 PM
Hello there, Philip!


Originally posted by Philip
The SG Analyzer has a C server component and a output parser written in Perl, explaining the results.
Ok, thank you for the explanation. As a matter of fact, the parser's details seem not that important at present... More important (for me) though are the exact details about the server. I mean, all I need to know is how to extract these TCP header details...



The Server component listens to all connections on a specified port and extracts the headers (matched to the client's IP) from the TCP/IP three way handshake...


Well, right, and my question is: how to define this 3-way handshake?
I mean, originally the server should perform the following operations:
socket()
bind()
listen()
....

so after this listen() the server has to (I suppose) extract data from the incoming packets... So your help on how to do that correctly is what I'd like to kindly ask you about :D



Unfortunately the source code is not Public domain, however I can try to get Mike who wrote the server component in here to give you some basic info...

Well, if the code is not public, it's OK, but Mike's help would be really valuable. Thank you in advance!

:2cool:

Stu
10-12-01, 04:34 PM
Actually, you can get all the header information using the NetPacket:: (http://search.cpan.org/search?dist=NetPacket), Net::PcapUtils (http://search.cpan.org/doc/TIMPOTTER/Net-PcapUtils-0.01/PcapUtils.pm), and Net::Pcap (http://search.cpan.org/doc/TIMPOTTER/Net-Pcap-0.04/Pcap.pm). You can download the modules at http://www.cpan.org/authors/id/T/TI/TIMPOTTER/ and installation instructions can be found at http://www.cpan.org/modules/INSTALL.html.

All of these modules are written by Tim Potter (who is one of the guys who works on Samba (http://www.samba.org/)), and he's sprinkled some fairly easy to follow examples into their documentation. So, outside of making any calculations or interpretations of the packet data, the capture should be fairly easy to do based on the examples provided.
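Philip's description of the server pulling headers out of the client's SYN, and NemoFever's question about what to do after listen(), both come down to parsing the raw IPv4+TCP bytes of the first packet. The following is an added example and not the SG server's code: it assumes the datagram has already been captured as raw bytes (via libpcap or a raw socket, since a socket that has gone through accept() never sees the handshake headers itself), and the packet below is constructed, with port 8117 taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Fields an analyzer records from the client's SYN (first packet of the handshake). */
struct syn_info {
    uint8_t  ttl, ip_hdr_len, tcp_hdr_len;
    uint16_t window, mss;   /* mss stays 0 when no MSS option is present */
    int      syn_only;      /* 1 when SYN is set and ACK is clear */
};
/* Parse an IPv4 datagram carrying TCP (link-layer header already removed). Every length
 * is checked against the buffer before use; returns 0 on success, -1 if malformed. */
int parse_ip_tcp(const uint8_t *pkt, size_t len, struct syn_info *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;   /* IP protocol 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return -1;
    memset(out, 0, sizeof *out);
    out->ip_hdr_len = (uint8_t)ihl;
    out->tcp_hdr_len = (uint8_t)doff;
    out->ttl = pkt[8];
    out->window = (uint16_t)((tcp[14] << 8) | tcp[15]);
    out->syn_only = (tcp[13] & 0x02) && !(tcp[13] & 0x10);
    /* TCP options: kind 0 ends the list, kind 1 is a one-byte NOP, others are kind,len,data */
    const uint8_t *opt = tcp + 20, *end = tcp + doff;
    while (opt < end && opt[0] != 0) {
        if (opt[0] == 1) { opt++; continue; }
        if (opt + 1 >= end || opt[1] < 2 || (size_t)(end - opt) < opt[1]) return -1;
        if (opt[0] == 2 && opt[1] == 4) out->mss = (uint16_t)((opt[2] << 8) | opt[3]);
        opt += opt[1];
    }
    return 0;
}
/* Constructed sample: IPv4 (TTL 64, DF) + TCP SYN to port 8117, window 65535, MSS 1460 option.
 * Checksums are left as zero because nothing here verifies them. */
static const uint8_t SAMPLE_SYN[] = {
    0x45,0x00,0x00,0x2c, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,                     /* 192.168.1.10 -> 10.0.0.1 */
    0xc0,0x00,0x1f,0xb5, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, /* sport 49152, dport 8117 */
    0x60,0x02,0xff,0xff, 0x00,0x00,0x00,0x00, 0x02,0x04,0x05,0xb4  /* doff 6, SYN, win, MSS */
};
int main(void) {
    struct syn_info si;
    if (parse_ip_tcp(SAMPLE_SYN, sizeof SAMPLE_SYN, &si) != 0) { puts("malformed"); return 1; }
    printf("ttl=%u window=%u mss=%u syn_only=%d ip_hdr=%u tcp_hdr=%u\n",
           si.ttl, si.window, si.mss, si.syn_only, si.ip_hdr_len, si.tcp_hdr_len);
    return 0;
}
```

With a libpcap capture, the same function is called on the packet bytes after skipping the link-layer header (14 bytes for Ethernet), and only packets with syn_only set belong to a new client's handshake.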

NemoFever
10-15-01, 02:15 AM
Originally posted by Stu
Actually, you can get all the header information using the NetPacket:: (http://search.cpan.org/search?dist=NetPacket), Net::PcapUtils (http://search.cpan.org/doc/TIMPOTTER/Net-PcapUtils-0.01/PcapUtils.pm), and Net::Pcap (http://search.cpan.org/doc/TIMPOTTER/Net-Pcap-0.04/Pcap.pm). You can download the modules at http://www.cpan.org/authors/id/T/TI/TIMPOTTER/ and installation instructions can be found at http://www.cpan.org/modules/INSTALL.html.


Hello there, Stu!
Thank you very much for your full answers!!! :rolleyes:
I took a look at these modules and it seems to be the thing that I need to have!!
As a matter of fact, it's based on libpcap 8-) So I guess it's possible to try the functionality from this exact library... But meanwhile I'll try to use these Perl scripts (thanks to Tim Potter, whom you've mentioned).
Once again, thanks for your help, I appreciate that!