
Sniffers under Windows: Intercepter-NG (instructions for use). Best pen-tester tools for sniffing and working with packets. Download a sniffer program.

SmartSniff is a TCP/IP sniffer that lets you capture the packets passing through your network adapter and view the captured data as a sequence of conversations between client and server. Packet contents can be viewed as ASCII (for text protocols such as HTTP, SMTP, POP3 and FTP) or as a hex dump. SmartSniff needs no installation: just unpack the archive and run the program. The developer distributes SmartSniff free of charge.

Key features and functions

SmartSniff provides three methods for capturing TCP/IP packets:

1. Raw sockets. Lets you capture network packets without installing a capture driver, but with a number of limitations:

  • outgoing UDP and ICMP packets are not captured;
  • on Windows XP SP1 nothing is captured at all, due to a Microsoft bug present in SP1. The bug was fixed in SP2 but reappeared in Windows Vista;
  • on Windows Vista SP1 only UDP packets are captured.

2. WinPcap packet capture driver. Captures all packets on all Windows operating systems. This is the preferred method; to use it, you must install the WinPcap driver.

3. Microsoft Network Monitor driver (Windows 2000/XP/2003 only). Microsoft provides a free packet capture driver, but it is not installed by default, so it has to be installed. There are two ways to install the Microsoft Network Monitor driver:

  • from the Windows CD;
  • download the Windows XP Service Pack 2 Support Tools. One of the tools in this package is netcap.exe; run it once and the driver is installed automatically.

View mode.
SmartSniff has three packet viewing modes: automatic, ASCII and hex. In automatic mode SmartSniff checks the first bytes of the captured data: if they contain a character below 0x20, the data is shown in hex mode, otherwise in ASCII mode. The display mode can be switched at any time from the menu.

Export data.
Upper pane: you can select the desired items in the upper pane, copy them to the clipboard and paste them into Excel or an OpenOffice.org spreadsheet. You can also save them in text, HTML or XML format (using "Save Packet Summaries").
Lower pane: you can select the desired text and paste it into any text editor, or save it directly to a text file, HTML file or raw file using the "Export TCP/IP Streams" option.

What's new in this version?

2.26 (20.07.2016)

  • the program now automatically loads the new version of the WinPcap driver from https://nmap.org/npcap/ if it is installed on the system;
  • SmartSniff now tries to load the Network Monitor Driver 3.x DLL (NmApi.dll) from the path specified under HKEY_LOCAL_MACHINE\Software\Microsoft\Netmon3. This should solve the problem with loading Network Monitor Driver 3.x on some systems.

Every member of the ][ team has their own preferences when it comes to software and utilities for
pentesting. After comparing notes, we found that the choices differ so much that one could
compile a real gentleman's set of proven programs. So that's what we decided to do.
To avoid making a hodgepodge, we split the whole list by topic, and this
time we'll cover utilities for sniffing and manipulating packets. Use them in
good health.

Wireshark.

Netcat.

If we're talking about intercepting data, then NetworkMiner. It pulls from the wire
(or from a pre-saved dump in PCAP format) files, certificates,
images and other media, as well as passwords and other login information.
A useful feature is searching for the data fragments that contain keywords
(for example, a user login).

Scapy

Website:
www.secdev.org/projects/scapy.

A must-have for any hacker: a powerful tool for
interactive packet manipulation. Receive and decode packets of the most
varied protocols, reply to a request, inject a modified packet or
one built by hand and send it off: everything is easy! With it you can perform a whole
range of classic tasks such as scanning, traceroute, attacks and fingerprinting
of network infrastructure. In one bottle we get a replacement for popular utilities
such as hping, nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f and so on. At the
same time Scapy lets you perform any task, even the most specific one,
that a tool already written by another developer will never be able to
do. Instead of writing a whole mountain of lines in C to, for example,
generate a malformed packet and fuzz something, it's enough
to bang out a couple of lines of code using Scapy! The program has no
graphical interface; interactivity is achieved through the Python
interpreter. Get the hang of it a little, and nothing will stop you from creating malformed
packets, injecting the 802.11 frames you need, combining different approaches in attacks
(say, ARP cache poisoning and VLAN hopping), and so on. The developers themselves insist
that Scapy's capabilities be used in other projects. Imported
as a module, it makes it easy to build a utility for all sorts of local research,
vulnerability hunting, Wi-Fi injection, automated execution of specific
tasks, and so forth.

packETH

Website:
Platform: *NIX, there is a port for Windows

An interesting development that allows, on the one hand, generating any
Ethernet packet and, on the other, sending sequences of packets to
test bandwidth. Unlike other similar tools, packETH
has a graphical interface that lets you build packets in the simplest possible
form. And there's more: the creation and sending of
packet sequences is especially well worked out. You can set delays between sends,
send packets at maximum speed to test the throughput of
a network segment (yep, that's where it will choke) and, more interestingly,
dynamically change parameters in the packets (for example, the IP or MAC address).

In this article we'll look at creating a simple sniffer under Windows.
Those interested, welcome under the cut.

Introduction

Goal: write a program that captures network traffic (Ethernet, Wi-Fi) transmitted over the IP protocol.
Tools: Visual Studio 2005 or higher.
The approach described here is not the author's own invention and is successfully used in many commercial, as well as completely free (hi, GPL), programs.
This work is intended primarily for beginners in network programming who nevertheless have at least basic knowledge of sockets in general and Windows sockets in particular. I will often write well-known things here, because the subject area is specific; if I skip something, it will turn into a muddle in the reader's head.

I hope you will be interested.

Theory (reading optional, but recommended)

At present the overwhelming majority of modern information networks are built on the TCP/IP protocol stack. The TCP/IP stack (Transmission Control Protocol / Internet Protocol) is a collective name for the network protocols of different layers used in networks. In this article we are interested in the IP protocol: a routable network-layer protocol that provides best-effort (unguaranteed) delivery of data, divided into so-called packets (the more accurate term is datagrams), from one network node to another.
Of particular interest to us are the IP packets intended for carrying data. This is a high enough layer of the OSI model that one can abstract away from the device and the transmission medium and operate only on a logical representation.
It is entirely logical that sooner or later tools would appear for intercepting, controlling, accounting for and analyzing network traffic. Such tools are usually called traffic analyzers, packet analyzers or sniffers (from the English "to sniff"). A network traffic analyzer is a program, or a hardware/software device, designed to intercept and subsequently analyze, or only to analyze, network traffic intended for other nodes.

Practice (down to business)

Today there is quite a lot of software for listening to traffic. The best known is Wireshark. Naturally, we are not aiming to take its laurels; what interests us is the task of intercepting traffic by simply "listening" on a network interface. It is important to understand that we are not going to deal with hacking or intercepting other people's traffic. We just need to view and analyze the traffic that passes through our own host.

What this may be needed for:

  1. Watching the current flow of traffic through a network connection (incoming / outgoing / total).
  2. Redirecting traffic to another host for later analysis.
  3. Theoretically, you could try to use it to hack a Wi-Fi network (but we're not going to do that, are we?).
Unlike Wireshark, which is based on the libpcap/WinPcap library, our analyzer will not use that driver. More than that, we won't have a driver at all, and we are not going to write our own NDIS driver (oh, the horror!); that is covered in this topic. It will simply be a passive observer using only the WinSock library. Using a driver in this case would be overkill.

How so? Very simply.
The key step in turning a plain network application into a network analyzer is switching the network interface into listening mode (promiscuous mode), which lets it receive packets addressed to other interfaces on the network. In this mode the network card accepts all frames, regardless of whom on the network they are addressed to.

Starting with Windows 2000 (NT 5.0), writing a program that listens on a network segment has become very simple, because its network driver allows putting a socket into a mode that receives all packets.

Enabling promiscuous (receive-all) mode
    #define SIO_RCVALL 0x98000001      // also available from <mstcpip.h>
    SOCKET s;                          // raw socket, already created and bound to a local interface address
    unsigned long flag = 1;
    ioctlsocket(s, SIO_RCVALL, &flag);
Our program will operate on IP packets and uses the Windows Sockets library version 2.2 and raw sockets. Note that SIO_RCVALL is only accepted on a raw socket that has already been bound with bind() to the IPv4 address of a specific local interface; otherwise the call fails. To get direct access to the IP packet, the socket must be created as follows:
Creating a raw socket
    SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
Here, instead of the constants SOCK_STREAM (TCP) or SOCK_DGRAM (UDP), we use the value SOCK_RAW. Generally speaking, raw sockets are interesting not only for traffic capture: in fact, we get complete control over how a packet is formed. More precisely, we build it by hand, which allows, for example, sending a specially crafted ICMP packet...

Moving on. As is known, an IP packet consists of a header, service information and the data itself. I recommend looking here to refresh your memory. Let's describe the IP header as a structure (thanks to an excellent article on RSDN):

Description of the IP packet structure
    typedef struct _IPHEADER
    {
        unsigned char  ver_len;     // version (high nibble) and header length in 32-bit words (low nibble)
        unsigned char  tos;         // type of service
        unsigned short length;      // total length of the packet
        unsigned short id;          // identification
        unsigned short flgs_offset; // flags and fragment offset
        unsigned char  ttl;         // time to live (hop count)
        unsigned char  protocol;    // encapsulated protocol
        unsigned short xsum;        // header checksum
        unsigned long  src;         // sender IP address
        unsigned long  dest;        // destination IP address
        // Options (up to 40 bytes) and data (up to 65535 octets in total, including the
        // header) follow the fixed 20-byte header in the receive buffer. They are deliberately
        // not struct members: pointer fields would make sizeof(ipheader) differ from the
        // on-the-wire header size and break the length check in rs_sniff().
    } ipheader, *lpipheader;
The main function of the listening algorithm looks like this:
Function capturing one packet
    ipheader* rs_sniff()
    {
        ipheader* hdr;
        int count = 0;

        count = recv(rs_ssocket, (char*)&rs_buffer, sizeof(rs_buffer), 0);
        if (count >= (int)sizeof(ipheader))
        {
            hdr = (lpipheader)malloc(MAX_PACKET_SIZE);
            memcpy(hdr, rs_buffer, count);   // copy only the bytes actually received
            rs_updatenetstat(count, hdr);
            return hdr;
        }
        else
            return 0;
    }
Everything is simple here: we receive a chunk of data with the standard socket function recv and then copy it into a structure of type ipheader.
And finally, we start the infinite packet capture loop:
Capturing every packet that arrives at our network interface
    while (true)
    {
        ipheader* hdr = rs_sniff();
        // packet processing
        if (hdr)
        {
            // print the header to the console
            free(hdr);   // rs_sniff() allocates each packet; release it once processed
        }
    }
A bit off topic
Here and below some important functions and variables carry the author's prefix rs_ (from Raw Sockets). The project was done 3-4 years ago, and there was a crazy idea to write a full-fledged library for working with raw sockets. As often happens, after getting some (for the author) significant results, the enthusiasm faded, and things never went beyond the coursework.

In principle, you can go further and describe the headers of all the protocols layered above. To do that, you need to analyze the protocol field of the ipheader structure. Look at the sample code (yes, there should be a switch there, damn it!), where the header is colored depending on which protocol is encapsulated in the IP packet:

    /*
     * Packet coloring
     */
    void ColorPacket(const ipheader* h, const u_long haddr, const u_long whost = 0)
    {
        if (h->xsum)
            SetConsoleTextColor(0x17);   // non-empty packet
        else
            SetConsoleTextColor(0x07);   // empty packet

        if (haddr == h->src)
        {
            SetConsoleTextColor(BACKGROUND_BLUE | /* BACKGROUND_INTENSITY | */ FOREGROUND_RED | FOREGROUND_INTENSITY);   // "own" outgoing packet
        }
        else if (haddr == h->dest)
        {
            SetConsoleTextColor(BACKGROUND_BLUE | /* BACKGROUND_INTENSITY | */ FOREGROUND_GREEN | FOREGROUND_INTENSITY); // "own" incoming packet
        }

        if (h->protocol == PROT_ICMP || h->protocol == PROT_IGMP)
        {
            SetConsoleTextColor(0x70);   // ICMP / IGMP packet
        }
        else if (h->protocol == PROT_IP || h->protocol == 115)
        {
            SetConsoleTextColor(0x4F);   // IP-in-IP (4), L2TP (115)
        }
        else if (h->protocol == 53 || h->protocol == 56)
        {
            SetConsoleTextColor(0x4C);   // SWIPE "IP with encryption" (53), TLSP (56)
        }

        if (whost == h->dest || whost == h->src)
        {
            SetConsoleTextColor(0x0A);
        }
    }

However, this goes well beyond the scope of this article. For our coursework it was enough to see the IP addresses of the hosts traffic goes from and to, and to count its volume per unit of time (the finished program is in the archive at the end of the article).

To display the IP header data, you need to implement a function that converts the header (but not the data) of the datagram into a string. As an example implementation, this option can be offered:

Converting the IP header to a string
    inline char* iph2str(ipheader* iph)
    {
        const int buf_size = 1024;
        char* r = (char*)malloc(buf_size);
        memset((void*)r, 0, buf_size);
        sprintf(r, "ver=%d hlen=%d tos=%d len=%d id=%d flags=0x%X offset=%d ttl=%d prot=%d xsum=0x%X src=%s dest=%s",
                BYTE_H(iph->ver_len),          // version (high nibble)
                BYTE_L(iph->ver_len) * 4,      // header length in bytes (IHL * 4)
                iph->tos,
                ntohs(iph->length),
                ntohs(iph->id),
                IP_FLAGS(ntohs(iph->flgs_offset)),
                IP_OFFSET(ntohs(iph->flgs_offset)),
                iph->ttl,                      // hop count, not milliseconds
                iph->protocol,
                ntohs(iph->xsum),
                nethost2str(iph->src),
                nethost2str(iph->dest));
        return r;
    }
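The pieces above (the header structure, rs_sniff(), the protocol dispatch in ColorPacket() and iph2str()) never verify what they received: rs_sniff() only checks that at least sizeof(ipheader) bytes arrived, and nothing checks the header checksum or that the IHL field is consistent with the bytes actually read. The following is an added example and not code from the article or its archive: a portable IPv4 header parser with the RFC 791 checksum check, the protocol-number switch the article says ColorPacket() should have had, and, compiled only under _WIN32, a capture loop using the same SIO_RCVALL technique with the bind() step it requires. The names ipv4_parse, ipv4_checksum, ipv4_proto_name and SAMPLE_PACKET are this example's own, and SAMPLE_PACKET is a constructed 20-byte header, not captured traffic.

```c
/* Added example, not code from the Habr article. Parser + checksum are plain C and run
 * anywhere; the capture loop at the end is Windows-only. SAMPLE_PACKET is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t  version, hlen, tos, flags, ttl, protocol; /* hlen in bytes; flags = top 3 bits */
    uint16_t total_len, id, frag_offset, checksum;     /* host byte order */
    uint32_t src, dst;                                  /* host byte order */
} ipv4_hdr_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* RFC 791: one's-complement sum of the header as 16-bit words, checksum field taken as zero. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        if (i != 10) sum += be16(hdr + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 0 on success; -1 fewer than 20 bytes, -2 bad version or an IHL claiming more bytes than
 * were received, -3 total length shorter than the header, -4 checksum mismatch.
 * Never reads past len, whatever the IHL field says. */
int ipv4_parse(const uint8_t *buf, size_t len, ipv4_hdr_t *h)
{
    if (len < 20) return -1;
    h->version = buf[0] >> 4;
    h->hlen = (uint8_t)((buf[0] & 0x0F) * 4);
    if (h->version != 4 || h->hlen < 20 || h->hlen > len) return -2;
    h->tos = buf[1];
    h->total_len = be16(buf + 2);
    h->id = be16(buf + 4);
    h->flags = (uint8_t)(be16(buf + 6) >> 13);
    h->frag_offset = be16(buf + 6) & 0x1FFF;
    h->ttl = buf[8];
    h->protocol = buf[9];
    h->checksum = be16(buf + 10);
    h->src = be32(buf + 12);
    h->dst = be32(buf + 16);
    if (h->total_len < h->hlen) return -3;
    if (ipv4_checksum(buf, h->hlen) != h->checksum) return -4;
    return 0;
}

/* IANA protocol numbers, including the ones ColorPacket() tests for. */
const char *ipv4_proto_name(uint8_t proto)
{
    switch (proto) {
    case 1:  return "ICMP"; case 2:   return "IGMP"; case 4:  return "IP-in-IP";
    case 6:  return "TCP";  case 17:  return "UDP";  case 47: return "GRE";
    case 50: return "ESP";  case 51:  return "AH";   case 53: return "SWIPE";
    case 56: return "TLSP"; case 115: return "L2TP"; default: return "other";
    }
}

/* Constructed sample: TCP, DF set, TTL 64, 10.0.0.1 -> 10.0.0.2, header checksum 0x0A74. */
const uint8_t SAMPLE_PACKET[20] = {
    0x45, 0x00, 0x00, 0x3C, 0x1C, 0x46, 0x40, 0x00, 0x40, 0x06,
    0x0A, 0x74, 0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02 };

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>                          /* SIO_RCVALL, RCVALL_ON */
#pragma comment(lib, "ws2_32.lib")

/* Usage: ss.exe <IPv4 address of the local interface to listen on>; run as administrator. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <local interface IPv4>\n", argv[0]); return 1; }
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return 1;
    SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    struct sockaddr_in local = { 0 };
    local.sin_family = AF_INET;
    inet_pton(AF_INET, argv[1], &local.sin_addr);
    /* SIO_RCVALL is refused unless the raw socket is bound to one local interface first. */
    if (s == INVALID_SOCKET || bind(s, (struct sockaddr *)&local, sizeof local) == SOCKET_ERROR) {
        fprintf(stderr, "socket/bind failed: %d\n", WSAGetLastError()); return 1;
    }
    DWORD on = RCVALL_ON, got = 0;
    if (WSAIoctl(s, SIO_RCVALL, &on, (DWORD)sizeof on, NULL, 0, &got, NULL, NULL) == SOCKET_ERROR) {
        fprintf(stderr, "SIO_RCVALL failed: %d\n", WSAGetLastError()); return 1;
    }
    static uint8_t buf[65535];
    for (;;) {
        int n = recv(s, (char *)buf, sizeof buf, 0);
        if (n <= 0) break;
        ipv4_hdr_t h;
        int rc = ipv4_parse(buf, (size_t)n, &h);
        if (rc != 0) { printf("dropped %d-byte packet, rc=%d\n", n, rc); continue; }
        printf("%-8s %u.%u.%u.%u -> %u.%u.%u.%u len=%u ttl=%u id=%u\n", ipv4_proto_name(h.protocol),
               h.src >> 24, (h.src >> 16) & 255, (h.src >> 8) & 255, h.src & 255,
               h.dst >> 24, (h.dst >> 16) & 255, (h.dst >> 8) & 255, h.dst & 255,
               (unsigned)h.total_len, (unsigned)h.ttl, (unsigned)h.id);
    }
    closesocket(s); WSACleanup();
    return 0;
}
#endif
```

Two design points: the parser takes the received length and refuses any IHL that exceeds it, which is the check the article's memcpy of the full buffer skipped; and the capture loop binds to a single interface address before SIO_RCVALL, because Windows rejects the ioctl on an unbound raw socket (and loopback traffic is not delivered this way at all, so pass a real adapter address).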
Based on the basics above, here is a small program (with the terrible name SS, short for Simple Sniffer) that implements local listening of IP traffic. The interface is shown in the figure below.

I provide the source and the binary as is, just as they were a few years ago. Now I'm scared to look at the code, and yet it is quite readable (of course, one shouldn't be so self-confident). To compile it, even Visual Studio Express 2005 is enough.

What we ended up with:

  • The sniffer works in user mode, but requires administrator privileges.
  • Packets are not filtered; they are displayed as they are (custom filters can be added; I suggest looking at this topic in detail in the next article, if there is interest).
  • Wi-Fi traffic is also captured (it all depends on the specific chip model; it may not work for you, as with me a few years ago), although there is AirPcap, which does this beautifully but costs money.
  • The entire stream of datagrams is logged to a file (see the archive attached at the end of the article).
  • The program runs as a server on port 2000. You can connect to the host with the telnet utility and monitor the traffic flows. The number of connections is limited to twenty (that code is not mine; I found it online and used it for experiments; I didn't change it, which is a pity).
Thank you for your attention, and congratulations to all Habr users and everyone, everyone, everyone on the upcoming Christmas!

Wireshark will be an excellent helper for users who need to perform a detailed analysis of network packets, that is, of computer network traffic. The sniffer handles such common protocols as NetBIOS, FDDI, NNTP, ICQ, X.25, DNS, IRC, NFS, HTTP, TCP, IPv6 and many others. It lets you break a network packet down into its components according to the particular protocol and present the decoded fields in readable form.
It supports a huge number of formats for transmitted and received data and can open capture files produced by other utilities. It works by switching the network card into promiscuous mode and intercepting the network packets within its reach. It can also work as a program for intercepting Wi-Fi packets.

How to use Wireshark.

The program examines the contents of the packets that pass through the network. No special knowledge is needed to start it and use the results of the sniffer's work: just open it from the Start menu or click the desktop icon (launching it is no different from any other Windows program). The utility's special function lets it capture packets, carefully decode their contents and hand them to the user.

Having launched Wireshark, you will see the program's main menu at the top of the window; it is used to control the utility. If you need to load files with packet data captured in previous sessions, or to save the data on packets captured in a new session, you will need the File tab.

To start capturing network packets, click the "Capture" icon, then find the menu section called "Interfaces", which opens a separate "Wireshark Capture Interfaces" window listing all the available network interfaces through which the needed packets will be captured. If the program (sniffer) can detect only one suitable interface, it will display all the important information about it.

The utility's results are direct proof that even when users are not (at that moment) transmitting any data themselves, the exchange of information on the network does not stop. After all, a local network works in such a way that, to keep it running, each element (computer, switch and other devices) continuously exchanges service information with the others, so such network tools are meant to intercept those packets.

There is a version for Linux systems.

It should be noted that the sniffer is extremely useful for network administrators and computer security services, because the utility lets you identify potentially unprotected network nodes: likely spots that could be attacked by hackers.

Besides its direct purpose, Wireshark can be used as a means of monitoring and further analyzing network traffic in order to mount an attack on unprotected networks, since the intercepted traffic can be used for different purposes.


Here is a good sniffer (a network traffic analyzer, meaning it can intercept information), which will let you get, in a visual form, fairly complete information about all packets of the protocol you choose; you can download IP Sniffer from our site without difficulty. The developers have tried hard and turned an ordinary sniffer into a more powerful program, since it is now possible to filter the data being processed and get a full decoding of the entire contents of the packets.

IP Sniffer has a number of additional utilities, among them fairly good traffic monitoring: you can view charts of the IP addresses that are used most often, and likewise for protocols. If you feel like it, you can work with the Address Resolution Protocol, better known as ARP: view the table, delete various entries, send replies. There is a function that helps obtain the NetBIOS name for a given IP address. I wanted to mention the NetStat tool in IP Sniffer: it shows the various network connections, and you can forcibly close the connections you select, which is quite handy.

If you need complete information on the network adapter in use, the program will help here too. Among other things, there is support for spoofing various kinds of protocols, including ARP, which means it supports intercepting traffic between different hosts. IP Sniffer can search for DHCP servers, has a built-in service for looking up information on the IP addresses you need, can convert an IP to a hostname and vice versa, and of course pinging hosts and networks is also possible.

IP Sniffer does not need installation and can run from removable media; it has no Russian localization and a simple interface with no skin support. That's the tool in a nutshell; I think for certain purposes it will be quite useful. Don't forget to leave your opinions about this program; if anyone finds a use for it, share your impressions, and don't forget that it is completely free.

Release name: Ip.sniffer.1.99.3.6
Developer: Erwan's Blog
License: Freeware
Language: English
Size: 7.16 MB
OS: Windows