how to capture packets of all adapters


  • #5207

    datksm
    Participant

    Hi, I am testing the passthru sample of WinpkFilter, but I find it can only capture one adapter’s packets at a time. What can I do if I want to capture packets on all adapters? Should I just set Mode.hAdapterHandle and Request.hAdapterHandle to NULL?

    #6632

    Vadim Smirnov
    Moderator

    Please refer to the WWWCensor sample, which filters on all available network interfaces.

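    //
    // Enumerate the installed network interfaces; AdList supplies the adapter
    // count and the per-adapter handles used below
    //
    api.GetTcpipBoundAdaptersInfo ( &AdList );

    //
    // One ADAPTER_MODE is reused for every interface, so all of them operate in
    // the same mode. Both tunnel flags are set: sent and received packets are
    // passed through this process, so a packet the read loop does not re-inject
    // is not delivered.
    //
    ADAPTER_MODE Mode;
    Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

    //
    // Per interface: create a notification event, switch the interface into
    // tunnel mode and register the event with the driver.
    //
    // NOTE(review): hEvent is declared outside this excerpt and must have room
    // for m_nAdapterCount entries; WaitForMultipleObjects also accepts at most
    // MAXIMUM_WAIT_OBJECTS handles -- confirm both.
    //
    for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
    {
        // Manual-reset event, initially non-signalled; the read loop resets it
        // explicitly after draining the interface
        hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

        if (!hEvent[dwAdIndex])
        {
            // The line break had lost its backslash ("n" instead of "\n")
            printf("Failed to create notification event for network interface \n");
            return 0;
        }

        Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

        //
        // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
        //
        api.SetAdapterMode(&Mode);

        //
        // Set packet notification event for the network interface
        //
        api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
    }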


    //
    // Prepare the parts of the read request that are the same for every
    // interface: clear the packet buffer and the request, then attach the
    // buffer to the request. The adapter handle is filled in per wake-up.
    //
    ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
    ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
    Request.EthPacket.Buffer = &PacketBuffer;

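    //
    // Main packet loop (endless: this is just a sample application).
    // Waits for any interface to signal, drains its packet queue, scans HTTP
    // payloads (TCP port 80) for szPattern, and either drops the packet or
    // re-injects it in the direction it was travelling. A packet is dropped
    // simply by not re-injecting it.
    //
    while (TRUE)
    {
        //
        // Wait until any of the interfaces is ready to indicate a packet
        //
        const DWORD dwWaitResult = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE );

        //
        // WAIT_FAILED (for example with an empty adapter list) would otherwise
        // become an index far past the end of m_nAdapterHandle and hEvent
        //
        if (dwWaitResult == WAIT_FAILED ||
            (dwWaitResult - WAIT_OBJECT_0) >= static_cast<DWORD>(AdList.m_nAdapterCount))
        {
            printf("Failed to wait for packet notification events \n");
            return 0;
        }

        dwAdIndex = dwWaitResult - WAIT_OBJECT_0;

        //
        // Complete initialization of ETH_REQUEST
        //
        Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

        //
        // Read packets from the interface until there are none left
        //
        while (api.ReadPacket(&Request))
        {
            //
            // Every length below is taken from the packet itself, i.e. it is
            // controlled by whoever sent the packet. Each header is checked
            // against the frame length before it is dereferenced; a packet that
            // fails a check is not inspected and is forwarded unchanged, which
            // keeps the sample's pass-through behaviour.
            // Assumes m_IBuffer is an array inside INTERMEDIATE_BUFFER -- confirm.
            //
            const DWORD dwFrameLength = PacketBuffer.m_Length;

            //
            // Get Ethernet header
            //
            pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

            //
            // Check if the Ethernet frame contains an IP packet with a full
            // minimal IP header
            //
            if (dwFrameLength <= sizeof(PacketBuffer.m_IBuffer) &&
                dwFrameLength >= sizeof(ether_header) + sizeof(*pIpHeader) &&
                ntohs(pEthHeader->h_proto) == ETH_P_IP)
            {
                //
                // Get IP header
                //
                pIpHeader = (iphdr_ptr)(pEthHeader + 1);
                const DWORD dwIpHeaderLength = pIpHeader->ip_hl*4;

                //
                // Check if the IP packet contains TCP and that the declared IP
                // header length leaves room for a full minimal TCP header.
                // NOTE(review): IP fragments are not told apart here; a
                // non-first fragment carries no TCP header at this offset.
                //
                if (pIpHeader->ip_p == IPPROTO_TCP &&
                    dwIpHeaderLength >= sizeof(*pIpHeader) &&
                    dwFrameLength >= sizeof(ether_header) + dwIpHeaderLength + sizeof(*pTcpHeader))
                {
                    //
                    // Get TCP header pointer
                    //
                    pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + dwIpHeaderLength);
                    const DWORD dwTcpHeaderLength = pTcpHeader->th_off*4;
                    const DWORD dwHeadersLength =
                        static_cast<DWORD>(sizeof(ether_header)) + dwIpHeaderLength + dwTcpHeaderLength;

                    const bool bHttpOut = (pTcpHeader->th_dport == htons (80)) &&
                                          (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND);
                    const bool bHttpIn  = (pTcpHeader->th_sport == htons (80)) &&
                                          (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE);

                    //
                    // Check if this is an HTTP packet (destined to remote port 80,
                    // or received from it) whose headers fit inside the frame.
                    // Without the length check the subtraction below wraps around
                    // and memcpy copies far more than the packet holds.
                    //
                    if (dwTcpHeaderLength >= sizeof(*pTcpHeader) &&
                        dwHeadersLength <= dwFrameLength &&
                        (bHttpOut || bHttpIn))
                    {
                        //
                        // Get data size in the packet and pointer to the data
                        //
                        const DWORD dwDataLength = dwFrameLength - dwHeadersLength;
                        PCHAR pData = (PCHAR)pEthHeader + dwHeadersLength;

                        // If packet contains any data - process it
                        if (dwDataLength)
                        {
                            //
                            // Copy the payload into the temporary string, replace
                            // all 0 bytes with 0x20, convert to upper case and
                            // terminate it.
                            // NOTE(review): szTempString is declared outside this
                            // excerpt; it must hold at least
                            // sizeof(PacketBuffer.m_IBuffer) + 1 bytes for this
                            // copy and the terminator to stay in bounds -- confirm.
                            //
                            memcpy (szTempString, pData, dwDataLength);
                            for (DWORD t = 0; t < dwDataLength; ++t)
                            {
                                if (szTempString[t] == 0)
                                    szTempString[t] = 0x20;

                                if (isalpha((UCHAR)szTempString[t]))
                                    szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                            }
                            szTempString[dwDataLength] = 0;

                            //
                            // Check if the payload contains the user supplied
                            // pattern. Matching is per packet: a pattern split
                            // across two TCP segments is not seen.
                            //
                            if (strstr ( szTempString, szPattern ))
                                bDrop = TRUE;
                        }
                    }
                }
            }

            if (bDrop)
            {
                // bDrop is only set on the TCP path, so both header pointers are valid here
                printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped \n",
                    pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                    pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                bDrop = FALSE;
            }
            else if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
            {
                // Place packet on the network interface
                api.SendPacketToAdapter(&Request);
            }
            else
            {
                // Indicate packet to MSTCP
                api.SendPacketToMstcp(&Request);
            }
        }

        //
        // Reset signalled event
        // NOTE(review): a packet queued between the last ReadPacket() and this
        // ResetEvent() may wait until the next packet signals the event again --
        // confirm against the driver's signalling behaviour.
        //
        ResetEvent(hEvent[dwAdIndex]);

    }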
    #6633

    cozmik
    Participant

    Oh I learned a bit there from that code! Thanks to SerpentFly! 8)
