Reading packets

Home Forums Discussions Support Portal Reading packets

This topic contains 1 reply, has 2 voices, and was last updated by  Vadim Smirnov 9 years, 9 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #5155

    krishnabn
    Participant

    Am very much new to this domain. Am writing program to filter certain chat messages based on predefined keywords in IM chats. Can any one help me in reading the packets ( as characters and then compare with keywords ) and to drop those packets. My program is to be written using VC++.

    Thanks in advance

    #6508

    Vadim Smirnov
    Moderator

    The wwwcensor.cpp below blocks HTTP packets which contain the specified string pattern. You can change/extend this code to filter ports different from TCP:80 (you have to know which ports are used by each IM you’d like to support) of even just drop everyTCP packet which contain the specified pattenr by one simple modification – remove the following check:

    //
    // Check if this HTTP packet (destined to remote system port 80, or received from it)
    //

    if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
    ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
    {

    /*************************************************************************/
    /* Copyright (c) 2000-2007 NT Kernel Resources. */
    /* All Rights Reserved. */
    /* http://www.ntkernel.com */
    /* ndisrd@ntkernel.com */
    /* */
    /* Module Name: wwwcensor.cpp */
    /* */
    /* Abstract: Defines the entry point for the console application */
    /* */
    /*************************************************************************/

    #include "stdafx.h"

    USHORT ntohs( USHORT netshort )
    {
    PUCHAR pBuffer;
    USHORT nResult;

    nResult = 0;
    pBuffer = (PUCHAR )&netshort;

    nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
    | ( pBuffer[ 1 ] & 0x00FF );

    return( nResult );
    }

    #define htons ntohs

    int main(int argc, char* argv[])
    {
    TCP_AdapterList AdList;
    CNdisApi api;
    ETH_REQUEST Request;
    INTERMEDIATE_BUFFER PacketBuffer;
    ether_header_ptr pEthHeader = NULL;
    iphdr_ptr pIpHeader = NULL;
    tcphdr_ptr pTcpHeader = NULL;
    HANDLE hEvent[256];
    DWORD dwAdIndex = 0;
    char szTempString[1500];
    char szPattern[256];
    BOOL bDrop = FALSE;


    if (argc < 2)
    {
    printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
    return 0;
    }

    if(!api.IsDriverLoaded())
    {
    printf ("Driver not installed on this system of failed to load.n");
    return 0;
    }

    if ( strlen(argv[1]) > 255 )
    {
    printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
    return 0;
    }

    //
    // Get pattern in upper case
    //
    ZeroMemory ( szPattern, 256 );
    strcpy ( szPattern, argv[1] );
    for ( unsigned i = 0; i < strlen (szPattern); ++i )
    {
    if (isalpha(((UCHAR)szPattern)))
    szPattern
    = (char)toupper((UCHAR)szPattern);
    }

    //
    // Get system installed network interfaces
    //
    api.GetTcpipBoundAdaptersInfo ( &AdList );

    //
    // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
    //
    ADAPTER_MODE Mode;
    Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

    //
    // Create notification events and initialize the driver to pass packets thru us
    //
    for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
    {
    hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

    if (!hEvent[dwAdIndex])
    {
    printf("Failed to create notification event for network interface n");
    return 0;
    }

    Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

    //
    // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
    //
    api.SetAdapterMode(&Mode);

    //
    // Set packet notification event for the network interface
    //
    api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
    }


    // Initialize common part of ETH_REQUEST
    ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
    ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
    Request.EthPacket.Buffer = &PacketBuffer;

    //
    // Go into the endless loop (this is just a sample application)
    //
    while (TRUE)
    {
    //
    // Wait before any of the interfaces is ready to indicate the packet
    //
    dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

    //
    // Complete initialization of ETH_REQUEST
    //

    Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

    //
    // Read packet from the interface until there are any
    //
    while(api.ReadPacket(&Request))
    {
    //
    // Get Ethernet header
    //
    pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

    //
    // Check if Ethernet frame contains IP packet
    //
    if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
    {
    //
    // Get IP header
    //
    pIpHeader = (iphdr_ptr)(pEthHeader + 1);

    //
    // Check if IP packet contains TCP packet
    //
    if (pIpHeader->ip_p == IPPROTO_TCP)
    {
    //
    // Get TCP header pointer
    //
    pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

    //
    // Check if this HTTP packet (destined to remote system port 80, or received from it)
    //

    if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
    ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
    {
    //
    // Get data size in the packet and pointer to the data
    //

    DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
    PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);

    // If packet contains any data - process it
    if (dwDataLength)
    {
    //
    // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
    //
    memcpy (szTempString, pData, dwDataLength);
    for (unsigned t = 0; t < dwDataLength; ++t)
    {
    if (szTempString[t] == 0)
    szTempString[t] = 0x20;

    if (isalpha((UCHAR)szTempString[t]))
    szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
    }
    szTempString[dwDataLength] = 0;

    //
    // Check if this packet payload contains user supplied pattern in ASCII code
    //

    if (strstr ( szTempString, szPattern ))
    bDrop = TRUE;
    }
    }

    }
    }

    if(bDrop)
    {
    printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
    pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
    pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
    bDrop = FALSE;
    }
    else
    if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
    {
    // Place packet on the network interface
    api.SendPacketToAdapter(&Request);
    }
    else
    {
    // Indicate packet to MSTCP
    api.SendPacketToMstcp(&Request);
    }
    }

    //
    // Reset signalled event
    //
    ResetEvent(hEvent[dwAdIndex]);

    }

    return 0;
    }

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.