Forum Replies Created
-
AuthorPosts
-
You should use something like the code below. Also, if you modify the IP header you should recalculate the IP checksum; if you modify a UDP packet you should recalculate the UDP checksum…

    VOID
    RecalculateTCPChecksum (
        PINTERMEDIATE_BUFFER pPacket
        )
    {
        tcphdr_ptr pTcpHeader = NULL;
        unsigned short word16, padd = 0;
        unsigned int i, sum = 0;
        PUCHAR buff;
        DWORD dwTcpLen;
        iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

        // Sanity check
        if (pIpHeader->ip_p == IPPROTO_TCP)
        {
            pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
        }
        else
            return;

        // The IP length fields come from the wire: make sure they fit the captured frame
        if (ntohs(pIpHeader->ip_len) < pIpHeader->ip_hl*4 ||
            sizeof(ether_header) + ntohs(pIpHeader->ip_len) > pPacket->m_Length)
            return;

        // TCP segment length = IP total length minus IP header length
        dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4;//pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

        // Odd length: append one zero pad byte after the segment
        if ( (dwTcpLen/2)*2 != dwTcpLen )
        {
            padd=1;
            pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
        }

        buff = (PUCHAR)pTcpHeader;
        pTcpHeader->th_sum = 0;

        // make 16 bit words out of every two adjacent 8 bit words and
        // calculate the sum of all 16 bit words
        for (i=0; i< dwTcpLen+padd; i=i+2){
            word16 =((buff[i]<<8)&0xFF00)+(buff[i+1]&0xFF);
            sum = sum + (unsigned long)word16;
        }

        // add the TCP pseudo header which contains:
        // the IP source and destination addresses,
        sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
        sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);

        // the protocol number and the length of the TCP packet
        sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

        // keep only the last 16 bits of the 32 bit calculated sum and add the carries
        while (sum>>16)
            sum = (sum & 0xFFFF)+(sum >> 16);

        // Take the one's complement of sum
        sum = ~sum;

        // Store the result in network byte order
        pTcpHeader->th_sum = htons((unsigned short)sum);
    }

You should do something like the code below does, but don’t forget to recalculate the TCP checksum after doing this:

    // sought and replacement are std::string values defined elsewhere in the
    // poster's program (the original loop condition searched for "sex")
    PINTERMEDIATE_BUFFER ParsePacketHeaders ( PINTERMEDIATE_BUFFER pBuffer )
    {
        ether_header_ptr pEthernet = (ether_header_ptr)&pBuffer->m_IBuffer;
        if(ntohs(pEthernet->h_proto) == ETH_P_IP){
            iphdr_ptr pIp = NULL;
            tcphdr_ptr pTcp = NULL;
            pIp = (iphdr_ptr)&pBuffer->m_IBuffer[MHdrSize];
            //printf("%i", MHdrSize);
            UCHAR IpProto = pIp->ip_p;
            if(IpProto == IPPROTO_TCP){
                pTcp = (tcphdr_ptr)(((PUCHAR)pIp) + sizeof(DWORD)*pIp->ip_hl);
                in_addr IP = pIp->ip_src;
                PUCHAR pTcpData = (PUCHAR)pTcp + pTcp->th_off*4;
                // TCP payload is not NUL-terminated: bound it by the length fields
                int dataLen = ntohs(pIp->ip_len) - pIp->ip_hl*4 - pTcp->th_off*4;
                if(ntohs(pTcp->th_sport) == 80 && dataLen > 0){
                    string foo((char *)pTcpData, dataLen);
                    size_t pos = 0;
                    // Continue after each replacement so the loop always terminates
                    while((pos = foo.find(sought, pos)) != string::npos){
                        foo.replace(pos, sought.size(), replacement);
                        pos += replacement.size();
                    }
                    // Only a same-length result fits in place; a different length
                    // would also require changing ip_len
                    if(foo.length() == (size_t)dataLen)
                        memcpy(pTcpData, foo.data(), foo.length());
                    printf("Dest Data: %.*s\nAddress of pTcpData: %p", dataLen, pTcpData, (void *)&pTcpData);
                }//port 80?
            }//tcp??
        } //IP Packet?
        return pBuffer;
    }

The command line should be “PacketSniffer 1 -promisc” but not “PacketSniffer index 1 -promisc”. Also, are you sure that there are packets available from the interface with index 1? Usually (for Windows 2000/XP/2003) this is the dial-up interface (NDISWANIP), for which there is no sense in using promiscuous mode (it is a point-to-point connection), and it can even affect the interface's normal functionality.
If you give more details of what you are trying to do I can try to help.
Use the PassThru sample as a base and just don’t return to the stack the packet you would like to drop.
Yes, it can be running on a server…
This feature (running the firewall as a service) will be available in the next release (expected in January 2004).
Thank you for your interest.
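
Added example, not code from the replies above or from the SDK they refer to: the first reply says the IP and UDP checksums must also be recalculated after a modification, but shows only the TCP case. The C code below does both for an IPv4/UDP packet given a pointer to the IP header and the number of captured bytes; the function names and the sample header are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: IPv4 header (total length 115, protocol 17 = UDP) with the
   checksum bytes zeroed; the correct header checksum for it is 0xB861. */
const uint8_t sample_hdr[20] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                                 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* Add len bytes as big-endian 16-bit words. An odd trailing byte is padded with
   zero arithmetically, so nothing is written past the end of the data. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    return sum;
}

/* Fold the carries into 16 bits and return the one's complement. */
static uint16_t finish(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Rewrites both checksums and returns 0, or returns -1 without touching the
   packet if it is not IPv4/UDP or its length fields do not fit in caplen. */
int fix_ipv4_udp_checksums(uint8_t *ip, size_t caplen)
{
    size_t ihl, total, ulen;
    uint32_t sum; uint16_t c;
    if (caplen < 20 || (ip[0] >> 4) != 4) return -1;
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl + 8 || total > caplen || ip[9] != 17) return -1;
    ulen = ((size_t)ip[ihl + 4] << 8) | ip[ihl + 5];
    if (ulen < 8 || ulen > total - ihl) return -1;
    put16(ip + 10, 0);                          /* zero the IP checksum field first */
    put16(ip + 10, finish(sum16(ip, ihl, 0)));
    put16(ip + ihl + 6, 0);                     /* zero the UDP checksum field first */
    sum = sum16(ip + 12, 8, 0) + 17 + (uint32_t)ulen;  /* pseudo header */
    c = finish(sum16(ip + ihl, ulen, sum));
    put16(ip + ihl + 6, c ? c : 0xFFFF);        /* 0 on the wire means "no checksum" */
    return 0;
}
```

Summing a header or datagram together with its stored checksum and passing the result to `finish` gives 0 when the checksum is correct, which is a quick way to check a packet after editing it.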
