SenDog asked:
Packet Sniffers and Netstat problem

Olympus, you said I could sniff out packets for a specific header using TIngusSniffer, then if it was my header, I should read data and this would hide my chat connection from netstat. Could you please give me some sample code to do this? I already gave you my last 100 points so I don't have any more to give out. I will add more points as soon as I get more. Thanks!
karouri

Listening..
BTW. This is interesting, I will give another 100 points to a working solution
Ok, when you're sniffing packets you're going to be receiving ALL packets that come to the system, therefore you're going to have to distinguish the packets you want from others.  You do this with a header; this could even be a short string at the beginning of every packet like "thisisasendogpacket"... You can accomplish this with either TCP, or UDP.  You can browse for the headers in the TIngusSniffer OnParsePacket event, here's an example:

procedure TForm1.OnParsePacketHandle(nPacketSeq: Longint; uBuffer: PChar;
  nRecvBytes: integer; sPacket: TIngusPacketBase);
var
  sFrom, sTo, sDir, sProto, sData: string;
  sIpPacket: TIngusIPPacket;
  sTCPPacket: TIngusTCPPacket;
  sUDPPacket: TIngusUDPPacket;
begin
  if sPacket.EthernetProtocol <> PROTO_IP then exit;
  sIPPacket := TIngusIPPacket(sPacket);

  sFrom := Format('%u.%u.%u.%u', [UCHAR(sIPPacket.IPSourceAddr^),
    UCHAR((sIPPacket.IPSourceAddr + 1)^),
    UCHAR((sIPPacket.IPSourceAddr + 2)^),
    UCHAR((sIPPacket.IPSourceAddr + 3)^)]);
  sTo := Format('%u.%u.%u.%u', [UCHAR(sIPPacket.IPDestAddr^),
    UCHAR((sIPPacket.IPDestAddr + 1)^),
    UCHAR((sIPPacket.IPDestAddr + 2)^),
    UCHAR((sIPPacket.IPDestAddr + 3)^)]);

  case sIPPacket.IPProtocol of
    1: sProto := 'ICMP';
    2: sProto := 'IGMP';
    3: sProto := 'GGP';
    4: sProto := 'IP';
    5: sProto := 'ST';
    6: begin
         // TCP PACKET
         sTCPPacket := TIngusTCPPacket(sPacket);
         sProto := 'TCP';
         sFrom := sFrom + ':' + IntToStr(sTCPPacket.SourcePort);
         sTo := sTo + ':' + IntToStr(sTCPPacket.DestPort);
         sData := sTCPPacket.TCPData;
         //check for a TCP header in sData here indicating if its one of your packets
       end;
    8: sProto := 'EGP';
    9: sProto := 'IGP';
    17: begin
          // UDP PACKET
          sUDPPacket := TIngusUDPPacket(sPacket);
          sProto := 'UDP';
          sFrom := sFrom + ':' + IntToStr(sUDPPacket.SourcePort);
          sTo := sTo + ':' + IntToStr(sUDPPacket.DestPort);
          sData := sUDPPacket.UDPData;
        end;
    //check for an UDP header here indicating its one of your packets
    27: sProto := 'RDP';
    28: sProto := 'IRTP';
    29: sProto := 'ISO-TP4';
    35: sProto := 'IDPR';
    37: sProto := 'DDP';
    38: sProto := 'IDPR-CMTP';
    88: sProto := 'IGRP';
    89: sProto := 'OSPFIGP';
    92: sProto := 'MTP';
    94: sProto := 'IPIP';
    97: sProto := 'ETHERIP';
    98: sProto := 'ENCAP';
  else
    sProto := '???';
  end;

  case sPacket.PacketDirection of
    pdInput: sDir := 'In';
    pdOutput: sDir := 'Out';
  end;
end;



I'm assuming you know what packets are when giving you these examples and that you are capable of browsing for your header yourself.

--Olympus
Whoops, the "//check for an UDP header here indicating its one of your packets"
comment should be inside the case 17.

--Olympus
On a side note, it's more likely than not that you aren't pursuing netstat hiding for a chat program, but a trojan instead.  Nevertheless, I support that cause; for Microsoft needs to suck it.

--Olympus
SenDog (ASKER)

Actually, I am. The chat program is called Silent and it's for me and this girl I'm pursuing. I'm currently on OJT and the company I'm working at won't allow me to use the programs I make. Actually, I got into a fight with the Net Admin so he banned me from using my programs. I want to hide the connection in netstat so that he won't be able to see what I'm doing. Anyway, I do know what packets are but I don't know how to browse for packets. Can you give me an example of how to set a header and read if the header is mine? Thanks man, I really appreciate it.
Just send a string with every packet and look for it in the sections I told you to above, and if it's there, then process the rest.
SenDog (ASKER)
Let me try...
SenDog (ASKER)

Dang, it didn't work! Can you give me some sample code for sending and processing the packet? I'm using the TWSocket component. Thank you so much! I really appreciate it. You're a very nice guy.
I have seen a modified version of TIngusSniffer that is capable of sending packets without using any of Delphi's socket components. This would enable you to send for instance raw IP packets and use the udp-header as datafield and the udp-datafield as header. This might seem like a terrible misuse of the protocols but it will make it a whole lot harder for any network monitoring tool to track your connection, since the port, address etc will change randomly with every single packet (the perceived port field would be filled with actual chat data, possibly encrypted). That would rock.
SenDog (ASKER)
Hi requiem, where can I get this modified version?
That's the problem, if I had a copy or even a URL I would have posted it in the first message. I have an implementation of this on some old CD somewhere around but the thing is there are just too many CDs in my room so all my tries to find stuff usually fail terribly. Anyways, I have given up trying to find stuff, I use my memory to re-write stuff instead - on large projects this can be a pain - but I can assure you that this method WILL give you really neat coding skills. Every time you rebuild something you have a clearer picture of the final product so the coding gets more and more optimized and focused towards the actual application. Try it, it's awesome!!

Anyways, if I remember it right the packet32 dll contains a function called
"PacketSendPacket" or something like that which took an adapter and a packet as parameters.. maybe there was support for synchronized transmitting too, not sure, and the result is whether or not it worked (a simple boolean in pascal). ehm, I don't have the Ingus sourcecode available at this time so I can't tell you anything real, but check your copy of the source.. everything you need should be in there already.. all you have to do is add a few methods to the IngusClass itself so it too supports sending packets..

Of course you could also try to sweep the net for the modified version, a good start would be to ask JagaD (the author of TIngus) if he has a copy, if I were him I would be interested in such a modification of my code! :-)

GL, Happy Hacking! :-)

/m
Or you could create a raw api socket but that's much more complicated.

--Olympus
SenDog (ASKER)

Olympus, can you give me some sample code for sending and processing the packet? I'm using the TWSocket component. Thank you so much! I really appreciate your help.
Creating a raw API socket doesn't allow one to modify the actual header information of an IP/UDP packet (afaik anyways) so you won't be able to cloak the connection in the same manner.
requiem: You don't need to, by header I mean a small block of data inside of each data chunk of each packet, that would not be likely to be found in other packets.
You can do this with raw api sockets.

SenDog: I don't have time, look into it; it's pretty simple.

--Olympus
Maybe a little more explanation, a working solution or guidelines will give us more help.
BTW, the 100 points are still there..
SenDog (ASKER)
I'm desperate. Any working code will do. Can someone please help me.
SenDog (ASKER)
Waiting...
SenDog (ASKER)
Still waiting... Come on, someone has to know how to do this. Please help out.
What exactly is it you want? Code to get the data in each packet ?
SenDog (ASKER)
Can you give me an example code of how to set a header and read if the header is mine. Thanks!
SenDog (ASKER)
Waiting...
SenDog (ASKER)
Still waiting! Please help...
Hmm, I might get back to you later with an answer as for now I actually think there is a bug in my version of the ingus sniffer because the data I get is not terminated correctly. I get correct strings with a lot of bs attached to them.
SenDog (ASKER)
I will wait for your answer requiem! Thank you!
SenDog (ASKER)
Hi requiem! I'm still waiting...
yes, I've got a semi-running program going a week ago but then I was terribly ill and had to go to the hospital for a whole week for some goddamn surgery, quite annoying.. they took my appendix. anyways, I will resume that project in the near time but I have a few other projects that have higher priority for recovering - many things have halted this last week :-) Remind me again within a week if I haven't gotten back to you yet.

You seem to be very patient and motivated, good things in a person.

Blah blah...


/m
SenDog (ASKER)
Hi requiem! Any luck with that sample code you promised me? Still waiting...
What I was doing up to now was a complete re-write of the TIngusClass and its sister packet classes. However, I found this to be a quite interesting area and I have decided to not completely re-write the Ingus classes but to write a new sniffer class from scratch, hopefully I'll get my dirty hands on the source code of packet32.dll too and if so, I will rewrite the whole package from .dll level (still keeping the vxd). hopefully this will lead to fewer blue-screens, I'm quite tired of them now... :-) But anyway, you shouldn't be forced to wait for the first release of this new sniffer package, so here is a short snippet to extract data from the TIngusSniffer (which works well in most cases).

  SetLength(data, nRecvBytes);
  Move(ubuffer[0], data[1], nRecvBytes);
  msg := 'Packet.Size='+IntToStr(nRecvBytes)+' Packet.Data=';
  for k := 1 to Length(data) do
    msg := msg + IntToStr(ord(data[k])) + ',';
  Memo1.Lines.Add(msg);

I added this code at the bottom of the procedure TForm1.OnParsePacketHandle;

To read UDP data (or whatever), add similar code within the case statement reading the length of the packet from the UDPHeader field (but remember this field is big-endian so you must swap it!!) and read data from the headers .data[0] field.

I will complete the new TSniffer soon, and I'll send you a copy if you remind me. Any question you might have is also welcome here. Good Luck!


/m
SenDog (ASKER)
Hi! Here's my OnParsePacketHandle Procedure. I think it has a problem but I don't know what. Both "sData := sUDPPacket.UDPData;" and "sData := sTCPPacket.TCPData;" are undefined and generate errors. Also, from your code, "Data" and "k" generate errors too. Can you please give me your whole OnParsePacketHandle Procedure, tell me what's wrong with my code or maybe send me an example application through e-mail. Thanks and sorry for any inconvenience!

procedure TForm1.OnParsePacketHandle(nPacketSeq: Longint; uBuffer: PChar;
  nRecvBytes: integer; sPacket:
  TIngusPacketBase);
var
  sFrom, sTo, sDir, sProto, sData: string;
  sIpPacket: TIngusIPPacket;
  sTCPPacket: TIngusTCPPacket;
  sUDPPacket: TIngusUDPPacket;
begin

  if sPacket.EthernetProtocol <> PROTO_IP then exit;
  sIPPacket := TIngusIPPacket(sPacket);

  sFrom := Format('%u.%u.%u.%u', [UCHAR(sIPPacket.IPSourceAddr^),
    UCHAR((sIPPacket.IPSourceAddr + 1)^),
      UCHAR((sIPPacket.IPSourceAddr + 2)^),
      UCHAR((sIPPacket.IPSourceAddr + 3)^)]);
  sTo := Format('%u.%u.%u.%u', [UCHAR((sIPPacket.IPDestAddr)^),
    UCHAR((sIPPacket.IPDestAddr + 1)^),
      UCHAR((sIPPacket.IPDestAddr + 2)^),
      UCHAR((sIPPacket.IPDestAddr + 3)^)]);
  case sIPPacket.IPProtocol of
    1: sProto := 'ICMP';
    2: sProto := 'IGMP';
    3: sProto := 'GGP';
    4: sProto := 'IP';
    5: sProto := 'ST';
    6: begin
        sTCPPacket := TIngusTCPPacket(sPacket);

        sProto := 'TCP';
        sFrom := sFrom + ':' + IntToStr(sTCPPacket.SourcePort);
        sTo := sTo + ':' + IntToStr(sTCPPacket.DestPort);
        sData := sTCPPacket.TCPData;
      end;
    8: sProto := 'EGP';
    9: sProto := 'IGP';
    17: begin
        sUDPPacket := TIngusUDPPacket(sPacket);
        sProto := 'UDP';
        sFrom := sFrom + ':' + IntToStr(sUDPPacket.SourcePort);
        sTo := sTo + ':' + IntToStr(sUDPPacket.DestPort);
        sData := sUDPPacket.UDPData;
      end;
    27: sProto := 'RDP';
    28: sProto := 'IRTP';
    29: sProto := 'ISO-TP4';
    35: sProto := 'IDPR';
    37: sProto := 'DDP';
    38: sProto := 'IDPR-CMTP';
    88: sProto := 'IGRP';
    89: sProto := 'OSPFIGP';
    92: sProto := 'MTP';
    94: sProto := 'IPIP';
    97: sProto := 'ETHERIP';
    98: sProto := 'ENCAP';
  else sProto := '???';
  end;

  case sPacket.PacketDirection of
    pdInput: sDir := 'In';
    pdOutput: sDir := 'Out';
  end;

  SetLength(Data, nRecvBytes);
  Move(ubuffer[0], Data[1], nRecvBytes);
  msg := 'Packet.Size='+IntToStr(nRecvBytes)+' Packet.Data=';
  for k := 1 to Length(data) do
    msg := msg + IntToStr(ord(Data[k])) + ',';
  Memo1.Lines.Add(msg);
end;
Okie, data and k should be:

var
  data: string;
  k: Word;

Nothing else, sorry about that. It's important that k is actually a word (a 16-bit unsigned integer), because it's used to acquire & swap the big-endian length value in the UDP packet headers. The string is used because PChar sucks when it comes to handling data with zeros in them, delphi will treat PChars with ASCII zero in them as shorter PChars, eg:

var
  pc: PChar;
begin
  pc := Chr(65) + Chr(0) + Chr(66);
end;

This will yield "A" when reading in delphi, because delphi just reads until it finds an ASCII zero (this is by the definition of a PChar). Strings however have their own length field so doing a:

for k := 1 to Length(st) do
  Memo1.Lines.Add(IntToStr(Ord(st[k])));

will print results beyond the ASCII zero.
Also note that pchar's start at pc[0] and strings start at st[1].


Another very important thing is that I have found that most ethernet packets have an address in the beginning of the packet which starts with an ASCII zero, this makes it very hard / inconvenient to work with the data in PChar form. This is the reason why:

Memo1.Lines.Add( Copy(ubuffer[0],1,nRecvBytes) );

won't work as a charm even though it makes some sense when you first look at it. Also, I have found that using typed pointers to parse the data is a very simple and quick way but it presents a few problems when it comes to incomplete packets and other stuff.


Now to my OnParsePacketHandle proc:

This code was taken directly from a TIngusClass example, and then modified to retrieve and print the data. For the UDP protocol I have added specific code to parse the UDP data properly, this could be done the same way with TCP however in that case one MUST take the ACK flag into consideration or you will get duplicate and invalid packets all the time. This problem does not happen with UDP since UDP does not have an ACK flag :) Also, note... this code is not optimized or perfect in any way, but it is working. Neater coding will be seen in the TSniffer I will release later. Hmm, finally, you might wanna add a small proc to validate the packet using the checksum field, don't forget to swap it though, since it's still big-endian in the udp header fields. Hmm, that's about all.
Any questions are welcome here. Good Luck!

//DELPHI CODE

procedure TForm1.OnParsePacketHandle( nPacketSeq: Longint; uBuffer: PChar;
                                      nRecvBytes: integer; sPacket:
                                      TIngusPacketBase );
var
  sMacAddr: string;
  //pIPHdr: PIP_RHDR;
  sIpPacket: TIngusIPPacket;
  sIcmpPacket: TIngusICMPPacket;
  sTCPPacket: TIngusTCPPacket;
  sUDPPacket: TIngusUDPPacket;
  nSrcPort, nDestPort: integer;
  data: string;
  msg: string;
  k: Word;
begin
  if sPacket.EthernetProtocol <> PROTO_IP then exit;
  sIPPacket := TIngusIPPacket(sPacket);

  // FPiette May 17, 1999
  sMacAddr := Format( '**Mac address: %.2X:%.2X:%.2X:%.2X:%.2X:%.2X',
                      [ UCHAR(sIngus.MacAddr[0]), UCHAR(sIngus.MacAddr[1]),
                        UCHAR(sIngus.MacAddr[2]), UCHAR(sIngus.MacAddr[3]),
                        UCHAR(sIngus.MacAddr[4]), UCHAR(sIngus.MacAddr[5]) ] );

  Memo1.Lines.Add('');
  Memo1.Lines.Add(IntToStr(nPacketSeq));
  Memo1.Lines.Add(sMacAddr);

  Memo1.Lines.Add(Format('Source: %u.%u.%u.%u', [ UCHAR(sIPPacket.IPSourceAddr^),
                                                  UCHAR((sIPPacket.IPSourceAddr+1)^),
                                                  UCHAR((sIPPacket.IPSourceAddr+2)^),
                                                  UCHAR((sIPPacket.IPSourceAddr+3)^) ]));
  Memo1.Lines.Add(Format('Destination: %u.%u.%u.%u', [ UCHAR((sIPPacket.IPDestAddr)^),
                                                       UCHAR((sIPPacket.IPDestAddr+1)^),
                                                       UCHAR((sIPPacket.IPDestAddr+2)^),
                                                       UCHAR((sIPPacket.IPDestAddr+3)^) ]));

  //pIPHdr := PIP_RHDR(sPacket.Data);
  //case pIPHdr^.Protocol of
  case sIPPacket.IPProtocol of
  1: begin
       //ICMP
       sIcmpPacket := TIngusICMPPacket(sPacket);
       Memo1.Lines.Add('ICMP');
     end;
  6: begin
       //TCP
       sTCPPacket := TIngusTCPPacket(sPacket);
       Memo1.Lines.Add('TCP');
       nSrcPort := sTCPPacket.SourcePort;
       nDestPort := sTCPPacket.DestPort;
       Memo1.Lines.Add('PS: '+IntToStr(nSrcPort));
       Memo1.Lines.Add('DS: '+IntToStr(nDestPort));
     end;
  17: begin
        sUDPPacket := TIngusUDPPacket(sPacket);
        // UDP Length is big-endian (swap the two bytes) and counts the
        // 8-byte UDP header as well as the payload (RFC 768)
        k := (sUDPPacket.UDPHeader.Length[0]*256)+sUDPPacket.UDPHeader.Length[1];
        if k > 8 then
        begin
          SetLength(data, k - 8);                              // payload only
          Move(sUDPPacket.UDPHeader.data[0], data[1], k - 8);
          msg := 'Packet.Size='+IntToStr(k)+' Packet.Data=';
          for k := 1 to Length(data) do
            msg := msg + IntToStr(ord(data[k])) + ',';
          Memo1.Lines.Add(Msg);
        end;
      end;
  end;

  case sPacket.PacketDirection of
  pdInput:
    begin
      Memo1.Lines.Add('Input');
    end;
  pdOutput:
    begin
      Memo1.Lines.Add('Output');
    end;
  end;

  SetLength(data, nRecvBytes);
  Move(ubuffer[0], data[1], nRecvBytes);
  msg := 'Packet.Size='+IntToStr(nRecvBytes)+' Packet.Data=';
  for k := 1 to Length(data) do
    msg := msg + IntToStr(ord(data[k])) + ',';
  Memo1.Lines.Add(msg);
end;





Hmm, I don't know if this is exactly what you wanted. But a few points would rock! ;-D






/m
SenDog (ASKER)
Hi! I've added more points. Why does "sData := sUDPPacket.UDPData;" and "sData := sTCPPacket.TCPData;" generate errors? I don't see them anywhere in the ingussniffer code. Why is this? Anyway, I would really appreciate it if you could just post a complete code to get the data of TCP and UDP Packets including that thing about validating the packet, etc. so I can just implement it and learn more. I hope you will grant my request. Thanks!
I suspect that we have different versions of the TIngusSniffer, because I don't have any TCPData or UDPData fields on my ingus-packet classes. If you actually do have them, please send a copy of your ingus files to me (including packet32.dll and stuff since they might be changed too) and I'll have a look at them. Meanwhile check this out:

http://mnemo.nu/temp/IngusPacket.zip

Here is a working example which will get UDP data and ethernet data to a normal pascal string. Just as described above, but this package includes the full program, with ALL files needed, referring mainly to ingus and snowing files.

Concerning your need for a checksum calculator, sorry but I have never written anything like that before and I think it's gonna take a while to complete it. For this reason I cannot just post a quick sample to you here, but instead I will try to include it in my TSniffer when I release the first version. Also about the ACK flags in TCP packets, you have a swapped delphi ready version of the flags in sTCPPacket.AckNum so just hit the rfc for TCP and start coding. rfc number for tcp is 793 and you can download copies from www.rfceditor.org. Hmm, I don't remember the rfc-no for UDP though.


Anyways, I hope this will help you a bit further on your quest for silent networking. ;-)

Good Luck!


/m
Extra note: rfc-no for UDP is 768 and specs can be found on:

http://www.rfc-editor.org/rfc/rfc768.txt

I'm gonna have a first look at the checksum now. *brb*


/m
Hmm, I guess you realize this but anyway. To sort out your packets only, using UDP you would have to do something like this:

        // UDP Length is big-endian and counts the 8-byte header, so the payload is k - 8 bytes
        k := (sUDPPacket.UDPHeader.Length[0]*256)+sUDPPacket.UDPHeader.Length[1];
        if k > 8 then
        begin
          SetLength(data, k - 8);
          Move(sUDPPacket.UDPHeader.data[0], data[1], k - 8);
          if Copy(data, 1, 12) = 'SilentSenDog' then
            Memo1.Lines.Add('SenDog Silent Packet Detected');
        end;

And then when using SendBuffer() of the UDP component in delphi, always add
'SilentSenDog' in front of the packet data.

Also, the checksum seems to be a checksum of the whole IP and UDP headers, and it's also 16-bit (padded with zero at the end if needed). The rfc was kind of *light-material* too.


/m
Also, I've compiled a valid packet example for checksum calculation, which include both IP and UDP packet data and header information:

IP_Version:        45 (Version 4)
IP_TypeOfService:  00
IP_Length:         00 c8 (200 bytes)
IP_Ident:          27 d0 (10192)
IP_Flags:          0X
IP_Frags:          00
IP_TimeToLive:     80 (128 hops)
IP_Protocol:       11 ($11 = 17 = UDP)
IP_CheckSum:       8d d1
IP_Source:         c0 a8 01 34 (192.168.1.52)
IP_Destination:    c0 a8 01 ff (192.168.1.255)
UDP_Source:        0b 35 (2869 decimal little-endian)
UDP_Destination:   0b 35 (2869 decimal little-endian)
UDP_Length:        00 b4
UDP_CheckSum:      43 fa
UDP_Data:          00 00 00 c0 ac 00 00 00 0f 00 00 00 00 00 00 00 14 00 00 00 05 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 3c 00 00 00 03 00 01 00 b1 a0 04 00 40 6a 16 00 c6 0b 00 00 a0 0e 00 00 01 00 00 00 00 00 00 00 d4 f2 66 19 14 45 01 00 14 1a 00 00 00 02 00 00 04 00 00 00 11 00 00 00 00 00 00 00 38 00 00 00 6d 73 68 6f 6d 65 2e 6e 65 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 1c 00 00 00 00 d7 3c 69 29 47 c0 01 ab 5b 05 3a 00 00 00 00




/m
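As an added example (not code from this thread or from the Ingus package), here is Python that does the three things discussed above: it reads the UDP length and ports in network byte order instead of swapping by hand, recomputes the IP header checksum and the RFC 768 UDP checksum for the packet listed above, and checks a datagram payload for the fixed 'SilentSenDog' prefix the way a detection rule would. It assumes the listing's IP flags/fragment bytes are 00 00 (shown as "0X"), which recomputing the listed IP checksum 8d d1 confirms, and it demonstrates the UDP checksum on a small constructed segment rather than on the full payload listed above.

```python
import struct

# Constructed from the packet listing in the thread above. The flags/fragment bytes are
# assumed to be 00 00 (the listing shows "0X"); the IP header checksum confirms that guess.
LISTED_IPV4_HEADER = bytes.fromhex(
    "45 00 00 c8 27 d0 00 00 80 11 8d d1 c0 a8 01 34 c0 a8 01 ff"
)
LISTED_UDP_HEADER = bytes.fromhex("0b 35 0b 35 00 b4 43 fa")  # payload bytes omitted
MARKER = b"SilentSenDog"  # the fixed prefix proposed in the thread


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum shared by IPv4, UDP and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; the '!' format reads big-endian, so no manual byte swap."""
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_length": total_len,
        "ident": ident,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # a header whose checksum is intact sums to 0xFFFF, i.e. complements to 0
        "checksum_ok": internet_checksum(packet[:ihl_bytes]) == 0,
    }


def parse_udp(segment: bytes) -> dict:
    """Decode the UDP header. Length counts the 8-byte header plus payload (RFC 768)."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": segment[8:length]}


def _pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 17, UDP length
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """UDP checksum over pseudo-header + segment with the checksum field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = internet_checksum(_pseudo_header(src, dst, len(segment)) + zeroed)
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def udp_checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Verify a received segment: the sum including the checksum field must be 0xFFFF."""
    if segment[6:8] == b"\x00\x00":
        return False  # sender did not compute a checksum; treat as unverified
    return ones_complement_sum(_pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed UDP segment with a valid checksum (test input, not live traffic)."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = udp_checksum(src, dst, segment)
    return segment[:6] + struct.pack("!H", csum) + segment[8:]


def has_marker(payload: bytes, marker: bytes = MARKER) -> bool:
    """Detection-style check: does the datagram payload start with the fixed marker?"""
    return payload.startswith(marker)
```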
SenDog (ASKER)

Wow, you must really be into networking. Anyway, I don't have those fields either. I just copied the code that Olympus posted above. Okay, so we have UDP checking. How about TCP? About the packet code you posted, how can I make one both for tcp and udp and then send it? I'm using FPiette's TWSocket. Thanks! And don't worry, when I get more points, I'll add them to this question. :[)
SenDog (ASKER)
Waiting...
SenDog (ASKER)
Still waiting requiem...

I had *almost* forgotten about this little question, sorry. I will try to fix a working version of my sniffer.pas now, it will yield all your problems.

About your question: "how can I make one both for tcp and udp and then send it". Just use a similar "data: string" solution. When it comes to sending with TWSocket that's a whole other matter and a new question imho, I'll spend more time on this after the sniffer.pas because it had already taken over 20hrs of coding and I don't get a paycheck. Feels weird. It's in my own interest to finish the sniffer.pas code though, so I'll post asap when it's done. Start to write right away.


/m
listening..
interesting thread and code guys :-)
SenDog, why won't you give me any points?


/m
SenDog (ASKER)
You promised me sniffer.pas but I haven't received it yet. Once you send it to me, I'll add more points and award them to you. Thank you for your help. :[)
SenDog (ASKER)
requiem, I am still waiting for a copy of sniffer.pas which you promised you'd send me. As soon as I receive the copy, I'll add more points and award them to you. Thank you!
requiem you shoulda left this thread ages ago LOL...
btw, I am still listening with those 100 points to a good solution. I will post 100 points question for a solution to this problem. I hope this will encourage you a little requiem..
Asta Cu
Perhaps you've overlooked this item, since this question remains open today.  If you've been helped by one of the experts, please accept that comment as the answer to then grade and close. If more is needed, please advise details.

Thank you for your responsiveness,
Asta

The sniffer.pas file is currently not a visual component, but it's half-way modified into it. Once it's a VCL component I'll send it to anyone who wants it. Probably I'll publish it over at Delphi-JEDI.org or something.

SenDog; I do not have your e-mail address to send the file(s)?


I'm gonna sail to the Shetland islands soon, so I'll be ooo for about 2 weeks. After that I'll finish the sniffer component, if there is time. I'm on a very tight schedule atm, that's why I've not been able to read/post at EE for a long time..




/m
SenDog (ASKER)
My e-mail address is slowbone_32@yahoo.com
Greetings.
 
This question is still open today, perhaps it was overlooked or just lost in the volumes.  Please return to this question to update it with comments if more information is needed to get your solution.  If you've been helped by the participating expert(s), you may just convert their comment to the accepted answer and then grade and close.  If an answer has ever been proposed you may not have this option to accept the comment as answer, if that is the case, ask the specific expert you wish to award to post an answer.     This benefits others who then search our PAQ for just this solution, and rewards the experts who have provided information.  A win/win scenario.  Please DO NOT accept this comment as an answer,  it is merely a reminder.
 
If you wish to award multiple participants, you can do so by creating a zero point question in the Community Support topic area, include this link and tell them which experts you'd like to award what amounts.  If you'd like to delete this question, use the same process as above, but explain why you think it should be deleted.  Here is the Community Support link:   https://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
You can always click on your profile to see all your open questions, in the event you also have other open items to be resolved.   If your number of Questions Asked is not equal to the number of Answers Graded, choose to VIEW question history, and you'll quickly be able to navigate to your open items to close them as well.
 
I've had excellent help from experts-exchange through the years and find the real key to getting what I need is to remain active in all my questions, responding with results to suggestions until my solution is found, and recommend that highly.
 
Thank you very much for your responsiveness, it is very much appreciated.  
":0)  Asta
 
P.S.  Some of the older questions from last year are not in the proper comment date order, and Engineering has been advised.  
SenDog (ASKER)
requiem, still waiting.
ASKER CERTIFIED SOLUTION
requiem
SenDog (ASKER)
Why does it seem to add garbage specifically to ETH_RAW and IP_RAW packets?
Because they have a header which very often contains ASCII zero. Use the Psomething pointers to typecast the data into something usable, and then use @ to get the addr of the .Data field which you can then typecast again etc. The "human readable" content is often presented at the bottom of the protocol stack (eg; in the TCP or UDP packets).

Network packets should never be treated as "strings" but instead as what they are: binary chunks! I suggest you loop through the string doing this:

for k := 1 to Length(OldSt) do
  NewSt := NewSt + IntToHex(Ord(OldSt[k]), 2);


or something like that (which will convert the string into a hex-editor like text).


/m
SenDog (ASKER)

Ah! Then there is no need to convert it to hex. I'll leave it as is. All in all, you posted great code. Finally, why does the app freeze at times? Thanks!
If the load is great on the sniffed interface the code will try to parse too much and the GUI becomes unstable due to the CPU drain. As you might know, it's very hard to process 10mbit networks and do any useful analysis. The CPU demands are enormous. This has been resolved in different ways on different sniffer programs, usually they choose not to sniff a new packet until the first packet is processed and analyzed.

In the sniffer.pas example you will be able to use the OnNetworkData only so that component CPU drain is minimized and then it's up to you..

It would be neat if you gave me the points now. =) =)
And I guess karouri could cough up some points too, I feel a bit uncredited for this rather large amount of code.

Of course I will continue to assist you, if necessary, and I will post a copy of my new sniffer project (using my own more stable packet driver) to you.


greetings,
/m
SenDog (ASKER)

Thanks! Here are the points. Yes, please update me on your more reliable packet sniffer project. If I need assistance, where can I contact you? Please give me your e-mail address. Thanks again.

https://www.experts-exchange.com/jsp/qShow.jsp?ta=delphi&qid=20038208
The 100 points are still there, and thanks a lot for the code..
yours,
k

If you have questions, send them to me through mnemo(at)home.se



/m