Solved

PacketSniffer Problems

Posted on 2001-08-17
7
254 Views
Last Modified: 2010-04-06
Hi.

I'm currently trying to make a tool that checks how much bandwith each user on a Network is using.

Tried to use FPiette's PacketSniffer but for some reason it always freezes the computers after a while... and the packet32.dll used by it is also used by the SubSeven Trojan so my AV software always start complaining...

So i found another PacketSniffer one that doesnt crash... the only problem is that i cant seem to get the source/destionation address from the packets... not sure what to do =(

It's located at:
http://home1.stofanet.dk/nitezhifter/files/Delphi%20Pcap.zip

it's actually a Delphi conversion of the WinPcap Library.

so what i need is some help on how to actually get the source/destination ip addresses...

regards,
John
0
Comment
Question by:Arachnid
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 3

Expert Comment

by:karouri
ID: 6398223
As far as I know, the winpcap captures the whole packet, so you can read the source and destination IP addresses from within the packets. Notice that the packet capture does not contain the Ethernet preamble, neither the CRC at the end. Any data you can get from a packet assuming it is an IP packet can be got from the headers:
Ethernet frame header: http://wks.uts.ohio-state.edu/sysadm_course/html/sysadm-326.html
IP packet header: http://www.freesoft.org/CIE/Course/Section3/7.htm
All in all, the source IP address is the four bytes starting at byte 26 (assuming a zero based array) in network byte order, which is different from x86 machine order. So the source IP is
Eth[29]:Eth[28]:Eth[27]:Eth[26]
The next four bytes are the destination IP address, like
Eth[33]:Eth[32]:Eth[31]:Eth[30]
assuming the array holding the packet is defined as
Eth:array[0..1513] of byte
0
 
LVL 1

Accepted Solution

by:
SenDog earned 300 total points
ID: 6399489
Try downloading release 0.3 of O.W.N.S. (One Way Network Sniffing) at http://sourceforge.net/projects/owns/

It works great and can be modified to suit your needs. Also, it already uses WinCap.

Cheers,
SenDog
0
 
LVL 3

Expert Comment

by:karouri
ID: 6399873
Correction for my previous comment:
... in network byte order, which is different from x86 machine order. So the source IP is
Eth[26]:Eth[27]:Eth[28]:Eth[29]
The next four bytes are the destination IP address, like
Eth[30]:Eth[31]:Eth[32]:Eth[33]

The order I gave last time is reversed..


0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Arachnid
ID: 6405458
ahhh... finally!
the owns project was exactly what i needed... in a way...
just went through the sourcefiles and found out how to get the ip addresses.
thanx SenDog...
 
sorry karouri but to me SenDogs answer was a more "complete" one...


Regards,
John
0
 

Author Comment

by:Arachnid
ID: 6405459
ahhh... finally!
the owns project was exactly what i needed... in a way...
just went through the sourcefiles and found out how to get the ip addresses.
thanx SenDog...
 
sorry karouri but to me SenDogs answer was a more "complete" one...


Regards,
John
0
 
LVL 3

Expert Comment

by:karouri
ID: 6405764
actually it is fine for me too, as I needed such a work on linux, and I found it now for free
0
 
LVL 1

Expert Comment

by:SenDog
ID: 6408218
Glad I could help!


Cheers,
SenDog
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
find a node in VST 2 92
Find and Replace Stream with 0s 8 86
RESTRequest Parameter 4 81
Automatic field translation delphi 10.2 6 45
Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
Introduction Raise your hands if you were as upset with FireMonkey as I was when I discovered that there was no TListview.  I use TListView in almost all of my applications I've written, and I was not going to compromise by resorting to TStringGrid…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question