Can't capture my Spoofed SYN packet by ethereal...

Several days ago I wrote a spoofing SYN c++ program, I execute it on one PC, sending the spoofed syn to my own computer. But I can't see any SYN packets by running ethereal on my own computer. I captured only one IP(but protocol I set in the spoofed syn is TCP) packet, the info is: IPv6 hop-by-hop option(0x00) , and this IP packet used the real source ip, not the spoofed source ip I set in the program... I want to know if there is anything wrong with my program? Can anyone help me? Thanks in advance. Both computers' system are XP, and the program is the following:

int _tmain(int argc, _TCHAR* argv[])
{
                class SpoofSocket spoof_socket;

      WSADATA WSAData;
      int ret=WSAStartup(MAKEWORD(2,2),&WSAData);

      //Create Raw_Socket
      bool ip_hdrincl=true;
      int SendTimeOver=1000;

      SOCKET raw_sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_IP,NULL,0,WSA_FLAG_OVERLAPPED);                  
      setsockopt(raw_sock,IPPROTO_IP,IP_HDRINCL,(char *)&ip_hdrincl,sizeof(ip_hdrincl));      
      setsockopt(raw_sock,SOL_SOCKET,SO_SNDTIMEO,(char *)&SendTimeOver,sizeof(SendTimeOver));
      
      unsigned int s_ipAddress=inet_addr("192.168.0.103");
      unsigned int d_ipAddress=inet_addr("192.168.0.104");
      unsigned short s_port=2006;
      unsigned short d_port=8000;
      unsigned int seq=0x00000000;
      unsigned int ack=0x00000001;

      //Spoof buffer for sending
      spoof_socket.SetIP_Head_Buffer(s_ipAddress,d_ipAddress);
      spoof_socket.SetTCP_Head_Buffer(s_port,d_port,2,seq,ack+1);
                              
      int len=spoof_socket.tcp_head_len+spoof_socket.ip_head_len;
                                    
      SOCKADDR_IN addr_client1_in;
      addr_client1_in.sin_family=AF_INET;
      addr_client1_in.sin_port=htons(d_port);
      addr_client1_in.sin_addr.S_un.S_addr=d_ipAddress;
                                    
      int send_bytes=sendto(raw_sock,spoof_socket.SendBuffer,len,0,(struct sockaddr*)&addr_client1_in,sizeof(addr_client1_in));
                              
      Console::WriteLine(S"Send one SYN+ACK success!!!");

      closesocket(raw_sock);
      WSACleanup();

      char i;
      cin>>i;
            
      return 0;
}

spoofsocket.cpp:
unsigned short SpoofSocket::checksum(unsigned short *buffer,int size){

      unsigned short cksum=0;
    while(size>1)
      {
            cksum+=*buffer++;
            size-=sizeof(unsigned short);
      }
      if(size)
      {
            cksum+=*(unsigned char*)buffer;
      }
      cksum=(cksum>>16) + (cksum&0xffff);
      cksum+=(cksum>>16);

      return cksum;

};

void SpoofSocket::SetIP_Head_Buffer(unsigned long SourceAddress,unsigned long DestAddress){

      //Set ip_header
      ip_header.h_lenver=(4<<4|sizeof(ip_header)/sizeof(unsigned int));
      ip_header.tos=0;
      ip_header.total_len=htons(sizeof(ip_header)+sizeof(tcp_header));
      ip_header.ident=1;
      ip_header.flags=0;
      ip_header.ttl=(unsigned char)GetTickCount()%87+123;
      ip_header.proto=IPPROTO_TCP;
      ip_header.checksum=0;
      ip_header.sourceIP=SourceAddress;
      ip_header.destIP=DestAddress;
};

void SpoofSocket::SetTCP_Head_Buffer(unsigned short SourcePort,unsigned short DestPort,unsigned char flag,unsigned long seqNumber,unsigned long ackNumber){

      //Set tcp_Header
      tcp_header.th_dport=htons(DestPort);
      tcp_header.th_sport=htons(SourcePort);
      tcp_header.th_seq=htonl(seqNumber);
      tcp_header.th_ack=htonl(ackNumber);
      tcp_header.th_lenres=(sizeof(tcp_header)/4<<4|0);
      tcp_header.th_flags=flag;//flag=2 is SYN; flag=16 is ACK; flag=12 is SYN_ACK
      tcp_header.th_win=htons(512);
      tcp_header.th_urp=0;
      tcp_header.th_sum=0;

      //Set TCP psudHeader
      psd_header.saddr=ip_header.sourceIP;
      psd_header.daddr=ip_header.destIP;
      psd_header.mbz=0;
      psd_header.ptcl=IPPROTO_TCP;
      psd_header.tcpl=htons(sizeof(tcp_header));

      //Get header length
      psd_head_len=sizeof(psd_header);
      tcp_head_len=sizeof(tcp_header);
      ip_head_len=sizeof(ip_header);

      send_buffer=new BYTE[psd_head_len+tcp_head_len];

      //Compute the Checksum value
      memset(send_buffer,0,psd_head_len+tcp_head_len);
      memcpy(send_buffer,&psd_header,psd_head_len);
      memcpy(send_buffer+psd_head_len,&tcp_header,tcp_head_len);
      tcp_header.th_sum=checksum((unsigned short *)send_buffer,psd_head_len+tcp_head_len);

      
      send_buffer=new BYTE[tcp_head_len+ip_head_len];

      //put spoofed IP and TCP header into the SendBuffer
      memset(send_buffer,0,tcp_head_len+ip_head_len);
      memcpy(send_buffer,&ip_header,ip_head_len);
      memcpy(send_buffer+ip_head_len,&tcp_header,tcp_head_len);
      ip_header.checksum=checksum((unsigned short *)send_buffer,ip_head_len+tcp_head_len);

      memset(send_buffer,0,tcp_head_len+ip_head_len);
      memcpy(send_buffer,&ip_header,ip_head_len);
      memcpy(send_buffer+ip_head_len,&tcp_header,tcp_head_len);
      char SendBuffer[60]={0};
      memcpy(SendBuffer,send_buffer,tcp_head_len+ip_head_len);
};

spoofsocket.h
typedef struct ip_head{

      unsigned char h_lenver; //four bits for header length;four bits for IP version
      unsigned char tos;     //eight bits for Type of Service
      unsigned short total_len;// 16bits for total length
      unsigned short ident;
      unsigned short flags; //3flags
      unsigned char ttl;
      unsigned char proto;
      unsigned short checksum;
      unsigned int sourceIP; //32bits source IP
      unsigned int destIP;//32bits destination IP

}IPHEADER;

typedef struct tcp_head{

      unsigned short th_sport;//16bits source port
      unsigned short th_dport;//16bits destination port
      unsigned int th_seq;//32bits sequence number
      unsigned int th_ack;//32bits confirmation number
      unsigned char th_lenres;//four bits for header length;four bits for restoring key words
      unsigned char th_flags;//6flags
      unsigned short th_win;//16bits windows size
      unsigned short th_sum;//16bits checksum
      unsigned short th_urp;//16bits urgent data offsets

}TCPHEADER;

//define TCP pseudHeader
typedef struct ts_head{

      unsigned long saddr;
      unsigned long daddr;
      char mbz;
      char ptcl;//protocol type
      unsigned short tcpl;//TCP length

}PSDHEADER;

class SpoofSocket {

public:
      SpoofSocket(){};
      ~SpoofSocket(){};
      unsigned short checksum(unsigned short *,int);
      void SetIP_Head_Buffer(unsigned long SourceAddress,unsigned long DestAddress);
      void SetTCP_Head_Buffer(unsigned short SourcePort,unsigned short DestPort,unsigned char flag,unsigned long seqNumber,unsigned long ackNumber);
      
      unsigned short psd_sport;
      bool result;
      char SendBuffer[60];
      BYTE * send_buffer;
      int psd_head_len;
      int tcp_head_len;
      int ip_head_len;

      TCPHEADER tcp_header;
      PSDHEADER psd_header;
      IPHEADER ip_header;      
};
gotdoughAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

itsmeandnobodyelseCommented:
Did you check WSAGetLastError() after sendto has failed?

send_bytes has a value of -1 if sendto failed.

Regards, Alex
grg99Commented:
This usually means the packet has a bad checksum so everybody ignores it.

Can you set etherreal to accept "bad" packets too?

another possibility--  if your PC's are hooked together by something other than a really dumb hub, that little box may be tossing out packets that are obviously faked.  have you been able to make a good unspoofed packet and receive it on the other PC?  I'd try that first.



gotdoughAuthor Commented:
1, the send_bytes returns correct, 40 bytes.
2, I have made the test with the unspoofed packets between the two computers, they all are captured correctly.
This problem have confused me serveral days. . .
Rowby Goren Makes an Impact on Screen and Online

Learn about longtime user Rowby Goren and his great contributions to the site. We explore his method for posing questions that are likely to yield a solution, and take a look at how his career transformed from a Hollywood writer to a website entrepreneur.

grg99Commented:
So what is connecting your PC's?

Any firewall software anywhere?

gotdoughAuthor Commented:
no firewall , just a router , and the router connects to ISP, maybe there is a firewall at the ISP end.
itsmeandnobodyelseCommented:
>>>> Any firewall software anywhere?

With XP SP 2 you got a firewall that would prevent packages from passing. You would need to switch off the firewall (you can do that if your internet connection does *not* use the same LAN and C-Net 192.168.0) or configure the firewall to open ports 2006 and 8000.

Regards, Alex
itsmeandnobodyelseCommented:
>>>>  no firewall , just a router

There is no modern router without a firewall ...

Try to configure the router.

Did you use XP SP2 ?

Regards, Alex
 
itsmeandnobodyelseCommented:
>>>> and the router connects to ISP, maybe there is a firewall at the ISP end.

No, if you connect to local IP addresses like 192.168.0.104 your ISP isn't involved. The router acts like a local hub/switch. But the default configuration wouldn't open port 2006 or port 8000.

Regards, Alex

gotdoughAuthor Commented:
then, you mean it didn't send out the spoofed packet at all, but why I captured a packet from the sending-spoofed-packet machine?
itsmeandnobodyelseCommented:
>>>> but why I captured a packet from the sending-spoofed-packet machine?

Maybe you should explain your configuration a little more in detail. Actually, I don't know what a sending-spoofed-packet machine is and what might be different to the machine where it doesn't work. What's about your XP firewalls? Are they on or off?

grg99Commented:
Your router or XP's routers and firewalls may be blocking spoofed packets.

Routers and firewalls are smart enough to notice that a particular hardware address that has been saying it's   192.168.8.2 for the last 343,432 packets, is now claiming to be 33.55.66.77.   Of course that is impossible.  So the packet gets dropped.

You need a dumb HUB, one that doesnt inspect each packet.  They're available on eBay for $0.99 to $4.99 usually.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
C++

From novice to tech pro — start learning today.