
Snowmon

Introduction

The code presented implements a network sniffing tool in C# that runs through a Windows Forms application. It uses a raw socket to capture network packets and analyzes their header data.

How it Works

Initialization and Socket Configuration:

The code uses a raw socket (SocketType.Raw) with the protocol ProtocolType.IP, allowing the program to listen for IP packets.
meinsocket.Bind(endpoint) binds the socket to the local IP address.

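By using meinsocket.IOControl(IOControlCode.ReceiveAll, BitConverter.GetBytes(1), null), the socket is configured to receive all IP packets arriving on the network interface it is bound to (similar to promiscuous mode). On Windows, opening a raw socket and enabling ReceiveAll requires the program to run with administrator rights.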

Packet Reception and Analysis:

Starting at the rms label, the code enters an infinite loop (each pass ends with goto rms) that receives one packet per pass.
The code checks whether the received packet is exactly 128 bytes long and skips it otherwise. This likely serves to filter specific packets.

The IP addresses (source and destination) and various other header information (such as protocol number) are read and displayed.

WHOIS Queries:

QueryByIPAddress is called whenever the output line built for the current packet differs from the line that was last looked up.
The WHOIS query is performed using the WhoisClient.Query method, and the results are displayed on the user interface.

If there is no DNS entry for the source IP address, an appropriate message is displayed.

Code

using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Windows.Forms;
using Whois.NET;

namespace SnowSniff2
{
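    /// <summary>
    /// Main window of the sniffer. Captures IPv4 packets on a raw socket, decodes a few
    /// header fields, shows the printable payload bytes and looks up the source address
    /// via WHOIS and reverse DNS.
    /// </summary>
    /// <remarks>
    /// On Windows, opening a raw socket and enabling <see cref="IOControlCode.ReceiveAll"/>
    /// requires the process to run with administrator rights. Everything read from the
    /// receive buffer is untrusted network input.
    /// </remarks>
    public partial class Form1 : Form
    {
        // Only packets of exactly this many bytes are decoded; all others are counted and skipped.
        private const int ExpectedPacketLength = 128;

        // Packets whose source address starts with these three octets are skipped.
        private const string IgnoredSourcePrefix = "192.168.178";

        IPHostEntry myip;
        IPHostEntry daddr;
        int i;
        int tcpoffset, dataoffset;
        string destaddr;
        string sorcaddr;
        StringBuilder zeile = new StringBuilder();
        string umaddr;
        // Last output line for which a lookup was made, and the line of the current packet.
        string benutzer = "benutzer";
        string benutzertemp = "benutzertemp";
        int ipvers;
        int headlen;
        int sport;
        int dport;
        int ttl = 1;
        int proto;
        // Number of packets received so far (shown in textBox2).
        int flct;
        int count;

        /// <summary>Creates the form and its designer-generated controls.</summary>
        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>Starts the capture when the button is clicked.</summary>
        /// <remarks>
        /// <see cref="ssnif"/> loops forever, so the UI thread stays inside this handler;
        /// the controls are repainted only through the explicit Refresh/Update calls.
        /// </remarks>
        private void button1_Click(object sender, EventArgs e)
        {
            ssnif();
        }

        /// <summary>
        /// Binds a raw IPv4 socket to the first IPv4 address of this host and processes
        /// received packets in an endless loop. Returns immediately if the host has no
        /// IPv4 address; otherwise it only leaves through an exception.
        /// </summary>
        public void ssnif()
        {
            myip = Dns.GetHostEntry(Dns.GetHostName());
            for (i = 0; i < myip.AddressList.Length; i++)
            {
                if (myip.AddressList[i].AddressFamily == AddressFamily.InterNetwork)
                {
                    break;
                }
            }
            if (i == myip.AddressList.Length)
            {
                return;
            }

            IPEndPoint endpoint = new IPEndPoint(myip.AddressList[i], 0);

            // 'using' releases the raw socket if Receive or a lookup throws.
            using (Socket meinsocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP))
            {
                meinsocket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);

                byte[] buf = new byte[meinsocket.ReceiveBufferSize];
                meinsocket.Bind(endpoint);
                // ReceiveAll = 1: deliver every IP packet seen on the bound interface.
                meinsocket.IOControl(IOControlCode.ReceiveAll, BitConverter.GetBytes(1), null);

                label3.Text = ("<--- analysing data for user string ");
                label3.Refresh();

                while (true)
                {
                    int received = meinsocket.Receive(buf);
                    flct++;
                    textBox2.Text = flct.ToString();
                    textBox2.Refresh();

                    textBox1.Text = received.ToString();
                    textBox1.Refresh();

                    if (received != ExpectedPacketLength)
                    {
                        continue;
                    }

                    // IPv4 header: destination address at bytes 16-19, source at 12-15.
                    destaddr = buf[16] + "." + buf[17] + "." + buf[18] + "." + buf[19];
                    sorcaddr = buf[12] + "." + buf[13] + "." + buf[14] + "." + buf[15];

                    umaddr = buf[12] + "." + buf[13] + "." + buf[14];
                    if (umaddr == IgnoredSourcePrefix)
                    {
                        continue;
                    }

                    // Low nibble of byte 0 is the IP header length in 32-bit words.
                    tcpoffset = (buf[0] & 0x0f) * 4;
                    // NOTE(review): this reads the TCP data-offset field without checking the
                    // protocol number, so for UDP and other protocols the value is not a real
                    // header length. Indices stay inside the 128-byte packet either way.
                    dataoffset = (buf[tcpoffset + 12] >> 4) * 4;

                    ipvers = (buf[0] >> 4);
                    headlen = (buf[0] & 0x0f) * 4;
                    sport = (buf[tcpoffset] << 8) + (buf[tcpoffset + 1]);
                    dport = (buf[tcpoffset + 2] << 8) + (buf[tcpoffset + 3]);
                    ttl = buf[8];
                    proto = buf[9];

                    // Start a fresh line. Without this the builder keeps every earlier
                    // packet, so each pass would re-append the whole history to the text box.
                    zeile.Clear();

                    DateTime myValue = DateTime.Now;
                    zeile.Append(myValue.ToString());
                    zeile.Append(" IPv ");
                    zeile.Append(ipvers.ToString());
                    zeile.Append(" : ");
                    zeile.Append(sorcaddr);
                    zeile.Append(" : ");
                    zeile.Append(sport.ToString());
                    zeile.Append(" : ");
                    zeile.Append(destaddr);
                    zeile.Append(" : ");
                    zeile.Append(dport.ToString());
                    zeile.Append("  TTL  ");
                    zeile.Append(ttl.ToString());
                    zeile.Append("  Protocol ");
                    if (proto == 17) { zeile.Append(" UDP "); }
                    if (proto == 6) { zeile.Append(" TCP "); }

                    zeile.Append(" count -->> ");
                    zeile.Append(received.ToString());
                    zeile.Append(" username  ----->  ");

                    // Payload bytes come straight off the wire: control characters are
                    // replaced with '.' before the text reaches the UI.
                    for (int b = (tcpoffset + dataoffset + 24); b < received; b++)
                    {
                        char c = Convert.ToChar(buf[b]);
                        if (Char.IsControl(c))
                        {
                            zeile.Append(".");
                        }
                        else
                        {
                            zeile.Append(c);
                        }
                    }

                    zeile.Append(" \r\n");

                    richTextBox1.Update();
                    richTextBox1.AppendText(zeile.ToString());
                    richTextBox1.ScrollToCaret();
                    benutzertemp = zeile.ToString();

                    // The lookups block this loop and send the observed source address to
                    // external WHOIS and DNS servers, so they run only when the line changed.
                    if (benutzertemp != benutzer)
                    {
                        QueryByIPAddress();
                    }
                }
            }
        }

        /// <summary>
        /// Looks up the current source address via WHOIS and reverse DNS and shows the
        /// results in label4 (raw WHOIS text), label3 (organization) and label5 (host name).
        /// </summary>
        private void QueryByIPAddress()
        {
            benutzer = benutzertemp;

            try
            {
                var result = WhoisClient.Query(sorcaddr);
                if (result != null)
                {
                    label4.Text = result.Raw != null ? result.Raw.ToString() : string.Empty;
                    label4.Update();
                    label4.Refresh();

                    // A response without an organization leaves label3 unchanged; this
                    // replaces the former empty catch that hid every exception here.
                    if (result.OrganizationName != null)
                    {
                        label3.Text = result.OrganizationName.ToString();
                        label3.Update();
                        label3.Refresh();
                    }
                }
            }
            catch (SocketException)
            {
                // Report a WHOIS failure as such instead of as a missing DNS entry.
                label4.Text = "whois query failed";
                label4.Refresh();
            }

            try
            {
                // GetHostEntry signals a failed lookup by throwing; one call is enough.
                daddr = Dns.GetHostEntry(sorcaddr);
                label5.Text = daddr.HostName;
                label5.Refresh();
            }
            catch (SocketException)
            {
                label5.Text = "no dns entry for hostname";
                label5.Refresh();
            }
        }

        /// <summary>
        /// Sample WHOIS lookup for a fixed domain; writes the organization and the
        /// responding servers to the console and shows the organization in a message box.
        /// </summary>
        private void QueryByDomain()
        {
            var result = WhoisClient.Query("google.com");
            Console.WriteLine("{0}", result.OrganizationName);
            Console.WriteLine(string.Join(" > ", result.RespondedServers));
            MessageBox.Show(result.OrganizationName);
        }
    }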
}