how can I capture an incoming packet???


zskillz
12-27-2001, 03:33 AM
Here's what I want to do.... and keep in mind that though I think that I can write the actual code, I'm almost totally ignorant on how networking works!

I want to capture a packet that hits my computer with a program. I then want that program to sift through the packet and deliver certain pieces of information from the packet....

here's the main problem... I HAVE NO IDEA HOW TO CAPTURE A PACKET!!!.... hahahhahHAHA...

I've been having no success finding out how using search engines either, so I'm sort of disheartened, but I know that it can be done, and it can't really be that difficult....

can anyone help me out here???

thanks
-Z

qball
12-27-2001, 09:51 PM
I want to capture a packet that hits my computer with a program.



and keep in mind that though I think that I can write the actual code, I'm almost totally ignorant on how networking works!



the first statement doesn't make much sense as 'packet' is a network term for data transmission. the type of network protocol will determine what 'packet' actually means, so provide it.

the second statement means, well, write the code and see if it works. Tho methinks difficult to do without understanding 'packet' from above....

Anyway, good luck and happy packeting.

vancinad
12-27-2001, 11:09 PM
Most modern programming languages/frameworks are going to operate at the socket level to provide communication with other systems. Sockets are an abstraction that allows you as a programmer to work with I/O streams, which are a lot simpler than being down at the network level where the packets are flying around.

You might want to start getting some familiarity with networking basics by spending some time with Cisco's Internetworking Technology Overview (http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm) .

You'll get a good grounding in the terminology, and probably have a better idea how to proceed from there. (I just spent a few minutes browsing there myself! Good stuff!)

My guess is that getting down to the packet level is going to require some low-level C or assembler programming, and a bit of knowledge of the TCP/IP stack you're using too. Sounds like a good challenge!

Have fun, and let us know what you learn!

DJV

zskillz
12-28-2001, 12:41 AM
hahah... well, it looks like I bit off a lot more to chew than I originally thought.... oh well!!

you'll never learn anything if you don't work at it...

thanks for the link vancinad.... i'll be looking through that for the next few days!!

oh well, usually, I catch on to this stuff pretty quick, so hopefully it'll work out for me!

I'll let you know!

-Z

vancinad
12-28-2001, 12:12 PM
You might also want to check the web sites for vendors of network analysis tools -- "Sniffer" is one that comes to mind. They might have some "theory of operation" type stuff that helps too. Good luck!

qball
12-30-2001, 07:59 PM
vancinad,

excellent advice.

Anyway, maybe I can clarify something.

Intercepting/reading packets is one thing, and can give you a large amount of info, think firewall.

Knowing the significance of what a packet contains is entirely different. Firewall is really controlling the packet's action (this is found in the IP header, I believe), not what the packet contains. On a network level, this is basically the same, the network controls the packet's actions, not really caring about the contents.

Now, to even have a chance at determining a packet's significance, you need to find and re-assemble ALL packages in the transmission (a non-trivial thing) and then hope it makes some sense to you, it could be anything from an address to something encrypted (or even the devil or the deep blue sea).

Have fun and keep learning.

Ka0ticMiND
12-30-2001, 09:27 PM
maybe we can change the words Capturing Packets to Packet Filtering Techniques? i mean. As qball said...think firewall.

zskillz
12-31-2001, 06:21 PM
hehe... well, I was under the impression that the mac addy was in the packet header. I thought that every packet had a header, and that the contents were, of course, varied. So I didn't really care what the contents of the packet were really... just the header so that I could check the incoming packet's mac addy...

ok... so as to avoid as much confusion as possible, I'll tell you my end goal... I want to make a sort of security add on that I can attach (I have no idea how yet ;) ) to something like my ftp or telnet server. I want the program to check the mac addy of the computer trying to connect to my server and compare it to a list of acceptable clients (that I can load into the program from the server)...

now I have been doing my research, and I know that it is possible, although not simple, to spoof the mac addy, but this is more for me to learn than to worry about the real practical application of such a program.

anyway... any more thoughts??

-Z
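The header layout Z is describing, as an added example (this is not code from anyone in the thread): an Ethernet II frame carries the destination MAC, the source MAC and an EtherType in its first 14 bytes, and when the EtherType is 0x0800 an IPv4 header follows with the source and destination addresses at fixed offsets. The block below parses a constructed frame in Python and checks its source MAC against an allowlist; the frame bytes, MAC addresses, IP addresses and the allowlist are all made up for the example. A capture library would hand the same function real frames. One point to know before building on it: the source MAC seen in a frame belongs to the last hop on the local segment, so for a client on the far side of a router it is the router's address, which, together with the spoofing Z already mentions, limits a MAC allowlist to clients on the local LAN.

```python
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed sample frame (not a real capture): a 14-byte Ethernet II header
# followed by a minimal 20-byte IPv4 header with no options, protocol 6 (TCP).
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                 # destination MAC (made up)
    + bytes.fromhex("aabbccddeeff")               # source MAC (made up)
    + ETHERTYPE_IPV4.to_bytes(2, "big")           # EtherType 0x0800 = IPv4
    + bytes.fromhex("450000280000400040060000")   # ver/IHL, TOS, total len 40, id, flags, TTL 64, proto 6, checksum 0
    + bytes([192, 168, 1, 10])                    # source IP (made up)
    + bytes([192, 168, 1, 20])                    # destination IP (made up)
)

# Hypothetical allowlist of client MACs the server should accept.
ALLOWED_MACS = {"aa:bb:cc:dd:ee:ff"}


def mac_to_str(raw):
    """Render six raw bytes as the usual colon-separated hex form."""
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    """Split the 14-byte Ethernet II header off a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_to_str(dst), "src_mac": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(payload):
    """Pull source/destination address and protocol out of an IPv4 header."""
    if len(payload) < 20:
        raise ValueError("payload too short for an IPv4 header")
    version = payload[0] >> 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    header_len = (payload[0] & 0x0F) * 4   # IHL is counted in 32-bit words
    return {"src_ip": ".".join(str(b) for b in payload[12:16]),
            "dst_ip": ".".join(str(b) for b in payload[16:20]),
            "protocol": payload[9],
            "header_len": header_len}


def check_frame(frame, allowed=ALLOWED_MACS):
    """Decode one frame and report whether its source MAC is on the allowlist."""
    eth = parse_ethernet(frame)
    result = {"src_mac": eth["src_mac"], "dst_mac": eth["dst_mac"],
              "ethertype": eth["ethertype"], "allowed": eth["src_mac"] in allowed}
    if eth["ethertype"] == ETHERTYPE_IPV4:
        result.update(parse_ipv4(eth["payload"]))
    return result


if __name__ == "__main__":
    print(check_frame(SAMPLE_FRAME))
```

Frames shorter than the headers they claim to carry are rejected with a ValueError rather than parsed partially, which matters on a raw capture where truncated or malformed frames do show up.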

Yardiff
01-02-2002, 04:29 PM
zskillz

I'll admit that I'm not too great w/packet stuff and am not entirely sure of what you're hoping to do. However, if you want to look at the guts of a packet (and reassemble a whole bunch of captured packets into an organized "start-to-finish" fashion) then have a look at this url:

www.ethereal.com

Works on both Windows and Unix and has some interesting features...the new version looks to have a few things I can use myself. I did a website view in IE while doing a few other things on the network, and managed to reassemble it from go to yo, had a nice look at all the data from the pov of the network layer.

I hope you know a little more about packets than I do though! ;)

Cheers,

Yardiff

qball
01-02-2002, 07:54 PM
Yardiff,

Well there you have it, excellent.

zskillz
01-02-2002, 08:35 PM
well... thank you... they even have the source code available... I'm gonna dl all that and parse my way through it... hopefully that'll clue me into what I'm trying to do a little more


I'm leaving town in a couple of days for a few weeks, so we'll see what happens!!!

thanks
-Z

guanno
01-05-2002, 12:43 AM
Given your level of knowledge, how you might do this simply will vary drastically depending on the OS platform. If you're on a BSD based system and want to examine local network traffic I'd suggest using tcpdump to create a packet log, and then parsing through it with a bit of Perl code. It should be quite simple, but keep in mind that tcpdump will very rapidly generate HUGE log files. Another relatively simple and more specific method would be to use something like ipf.rules to log packets incoming to specific ports. Again use Perl to parse through it and display the desired info. You can also do direct socket programming in Perl on its own, but that's a bit too involved to explain in a single post, and I'm by no means an expert on it. Basically for starters I'd suggest you go to sourceforge.com (http://sourceforge.com) or packetstorm.widexs.nl (http://packetstorm.widexs.nl) for more info and resources. Hope I've helped in some small way.
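guanno's log-and-parse approach, as an added example that is not guanno's or anyone else's code from this thread: a small Python parser (in place of the Perl he mentions) over a few constructed lines written in the style of tcpdump's default text output. The log lines, addresses and ports are made up, and real output varies with tcpdump version and options, so the regular expression should be checked against your own capture before you rely on it. The block pulls out source, destination, ports and TCP flags from each line, skips lines it does not recognise, and counts new connection attempts (a bare SYN) per source and destination port, which is the kind of "desired info" a server operator would want summarised out of a large log.

```python
import re
from collections import Counter

# Constructed sample lines in the style of tcpdump's default text output
# (not a real capture). Layout: "time IP src.port > dst.port: Flags [..], ..."
SAMPLE_LOG = """\
13:05:01.100001 IP 192.168.1.10.51000 > 192.168.1.20.21: Flags [S], seq 100, win 512, length 0
13:05:01.100500 IP 192.168.1.20.21 > 192.168.1.10.51000: Flags [S.], seq 200, ack 101, win 512, length 0
13:05:01.100900 IP 192.168.1.10.51000 > 192.168.1.20.21: Flags [.], ack 201, win 512, length 0
13:05:02.200001 IP 10.0.0.5.40000 > 192.168.1.20.23: Flags [S], seq 300, win 512, length 0
13:05:03.300001 IP 10.0.0.5.40001 > 192.168.1.20.21: Flags [S], seq 400, win 512, length 0
13:05:03.300900 IP 192.168.1.20.21 > 10.0.0.5.40001: Flags [R.], seq 0, ack 401, win 0, length 0
this line is not a tcpdump record and is skipped by the parser
"""

# Matches the IPv4/TCP form of a tcpdump line; ARP, UDP and ICMP lines look
# different and are deliberately left unmatched here.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Turn tcpdump text output into a list of dicts, one per recognised line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a TCP/IPv4 record in the expected layout
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def connection_attempts(records):
    """Count new connection attempts (bare SYN) keyed by (source IP, destination port)."""
    return Counter((r["src"], r["dport"]) for r in records if r["flags"] == "S")


def attempts_to_port(records, port):
    """Sorted list of source IPs that tried to open a connection to the given port."""
    return sorted({r["src"] for r in records if r["flags"] == "S" and r["dport"] == port})


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_LOG)
    for (src, dport), n in sorted(connection_attempts(recs).items()):
        print("%-15s -> port %-5d %d attempt(s)" % (src, dport, n))
    print("sources that tried port 21:", attempts_to_port(recs, 21))
```

To run this over a real log, capture with something like `tcpdump -n -i <interface> tcp > capture.txt` (the `-n` keeps addresses numeric so the regex sees dotted quads rather than hostnames) and pass `open("capture.txt").read()` to `parse_tcpdump`. Because the parser keys on the bare SYN flag, a single completed session counts once no matter how many data packets it carries, so the summary stays small even when the log itself is huge.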