Snoop Component Suite 2.0 is a component library for sniffing network packets on Microsoft Windows using WinPcap 3.0. It supports various features such as remote capture, file capture, packet dumping, hardware filtering, and statistics.
Snoop Component Suite 2.0 (2003.09.26) http://www.snoopanalyzer.com
Synopsis
What is Snoop Component Suite 2.0?
Snoop Component Suite 2.0 is a component library for sniffing network packets, running on WinPcap 3.0.
What does it support?
• OS: Microsoft Windows 98, 2000, NT, XP, 2003
• Compiler: Borland Delphi, Borland C++Builder
Structure
Snoop Component runs on WinPcap 3.0 or higher. WinPcap is the network packet capture driver for Windows OS. The layers, from top to bottom:
• User Application
• Snoop Component 2.0
• WinPcap 3.0 or higher
• Microsoft Win32 Platform
Features of WinPcap 3.0
• Remote Capture
• File Capture
• Dump
• Send Packet
• Hardware Filter
• Statistics
For more information about WinPcap, see http://winpcap.polito.it
Hierarchy
Classes in the suite, as drawn in the slide's class tree rooted at TComponent:
• TComponent
• TCustomSnoop
• TSnoop
• TSnoopIP
• TSnoopDump
• TSnoopARP
• TSnoopMyNetwork
• TSnoopICMP
• TSnoopTCP
• TSnoopMemory
• TSnoopUDP
• TSnoopTCPData
• TSnoopUDPData
• TSnoopStatistics
Installation
• Install WinPcap 3.0 on your computer.
• Double-click “SnoopPck.dpk”.
• Click the “Install” button in Delphi.
TCustomSnoop Properties (1)
• Active: Boolean; Specifies whether the component is capturing.
• Pcap: Ppcap; Descriptor of an open capture instance. This structure is opaque to the user, who handles its content through the functions provided by wpcap.dll.
• AdapterNames: TStringList; A string list giving the names of the devices that can be passed.
• Error: String; An error string from WinPcap or the Snoop component.
• SourceName: String; A string giving the name of the device to pass. Its value can be one of AdapterNames, another computer's device information, or a file name.
TCustomSnoop Properties (2)
• Filter: String; A capture filter string. A high-level filtering expression is converted into the appropriate filter program internally. The expression is built from qualifiers of three kinds:
• type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.
• dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst, and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point-to-point protocols such as SLIP) the inbound and outbound qualifiers can be used to specify a desired direction.
• proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except that the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
TCustomSnoop Properties (3)
• SnapLen: Integer; Length of the packet that has to be retained. For each packet received by the filter, only the first SnapLen bytes are stored in the buffer and passed to the user application. For instance, a SnapLen of 100 means that only the first 100 bytes of each packet are stored.
• Flags: Integer; Keeps several flags that can be needed for capturing packets:
  • PCAP_OPENFLAG_PROMISCUOUS (1): defines whether the adapter has to go into promiscuous mode.
  • PCAP_OPENFLAG_SERVEROPEN_DP (2): defines who is responsible for opening the data connection in the case of a remote capture (it means 'server open data path').
  • PCAP_OPENFLAG_UDP_DP (4): defines whether the data transfer (in the case of a remote capture) has to be done with the UDP protocol.
TCustomSnoop Properties (4)
• ReadTimeOut: Integer; Read timeout in milliseconds. The read timeout is used to arrange that the read does not necessarily return immediately when a packet is seen, but waits for some amount of time to allow more packets to arrive, so that multiple packets can be read from the OS kernel in one operation. Not all platforms support a read timeout; on platforms that don't, the read timeout is ignored.
TCustomSnoop Methods (1)
• procedure Open; Opens capturing on a local network adapter. Before calling this method, you should specify AdapterIndex or AdapterName. If neither AdapterIndex nor AdapterName is specified, an error occurs.
• procedure Open(Host: String; UserName: String; Password: String); Opens a remote packet capture. Host is the other computer's IP. UserName and Password must be authentication information for the other computer. On the other computer, rpcapd (the remote packet capture daemon) must be installed.
TCustomSnoop Methods (2)
• function LoadFromFile(FileName: String): Boolean; Captures not from an adapter but from a local file. On success it returns true, otherwise it returns false.
• procedure Close; Stops capturing.
TCustomSnoop Events
• procedure OnGetRemoteAdapterInfo(Sender: TObject; AdapterNames: TStringList; AdapterDescriptions: TStringList; var AdapterIndex: Index);
Occurs after calling the remote Open(Host, UserName, Password) method, when the remote machine's adapter names have been retrieved. You must set AdapterName to a value from AdapterNames. If you do not specify AdapterName, the capture is closed automatically.
  • AdapterNames: Remote machine's adapter names.
  • AdapterDescriptions: Remote machine's adapter descriptions.
  • AdapterIndex: The adapter index the user has to select.
TSnoop Events
• procedure OnCapture(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR);
Occurs when a packet is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
TSnoopIP Events
• procedure OnCaptureIP(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR);
Occurs when an IP packet is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • IPHeader: IP header.
TSnoopARP Events
• procedure OnCaptureARP(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR);
Occurs when an ARP packet is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • ARPHeader: ARP header.
TSnoopICMP Events
• procedure OnCaptureICMP(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR; ICMPHeader: PICMP_HDR) of object;
Occurs when an ICMP packet is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • IPHeader: IP header.
  • ICMPHeader: ICMP header.
TSnoopTCP Events
• procedure OnCaptureTCP(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR; TCPHeader: PTCP_HDR);
Occurs when a TCP packet is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • IPHeader: IP header.
  • TCPHeader: TCP header.
TSnoopUDP Events
• procedure OnCaptureUDP(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR; UDPHeader: PUDP_HDR);
Occurs when a UDP packet is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • IPHeader: IP header.
  • UDPHeader: UDP header.
TSnoopTCPData Events
• procedure OnCaptureTCPData(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR; TCPHeader: PTCP_HDR; TCPData: PChar; TCPDataLength: Integer);
Occurs when a TCP packet carrying data is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • IPHeader: IP header.
  • TCPHeader: TCP header.
  • TCPData: TCP data.
  • TCPDataLength: length of the TCP data.
TSnoopUDPData Events
• procedure OnCaptureUDPData(Sender: TObject; PacketHeader: PPCAP_PKTHDR; EthernetHeader: PETHERNET_HDR; IPHeader: PIP_HDR; UDPHeader: PUDP_HDR; UDPData: PChar; UDPDataLength: Integer);
Occurs when a UDP packet carrying data is captured.
  • PacketHeader: timestamp, captured length and length.
  • EthernetHeader: packet data.
  • IPHeader: IP header.
  • UDPHeader: UDP header.
  • UDPData: UDP data.
  • UDPDataLength: length of the UDP data.
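As an added example (not part of Snoop Component Suite and not the author's code), the Python below reconstructs the OnCapture, OnCaptureIP, OnCaptureARP/ICMP/TCP/UDP and OnCaptureTCPData/UDPData dispatch chain described above on a constructed Ethernet/IPv4/TCP frame, and shows the caveat that the SnapLen property implies: the data length a handler reports (TCPDataLength, UDPDataLength) must be clamped to the captured length in the packet header, not taken from the IP total-length field alone, or a handler reads past the capture buffer on truncated packets. The event names in the returned dict, the header offsets and the sample frame are assumptions for illustration.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet / IPv4 / TCP with a 4-byte payload.
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
# IPv4: ver/ihl 0x45, tos 0, total length 44, id 1, flags/frag 0, ttl 64, proto 6 (TCP), csum 0
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
# TCP: sport 40000, dport 80, seq 1, ack 0, data offset 5 (20 bytes), flags PSH|ACK, win 1024
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
FRAME = ETH_HDR + IP_HDR + TCP_HDR + b"GET "
L4_HDR_LEN = {6: 20, 17: 8}  # minimum TCP header / fixed UDP header

def dispatch(frame: bytes, snaplen: int) -> dict:
    """Mimic the TSnoop -> TSnoopIP -> TSnoopTCP/UDP -> TSnoop*Data event chain on one frame,
    returning the event that would fire and, for a data event, the captured payload."""
    caplen = min(len(frame), snaplen)   # PacketHeader: caplen (stored) vs len (on the wire)
    pkt = frame[:caplen]
    ev = {"len": len(frame), "caplen": caplen, "event": "OnCapture"}
    if caplen < 14:                      # not even a full Ethernet header
        return ev
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype == 0x0806:
        ev["event"] = "OnCaptureARP"
        return ev
    if ethertype != 0x0800 or caplen < 34:   # need IPv4 with its 20-byte base header captured
        return ev
    ev["event"] = "OnCaptureIP"
    ihl = (pkt[14] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[16:18])[0]
    proto = pkt[23]
    l4 = 14 + ihl
    if proto == 1 and caplen >= l4 + 8:
        ev["event"] = "OnCaptureICMP"
        return ev
    if proto not in L4_HDR_LEN or caplen < l4 + L4_HDR_LEN[proto]:
        return ev
    name = "TCP" if proto == 6 else "UDP"
    ev["event"] = "OnCapture" + name
    hlen = (pkt[l4 + 12] >> 4) * 4 if proto == 6 else 8
    payload = l4 + hlen
    # Payload length as the headers claim it, then clamped to what was captured: a sniffer
    # that trusts total_len alone reads past the buffer when SnapLen truncated the packet.
    claimed = max(0, 14 + total_len - payload)
    ev["data_len"] = min(claimed, max(0, caplen - payload))
    ev["truncated"] = ev["data_len"] < claimed
    if ev["data_len"] > 0:
        ev["event"] += "Data"
        ev["data"] = pkt[payload:payload + ev["data_len"]]
    return ev
```

With SnapLen large enough the frame reaches the TCPData event with 4 bytes; with SnapLen = 56 only 2 payload bytes were stored, so the reported length drops to 2 and the event is flagged truncated.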
TSnoopStatistics Events
• procedure OnCaptureStatisticsEvent(Sender: TObject; PacketHeader: PPCAP_PKTHDR; Packets: Int64; Bytes: Int64) of object;
Occurs when capture statistics are reported.
  • PacketHeader: timestamp, captured length and length.
  • Packets: captured packet count.
  • Bytes: captured packet bytes.
TSnoopDump Properties
• Active: Boolean; Specifies whether the component is dumping.
• Error: String; An error string from WinPcap or the Snoop component.
TSnoopDump Methods
• procedure Open(Pcap: PPcap; FileName: String); Opens a dump of captured data using the given Pcap structure.
• procedure Close; Closes the dump of captured data.
• procedure Write(PacketHeader: PPCAP_PKTHDR; Data: PChar); Writes the packet header and data to the file.
TSnoopMyNetwork Properties
• IP: DWORD; StrIP: String; Local device's IP.
• Mac: SNOOPMACADDRESS; StrMac: String; Local device's MAC address.
• SubnetMask: DWORD; StrSubnetMask: String; Local device's subnet mask.
• Gateway: DWORD; StrGateway: String; Local device's gateway IP.
Samples (Console, Dump, SendPacket)
• Console: sample of using the Snoop Component in console mode.
• Dump: sample of using the TSnoopDump class.
• SendPacket: sample of using the snoopSendPacket API.
Samples (Expert)
• The most powerful sniffing program in the suite; it supports all functions of Snoop Component Suite version 2.
Samples (Statistics)
• Sample of using the TSnoopStatistics class.
Samples (TCPFlag)
• Sample for understanding TCP flags.
Contact
• Author: GilGil (Lee Kyung Moon)
• Email: gilgil1973@hanmail.net
• Homepage: http://www.snoopanalyzer.com
• Contact: +82-11-9725-8908