Anyone feel like testing my simple packet sniffer?

I developed a very simple LAN packet sniffer in MS Visual C++ .NET, to refresh my programming skills (and have something to show potential employers).

If anybody with Windows (95 on up) feels like giving her a rip for me, just to see that it runs on other machines, I’d appreciate it.

First, you have to install WinPcap 3.0 from http://winpcap.polito.it , then
my program from http://revtim.250free.com/sps.exe.

Known issue: Can’t copy/paste from main window

It’s hard-coded to look at the first device the WinPcap discovery function returns, so it might fail if you have multiple LAN cards and use one other than the first.

And I have no clue what will happen with a dial-up connection! Hopefully, it’ll work the same.

What one should see after pressing the START button is the device the program chooses, its description, then the packets start a’flowin.

The packets should look something like:
1080602034:320426 (60)
ff ff ff ff ff ff 00 0a 42 6c 20 54 08 06 00 01
08 00 06 04 00 01 00 0a 42 6c 20 54 45 a7 78 01
00 00 00 00 00 00 45 a7 7a 80 04 01 04 00 00 00
00 02 01 0b 03 02 00 00 05 01 02 00

1080602034:872384 (60)
ff ff ff ff ff ff 00 0a 42 6c 20 54 08 06 00 01
08 00 06 04 00 01 00 0a 42 6c 20 54 45 a7 70 01
00 00 00 00 00 00 45 a7 72 f6 45 00 00 1c 38 3d
00 00 01 01 72 6a 45 a7 76 ef cf 1a

1080602035:10230 (60)
ff ff ff ff ff ff 00 0a 42 6c 20 54 08 06 00 01
08 00 06 04 00 01 00 0a 42 6c 20 54 45 a7 78 01
00 00 00 00 00 00 45 a7 7b 8b 51 9d d6 c6 70 12
80 00 67 f9 00 00 02 04 05 b4 01 01

You might have to do some network activity to see packets, like load a web page or check your email.

Thanks! And special thanks to doper bashere for helping with a problem I was having.
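The three dumps above are worth decoding rather than just eyeballing. Each is a 60-byte Ethernet frame (the minimum on the wire) whose ethertype is 08 06, i.e. ARP; opcode 00 01 is a request, and all three come from the same MAC (00 0a 42 6c 20 54) asking for three different addresses on 69.167.x.x. Only 14 + 28 = 42 bytes of that are headers; the trailing 18 bytes are padding, and here the padding is not zeros (in the second frame it starts 45 00 00 1c ..., which reads like an IPv4 header). Non-zero padding is the classic driver-padding leak ("Etherleak") and something a sniffer author should flag rather than print silently. The following is an added example in plain C, not code from the original post or from sps.exe: it parses the dumps exactly as printed above (copied verbatim as constructed input), pulls out the ARP fields, and checks the padding. The struct and function names are this example's own.

```c
/* Added example, not code from the original post: decode the three frames
 * that sps.exe printed above and check the padding that follows the ARP body. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ARP_IPV4_LEN  28
#define ETHERTYPE_ARP 0x0806

/* The three 60-byte frames from the post, copied as the sniffer dumped them. */
static const char *FRAME_HEX[3] = {
    "ff ff ff ff ff ff 00 0a 42 6c 20 54 08 06 00 01 "
    "08 00 06 04 00 01 00 0a 42 6c 20 54 45 a7 78 01 "
    "00 00 00 00 00 00 45 a7 7a 80 04 01 04 00 00 00 "
    "00 02 01 0b 03 02 00 00 05 01 02 00",
    "ff ff ff ff ff ff 00 0a 42 6c 20 54 08 06 00 01 "
    "08 00 06 04 00 01 00 0a 42 6c 20 54 45 a7 70 01 "
    "00 00 00 00 00 00 45 a7 72 f6 45 00 00 1c 38 3d "
    "00 00 01 01 72 6a 45 a7 76 ef cf 1a",
    "ff ff ff ff ff ff 00 0a 42 6c 20 54 08 06 00 01 "
    "08 00 06 04 00 01 00 0a 42 6c 20 54 45 a7 78 01 "
    "00 00 00 00 00 00 45 a7 7b 8b 51 9d d6 c6 70 12 "
    "80 00 67 f9 00 00 02 04 05 b4 01 01",
};

struct arp_info {
    uint8_t  eth_dst[6], eth_src[6];
    uint16_t ethertype;
    uint16_t opcode;                 /* 1 = request, 2 = reply */
    uint8_t  sender_mac[6], target_mac[6];
    uint32_t sender_ip, target_ip;   /* host byte order */
    size_t   padding_len;            /* bytes after the 28-byte ARP body */
    int      padding_nonzero;        /* 1 if any padding byte is not 0x00 */
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Whitespace-separated hex dump -> bytes; returns 0 if the dump is malformed. */
static size_t hex_to_bytes(const char *hex, uint8_t *out, size_t max) {
    size_t n = 0;
    while (*hex && n < max) {
        if (isspace((unsigned char)*hex)) { hex++; continue; }
        int hi = hexval((unsigned char)hex[0]);
        int lo = hex[1] ? hexval((unsigned char)hex[1]) : -1;
        if (hi < 0 || lo < 0) return 0;
        out[n++] = (uint8_t)((hi << 4) | lo);
        hex += 2;
    }
    return n;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode Ethernet + ARP (Ethernet/IPv4 ARP only).  Returns 0 on success,
 * -1 if the frame is too short, not ARP, or not an Ethernet/IPv4 ARP body. */
static int decode_arp_frame(const uint8_t *f, size_t len, struct arp_info *a) {
    if (len < ETH_HDR_LEN + ARP_IPV4_LEN) return -1;
    memset(a, 0, sizeof *a);
    memcpy(a->eth_dst, f, 6);
    memcpy(a->eth_src, f + 6, 6);
    a->ethertype = be16(f + 12);
    if (a->ethertype != ETHERTYPE_ARP) return -1;
    const uint8_t *p = f + ETH_HDR_LEN;
    if (be16(p) != 1 || be16(p + 2) != 0x0800 || p[4] != 6 || p[5] != 4) return -1;
    a->opcode = be16(p + 6);
    memcpy(a->sender_mac, p + 8, 6);
    a->sender_ip = be32(p + 14);
    memcpy(a->target_mac, p + 18, 6);
    a->target_ip = be32(p + 24);
    a->padding_len = len - (ETH_HDR_LEN + ARP_IPV4_LEN);
    for (size_t i = ETH_HDR_LEN + ARP_IPV4_LEN; i < len; i++)
        if (f[i] != 0) { a->padding_nonzero = 1; break; }
    return 0;
}

/* Decode all three frames from the post; returns how many decoded cleanly. */
static int decode_all(struct arp_info out[3]) {
    int ok = 0;
    for (int i = 0; i < 3; i++) {
        uint8_t buf[128];
        size_t n = hex_to_bytes(FRAME_HEX[i], buf, sizeof buf);
        if (n > 0 && decode_arp_frame(buf, n, &out[i]) == 0) ok++;
    }
    return ok;
}

int main(void) {
    struct arp_info a[3];
    int ok = decode_all(a);
    for (int i = 0; i < ok; i++)
        printf("frame %d: ARP op %u, sender %08x -> target %08x, %zu padding bytes%s\n",
               i + 1, a[i].opcode, (unsigned)a[i].sender_ip, (unsigned)a[i].target_ip,
               a[i].padding_len, a[i].padding_nonzero ? " (not all zero)" : "");
    return ok == 3 ? 0 : 1;
}
```

Run it and all three frames decode as ARP requests with 18 bytes of non-zero padding. A sniffer that prints the raw bytes cannot tell the reader which 18 bytes are padding; decoding the header length and reporting the remainder separately is what makes the leak visible.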

No offense to a fellow Straight Doper, but it’s just not wise to download and run a program from a (mostly) complete stranger unless it’s a trusted download site.

Like all things downloaded, you should scan it for viruses. I did before I uploaded it, and it came up clean. But don’t trust me, scan it yourself.

You should also mention that you need the MFC v7 DLL to run it. I do not have this, so I cannot run it. Are you permitted to distribute that?

Crap, forgot about that. I’m pretty sure I can distribute that, but I’ll have to make sure. I’ll get back to here later.

Thanks for trying though! I truly appreciate it. I’d hate there to be a big problem that doesn’t manifest itself on my machine, but does on potential employers’ machines!

OK, if I understand the redist.txt doc, there should be no problem redistributing mfc70.dll.

It’s at http://revtim.250free.com/mfc70.dll. After download, place in your c:\WINDOWS\system32 directory.

Thanks much!

Well, that’s actually not the point. A virus detector won’t identify a trojan horse or just plain old malicious code. The only real safe way to run your code would be to accept the source code, read and understand it, and then compile it.

So while I’m 99.9% sure that in this instance, no harm is meant, I just thought I’d mention that, in general, running code that some unknown person gives you is pretty much the equivalent of handing your wallet to someone standing on the street and saying “Can you watch this for me?”.

Well, I have no problem with putting the source code up there, if that makes anybody feel better.

http://revtim.250free.com/SimplePacketSniffer-v1_vc7.zip

That’s the whole project/solution directory of the application. It may require Vis C++ .Net to load it as a project, but the source can still be read with a simple text editor if one doesn’t have Vis C++ .NET.

And certainly if I were trying to pull a fast one, I wouldn’t do it after paying the bucks to become a member? I’m unemployed, I can’t afford to waste even five bucks.

Not to mention that I’ve been here since 1999. Why now would I all of a sudden do something so heinous as to try and trick people into running malicious code?
This is very important to me; I have no other way to try this on different machines. I need to find out if there’s major problems before potential employers try to run it. I see that your intentions are good, but the FUD you are raising is certainly hurting my chances of getting this tried out by other people.

I was going to check out your source code just for curiosity sake, but the link is broken.

I’ll check out the executable later today.

OK, this is odd. It keeps disappearing after the upload with FTP for some reason.

I changed the name, and used 250free’s upload manager, and that seemed to work.

Here it is:
http://revtim.250free.com/src.zip

Thanks much for checking this out caphis, I appreciate it!

Revtim, it’s looking for MFC70D.DLL, not MFC70.DLL . Renaming MFC70.DLL to add the D (which sometimes is successful) fails. Do you have MFC70D.DLL available for distribution?

D’oh! Should have known that, it’s a debug release.

http://revtim.250free.com/mfc70d.dll

Sorry.

I tried to run the program first on my machine without Visual Studio loaded. It asked for these three files, which luckily I did have on my laptop, which has VS .NET 2003 loaded onto it.

MFC70D.DLL
MSVCR70D.DLL
MSVCP70D.DLL

According to redist.txt, these are redistributable, but there really shouldn’t be any need to – these are debug versions of their non “D” counterparts. Since these are redistributable, I’ve put copies of them here for anyone who wants to try the program.

Revtim, I checked your source code, and you’re compiling in Debug mode. Compile it in release mode, and it should remove the dependencies on these files. Build->Configuration Manager->Configuration. That’s my best guess.

As to how well it works… I pressed “Start” and it just stopped responding. WinXP Home Edition.

But isn’t there more information from crashes in Debug mode? This is the stuff I’m gonna need to see.

Also, can you tell me what your configuration is, especially your network connection? And, I presume when you say it stopped responding, you were unable to exit with the EXIT button. Is this true?

Oh, and caphis, many thanks for trying this stuff out. I appreciate it.

And also for linking to those files.

I dunno about the amount of information provided in either mode; I’d test it using both, but I can’t compile your source at all since I don’t have the required WinPcap SDK header file.

Oh, my network connection is the school LAN. Basically, I pressed start, the mouse turned to an hourglass, I waited about 20 seconds, then nothing happened. I switched to a different task, came back a few minutes later to your program, and the interface had turned white, the titlebar read “(Not Responding)” and I had to CTRL-ALT-DEL it.

Ditto. WinXP Home, built-in Ethernet card on the motherboard. Clicked “Start” and the button stayed down and non-responsive. Had to Task Manager end it after about 2 minutes.

You said it just goes after the first network interface Winpcap returns, right? Well, that might be my dial-up adapter, or my Bluetooth network interface, neither of which is currently active. This may be part of the problem – is there a way for you to return all the devices pcap discovers and allow the user to select which one?

Oh, and for you, here’s the technical info when I CTRL-ALT-DEL it:

Error Signature
szAppName: sps.exe
szModVer: 0.0.0.0
szAppVer: 1.0.0.1
offset: 00000000
szModName: hungapp

And then the error report includes these files:

C:\DOCUME~2\Owner\LOCALS~1\Temp\WER2EE.tmp.dir00\sps.exe.mdmp
C:\DOCUME~2\Owner\LOCALS~1\Temp\WER2EE.tmp.dir00\appcompat.txt

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="sps.exe" FILTER="GRABMI_FILTER_PRIVACY">
    <MATCHING_FILE NAME="sps.exe" SIZE="143360" CHECKSUM="0xF9B062E3" BIN_FILE_VERSION="1.0.0.1" BIN_PRODUCT_VERSION="1.0.0.1" PRODUCT_VERSION="1.0.0.0" FILE_DESCRIPTION="A Very Simple Packet Sniffer" COMPANY_NAME="Laplacalypse Now Software" PRODUCT_NAME="Simple Packet Sniffer" FILE_VERSION="1.0.0.0" ORIGINAL_FILENAME="MFC_WinPCap.exe" INTERNAL_NAME="sps.exe" LEGAL_COPYRIGHT="(c) Laplacalypse Now Software.  All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.0.1" UPTO_BIN_PRODUCT_VERSION="1.0.0.1" LINK_DATE="03/29/2004 22:57:02" UPTO_LINK_DATE="03/29/2004 22:57:02" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
    <MATCHING_FILE NAME="kernel32.dll" SIZE="926720" CHECKSUM="0x6262EEA5" BIN_FILE_VERSION="5.1.2600.0" BIN_PRODUCT_VERSION="5.1.2600.0" PRODUCT_VERSION="5.1.2600.0" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.0 (xpclient.010817-1148)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xE8792" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.0" UPTO_BIN_PRODUCT_VERSION="5.1.2600.0" LINK_DATE="08/18/2001 05:33:02" UPTO_LINK_DATE="08/18/2001 05:33:02" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>
Thanks again folks, I appreciate the time you spent.

That’s a strange result, my expectation was that if it hit the wrong adapter, it would still display the adapters, but simply show no packets and not hang. I think the problem is more basic. My first thought is to ASSERT the hell out of the code that retrieves the adapter list. FYI, you guys did install WinPcap, right?

I’ll examine this further, but likely tomorrow.

FYI, I made a release version:
http://revtim.250free.com/sps_release.exe

I’d be very surprised if this acted differently.

Thank you again. Goodnight.

Made a new version, with the following changes:

  1. built as Release, so it uses fewer .dll files (in case for some reason my .dll files are different from caphis’s, which I think they are)

  2. added more outputs to report where it is in the code (will look like gibberish to most users)

  3. now it does more stuff before any keys are pressed, so if it locks up before pressing START I have a better idea what’s going on

250free seems to be down this morning, so I put it here:
http://users.adelphia.net/~tlaplaca/sps_1.1.exe

Thank you again, you folks are very kind to be taking the time to help me with this.