-
January 4th, 2008, 05:12 PM
#1
winpcap search pkt_data for string
I'm trying to use WinPcap to search incoming packets for a fixed ASCII string, then print that packet to the console. I.e., if the string was "hello", any packet containing a website etc. that has the word "hello" in it is printed.
pkt_data is an array of u_char and I was thinking I could write a for loop:
Code:
for (i=0; header->len; i++)
{
idbuff=pkt_data[i] + pkt_data[i+1] + pkt_data[i+2] + pkt_data[i+3]+ pkt_data[i+4];
if (strcmp(idbuff, "hello")==0)
...
but I know that the values stored in pkt_data aren't ASCII characters. To be honest I have almost no clue what I'm doing, and I'm certain there's a million things wrong with my code snippet. Can anyone help me, or point me in the right direction? Thanks
-
January 7th, 2008, 05:27 PM
#2
Re: winpcap search pkt_data for string
Remember that if pkt_data is a raw pcap packet (as in Wireshark), you'll get the Ethernet frame etc... So, if you, for instance, are only interested in the TCP data (without headers), you must "parse" the raw packet before you search. You can of course search in the raw data as well, but that may not be the best solution (based on performance and false positives on matches). If you really want to search for "hello" in the raw packet, try something like this: (untested code)
Code:
const char *searchStr = "hello";
size_t searchStrLen = strlen(searchStr);
if (strncmp(pkt_data, searchStr, min(header->caplen, searchStrLen)) == 0)
; // got a match
I believe you can set up a capture filter in winpcap/pcap to filter out non-TCP packets. Look at the docs.
-
January 7th, 2008, 06:44 PM
#3
Re: winpcap search pkt_data for string
Thanks for the help, but I can't seem to get this to work. I get a "warning" that says 'function' : 'const char *' differs in levels of indirection from 'int'. I think this might have something to do with the fact that pkt_data is unsigned?
-
January 8th, 2008, 08:20 AM
#4
Re: winpcap search pkt_data for string
j0nas... so strncmp(str1, str2, n) will return a positive # (index of str2) in str1?
D_zirt... it seems it means the searchStr passed to strncmp
-
January 8th, 2008, 03:12 PM
#5
Re: winpcap search pkt_data for string
Cast pkt_data to (const char *)
strncmp returns 0 upon match... Hmm.. I see a bug in my code now. Re-write compare statement as:
Code:
if (header->caplen >= searchStrLen &&
strncmp((const char *)pkt_data, searchStr, searchStrLen) == 0)
{
// got a match... do something
}
-
January 8th, 2008, 07:04 PM
#6
Re: winpcap search pkt_data for string
so strncmp checks if both strings are typical.. it doesn't search
-
January 8th, 2008, 08:51 PM
#7
Re: winpcap search pkt_data for string
I've been trying and trying to figure out why your code won't work, when logically it should. Then I realized that pkt_data contains unformatted values, so they have to be formatted before you can compare them to anything. I was thinking something like
Code:
for (i=1; (i < header->caplen + 1 ) ; i++)
{
sprintf(buffer, "%.2x", pkt_data[i-1]);
...
but buffer would only be a byte at a time.
-
January 9th, 2008, 01:48 AM
#8
Re: winpcap search pkt_data for string
 Originally Posted by FrozenEye
so strncmp checks if both strings are typical..it doesnt search
Yeah... You are of course right. I was thinking about the last step, so a quick fix:
Code:
int i;
for (i = 0; i < header->caplen; i++)
{
if (pkt_data[i] == searchStr[0] &&
header->caplen - i >= searchStrLen &&
strncmp((const char *)pkt_data + i + 1, searchStr + 1, searchStrLen - 1) == 0)
{
// got a match... do something
}
}
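The search loop above works for a NUL-free pattern, but strncmp stops at the first NUL it meets in either buffer, and packet bytes are not a C string. As an added example, not code from any post in this thread, here is a byte-wise search over the captured bytes plus the "print it to the console" step the original question asked for. It assumes pkt_data/caplen are what pcap hands to the capture callback; sample_pkt is constructed for this example, not a real capture.

```c
/* Added example, not code from any post in this thread: search a captured
 * packet's bytes for a fixed string and render the bytes for the console.
 * Assumptions: pkt_data/caplen are what pcap passes to the capture callback;
 * sample_pkt below is constructed for this example, not a real capture. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first occurrence of needle[0..nlen) in hay[0..hlen), or -1.
 * Compares raw bytes with memcmp, so a NUL byte inside the packet neither
 * ends the comparison nor produces a false match, which strncmp cannot
 * promise; the bound i + nlen <= hlen keeps every read inside caplen. */
long find_bytes(const unsigned char *hay, size_t hlen,
                const unsigned char *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || nlen > hlen)
        return -1;
    for (i = 0; i + nlen <= hlen; i++) {
        if (hay[i] == needle[0] && memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
    return -1;
}

/* The "hello" case: the pattern is a C string, the haystack is not. */
long find_string(const unsigned char *pkt_data, size_t caplen, const char *s)
{
    return find_bytes(pkt_data, caplen, (const unsigned char *)s, strlen(s));
}

/* Render packet bytes as printable ASCII for the console: bytes outside
 * 0x20..0x7e become '.', so binary header bytes do not garble the terminal.
 * Uses a static buffer; returns it as a NUL-terminated string. */
static char dump_buf[256];

const char *ascii_of(const unsigned char *data, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len && n + 1 < sizeof dump_buf; i++) {
        unsigned char c = data[i];
        dump_buf[n++] = (c >= 0x20 && c <= 0x7e) ? (char)c : '.';
    }
    dump_buf[n] = '\0';
    return dump_buf;
}

/* Constructed sample: eight binary "header" bytes (0x45 happens to be 'E',
 * the usual first byte of an IPv4 header), then an HTTP-looking payload. */
static const unsigned char sample_pkt[] = {
    0x00, 0x1a, 0x08, 0x00, 0x45, 0x00, 0x00, 0x1c,
    'G', 'E', 'T', ' ', '/', 'h', 'e', 'l', 'l', 'o', '\r', '\n'
};

int main(void)
{
    long off = find_string(sample_pkt, sizeof sample_pkt, "hello");
    if (off >= 0)
        printf("match at offset %ld: %s\n", off,
               ascii_of(sample_pkt, sizeof sample_pkt));
    else
        printf("no match\n");
    return 0;
}
```

In a real callback you would call find_string(pkt_data, header->caplen, "hello") and, on a hit, print ascii_of(pkt_data, header->caplen); use caplen rather than len, since a snapshot length shorter than the packet means the tail bytes were never captured.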
-
January 10th, 2008, 12:20 PM
#9
Re: winpcap search pkt_data for string
D_Zirt.. the formatting thing is right.. now you need to parse the packets right.. I was working on pcap for a while but I stopped.. here is how to extract Ethernet addresses and the frame type out of the packet
Code:
bool FrameParser(const u_char* packet, int *index)
{
char daddr[18], saddr[18], type[5];   /* text form of the three header fields */
ethr = (Ether*)(packet);              /* overlay the struct on the frame bytes */
for (int i = 0; i < 6; i++)           /* MAC addresses are 6 bytes, not 5 */
{
sprintf(daddr + 3 * i, "%.2X%s", ethr->daddr[i], i < 5 ? ":" : "");
sprintf(saddr + 3 * i, "%.2X%s", ethr->saddr[i], i < 5 ? ":" : "");
}
sprintf(type, "%.2X%.2X", ethr->type[0], ethr->type[1]);   /* EtherType, high byte first */
*index = sizeof(Ether);               /* next header starts after the 14-byte Ethernet header */
return true;
}
ethr is an Ether struct pointer
Code:
struct Ether
{
u_char daddr[6];   /* destination MAC comes first on the wire */
u_char saddr[6];
u_char type[2];    /* EtherType, 2 bytes in network (big-endian) order */
};
Code:
ethr=(Ether*)(packet);
Now this line is so sexy lol.. you just copy the contents of "packet" into ethr.. till ethr is filled up.. so you automatically get your Ether struct filled with the data you want.. but I'm thinking.. when you do that.. can you miss out something? For example.. I need a piece of info and I need to format the frame data.. the extracted info is a single byte yet it comes in 2 in the frame data.. in other words.. in order to extract this byte you need to format 2 bytes from the frame data.. so when you parse the packet like that.. you lose data and in the end mess everything up.. correct me if I'm wrong
see... index is a pointer so you can track your progress through your frame
request.. if you find out how this works please tell me.. I remember I got that from the web.. I got to know how it works but I'm not sure how to do this on my own when I face any new protocol.. know what I mean?
good luck with your work
Last edited by FrozenEye; January 10th, 2008 at 12:28 PM.
-
January 11th, 2008, 11:58 AM
#10
Re: winpcap search pkt_data for string
Ahh, I see. Just put pkt_data into the Ether struct and then format the data in the struct back into the struct? I don't see how you would lose data, aren't packets (both TCP and UDP) interpreted as hex all the time? So each pointer is one hex byte, two characters, never more and never less. I'm probably wrong, maybe I just don't understand.
Thanks for all your help btw guys
-
January 13th, 2008, 10:17 AM
#11
Re: winpcap search pkt_data for string
I guess you're right.. there is no data loss!
now listen you... if you get the appropriate structs for other protocols or a good resource for them.. send them to me please
-
January 13th, 2008, 02:38 PM
#12
Re: winpcap search pkt_data for string
Oh for sure FrozenEye, but what kind of protocols are you thinking of? There's so many, lol. I'm working with NTLMSSP right now, there's a very good breakdown of the data structure here http://curl.netmirror.org/rfc/ntlm.html
-
January 18th, 2008, 11:26 AM
#13
Re: winpcap search pkt_data for string
I was thinking about the usual ones.. Ethernet, IP, TCP, UDP, HTTP, FTP.. usual ones... also if you've got advice by which I can make structs for any protocol I find.. it'll be a great help.. I mean protocols have headers and so.. each field is, for example, Ethernet's first field has 7 octets (7 bytes I suppose).. so I should put this field in a char[7].. right?.. I'm not sure... I'm a learner here
and what'll be the difference if I make it byte[7]?
-
January 18th, 2008, 12:01 PM
#14
Re: winpcap search pkt_data for string
I think you are mistaken Frozen. I know very little about c++ :s. By the looks of things you know more than I.
You can easily search places like wikipedia. It should be able to find the packet structures, usually in diagram form. http://en.wikipedia.org/wiki/Transmi...ment_structure
Just create a struct with all the appropriate fields, they should all be a fixed length (with the exception of the data field).
Your previous example
Code:
struct Ether
{
u_char daddr[6];   /* destination MAC comes first on the wire */
u_char saddr[6];
u_char type[2];    /* EtherType, 2 bytes in network (big-endian) order */
};
Is a struct for Ethernet headers, which are fixed to the beginning of any packet sent over Ethernet.
An example of a struct for TCP:
Code:
struct Tcp
{
u_char srcPort[2];
u_char dstPort[2];
u_char seqNum[4];
u_char ackNum[4];
u_char HdrLen;      /* high 4 bits: header length in 32-bit words */
u_char Flags;
u_char Window[2];   /* sits between the flags and the checksum */
u_char Chksum[2];
u_char urg[2];      /* urgent pointer is 16 bits */
/* u_char opt[variable];  options, present when HdrLen says the header is longer than 20 bytes */
/* u_char data[variable]; payload, after the options */
};
...or something like that. The two things at the end marked [variable] can be different sizes, and I'm not sure how you'd deal with that.
As for Byte vs. Char: there is no Byte variable type in C++, I assumed there was at first and had to edit, silly me :P
Wow, long post, but I hope it helps some
Last edited by D_zirt; January 18th, 2008 at 01:47 PM.
-
January 18th, 2008, 07:53 PM
#15
Re: winpcap search pkt_data for string
I'm not an expert or even close lol.. thanks though
about the data fields which are variable in length... well you should be able to get that from previous headers... for example... the Ethernet frame has to provide the type of the packet (i.e. next protocol header)..
check this out
[Check the "Ethertype/Length" column in the table shown]
http://en.wikipedia.org/wiki/Ethernet#Physical_layer
"Ethertype/Length" link should lead you here
http://en.wikipedia.org/wiki/Ethertype
IP frames should tell you the next protocol header type this way..
http://en.wikipedia.org/wiki/IPv4#Data
and so on...
now regarding your post.. the tcp struct.. thanks for the effort but I have a question... source and destination ports range from 0-65534 (16 bits... 65535 port)
u_char is "unsigned char" which ranges from (0-255... 0-256 numbers)
is it correct that u_char[2] can have 65535 different representations? since each u_char has 8 bits.. put together they represent 16 bits which is enough for representing values from 0-65534.. that's how it works?
now if I need my source port (u_char[0] and u_char[1] combined together).. how should I do that?
sorry if I'm not clear.. I'd be glad to clarify... and good luck with your authentication protocol.. sounds complicated
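The thread leaves three things hanging: post #2's advice to parse the headers before searching, post #14's question of how to handle the variable-length parts of the TCP header, and the question just above about combining two u_chars into a port number. As an added example, not code from any post in this thread, the following walks Ethernet, IPv4 and TCP in a captured frame, reads each multi-byte field in network (big-endian) byte order, and uses the length fields (IHL, IP total length, TCP data offset) to find where the variable-length parts end and the payload starts. It assumes untagged Ethernet and IPv4 only, does not verify checksums, and the frames below are constructed for this example, not real captures.

```c
/* Added example, not code from any post in this thread: walk the Ethernet,
 * IPv4 and TCP headers of a captured frame, reading multi-byte fields in
 * network (big-endian) byte order and using the length fields to find
 * where the variable-length parts end. Assumptions: untagged Ethernet,
 * IPv4 only, checksums not verified; the frames below are constructed for
 * this example, not real captures. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two u_chars to one port number: the first byte on the wire is the high byte. */
static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

struct tcp_view {
    int      err;          /* 0 on success; negative says which layer rejected the frame */
    uint16_t src_port, dst_port;
    uint32_t seq;
    uint8_t  flags;
    size_t   payload_off;  /* offset of the TCP data inside the frame */
    size_t   payload_len;
};

struct tcp_view parse_frame(const unsigned char *pkt, size_t caplen)
{
    struct tcp_view v;
    const size_t ip_off = 14;           /* Ethernet header: dst(6) src(6) type(2) */
    size_t ihl, ip_total, tcp_off, doff;

    memset(&v, 0, sizeof v);
    if (caplen < ip_off)                      { v.err = -1; return v; }
    if (be16(pkt + 12) != 0x0800)             { v.err = -2; return v; }  /* EtherType: not IPv4 */
    if (caplen < ip_off + 20 || (pkt[ip_off] >> 4) != 4) { v.err = -3; return v; }
    ihl      = (pkt[ip_off] & 0x0f) * 4;      /* IHL is in 32-bit words; options make it > 20 */
    ip_total = be16(pkt + ip_off + 2);        /* total length covers IP header + TCP + data */
    if (ihl < 20 || ip_total < ihl || ip_off + ip_total > caplen) { v.err = -3; return v; }
    if (pkt[ip_off + 9] != 6)                 { v.err = -4; return v; }  /* protocol: not TCP */
    tcp_off = ip_off + ihl;
    if (ip_total < ihl + 20)                  { v.err = -5; return v; }
    doff = (pkt[tcp_off + 12] >> 4) * 4;      /* TCP data offset, also in 32-bit words */
    if (doff < 20 || ihl + doff > ip_total)   { v.err = -5; return v; }

    v.src_port    = be16(pkt + tcp_off);
    v.dst_port    = be16(pkt + tcp_off + 2);
    v.seq         = be32(pkt + tcp_off + 4);
    v.flags       = pkt[tcp_off + 13];
    v.payload_off = tcp_off + doff;
    v.payload_len = ip_total - ihl - doff;    /* from IP total length, so Ethernet padding is excluded */
    return v;
}

/* Constructed frame: Ethernet + IPv4 (no options) + TCP (no options) + "hello\r\n". */
static const unsigned char frame[] = {
    /* Ethernet: dst, src, EtherType 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL, TOS, total length 47, id, flags/frag, TTL, proto 6 (TCP),
       checksum (left 0), src 10.0.0.1, dst 10.0.0.2 */
    0x45,0x00, 0x00,0x2f, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    10,0,0,1, 10,0,0,2,
    /* TCP: src 50000, dst 80, seq 1, ack 0, data offset 5 words, flags PSH|ACK,
       window 512, checksum (left 0), urgent pointer 0 */
    0xc3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18, 0x02,0x00, 0x00,0x00, 0x00,0x00,
    /* payload */
    'h','e','l','l','o','\r','\n'
};

/* A frame that is not IPv4 (EtherType 0x0806, ARP), so parsing stops at layer 2. */
static const unsigned char arp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06, 0x00,0x01
};

int main(void)
{
    struct tcp_view v = parse_frame(frame, sizeof frame);
    if (v.err == 0)
        printf("%u -> %u seq=%u flags=0x%02x payload=%.*s",
               (unsigned)v.src_port, (unsigned)v.dst_port, (unsigned)v.seq,
               (unsigned)v.flags, (int)v.payload_len,
               (const char *)frame + v.payload_off);
    else
        printf("not Ethernet/IPv4/TCP (err %d)\n", v.err);
    return 0;
}
```

Searching only frame + payload_off for payload_len bytes is what post #2 meant by parsing before searching: header bytes can never produce a false match, and the length check against caplen means a truncated capture is rejected instead of read past its end.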