I'm using C++/boost::asio under Win7.
I'm trying to "sniff" traffic over a given TCP/IP port. Hence, I'd like to listen on that port, receive messages, analyze them, but also immediately allow them to flow further, as if I never intercepted them. I want them to sink into the program that normally listens and connects on that port. Imagine a transparent proxy, but not for HTTP.
I'd rather find a code-based solution, but barring that, maybe you would suggest a tool?
-
What you are trying to do is basically a firewall program.
On Windows there are several approaches to do that; you can hook Winsock. The better (or less hacky) way is to use a TDI filter (take a look at this) or to make an NDIS filter.
Microsoft also introduced new APIs, WPF and LSP. I think you had better use them, because the TDI filter and NDIS wrapper involve driver programming, which is complicated and can be time consuming.
Kornel Kisielewicz: I don't want to do any more work than is needed -- I only need to do the hook for an analysis phase, after which I want to intercept the messages and handle them by myself (a server). Hence, getting bogged down in an API just for an analysis phase seems pointless :/
RageZ: In all cases you would have to do some kernel/user-space communication over some interprocess communication; making a firewall is really an easy task.
-
If this is for a product you are developing, you may want to take a look at the WinPcap library http://www.winpcap.org/, which you can embed into your own program.
If you just need to analyze for yourself, use one of the tools that use WinPcap. I have had great success with Wireshark; but check out the WinPcap site for other tools.
You cannot use boost::asio (or any other socket-based library) for this as it consumes all the traffic.
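The alternative to capturing is the relay the question sketches: the interceptor owns the port, inspects every chunk, then re-sends it to the real server, which has to be reachable on a different address or port (two sockets cannot both accept on the same TCP port; this is the "consumes all the traffic" point above, and making it transparent on the original port is what the kernel-level hooks in the first answer exist for). The following is an added example, not code from the question or either answer, written in Python with asyncio rather than the asker's C++/boost::asio because it runs the same way on Windows and Linux. The function names (`start_proxy`, `run_demo`), the `inspect` hook signature and the echo server used as a stand-in for the "program that normally listens" are all my own constructions; the sample messages are constructed test traffic.

```python
import asyncio
from typing import Callable, List, Tuple

# Hook called for every chunk: direction is "c->s" or "s->c"; the bytes it
# returns are what gets forwarded, so a hook may log, drop, or rewrite data.
Inspector = Callable[[str, bytes], bytes]


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                direction: str, inspect: Inspector) -> None:
    """Copy one direction of a connection through the inspector until EOF."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:            # peer closed its side
                break
            writer.write(inspect(direction, data))
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass                        # peer went away mid-stream; just tear down
    finally:
        writer.close()              # propagate the close to the other side


async def start_proxy(listen_host: str, listen_port: int,
                      target_host: str, target_port: int,
                      inspect: Inspector) -> asyncio.AbstractServer:
    """Listen on listen_host:listen_port and relay each client to the real server."""
    async def handle(client_reader, client_writer):
        try:
            server_reader, server_writer = await asyncio.open_connection(
                target_host, target_port)
        except OSError:
            client_writer.close()   # real server unreachable: refuse the client
            return
        await asyncio.gather(
            _pump(client_reader, server_writer, "c->s", inspect),
            _pump(server_reader, client_writer, "s->c", inspect),
        )
    return await asyncio.start_server(handle, listen_host, listen_port)


async def _echo(reader, writer):
    """Stand-in for the real server: echoes whatever it receives (assumed)."""
    while True:
        data = await reader.read(65536)
        if not data:
            break
        writer.write(data)
        await writer.drain()
    writer.close()


async def _demo() -> Tuple[List[Tuple[str, bytes]], List[bytes]]:
    log: List[Tuple[str, bytes]] = []

    def inspect(direction: str, data: bytes) -> bytes:
        log.append((direction, data))   # analysis phase: record, then pass through
        return data

    echo_srv = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo_srv.sockets[0].getsockname()[1]
    proxy = await start_proxy("127.0.0.1", 0, "127.0.0.1", echo_port, inspect)
    proxy_port = proxy.sockets[0].getsockname()[1]

    reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
    replies = []
    for msg in (b"hello\n", b"world\n"):   # constructed sample traffic
        writer.write(msg)
        await writer.drain()
        replies.append(await reader.readexactly(len(msg)))
    writer.close()
    await writer.wait_closed()

    proxy.close()
    await proxy.wait_closed()
    echo_srv.close()
    await echo_srv.wait_closed()
    return log, replies


def run_demo() -> Tuple[List[Tuple[str, bytes]], List[bytes]]:
    """Run the relay end to end on loopback and return (inspector log, client replies)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    for direction, chunk in run_demo()[0]:
        print(direction, chunk)
```

In production use the listener would bind the original port and the real server would be moved (or reached over a second interface); the client then sees exactly the bytes the server sent, because the hook returns them unchanged, which is the "as if I never intercepted them" behaviour the question asks for.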