[Winpcap-users] Is it possible to capture messages on Socket using WinPcap?

Guy Harris guy at alum.mit.edu
Wed Aug 24 17:55:36 GMT 2005

Abdul Shahzad wrote:

> I need to know whether we can use WinPCap to monitor the messages 
> flowing on Socket specifying the IP address and Port number.
> My requirement is that , the client is talking with server using Socket 
> and I want to capture all the messages flowing to and fro on the socket.

That's possible, *IF* the client and server are running on different 

> If it is possible then how?

	windump -s 0 "(host {client IP} and {server IP}) and port {port number}"

will capture, on the default network interface, traffic going between 
the client and server IP addresses, using the port number in question, 
and print out some information about it.  (The "-s 0" is important - if 
you omit it, WinDump will only capture the first 96 bytes or so of the 
packet, which might not include all of the information in the message.)

That's a bit of a "lazy" filter, because it'll capture traffic going to 
that port number on the server *or* the client, but it's probably good 
enough.  (The "correct" filter is a lot more work, and probably won't 
discard much more "uninteresting" traffic.)

WinDump might not know about the protocol those messages are using; you 
can see the raw bytes of the traffic in hex if you also use the "-x" 
flag to WinDump, or the raw bytes in hex and ASCII if you use "-X".

If the default network interface isn't the right one, that won't do what 
you want.  Run

	windump -D

to get a list of interfaces; the list will include numbers before the 
names and descriptions of the interfaces - you would use the number with 
the "-i" option:

	windump -i 2 -s 0 "(host {client IP} and {server IP}) and port {port 

if the right interface had the number 2.

Ethereal and Tethereal might include a dissector for your protocol; they 
use the same syntax, for capture filters, as WinDump.  The same is true 
of Analyzer.

If they don't, you'll have to write your own code for WinDump, or for 
Ethereal and Tethereal or Analyzer, to decode your protocol.

> Can you provide me with sample.

If you want to write your own code to capture those messages, you might 
want to look at


and at the "sniffex.c" example file to which it refers, but note that

	1) that code hasn't (yet) been tested on Windows


	2) more importantly, the hardest part is not going to be capturing the 
traffic, it'll be doing something with the data you've captured - when 
you capture with libpcap/WinPcap, what you get is *raw* packet data, 
complete with the link-layer header and any other protocol headers that 
come before your protocol's header, such as the IPv4 header or IPv6 
header(s) and the TCP header.  sniffex.c will process those headers, 
skip past them, and dump the data in hex and ASCII, but doing anything 
more than that would require code to be written to decode the protocol 
running on top of TCP (or whatever protocol is being used).  In that 
case, you might as well use the existing infrastructure of WinDump, 
Ethereal/Tethereal, or Analyzer, rather than writing your own code to do 
all the work.

More information about the Winpcap-users mailing list