[Winpcap-users] Programs not working

Fish fish at infidels.org
Wed Nov 18 15:00:43 PST 2009



Dennis Burgess wrote:
> Gianluca Varenni wrote:
> > Dennis Burgess wrote:
> > 
> > > I have winpcap installed with Wireshark, my router,
> > > sends a packet sniff stream to my PC.  This works
> > > PERFECTLY with Wireshark.  I have two other programs
> > > that look at data and capture data, they do not have
> > > options to enable promiscuous mode.  And hence, they
> > > don't get any data.  Is there a way to enable that
> > > on the NIC or through WinPcap?
> >
> > No. If it's just specific to your own machine, the easiest
> > way is to recompile your own version of wpcap.dll and force
> > promiscuous mode from within the code.
> 
> Sorry to say I don't know how to do that one.  :(  All attempts
> to get these two programs to work just fail; they see the
> connections from the IP that the workstation is on, but nothing
> else.  But like I said, Wireshark works, so I would think that
> it's not a machine issue.

It's not.

Setting an adapter into promiscuous mode is easy. It's just a simple
DeviceIoControl call.

Here's how to do it:

(Note: I'm not going to be bothered with showing you all of my code, but if
you're reasonably competent you should be able to figure it out based on the
below code fragments)

---------------------------------
//c:\Program Files\Microsoft SDKs\Windows\v6.0A\Include\NtDDNdis.h

#define NDIS_PACKET_TYPE_PROMISCUOUS            0x00000020
#define OID_GEN_CURRENT_PACKET_FILTER           0x0001010E

---------------------------------
//K:\WINDDK\6001.18001\inc\api\devioctl.h

#define METHOD_BUFFERED                 0
#define FILE_ANY_ACCESS                 0
#define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)
---------------------------------
#define NUM_BYTES( x )            sizeof ( x )
#define CADAPTER_BUFFSIZE_BYTES   ( 4 * 1024 )   // 4K
#define CADAPTER_BUFFSIZE_DWORDS  ((CADAPTER_BUFFSIZE_BYTES + (NUM_BYTES(DWORD)-1)) / NUM_BYTES(DWORD))

#define FILE_DEVICE_PROTOCOL   0x8000   // (1st avail dev type; 0-32767 rsrvd by Microsoft)

#define IOCTL_PROTOCOL_QUERY_OID        ( CTL_CODE ( FILE_DEVICE_PROTOCOL, 1, METHOD_BUFFERED, FILE_ANY_ACCESS ) )
#define IOCTL_PROTOCOL_SET_OID          ( CTL_CODE ( FILE_DEVICE_PROTOCOL, 0, METHOD_BUFFERED, FILE_ANY_ACCESS ) )
#define IOCTL_PROTOCOL_RESET            ( CTL_CODE ( FILE_DEVICE_PROTOCOL, 3, METHOD_BUFFERED, FILE_ANY_ACCESS ) )

    // Request buffer layout: [0] = OID, [1] = data length in bytes, [2..] = OID data
    DWORD  m_Buffer [ 2 + CADAPTER_BUFFSIZE_DWORDS ];  // ** DWORDS not bytes! **

---------------------------------

    VERIFY( FishPackSetHwFilter ( fhAdapter, NDIS_PACKET_TYPE_PROMISCUOUS ) );


BOOL CFishPackApp::FishPackSetHwFilter( FISHPACK_HANDLE fhFile, DWORD dwFilterType )
{
    // (lookup of pAdapter from fhFile omitted in the post)
    return pAdapter->SetHwFilter( dwFilterType );
}


bool CAdapter::SetHwFilter ( DWORD dwFilterType )
{
    if ( SetOID( OID_GEN_CURRENT_PACKET_FILTER, &dwFilterType, NUM_BYTES( dwFilterType ) ) )
    {
        // (success handling omitted in the post)
        return true;
    }
    return false;
}


bool CAdapter::SetOID ( DWORD dwOID, void* pData, DWORD dwDataLen )
{
    bool bSuccess = QueryOrSetOID( IOCTL_PROTOCOL_SET_OID, dwOID, pData, dwDataLen );
    return bSuccess;
}


bool CAdapter::QueryOrSetOID ( DWORD dwIoControlCode, DWORD dwOID, void* pData, DWORD dwDataLen )
{
    // Assumed (not shown in the post): only a SET carries data into the driver
    bool bIsSet = ( dwIoControlCode == IOCTL_PROTOCOL_SET_OID );

    // Added check: the data area behind the two header DWORDs is CADAPTER_BUFFSIZE_BYTES long
    if ( dwDataLen > CADAPTER_BUFFSIZE_BYTES )
        return false;

    m_Buffer[0] = dwOID;
    m_Buffer[1] = dwDataLen;
    if (bIsSet) memcpy( &m_Buffer[2], pData, dwDataLen );
    bool bSuccessOrFailure = IntSyncDeviceIoControl( dwIoControlCode, NUM_BYTES( m_Buffer ), NUM_BYTES( m_Buffer ) );
    // (copy-out of query results omitted in the post)
    return bSuccessOrFailure;
}


bool CAdapter::IntSyncDeviceIoControl(DWORD dwIoControlCode, DWORD dwInLen, DWORD dwOutLen)
{
    if (DeviceIoControl
    (
        m_hFile,                        // handle to the opened adapter device
        dwIoControlCode,
        dwInLen  ? m_Buffer : NULL,
        dwInLen,
        dwOutLen ? m_Buffer : NULL,
        dwOutLen,
        &m_dwBytesTransfered,
        NULL                            // (synchronous)
    ))
    {
        return true;
    }
    // (error handling omitted in the post)
    return false;
}
---------------------------------


Hope that helps.


-- 
"Fish" (David B. Trout) - fish at softdevlabs.com
Fight Spam! Join CAUCE! <http://www.cauce.org/>
7 reasons why HTML email is a bad thing
http://www.georgedillon.com/web/html_email_is_evil.shtml
PGP key fingerprints:
DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A
RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
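As an added, portable illustration (not Fish's code and not WinPcap's own API): this C block derives the same IOCTL codes and the [OID][length][data] request the fragments above hand to DeviceIoControl, adds the length check the post's memcpy lacks, and decodes a control code back into its fields, which helps when these IOCTLs show up in driver or API traces. The 4096-byte data limit mirrors CADAPTER_BUFFSIZE_BYTES from the post; the DeviceIoControl call itself is left out so the block builds on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants exactly as quoted in the post (NtDDNdis.h / devioctl.h). */
#define NDIS_PACKET_TYPE_PROMISCUOUS   0x00000020u
#define OID_GEN_CURRENT_PACKET_FILTER  0x0001010Eu
#define METHOD_BUFFERED                0u
#define FILE_ANY_ACCESS                0u
#define FILE_DEVICE_PROTOCOL           0x8000u
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define IOCTL_PROTOCOL_SET_OID   CTL_CODE(FILE_DEVICE_PROTOCOL, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PROTOCOL_QUERY_OID CTL_CODE(FILE_DEVICE_PROTOCOL, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* CADAPTER_BUFFSIZE_BYTES of OID data behind the two header DWORDs, as in the post. */
#define OID_DATA_BYTES 4096u
#define OID_BUF_DWORDS (2u + (OID_DATA_BYTES + 3u) / 4u)

/* A control code split back into the fields CTL_CODE packs (DeviceType:16, Access:2, Function:12, Method:2). */
struct ctl_parts { uint32_t device_type, function, method, access; };

struct ctl_parts ctl_decode(uint32_t code) {
    struct ctl_parts p;
    p.device_type = (code >> 16) & 0xFFFFu;
    p.access      = (code >> 14) & 0x3u;
    p.function    = (code >> 2)  & 0xFFFu;
    p.method      = code & 0x3u;
    return p;
}

/* Fills buf as [OID][length][data...] and returns the byte count to pass as
   nInBufferSize. Returns 0 when data would overrun the buffer; the post's
   memcpy performs no such check. */
size_t build_oid_request(uint32_t buf[OID_BUF_DWORDS], uint32_t oid,
                         const void *data, uint32_t len) {
    if (len > OID_DATA_BYTES) return 0;
    buf[0] = oid;
    buf[1] = len;
    memcpy(&buf[2], data, len);
    return (2u + (len + 3u) / 4u) * 4u;
}

/* The exact request the post sends: set the current packet filter to promiscuous. */
size_t build_promiscuous_request(uint32_t buf[OID_BUF_DWORDS]) {
    uint32_t filter = NDIS_PACKET_TYPE_PROMISCUOUS;
    return build_oid_request(buf, OID_GEN_CURRENT_PACKET_FILTER, &filter, sizeof filter);
}
```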

