RawSocket Class-Create Network Monitoring (Packet Sniffing) Apps

11 Apr 2002
A class for creating Network Monitoring Programs

Introduction

This program illustrates the use of the RawSocket class which is written in C#. The class RawSocket is a packet sniffing class that fires notification events when an IP packet is received. This makes using the class simple. Just declare your RawSocket object, instantiate it, and register to be notified when the event fires.

When the event fires, you are sent event arguments which give your program access to everything in the IP packet including things like IP addresses, port numbers, protocols, message lengths, and of course the message contents.

The included Windows form is a simplified example that just shows the source and destination IP addresses of all incoming packets in a listbox control. The RawSocket class makes creating more sophisticated network monitoring applications easy.

This program relies on Winsock 2 and runs only on Win2000 or WinXP.

Please email comments and improvements to:

Kember Brown
kbrown@internetcds.com

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


Written By
Web Developer
United States
Lyle is a computer programmer in Vancouver, Washington.

Comments and Discussions

 
General: Re: Bug SIO_RCVALL (Anonymous, 30-Jan-03 19:42)
General: Re: Bug SIO_RCVALL (SpaceQ, 18-Nov-03 21:55)
Question: How about a C++ version? (McGarrah, 15-Apr-02 3:14)
Answer: Re: How about a C++ version? (Amit Dey, 15-Apr-02 6:03)
Answer: Re: How about a C++ version? (Lyle Brown, 15-Apr-02 8:42)
Answer: Re: How about a C++ version? (5.5 cents, 25-Nov-03 21:28)
General: Unexplained (Nick Parker, 13-Apr-02 1:55)
General: Re: Unexplained (Lyle Brown, 13-Apr-02 13:30)
SIO_RCVALL is just a special number sent to winsock to put it into promiscuous mode (where the network card listens for everything...not just packets meant for your computer.)

"head" is a pointer to the IP packet header start byte. Next we find the header length (usually 20 bytes), then the version number (usually 4 these days right....), then we grab the from and to IP addresses.

For this code to make sense you have to be looking at how the IP header is laid out. Basically the IP header is a bunch of bytes and in certain positions is certain info....you just have to pick off what you want. (There are some bit ANDS and some shifts to help pick the right bytes.)

Thanks for the comments.

Kember.

Kember Brown
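
The header walk described in the reply above, as an added C# example that is not part of the article's download or the RawSocket class. The class name `Ipv4HeaderDemo`, the helpers `Be16` and `Describe`, and the sample packet are assumptions made for illustration; the field offsets follow the standard IPv4 header layout.

```csharp
using System;
using System.Net;

static class Ipv4HeaderDemo   // hypothetical name, not part of RawSocket
{
    // Read a 16-bit field in network (big-endian) byte order.
    static int Be16(byte[] b, int i) => (b[i] << 8) | b[i + 1];

    // Hypothetical helper: validate and summarize one captured IPv4 packet.
    static string Describe(byte[] buf, int len)
    {
        if (len < 20) throw new ArgumentException("shorter than a minimal IPv4 header");
        int version = buf[0] >> 4;             // high nibble of byte 0
        int headerLen = (buf[0] & 0x0F) * 4;   // low nibble counts 32-bit words
        if (version != 4) throw new ArgumentException("not IPv4");
        if (headerLen < 20 || headerLen > len) throw new ArgumentException("bad header length");
        int totalLen = Be16(buf, 2);
        if (totalLen < headerLen || totalLen > len) throw new ArgumentException("bad total length");
        int fragOffset = Be16(buf, 6) & 0x1FFF; // low 13 bits; the top 3 bits are flags
        int protocol = buf[9];                  // 6 = TCP, 17 = UDP
        var src = new IPAddress(new[] { buf[12], buf[13], buf[14], buf[15] });
        var dst = new IPAddress(new[] { buf[16], buf[17], buf[18], buf[19] });
        string s = $"IPv{version} hlen={headerLen} proto={protocol} {src} -> {dst}";
        // Ports are the first 4 bytes after the IP header, present only in the first fragment.
        if ((protocol == 6 || protocol == 17) && fragOffset == 0 && totalLen >= headerLen + 4)
            s += $" ports {Be16(buf, headerLen)} -> {Be16(buf, headerLen + 2)}";
        return s;
    }

    static void Main()
    {
        // Constructed sample: 20-byte IPv4 header plus 8-byte UDP header, checksums left at zero.
        byte[] pkt = {
            0x45, 0x00, 0x00, 0x1C,  0x00, 0x01, 0x00, 0x00,
            0x40, 0x11, 0x00, 0x00,  192, 168, 1, 10,
            192, 168, 1, 1,
            0x04, 0xD2, 0x00, 0x35,  0x00, 0x08, 0x00, 0x00
        };
        Console.WriteLine(Describe(pkt, pkt.Length));
    }
}
```

The length checks matter in a monitoring tool: the header length and total length fields come from the wire, so they are validated against the received byte count before any offset derived from them is used.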
General: Something's missing (Jason Douglas, 12-Apr-02 9:29)
General: Re: Something's missing (Nish Nishant, 12-Apr-02 17:50)
