Posted 5 Nov 2007



A Little Sniffer that Uses WSA Sockets (Windows Sockets)

Rating: 4.82/5 (17 votes). 3 min read.
Demonstrates how to intercept network traffic (IP packets) by putting a socket in promiscuous mode
Screenshot - lsniff_01.jpg


Many people have used a sniffer at some time. What is a sniffer? A sniffer is an application that captures all the network traffic reaching its host's network interface, not only the frames addressed to that host. It does this by putting the interface into promiscuous mode, in which the interface passes up every packet it sees on the wire instead of silently dropping those with a foreign destination address. One caveat: on a switched network the interface only sees what the switch forwards to its port (the host's own traffic plus broadcasts and multicasts), so a sniffer on a switched segment will not see other hosts' unicast traffic unless the switch is configured to mirror it.

This article demonstrates how an application can configure a socket to receive all IPv4 packets passing through an interface, instead of only those addressed to it. It shows how to decode protocols encapsulated by IP (Internet Protocol, the network-layer protocol), specifically TCP and ICMP. The IPv4 Protocol field is a single byte, so IP can carry up to 256 different upper-layer protocols. RFC 1700 ("Assigned Numbers") is the historical list of protocol numbers; it has since been replaced by the IANA Protocol Numbers registry, which is the list to consult today.

Let Us Start to Sniff

The demo project contains a single executable named lsniff.exe, which is a console application. The syntax is:

lsniff [TCP|ICMP]

  • TCP grabs TCP packets only (RFC 793).
  • ICMP grabs ICMP packets only (RFC 792).
  • lsniff, with no arguments, will grab TCP and ICMP packets.
Screenshot - lsniff_02.jpg

Figure 1: example of lsniff grabbing only ICMP packets

You also can redirect the output to a file: lsniff icmp >output.txt

Understanding the Source Code

lsniff is a C/C++ console application written with Visual Studio 2005; it compiles with older compilers, too. The socket side is short. The difficult part is analyzing the packets, because you must know the header layout of every protocol you want to decode. The Windows Sockets API (Winsock, whose extended functions carry the WSA prefix) provides what a simple sniffer needs: raw sockets and the SIO_RCVALL I/O control that turns on promiscuous reception.

It is worth mentioning that lsniff only works when run with administrative privileges, because both creating a raw socket and enabling SIO_RCVALL require them. On Windows Vista and later, being logged on as an administrator is not enough under UAC: the process itself must be elevated (Run as administrator), otherwise socket() or WSAIoctl fails with an access error (commonly WSAEACCES, 10013). Reading lsniff_main.cpp, we see the four steps needed to start capturing in promiscuous mode:

  1. Initialize Windows Sockets with WSAStartup (line 107).

  2. Get a RAW socket (line 111). A raw socket delivers the whole IP datagram, header included, not just the payload. It does not deliver the Ethernet (link-layer) header; for that you need a capture driver such as WinPcap/Npcap rather than Winsock.

    sniff_socket = socket( AF_INET, SOCK_RAW, IPPROTO_IP );
  3. Bind the socket to the interface you want to sniff (lines 119-127). The address you bind to must be the specific IPv4 address of one interface: SIO_RCVALL rejects a socket bound to INADDR_ANY.

  4. Set the socket to promiscuous mode with the SIO_RCVALL I/O control (line 135). The extract of this call on the page lost its middle arguments; the complete call, with optval a DWORD set to RCVALL_ON (both defined in mstcpip.h) and bytes_returned a DWORD that receives the output size, is:

    if ( WSAIoctl( sniff_socket, SIO_RCVALL, &optval, sizeof( optval ),
                   NULL, 0, &bytes_returned, NULL, NULL ) == SOCKET_ERROR )
      printf( "Error: WSAIoctl  = %ld\n", WSAGetLastError() );

After all four steps have succeeded, it is time to read packets with recv. Each call returns one complete IP datagram, so the buffer you pass (LS_MAX_PACKET_SIZE in lsniff) should hold the largest possible IPv4 datagram, 65535 bytes; if a packet is larger than the buffer, recv fails with WSAEMSGSIZE and the rest of that packet is discarded. The first check made after a packet has been read is the IP version, the high nibble of the first header byte (line 161):

if ( LS_HI_PART(ip_header->ver_ihl) != 4 )

lsniff only parses IPv4 packets, not IPv6. Next, the Protocol field of the IP header tells which upper-layer protocol is encapsulated, and the IHL field (the low nibble of that same first byte, counted in 32-bit words) tells where the IP header ends and the encapsulated header begins. Notice that lsniff looks only at headers, not at payload data. The rest of the code depends on your knowledge of the protocol you want to parse, and you can extend lsniff by adding more protocol-parsing routines. When you write them, validate the IHL and Total Length fields against the number of bytes recv actually returned before using them as offsets, so that a truncated or malformed packet cannot make the parser read past the end of the buffer. It is good practice to check your decoding against a professional sniffer such as Ethereal (renamed Wireshark in 2006):
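The four setup steps above together with the header parsing just described, as one added example. This is not lsniff's source and not the article author's code: the parser is portable C and is what the article leaves to the reader; the capture loop (under #ifdef _WIN32) follows the same Winsock steps and assumes the interface's IPv4 address is passed as argv[1], Windows Vista or later (for inet_pton), an elevated process, and RCVALL_ON/SIO_RCVALL from mstcpip.h. The two sample datagrams are constructed by hand, not captured traffic.

```c
/* Added example, not lsniff's own source. Portable part: a bounds-checked
 * IPv4/TCP/ICMP header parser. Windows part (#ifdef _WIN32): the article's four
 * Winsock steps and the recv loop. Assumed: interface IPv4 address in argv[1]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PKT_BAD = 0, PKT_TCP, PKT_ICMP, PKT_OTHER };
typedef struct {
    int kind;                       /* PKT_* */
    uint8_t proto;                  /* IPv4 Protocol field (IANA protocol number) */
    uint32_t src, dst;              /* host byte order */
    uint16_t sport, dport;          /* TCP only */
    uint8_t tcp_flags;              /* TCP only: 0x02 SYN, 0x10 ACK, ... */
    uint8_t icmp_type, icmp_code;   /* ICMP only */
} pkt_summary;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Parse one IPv4 datagram as SIO_RCVALL delivers it (no Ethernet header). IHL and
 * Total Length come from the wire, so both are checked against len (what recv really
 * returned) before being used as offsets: a truncated or forged header cannot push
 * the parser past buf+len. */
int parse_ipv4(const uint8_t *buf, size_t len, pkt_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (buf[0] >> 4) != 4) return PKT_BAD;   /* lsniff's LS_HI_PART(ver_ihl) != 4 */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4, total = rd16(buf + 2);
    if (ihl < 20 || ihl > len || total < ihl || total > len) return PKT_BAD;
    out->proto = buf[9];
    out->src = rd32(buf + 12); out->dst = rd32(buf + 16);
    const uint8_t *l4 = buf + ihl; size_t l4len = total - ihl;  /* encapsulated header */
    if (out->proto == 6) {                  /* TCP, RFC 793 */
        if (l4len < 20) return PKT_BAD;
        out->sport = rd16(l4); out->dport = rd16(l4 + 2); out->tcp_flags = l4[13];
        out->kind = PKT_TCP;
    } else if (out->proto == 1) {           /* ICMP, RFC 792 */
        if (l4len < 4) return PKT_BAD;
        out->icmp_type = l4[0]; out->icmp_code = l4[1];
        out->kind = PKT_ICMP;
    } else out->kind = PKT_OTHER;           /* hook for more parsers (UDP = 17, ...) */
    return out->kind;
}

void print_summary(const pkt_summary *s)
{
    unsigned a = s->src, b = s->dst;
    printf("%u.%u.%u.%u -> %u.%u.%u.%u ", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255, b >> 24, (b >> 16) & 255, (b >> 8) & 255, b & 255);
    if (s->kind == PKT_TCP) printf("TCP %u -> %u flags 0x%02x\n", (unsigned)s->sport, (unsigned)s->dport, (unsigned)s->tcp_flags);
    else if (s->kind == PKT_ICMP) printf("ICMP type %u code %u\n", (unsigned)s->icmp_type, (unsigned)s->icmp_code);
    else printf("IP protocol %u\n", (unsigned)s->proto);
}

/* Constructed sample datagrams (not captured traffic); checksums are left zero. */
const uint8_t sample_tcp_syn[40] = {    /* 10.0.0.1:40000 -> 10.0.0.2:80, SYN */
    0x45,0,0,0x28, 0,1,0,0, 0x40,6,0,0, 10,0,0,1, 10,0,0,2,
    0x9C,0x40, 0,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xFF,0xFF, 0,0, 0,0 };
const uint8_t sample_icmp_echo[28] = {  /* 192.168.1.10 -> 192.168.1.1, echo request */
    0x45,0,0,0x1C, 0,2,0,0, 0x80,1,0,0, 192,168,1,10, 192,168,1,1,
    8,0,0,0, 0x12,0x34,0,1 };

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>                    /* SIO_RCVALL, RCVALL_ON */

/* The article's steps 1-4, then the recv loop. want_proto: 0 = all, 6 = TCP, 1 = ICMP. */
int run_sniffer(const char *if_addr, int want_proto)
{
    WSADATA wsa;
    struct sockaddr_in local = { AF_INET };  /* sin_port stays 0 */
    DWORD on = RCVALL_ON, returned = 0;
    static uint8_t buf[65535];               /* largest possible IPv4 datagram */
    SOCKET s; int n;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return 1;                              /* step 1 */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);                                        /* step 2 */
    if (s == INVALID_SOCKET) goto fail;
    if (inet_pton(AF_INET, if_addr, &local.sin_addr) != 1 ||                         /* step 3: one interface, never INADDR_ANY */
        bind(s, (struct sockaddr *)&local, sizeof local) == SOCKET_ERROR) goto fail;
    if (WSAIoctl(s, SIO_RCVALL, &on, sizeof on, NULL, 0, &returned, NULL, NULL) == SOCKET_ERROR) goto fail; /* step 4 */
    while ((n = recv(s, (char *)buf, sizeof buf, 0)) != SOCKET_ERROR) {
        pkt_summary ps;
        if (parse_ipv4(buf, (size_t)n, &ps) != PKT_BAD && (want_proto == 0 || ps.proto == want_proto))
            print_summary(&ps);
    }
fail:
    printf("Winsock error %d (10013 = WSAEACCES: process not elevated?)\n", WSAGetLastError());
    if (s != INVALID_SOCKET) closesocket(s);
    WSACleanup();
    return 1;
}

int main(int argc, char **argv)
{
    int want = argc > 2 && !_stricmp(argv[2], "TCP") ? 6 : argc > 2 && !_stricmp(argv[2], "ICMP") ? 1 : 0;
    if (argc < 2) { fprintf(stderr, "usage: %s <interface-ipv4> [TCP|ICMP]\n", argv[0]); return 2; }
    return run_sniffer(argv[1], want);
}
#endif
```

On Windows, link against ws2_32.lib and run the binary from an elevated prompt, e.g. `sniff.exe 192.168.1.10 ICMP`. The parser deliberately rejects any datagram whose IHL or Total Length field claims more bytes than recv returned, and it does not verify checksums; a sniffer should report what is on the wire, including packets a host would discard.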

Screenshot - lsniff_03.jpg

Figure 2: parsing packets

Enjoy. I hope this helps.


  • 5 November, 2007: First version


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.



About the Author

Ciro Sisman Pereira
Software Developer (Senior)
Brazil

Comments and Discussions

Thread titles only; the message bodies are not included on this page.

  • Question: Missing all incoming traffic (ivancmz, 21-Jun-12 18:51)
    • Answer: Re: Missing all incoming traffic (watermoon, 11-Jul-12 21:27)
    • General: Re: Missing all incoming traffic (gnaiqiz, 9-Nov-12 14:21)
  • Question: vote (boris.pong, 18-Jun-12 16:29)
  • General: My vote of 5 (Sergey Chepurin, 18-Sep-11 10:30)
  • General: My vote of 5 (sumetp, 18-Sep-11 7:11)
  • Question: why source ip unchanged (idiot72716-Aug-11 0:11)
    • Answer: Re: why source ip unchanged (gnaiqiz, 9-Nov-12 14:27)
  • Question: XP OK Win 7 Not OK (Member 7766180, 22-Jul-11 6:43)
    • Answer: Re: XP OK Win 7 Not OK (gnaiqiz, 9-Nov-12 14:26)
  • General: Turn Off Administrative (Member 7766180, 1-May-11 14:00)
  • General: UDP (Member 7766180, 24-Apr-11 5:13)
  • General: Not Reading (Member 7766180, 22-Apr-11 4:55)
    • General: Re: Not Reading (Member 7766180, 22-Apr-11 4:59)
  • General: My vote of 5 (gndnet, 16-Dec-10 21:20)
  • General: getting error 10022 (paposoft, 23-Feb-10 14:15)
  • General: [Message Deleted] (it.ragester, 2-Apr-09 21:43)
  • General: Capturing full package including the ethernet header (matoust, 27-Feb-09 10:26)
  • General: please help (gdsivan, 10-Dec-08 23:58)
  • Question: traffic count to small (klsc1806, 9-Oct-08 19:43)
  • General: Network Sniffer. (Souldx712-Jul-08 2:54)
  • Question: ARP packets (Herb Miller, 12-Jun-08 3:04)
    • Answer: Re: ARP packets (Ciro Sisman Pereira, 13-Jun-08 16:27)
    • General: Re: ARP packets (Jason McBurney, 18-Jul-08 4:26)
  • Question: Question (Alireza_1362, 10-Feb-08 22:06)
