Re: [WinPcap-users] pcap_compile : Filter Syntax
So I think this is pretty much capturing almost all packets and finding out if the string is there before logging to a file!! AnalogX PacketMonitor claims to be able to capture only packets that contain a string of our choice. It says it works on XP (maybe because of XP raw packet support), but I have XP Home Edition, where Microsoft Network Monitor isn't supplied. And I couldn't even get AnalogX PacketMon to log packets with a particular string as promised. So this is an attempt to do the same with WinPcap.

Wrong question for this mailing list: Has anyone successfully got Microsoft Network Monitor or AnalogX PacketMon to work on XP Home Edition?

Bala

--- Guy Harris [EMAIL PROTECTED] wrote:

> On Mon, Feb 24, 2003 at 12:08:20AM -0800, Balakrishnan Muthukrishnan wrote:
>
> > Because I am not from a UNIX background and don't have any knowledge about BPF, I am not able to understand the syntax for the filter parameter of the pcap_compile function.
>
> It's not a UNIX issue, any more than the C or C++ programming language is; libpcap/tcpdump, C, and C++ are available on non-UNIX systems (which you presumably already know, given that you're mailing to this list :-)).
>
> > I want to only capture packets which have a particular word in the data field (say Kazaa).
>
> Unfortunately, that's *very* hard to do. BPF is a machine language that has 1-byte, 2-byte, and 4-byte loads, and compare instructions, so it'd have to be done by code that, for each offset at which the string might begin, tests whether there is such a string.

== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/ To unsubscribe use mailto: [EMAIL PROTECTED] ==
Re: [WinPcap-users] Re: Compiling on visual C++, getting errors
Thanks, I found the problem by moving the pcap.h file to the very beginning of my includes.

Jeff

babelfsh wrote:

> It might be better to stop winsock.h or winsock2.h directly by explicitly using a #define _WINSOCKAPI_ to get rid of winsock.h or #define _WINSOCK2API_ to get rid of winsock2.h early in your program. This helped with some of my MFC programs, which tend to hide where the winsock.h is included. A big plus is that I no longer had to worry about the position of my wpcap.h/packet32.h includes.
>
> ----- Original Message -----
> From: xchen [EMAIL PROTECTED]
> To: Jeff Wong [EMAIL PROTECTED]; winpcap-users [EMAIL PROTECTED]
> Sent: Monday, February 24, 2003 3:13 PM
> Subject: RE: [WinPcap-users] Re: Compiling on visual C++, getting errors
>
> > Seems that you included winsock.h before winsock2.h. Try to move '#include winsock2.h' (or packet32.h) to a higher position.
> >
> > ===== Original Message From Jeff Wong [EMAIL PROTECTED] =====
> >
> > > Hello, I am trying to compile in the wpcap.lib file into my existing app and I'm getting the following errors:
> > >
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(99) : error C2011: 'fd_set' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(134) : warning C4005: 'FD_SET' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(83) : see previous definition of 'FD_SET'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(143) : error C2011: 'timeval' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(199) : error C2011: 'hostent' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(212) : error C2011: 'netent' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(219) : error C2011: 'servent' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(226) : error C2011: 'protoent' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(310) : error C2011: 'in_addr' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(368) : error C2011: 'sockaddr_in' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(378) : error C2011: 'WSAData' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(430) : warning C4005: 'SO_DONTLINGER' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(391) : see previous definition of 'SO_DONTLINGER'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(483) : warning C4005: 'AF_IPX' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(449) : see previous definition of 'AF_IPX'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(506) : warning C4005: 'AF_MAX' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(468) : see previous definition of 'AF_MAX'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(512) : error C2011: 'sockaddr' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(521) : error C2011: 'sockproto' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(560) : error C2011: 'linger' : 'struct' type redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(573) : warning C4005: 'SOMAXCONN' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(533) : see previous definition of 'SOMAXCONN'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(598) : warning C4005: 'FD_READ' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(551) : see previous definition of 'FD_READ'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(601) : warning C4005: 'FD_WRITE' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(552) : see previous definition of 'FD_WRITE'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(604) : warning C4005: 'FD_OOB' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(553) : see previous definition of 'FD_OOB'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(607) : warning C4005: 'FD_ACCEPT' : macro redefinition
> > > c:\program files\microsoft visual studio\vc98\include\winsock.h(554) : see previous definition of 'FD_ACCEPT'
> > > c:\program files\microsoft visual studio\vc98\include\winsock2.h(610) : warning C4005:
RE: [WinPcap-users] microseconds in time stamp
> I've posted this before but I don't think I got a reply. But does anyone know how winpcap fills the microseconds field in the timeval struct? I don't think there's a native function in windows that returns the time passed in microseconds since the onset of the second.

If I'm not mistaken, I think it uses 'KeQuerySystemTime'. You can read up on it here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k105_41iq.asp

It is based on 100 nanosecond intervals since 1601.
Re: [WinPcap-users] microseconds in time stamp
On Tue, Feb 25, 2003 at 11:23:42AM -0800, Jason Copeland wrote:

> If I'm not mistaken, I think it uses 'KeQuerySystemTime'.

...on Windows NT (4.0, 5.0 a/k/a Windows 2000, 5.1 a/k/a Windows XP, etc.). I think it uses something else on Windows OT (95, 98, Me).

In both cases, those are kernel interfaces, not Win32 interfaces - the time stamping is done by kernel code.
RE: [WinPcap-users] microseconds in time stamp
> On Tue, Feb 25, 2003 at 11:23:42AM -0800, Jason Copeland wrote:
>
> > If I'm not mistaken, I think it uses 'KeQuerySystemTime'.
>
> ...on Windows NT (4.0, 5.0 a/k/a Windows 2000, 5.1 a/k/a Windows XP, etc.). I think it uses something else on Windows OT (95, 98, Me).
>
> In both cases, those are kernel interfaces, not Win32 interfaces - the time stamping is done by kernel code.

Yes, but the question was what was actually being used. :)

If someone wanted to use something in their code, they could always look at 'GetSystemTime' which, if I'm not mistaken, goes to milliseconds.
RE: [WinPcap-users] microseconds in time stamp
Yes, GetSystemTime goes to milliseconds. Currently, I've been using GetSystemTimeAsFileTime and then converting the 100 nanosecond resolution to microseconds. But the time obtained doesn't seem to be consistent with the time stamp obtained from the packet capture.

--On Tuesday, February 25, 2003 11:40 AM -0800 Jason Copeland [EMAIL PROTECTED] wrote:

> > On Tue, Feb 25, 2003 at 11:23:42AM -0800, Jason Copeland wrote:
> >
> > > If I'm not mistaken, I think it uses 'KeQuerySystemTime'.
> >
> > ...on Windows NT (4.0, 5.0 a/k/a Windows 2000, 5.1 a/k/a Windows XP, etc.). I think it uses something else on Windows OT (95, 98, Me).
> >
> > In both cases, those are kernel interfaces, not Win32 interfaces - the time stamping is done by kernel code.
>
> Yes, but the question was what was actually being used. :)
>
> If someone wanted to use something in their code, they could always look at 'GetSystemTime' which, if I'm not mistaken, goes to milliseconds.

Jicai Jonathan Chow
Aircaster
Carnegie Mellon University
CIT, ECE Senior
There are many forms of solitude --Isolation is just one
Re: [WinPcap-users] pcap_compile : Filter Syntax
On Tue, Feb 25, 2003 at 12:41:16AM -0800, Balakrishnan Muthukrishnan wrote:

> So I think this is pretty much capturing almost all packets and finding out if the string is there before logging to a file!!

Yes, unless you want to construct a complicated filter expression to test whether the string appears at an offset of 0, or at an offset of 1, or at an offset of 2, or...

> AnalogX PacketMonitor claims to be able to capture only packets that contain a string of our choice.

Yes, but the question is whether it does so by "capturing almost all packets before logging to a file".

> It says it works on XP (maybe because of XP raw packet support) but I have XP Home Edition where Microsoft Network Monitor isn't supplied.

It might not be using Network Monitor's capture driver. I ran Network Monitor, Ethereal (which uses WinPcap; WinDump, Analyzer, Packetyzer, etc., which also use WinPcap, would all work the same there), and AnalogX PacketMonitor for a short period of time on my machine; Network Monitor and Ethereal both saw ARP packets, but PacketMonitor didn't.

Perhaps it's using some mechanism for getting raw IP packets; the page at http://www.analogx.com/contents/download/network/pmon.htm claims that "AnalogX PacketMon allows you to capture IP packets that pass through your network interface - whether they originated from the machine on which PacketMon is installed, or a completely different machine on your network!", but as they speak of packets that "pass through your network", they might not support promiscuous mode (and thus can't capture packets that come from a different machine on your network and that are being sent *to* a different machine on your network), and as they speak of "IP packets", they might well use a raw socket interface rather than the Network Monitor driver or a driver of their own.
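Guy's two replies in this thread describe the only two ways to get "packets containing a string" out of pcap: a filter expression that tests the string at every possible offset, or a permissive capture with the search done in userland. The C below is an added illustration, not code from any list message or from WinPcap/libpcap: build_string_filter() generates the tcpdump/pcap filter text that checks a needle at every TCP payload offset from 0 to max_offset, using the tcp[expr:size] accessor with the 4-, 2- and 1-byte loads BPF actually has (the ((tcp[12]&0xf0)>>2) term is the TCP header length, so offsets are relative to the payload start), and payload_contains() is the userland check a pcap_loop() callback would run on each packet instead. The function names and the sample HTTP-like payload are mine.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userland alternative: search a captured packet's bytes for the needle.
 * This is what a pcap_loop() callback would call on each packet when the
 * capture filter lets (almost) everything through. */
static int payload_contains(const unsigned char *data, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || len < n)
        return 0;
    for (size_t off = 0; off + n <= len; off++)
        if (memcmp(data + off, needle, n) == 0)
            return 1;
    return 0;
}

/* snprintf-style append into a bounded buffer; returns 0 on truncation. */
static int emit(char *out, size_t outlen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out + *pos, outlen - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen - *pos)
        return 0;
    *pos += (size_t)n;
    return 1;
}

/* Build a pcap filter that matches `needle` at any TCP payload offset in
 * 0..max_offset.  Each offset becomes one parenthesised alternative made of
 * 4-, 2- and 1-byte comparisons, because those are the only load widths BPF
 * has.  Returns the expression length, or -1 if `out` is too small.  The
 * expression grows linearly with max_offset, which is why Guy calls this
 * approach "very hard": it is only practical for a small offset range. */
static int build_string_filter(const char *needle, size_t max_offset, char *out, size_t outlen)
{
    const char *payload = "((tcp[12]&0xf0)>>2)";   /* TCP header length in bytes */
    size_t n = strlen(needle), pos = 0;
    if (n == 0 || outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t off = 0; off <= max_offset; off++) {
        if (!emit(out, outlen, &pos, "%s(", off ? " or " : ""))
            return -1;
        for (size_t done = 0; done < n; ) {
            size_t size = (n - done >= 4) ? 4 : (n - done >= 2) ? 2 : 1;
            unsigned long v = 0;                 /* needle bytes as a big-endian word */
            for (size_t i = 0; i < size; i++)
                v = (v << 8) | (unsigned char)needle[done + i];
            if (!emit(out, outlen, &pos, "%stcp[%s+%zu:%zu] = 0x%0*lx",
                      done ? " and " : "", payload, off + done, size, (int)(2 * size), v))
                return -1;
            done += size;
        }
        if (!emit(out, outlen, &pos, ")"))
            return -1;
    }
    return (int)pos;
}

/* Convenience wrapper returning a static buffer (not reentrant). */
static const char *string_filter(const char *needle, size_t max_offset)
{
    static char buf[4096];
    return build_string_filter(needle, max_offset, buf, sizeof buf) > 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample payload; in a real program this would be the
     * packet bytes handed to the pcap_loop() callback. */
    const unsigned char pkt[] = "GET /search?q=Kazaa HTTP/1.0\r\n";
    const char *f = string_filter("Kazaa", 8);

    printf("filter for pcap_compile():\n%s\n", f ? f : "(buffer too small)");
    printf("userland match: %d\n", payload_contains(pkt, sizeof pkt - 1, "Kazaa"));
    return 0;
}
```

Two caveats apply to both approaches and matter when the result feeds a detection or logging decision: the match is per packet, so a word split across two TCP segments is never seen, and it is case-sensitive. For the filter form, a tcp[...] load that runs past the end of a short packet makes BPF reject that packet rather than error out, so short packets are silently unmatched; and a very large max_offset produces a BPF program that pcap_compile() may refuse to build, which is the practical reason most tools do the search in userland.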
Re: [WinPcap-users] microseconds in time stamp
On Tue, Feb 25, 2003 at 02:51:02PM -0500, Jonathan wrote:

> Yes, GetSystemTime goes to milliseconds. Currently, I've been using GetSystemTimeAsFileTime and then converting the 100 nanosecond resolution to microseconds. But the time obtained doesn't seem to be consistent with the time stamp obtained from the packet capture.

Well, KeQuerySystemTime() only offers 10 millisecond resolution, according to the http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k105_41iq.asp page cited earlier:

> System time is a count of 100-nanosecond intervals since January 1, 1601. System time is typically updated approximately every ten milliseconds. This value is computed for the GMT time zone.

I.e., it works the way UNIX time stamps work...

...on older systems, and on systems that don't have high-resolution timers, except that the not-really-achieved resolution is .1 microsecond rather than 1 microsecond, and the time base is in 1601 rather than 1970. In many modern UNIX systems, if there's a high-resolution timer, it's combined with the timer that's updated every 10-100 ms to give a higher-resolution time stamp.

I suspect GetSystemTimeAsFileTime() has the same 10-millisecond resolution (unlike gettimeofday() on UNIX systems with high-resolution-timer support) - i.e., the kernel's time stamp just gets propagated to userland by the calls used to fetch time stamps.

It's unfortunate that KeQuerySystemTime() doesn't return a high-resolution time stamp, and it'd be even more unfortunate if GetSystemTimeAsFileTime() did the same, although one could perhaps argue that

1) if code often doesn't need microsecond-or-better resolution, and if querying the high-resolution timer is expensive, having a separate call to get high-resolution time might be a good idea

and

2) the performance counter on x86, at least, might not deliver a time in convenient intervals, so using it as a high-resolution timer might be problematic.
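Jonathan's conversion from GetSystemTimeAsFileTime() to microseconds, and Guy's point about the roughly 10 ms update interval behind those six digits of microseconds, are both easier to check in code. The C below is an added illustration and not code from WinPcap or from anyone on the list: it converts a FILETIME (100 ns ticks since 1601) to microseconds since 1970 and to the struct timeval that pcap_pkthdr.ts carries, and stamps_within_tick() expresses the caveat that two stamps closer together than one system-time tick cannot be ordered, however precise they look. The epoch offset 116444736000000000 is the standard 11644473600 s * 10^7 between the two epochs; the function names and sample values are mine, and the 10 ms tick is the figure quoted from the MSDN page, not a measured one. struct timeval is taken from <sys/time.h> here, where a WinPcap program would get it from winsock2.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>   /* struct timeval; WinPcap programs get it from winsock2.h instead */

/* 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and
 * 1970-01-01 (UNIX epoch): 11644473600 seconds * 10^7. */
#define EPOCH_DIFF_TICKS 116444736000000000ULL
#define TICKS_PER_USEC   10ULL
/* Update granularity the MSDN page attributes to system time: ~10 ms. */
#define SYSTEM_TIME_TICK_USEC 10000

/* Assemble a 64-bit FILETIME from the two DWORDs Win32 hands back. */
uint64_t filetime_from_parts(uint32_t high, uint32_t low)
{
    return ((uint64_t)high << 32) | low;
}

/* Microseconds since the UNIX epoch, or -1 if the FILETIME predates 1970.
 * The sub-microsecond remainder is truncated, as a capture driver filling
 * a timeval would also have to do. */
int64_t filetime_to_unix_usec(uint64_t ft)
{
    if (ft < EPOCH_DIFF_TICKS)
        return -1;
    return (int64_t)((ft - EPOCH_DIFF_TICKS) / TICKS_PER_USEC);
}

/* Inverse conversion, useful for comparing a pcap stamp against a host clock. */
uint64_t unix_usec_to_filetime(int64_t usec)
{
    return EPOCH_DIFF_TICKS + (uint64_t)usec * TICKS_PER_USEC;
}

/* Same conversion into the struct timeval that pcap_pkthdr.ts uses. */
int filetime_to_timeval(uint64_t ft, struct timeval *tv)
{
    int64_t usec = filetime_to_unix_usec(ft);
    if (usec < 0)
        return -1;
    tv->tv_sec = (time_t)(usec / 1000000);
    tv->tv_usec = (long)(usec % 1000000);
    return 0;
}

int64_t timeval_to_unix_usec(const struct timeval *tv)
{
    return (int64_t)tv->tv_sec * 1000000 + tv->tv_usec;
}

/* Two stamps closer than one system-time tick cannot be ordered reliably,
 * even though both carry six digits of microseconds. */
int stamps_within_tick(int64_t a_usec, int64_t b_usec)
{
    int64_t d = a_usec > b_usec ? a_usec - b_usec : b_usec - a_usec;
    return d < SYSTEM_TIME_TICK_USEC;
}

int main(void)
{
    /* Constructed values: a host stamp 1.5000005 s after the UNIX epoch and
     * a packet stamp 4 ms later, i.e. inside the same ~10 ms tick. */
    uint64_t ft = EPOCH_DIFF_TICKS + 15000005ULL;
    struct timeval tv;
    if (filetime_to_timeval(ft, &tv) != 0)
        return 1;
    int64_t host = timeval_to_unix_usec(&tv);
    int64_t pkt = host + 4000;
    printf("host %lld us, packet %lld us, indistinguishable: %d\n",
           (long long)host, (long long)pkt, stamps_within_tick(host, pkt));
    return 0;
}
```

When correlating capture stamps with application-side logs, treat differences below the tick as "same instant" rather than as evidence of ordering; a host stamp that appears to precede the packet by a few milliseconds is exactly what the thread describes and not a sign of a broken conversion.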
Re: [WinPcap-users] microseconds in time stamp
On Tue, Feb 25, 2003 at 05:19:57PM -0500, Jonathan wrote:

> I was wondering if you could point me to the file in which this is done?

If by "this" you mean the time-stamping of packets, then:

download the WinPcap 3.0 beta source ZIP file from http://winpcap.polito.it/install/default.htm

look in winpcap\Packet9x\VXD\Openclos.c and winpcap\Packet9x\VXD\Read.c to see the code for Windows OT (95, 98, Me);

look in winpcap\packetNtx\driver\Openclos.c, winpcap\packetNtx\driver\Read.c, and winpcap\packetNtx\driver\time_calls.h to see the code for Windows NT (NT 4.0, 2000, XP).

Finding the equivalent code in WinPcap 2.3 is left as an exercise for the reader.
Re: [WinPcap-users] I am getting socket: Operation not permitted error
On Tue, Feb 25, 2003 at 02:02:41PM -0800, Jeff Wong wrote:

> When I try to execute the following command:
>
> pcapHandle = pcap_open_live(pcapDeviceName, BUFSIZ, 0, -1, pcapErrBuf);
>
> I am getting the error "socket: Operation not permitted". Is this because I'm not executing as root? Is there a way to execute this command without being root? My device name is eth0.

On Linux, it might be; on Windows, it's not. Are you talking about Linux, or Windows? I suspect it's Linux, given the device name and the socket error; WinPcap doesn't use sockets to capture, but libpcap on Linux does.

If you're talking about Linux (or any other UNIX variant), the right list is [EMAIL PROTECTED]

> I noticed when I want to execute tcpdump I have to either sudo or run as root to execute this command.

(Except on systems using BPF, where you might be able to give yourself read permission on the BPF devices if you can become root. That can sort of be made to work with DLPI devices on Solaris, except that, on at least some versions of Solaris, you have to be root in order to run in promiscuous mode. In theory, on Linux - which is probably the OS you're discussing there, given the device name "eth0" - you could assign users capability bits to let them do packet capture; however, there's no userland support for that, as far as I know, so you can't put an entry in a file saying "this user has raw network capability".)

> Is this the case as well?

If this is Linux, or some other variant of UNIX, yes, it is the case (modulo the items noted above).

If this is Windows, no, because it does things differently. (For one thing, "root" is spelled "Administrator". :-)) The WinPcap FAQ discusses this:

http://winpcap.polito.it/misc/faq.htm#Q-7

> Q-7: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?
>
> A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you execute a WinPcap-based application for the first time since the last reboot, you must be administrator. At the first execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use WinPcap to sniff the packets.
Re: [WinPcap-users] microseconds in time stamp
I was wondering if you could point me to the file in which this is done?

--On Tuesday, February 25, 2003 12:06 PM -0800 Guy Harris [EMAIL PROTECTED] wrote:

Jicai Jonathan Chow
Aircaster
Carnegie Mellon University
CIT, ECE Senior
There are many forms of solitude --Isolation is just one
RE: [WinPcap-users] I am getting socket: Operation not permitted error
-----Original Message-----
From: Jeff Wong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 23:03
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] I am getting socket: Operation not permitted error

> When I try to execute the following command:
>
> pcapHandle = pcap_open_live(pcapDeviceName, BUFSIZ, 0, -1, pcapErrBuf);
>
> I am getting the error "socket: Operation not permitted". Is this because I'm not executing as root?

yes.

> Is there a way to execute this command without being root?

The NPF driver should have been started before by someone else.

> My device name is eth0.

Are you sure that you're using a Win32 machine? If not, are you sure this is the right mlist?

fulvio

> I noticed when I want to execute tcpdump I have to either sudo or run as root to execute this command. Is this the case as well?
>
> Thanks.
>
> Jeff