Good afternoon list,

I recently upgraded an old 8 port hub to a switch, and came to the realization that sniffing the traffic is pretty much impossible. (Yes, yes - arp poisoning, or probably other methods, but I assume this can be solved cleaner with a program I could write.)

Ok, so time to learn some new tricks I figured. No problem. I've done some reading in the WinPCap documentation, specifically, the Packet.dll & packet32.h parts.

What I would like to do, is to "tee" (yes, like the unix command) UDP traffic that is directed to AND from one PC on my network, to a second computer, on the same network.

What I imagine, is when a UDP packet is sent from PC1 (10.1.1.3) to a remote address (a.b.c.d), PC2 (10.1.1.4) would see a copy of this packet, and when a.b.c.d replies to PC1, a copy of that UDP packet is also copied to PC2.

My plan was to write a program on PC1 that would copy incoming & outgoing UDP packets to a.b.c.d. I have written some code, which copies the original packet, and modifies the destination address, but that doesn't seem to work. The code checks that it's an IP packet, type UDP, not a broadcast and comes from a.b.c.d. (Should have just used a filter, now that I think of it). Then, it makes a copy of the packet, and if it is an incoming packet, change the destination to PC2. When sending, repeat the above filter, and change the destination (again) to the second PC2.

Is there more to it than just changing addresses? I wish the packet contents to remain intact, my only intent is for the second computer to be able to see the UDP traffic to/from a.b.c.d that, technically, isn't its business.

Seems like a trivial thing, but after some Google searching, it appears nothing similar exists to do this. Of course, I don't know what to name what I am looking for, which makes searching a tad difficult. (Yes, a bouncer is similar in concept, but I don't want to redirect, rather, just get a copy of the packets.)

Sorry for the convoluted explanation, hopefully someone has some thoughts on why my above idea isn't working.

[Yes, I could move PC1 and PC2 onto the old HUB and then connect that hub to the new switch, but the HUB is 10mbps, while everything else is 10/100, so I'd rather not sacrifice the speed, if possible.]


Thanks, Chris
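
The frame fields that depend on the destination address, shown as an added example that is not part of the original post: a switch forwards on the destination MAC, and the IPv4 header checksum and the UDP checksum (through its pseudo-header) both cover the destination IP, so all three change together when a copied frame is retargeted. The function names, the untagged Ethernet II / IPv4 framing, and the caller already knowing PC2's MAC address are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)p[0] << 8;            /* pad an odd trailing byte */
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Retarget a COPY of a captured Ethernet II / IPv4 / UDP frame at a monitor
 * host. Payload bytes are untouched. Returns 0 on success, -1 if the frame
 * is not a well-formed, unfragmented IPv4/UDP frame. (Hypothetical helper.) */
int tee_rewrite(uint8_t *f, size_t len, const uint8_t mac[6], const uint8_t ip[4]) {
    if (len < 14 + 20 + 8 || f[12] != 0x08 || f[13] != 0x00) return -1;
    uint8_t *iph = f + 14;
    size_t ihl = (size_t)(iph[0] & 0x0f) * 4;
    size_t tot = (size_t)(iph[2] << 8 | iph[3]);
    if ((iph[0] >> 4) != 4 || ihl < 20 || iph[9] != 17) return -1;
    if (tot < ihl + 8 || 14 + tot > len) return -1;
    if ((iph[6] & 0x3f) || iph[7]) return -1;     /* fragment: no full UDP datagram */
    uint8_t *udp = iph + ihl;
    size_t ulen = (size_t)(udp[4] << 8 | udp[5]);
    if (ulen < 8 || ulen > tot - ihl) return -1;

    memcpy(f, mac, 6);                             /* Ethernet destination MAC */
    memcpy(iph + 16, ip, 4);                       /* IPv4 destination address */

    iph[10] = iph[11] = 0;                         /* recompute IP header checksum */
    uint16_t c = fold(sum16(iph, ihl, 0));
    iph[10] = (uint8_t)(c >> 8); iph[11] = (uint8_t)(c & 0xff);

    if (udp[6] | udp[7]) {                         /* 0 means sender sent no checksum */
        udp[6] = udp[7] = 0;
        /* pseudo-header: src IP, dst IP, protocol 17, UDP length */
        uint32_t acc = sum16(iph + 12, 8, 17 + (uint32_t)ulen);
        c = fold(sum16(udp, ulen, acc));
        if (c == 0) c = 0xffff;                    /* 0 is reserved for "none" */
        udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)(c & 0xff);
    }
    return 0;
}
```
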


================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/

To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
