
Actually I have three questions:

1. According to Nazar Grynko's answer, will intercepting only the three functions (send, recv, and connect) help me to anticipate all the packets on my machine?

2. If I hook the three functions, how do I get an IntPtr that points to a sockaddr structure from a P/Invoked native function?

3. send and recv do not have a sockaddr, so how do I figure out the addresses?

Thank you in advance.

Community
  • Monitoring all traffic on the machine is harder than hooking three functions from user mode code. This is going to need to be done in kernel mode. That means a driver. Not something for C#. – David Heffernan Oct 15 '15 at 07:41
  • @DavidHeffernan, what about EasyHook and Deviare? They are for C#. Another thing: is it better to shift to packet-capturing tools like SharpPcap, or stick with the hooking? – user3312744 Oct 15 '15 at 07:54
  • I thought you said you want to detect all packets on the machine. You aren't going to do that from a desktop app running in the context of a user. – David Heffernan Oct 15 '15 at 08:10
  • @DavidHeffernan I'm new to this stuff, so could you explain it more, and what should I do? My aim is to monitor the network traffic for all processes on my machine (outgoing or incoming). I started with Pcap (SharpPcap), but it captures the packets without knowing the process receiving or sending them. I tried to retrieve the port # from the headers and execute _netstat_, but still not all the packets can be associated with a process. So, I shifted to hooking; by hooking all the system calls that result in a network packet(s) I thought it's possible to achieve my goal. – user3312744 Oct 18 '15 at 04:43

1 Answer

  1. The functions you described are a part of the POSIX standard. This means that when you use these functions on Windows, you're actually calling a wrapper that eventually translates to a system call. You can send packets without the use of these functions (e.g., by using the Windows API).

  2. See answer number one. This won't help you. You'd also have to provide a hook for all processes.

  3. The functions you describe use a file descriptor which is a POSIX construct, and are user-mode simulated on other systems.

To inspect your traffic you must use a driver that will do it for you. You might want to look at Pcap.Net which is a C# project aimed exactly at your problem, and provides the driver and API necessary.

Mark Segal
  • I know pcap and other drivers like SharpPcap, etc., but my aim is to know the process receiving or sending the captured packet, which was difficult for me. I tried to retrieve the port # from the headers (TCP & UDP) and execute netstat, but still not all the packets can be associated with a process, only TCP & UDP. – user3312744 Oct 19 '15 at 05:05
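A worked example of the netstat-style port-to-process mapping discussed in the comments, added here and not part of the question or the answer: a C# P/Invoke of iphlpapi's GetExtendedTcpTable (the table behind `netstat -o`) that maps each local IPv4 TCP port to its owning PID, so a port pulled from a captured TCP header can be attributed to a process. It covers only TCP sockets that still have a table entry at lookup time, which is why short-lived connections and non-TCP/UDP traffic stay unattributed; the class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not from the question or answer): map local TCP ports to owning
// PIDs with GetExtendedTcpTable, the iphlpapi call behind "netstat -o".
static class TcpOwnerLookup
{
    const int AF_INET = 2;                 // IPv4 table
    const int TCP_TABLE_OWNER_PID_ALL = 5; // rows include dwOwningPid

    // Layout of MIB_TCPROW_OWNER_PID; every field is a 32-bit DWORD.
    [StructLayout(LayoutKind.Sequential)]
    struct MIB_TCPROW_OWNER_PID
    {
        public uint dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid;
    }

    [DllImport("iphlpapi.dll", SetLastError = true)]
    static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize,
        bool bOrder, int ulAf, int tableClass, uint reserved);

    // Returns local port -> PID for every IPv4 TCP socket currently in the table.
    public static Dictionary<int, int> LocalPortToPid()
    {
        int size = 0;
        // First call with a null buffer only reports the buffer size needed.
        GetExtendedTcpTable(IntPtr.Zero, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            uint err = GetExtendedTcpTable(buf, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
            if (err != 0) throw new Win32Exception((int)err);
            var map = new Dictionary<int, int>();
            int count = Marshal.ReadInt32(buf);   // MIB_TCPTABLE_OWNER_PID.dwNumEntries
            IntPtr row = IntPtr.Add(buf, 4);      // table[] starts right after the count
            int rowSize = Marshal.SizeOf(typeof(MIB_TCPROW_OWNER_PID));
            for (int i = 0; i < count; i++, row = IntPtr.Add(row, rowSize))
            {
                var r = (MIB_TCPROW_OWNER_PID)Marshal.PtrToStructure(row, typeof(MIB_TCPROW_OWNER_PID));
                // The port sits in the low 16 bits in network byte order; swap it to host order.
                int port = (int)(((r.dwLocalPort & 0xFF) << 8) | ((r.dwLocalPort >> 8) & 0xFF));
                map[port] = (int)r.dwOwningPid;
            }
            return map;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
```

Call `TcpOwnerLookup.LocalPortToPid()` once per captured batch and look up the local port from each TCP header; a port that is missing from the map belonged to a socket already closed when the table was read.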