Sign in to follow this  
fusion32

Winsock and Raw Sockets

Recommended Posts

Hello, I was trying to get packets from a game using raw sockets and setting it to promicuous mode but i don't know why the fuck only the outgoing packets has some real data. Incoming packets has nothing but the headers. Anyone had this problem before? Thanks in advance.

Share this post


Link to post
Share on other sites
[CODE]

int main()
{
//
int lasterror;

//
int sock = ::socket(AF_INET, SOCK_RAW, IPPROTO_IP);
if(sock == INVALID_SOCKET){
lasterror = ::WSAGetLastError();
if(lasterror == WSAEACCES){
printf("\n\n -> Execute as administrator\n\n");
}
else{
printf("\n\n -> Unkown error: %d\n\n", lasterror);
}
system_pause();
return 0;
}

char hostname[256];
gethostname(hostname, 256);
hostent *he = gethostbyname(hostname);

//char host[] = {127, 0, 0, 1};
sockaddr_in addr = {0};
addr.sin_family = AF_INET;
addr.sin_port = htons(7171);
addr.sin_addr.s_addr = *(unsigned*)he->h_addr_list[0];
if(::bind(sock, (sockaddr*)&addr, sizeof(sockaddr_in)) != 0){
printf("\n\n -> Unkown error: %d\n\n", ::WSAGetLastError());
closesocket(sock);
system_pause();
return 0;
}

// set Promiscous Mode
DWORD opt = RCVALL_ON;
DWORD bytes = 0;
if(::WSAIoctl(sock, SIO_RCVALL, &opt, sizeof(opt), 0, 0, &bytes, 0, 0) != 0){
printf("\n\n -> Unkown error: %d\n\n", ::WSAGetLastError());
closesocket(sock);
system_pause();
return 0;
}

//
iphdr *ip;
tcphdr *tcp;
char *buffer = (char*)malloc(BUFFER_SIZE);

unsigned hdrlen;

char *data;
unsigned datalen;

char log[64];
unsigned pnum = 0;

int ret;
while((ret = ::recvfrom(sock, buffer, BUFFER_SIZE, 0, NULL, NULL)) > 0){
// parse packet
ip = (iphdr*)buffer;
if(ip->proto == IPPROTO_TCP){
tcp = (tcphdr*)(buffer + (ip->ihl * 4));
unsigned dstport = swapShort(tcp->dstport);
if(dstport != 7171)
continue;

//
unsigned short totallength = swapShort(ip->length);

//
hdrlen = ((ip->ihl + tcp->offset) * 4);
data = buffer + hdrlen;
datalen = totallength - hdrlen;

printf("\n\nHEADER LENGTH: %d | DATA LENGTH: %d | TOTAL LENGTH: %d | RET: %d\n\n", hdrlen, datalen, totallength, ret);

if(datalen > 0){
// parse packet
// dicard 6 first bytes
data += 6;
datalen -= 6;
// decrypt message
updateXTEAKEY();
XTEA_decrypt((uint32_t*)data, datalen, XTEA_KEY);
// get decrypted len
datalen = *(unsigned short*)data;
data += 2;
// dump into a log file
sprintf(log, "packets/packet_%d.log", ++pnum);
hexdump(log, data, datalen);
}
}
}

closesocket(sock);
return 0;
}
[/CODE]

Here it is.

Actually im just reading the packets and dumping into a file for analisis and the reason im not using wireshark or any other tool is because this game has an encryption so i need to decrypt the message to read it.

Also this line:
[CODE]
unsigned dstport = swapShort(tcp->dstport);
[/CODE]


The reason to swap shorts and longs has something to do with endianness?

And i had also tryed to use WinPCap and it seems to have the same error...

Share this post


Link to post
Share on other sites
What are your exact symptoms? Do you receive a packet with a 0 TCP data length, or do you actually get a data length but your logging fails to record the packet? How big is BUFFER_SIZE? Have you tried your code on a different connection type, say HTTP, to make sure you get packets there as well? Also, what version of Windows are you on? Are you running as an administrator?

As for swapping byte orders: yes, this is related to endianness specifications.

Share this post


Link to post
Share on other sites
Ok i get all the packets i receive and parse only those in port 7171. All good here. Now when im parsing the packets only the outgoing have some data. The incoming have only the headers and nothing else. I tryed to use winpcap but the same thing happened. I'm using Windows 7 64b.

EDIT: i checked the packets in wireshark and it seems to have only the headers for incoming packets too... it might be windows 7... not sure

Share this post


Link to post
Share on other sites
Hmm when i receive an incoming packet, ret is 40 and ip->total_length is 40 too. So 20 + 20 (ip header + tcp header) is already 40 and there is no data left in the packet. As for outgoing packets the data size vary.

Share this post


Link to post
Share on other sites
What are the TCP flags on the incoming packets? e.g. are you just getting RSTs or something? It's important to know whether or not there's even an attempt at sending data from the other side. You might also just be getting empty keep-alive packets as well. How have you verified that you're actually getting incoming data payloads?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this