Local Network Interface Monitoring

John Bowman

Hi,

I need to write a utility program for my home PC that basically monitors all
keystrokes going out and char's coming back in on a local machine's network
interface. We need to monitor the kids' online activity in an
unsophisticated way. They like to use the web based AIM Express for instant
messaging. I won't let them install the AIM client. Traditional keystroke
loggers only get us half the story (outbound) but I'd like to also capture
the other half of the conversations. I know there are AIM monitors out
there, but my understanding is that they work w/ the AIM client - which
isn't part of the picture in this case.

Can anyone point me in the right direction of where/how to begin? I'm a
total newbie when it comes to monitoring network traffic.

TIA,
 
John,

You would have to use a packet sniffer kind of application to catch
and identify incoming and outbound packages. This is quite low-level
and there is no such support in the .NET Framework. You could try to
use the WinPcap library (http://winpcap.polito.it/) from your application
using p/Invoke.

Read up on platform invoke and interop with unmanaged code in the
MSDN (online) documentation and refer to the
microsoft.public.dotnet.framework.interop newsgroup for interop
questions, where you will be able to get qualified if you get stuck.

Please ensure to read up on local laws on this kind of activity, i.e. you
are actually logging a private conversation between two parties (your kids
and another person) without telling the other person (the person your kids
are talking with) about it. Not sure what the (local) law has to say about
this.

//Andreas
 
Mmmm, you sure can capture packets in c# without a drop of interop!

using System.Net;
using System.Net.Sockets;

// Winsock control code that switches the socket to receive-all mode
int SIO_RCVALL = unchecked((int)0x98000001);
byte[] ioc_in = new byte[4] {1, 0, 0, 0};   // option value 1 = on
byte[] ioc_out = new byte[4];

Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
                      ProtocolType.Unspecified);

// Bind it to an IP and listen
s.Bind(new IPEndPoint(IPAddress.Any, 0));

// Include headers in packets returned
s.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);

// Set RCVALL so we get all packets
s.IOControl(SIO_RCVALL, ioc_in, ioc_out);
 
Mark,

Oh, I was unaware of that. Thank you for pointing this out. I really
should be mad at you since I will spend a few hours playing around with it
instead of doing the work which I should be doing ;)

//Andreas

 
Mark,

Thanks for the help. 1 Question though. Once I've set

// Set RCVALL so we get all packets
s.IOControl(SIO_RCVALL, ioc_in, ioc_out);

as your code sample indicated, where/how do I actually receive the
"contents" of the packets. Is there some callback.. er delegate that I need
to use to actually inspect each packet and extract the contents? I'm too
much a newbie on this stuff, I started looking at the Sockets and IOControl
method, but I'm still confused.

TIA,

John

 
Couple of comments on the code

// Bind it to an IP and listen
s.Bind(new IPEndPoint(IPAddress.Any, 0));

If I remember correctly, for the purposes of sniffing/raw sockets you must
bind to a specific IP address. IPAddress.Any doesn't work in this case.

// Set RCVALL so we get all packets
s.IOControl(SIO_RCVALL, ioc_in, ioc_out);

This isn't a problem with your code, more of a heads up. If you set up
sniffing in this manner it will only report incoming packets. Outgoing
packets are not logged (for whatever reason) when using this method.

--
Jared Parsons [MSFT]
 
Call Socket.Receive() (or create a NetworkStream around the socket and read
from that). It's just like a normal socket at this point, except that you
didn't connect.

Mark
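
The receive step described above, put together with the bind-to-a-specific-address point raised earlier in the thread, as an added example that is not code from any poster. The class and method names are hypothetical, the choice of the host's first IPv4 address is an assumption, and on Windows a raw socket needs an elevated (administrator) process.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

static class RawIpHeaderLog   // hypothetical name, for illustration only
{
    const int SIO_RCVALL = unchecked((int)0x98000001);

    static void Main()
    {
        // Assumption: use this host's first IPv4 address; the thread notes
        // that binding to IPAddress.Any does not work for receive-all mode.
        IPAddress local = Dns.GetHostAddresses(Dns.GetHostName())
            .First(a => a.AddressFamily == AddressFamily.InterNetwork);

        using (var s = new Socket(AddressFamily.InterNetwork, SocketType.Raw,
                                  ProtocolType.IP))
        {
            s.Bind(new IPEndPoint(local, 0));
            s.SetSocketOption(SocketOptionLevel.IP,
                              SocketOptionName.HeaderIncluded, true);
            s.IOControl(SIO_RCVALL, new byte[] { 1, 0, 0, 0 }, new byte[4]);

            var buf = new byte[65535];           // largest possible IPv4 datagram
            while (true)
            {
                int n = s.Receive(buf);          // blocks; one datagram per call
                Console.WriteLine(Describe(buf, n) ?? "malformed datagram, skipped");
            }
        }
    }

    // Reads the fixed IPv4 header fields; returns null when the buffer is too
    // short or the header length field is inconsistent with what was received.
    static string Describe(byte[] b, int n)
    {
        if (n < 20 || (b[0] >> 4) != 4) return null;   // not a full IPv4 header
        int headerLen = (b[0] & 0x0F) * 4;             // IHL is in 32-bit words
        int totalLen = (b[2] << 8) | b[3];             // network byte order
        if (headerLen < 20 || headerLen > n) return null;
        var src = new IPAddress(new[] { b[12], b[13], b[14], b[15] });
        var dst = new IPAddress(new[] { b[16], b[17], b[18], b[19] });
        return $"{src} -> {dst} proto={b[9]} ihl={headerLen} total={totalLen} captured={n}";
    }
}
```

The protocol number printed is the raw IP header field (6 is TCP, 17 is UDP); the transport header starts at offset `headerLen` in the buffer.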
 