Exetools
#1  10-23-2006, 06:03
aldente (VIP; joined Jul 2003; 266 posts)
Capturing Another Application's Network Traffic

Hi!

I am currently looking for an easy way to capture another application's network traffic in my program.

One way I found is the following: create a local proxy, start the other application and set it to use the proxy, as described on the following page: http://portswigger.net/misc/

But maybe someone knows a better method. It would be great to capture the network traffic (incoming only) WITHOUT administrator privileges, and even if the other application is ALREADY RUNNING.

Thank you for any advice!
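The local-proxy approach from the first post, as an added example (Python); this is not code from the thread or from the PortSwigger page it links. It runs entirely in user mode with no driver and no administrator rights: the target application is pointed at 127.0.0.1 and the proxy's listen port instead of the real server, and every chunk passing in either direction is recorded before it is forwarded. Assumed: the target has a proxy or host setting you can change, and it speaks plain (unencrypted) TCP. The upstream server and the request bytes used in demo() are constructed stand-ins.

```python
"""Logging TCP proxy: capture a target application's traffic in user mode.

Added example, not from the thread. Assumes the target can be configured to
connect to 127.0.0.1:<listen_port> and that its protocol is plain TCP.
"""
import socket
import threading


class LoggingProxy:
    """Accepts connections on a local port and relays them to `upstream`."""

    def __init__(self, upstream_host, upstream_port, listen_host="127.0.0.1", listen_port=0):
        self.upstream = (upstream_host, upstream_port)
        self.captured = []                # list of (direction, bytes)
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((listen_host, listen_port))   # port 0 = let the OS pick
        self._srv.listen(5)
        self.listen_port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:               # listener closed by close()
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        server = socket.create_connection(self.upstream)
        pumps = [threading.Thread(target=self._pump, args=(client, server, "C->S"), daemon=True),
                 threading.Thread(target=self._pump, args=(server, client, "S->C"), daemon=True)]
        for p in pumps:
            p.start()
        for p in pumps:
            p.join()
        client.close()
        server.close()

    def _pump(self, src, dst, direction):
        """Copy src -> dst, recording every chunk; stops at EOF or socket error."""
        while True:
            try:
                chunk = src.recv(4096)
            except OSError:
                chunk = b""
            if not chunk:
                break
            with self._lock:
                self.captured.append((direction, chunk))
            try:
                dst.sendall(chunk)
            except OSError:
                break
        try:
            dst.shutdown(socket.SHUT_WR)  # forward the half-close to the other side
        except OSError:
            pass

    def snapshot(self):
        with self._lock:
            return list(self.captured)

    def close(self):
        self._srv.close()


def incoming_bytes(captured):
    """Only what the target received (the 'incoming only' case from the post)."""
    return b"".join(chunk for direction, chunk in captured if direction == "S->C")


def _start_upstream():
    """Constructed stand-in for the real server: replies with the request upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096).upper())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(request=b"hello proxy\n"):
    """Run one constructed request through the proxy; returns (reply, captured chunks)."""
    proxy = LoggingProxy("127.0.0.1", _start_upstream())
    with socket.create_connection(("127.0.0.1", proxy.listen_port)) as c:
        c.sendall(request)
        reply = c.recv(4096)
    proxy.close()
    return reply, proxy.snapshot()


if __name__ == "__main__":
    for direction, chunk in demo()[1]:
        print(direction, chunk)
```

The limitation is the one the rest of the thread circles around: the proxy only sees connections the target chooses to send through it, so an application that ignores the proxy setting, or that is already running with open connections, is not covered.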
#2  10-23-2006, 14:22
Archer (retired; joined Aug 2005; 239 posts)
If the application is running and you don't have administrator rights, I don't think it's possible to sniff its traffic. On the other hand, if the application is running, you can use raw sockets (in Win 2000, XP, if I'm right) and sniff all the traffic, or you can inject a DLL into the process and reroute the procedure that handles traffic. There is an article by Kris Kaspersky about bypassing firewalls in exploits, where there are some ways for a worm to capture traffic from the exploited application. I think it may help, but it's in Russian. hxxp://www.sendspace.com/file/uhvxma
#3  10-24-2006, 02:11
D-Jester (VIP; joined Nov 2003; Ohio, USA; 269 posts)
I would suggest looking into WinPcap (http://www.winpcap.com), which is a packet capture library for Windows and is open source.

Tools like Ethereal, Wireshark, Nmap, Snort, ntop use WinPcap.

Whether or not you can use it without Admin priv is a good question.

(From the FAQ):
-------------------------------------------------------------------------
Q-7: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?

A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you execute a WinPcap-based application for the first time since the last reboot, you must be administrator. At the first execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use WinPcap to sniff the packets.

-------------------------------------------------------------------------

I suppose it is possible to bypass Windows security measures and install the driver, but that's not my speciality ;-)
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
#4  10-24-2006, 05:28
Mkz (Friend; joined Jan 2002; 98 posts)
If you're looking for a ready-to-use tool and don't want to develop your own code, another one you can look at, also WinPcap-based, is YATT (http://www.pocketsoap.com/yatt/).
It's pretty straightforward for seeing HTTP traffic, and doesn't require any changes in the target app. On the same site there are also a couple more tools for slightly different needs (SOAP, XML, ...).

As for the admin rights, after installing you can configure the WinPcap driver to start on boot, that way the user doesn't have to be admin to start it on-demand. Check here: http://www.winpcap.org/misc/faq.htm#Q-18

Last edited by Mkz; 10-24-2006 at 05:36. Reason: Comment on admin
#5  10-24-2006, 08:06
piccolo (Friend; joined Jul 2006; 28 posts)
Apart from WinPcap, where you need to install a lib, you can find various other tools. For example, AnalogX has a simple capture utility that can capture traffic (it is called PacketMon). But if you look around... Anyway, using Ethereal you've got an awesome package too, as already mentioned.
Another cool one that runs without a driver is BasicNetworkSniffer from planet-source-code; I just compiled it.
There is a thing called ethernetspy with source code, which is interesting to read (use Google).
There is also netcat, which is a basic sniffer that uses hooking, so no drivers are needed either.
One I really liked is poorsniff, which also doesn't need drivers. Be aware though that using raw packets can only be done under SP2 when you are not crafting packets (normally, although with hooking you might get it done anyway). Have fun.
Attached files: Sniffer.zip (183.8 KB), PoorSniffNetworkSniffer.zip (8.9 KB)
#6  10-24-2006, 15:22
MarkusO (guest)
@Big_or_what:
The question is what exactly you are trying to do:
- Do you have general admin access?
- Are you interested in the packets' data or in the packets themselves?
- How will the program you're capturing data from access the network?
- Will the program run at Ring-3 or Ring-0?
- Will the data be encrypted?
- How much traffic do you expect to be captured?
- What transport and communication protocol will be used?

If you can't answer these questions, nobody can help you.

(for example: the sniffers posted here mostly capture all network traffic, not only one application; if SSL is used, all capturing will be useless; if you like to capture IGMP, most sniffers won't even know it; ...)
#7  11-07-2006, 04:28
aldente (VIP; joined Jul 2003; 266 posts)
I could not log in to my account for quite a long time, so that's why it took me so long to answer.

Here are the answers to your questions:

Quote:
- Do you have general admin access?
Sure. But I wanted to design my tool so it works without administrator rights. That seems to be impossible though...

Quote:
- Are you interested in the packets' data or in the packets themself?
I want to access the packets content.

Quote:
- How will the program you're capturing data from access the network?
WinSocks.

Quote:
- Will the program run at Ring-3 or Ring-0?
It's a normal usermode-application.

Quote:
- Will the data be encrypted?
No, just unencrypted TCP-data.

Quote:
- How much traffic do you expect to be captured?
Very little.

Quote:
- What transport and communication protocol will be used?
Only TCP.


In the meantime I tried a network sniffer based on raw sockets and filtered out just the traffic of the target application. Anyway, the CPU load of this sniffer is quite high when there are other applications that produce network traffic (a 250 kb/s download makes a 3-4% CPU load in the sniffer tool).
Installing a driver for the sniffing application is NOT an option, so WinPcap can't be used.

Any other ideas of how to get the traffic besides raw sockets?
How about some Winsock tricks?
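The raw-socket approach the poster tried in post #7, as an added example (Python); this is not the poster's tool. A raw socket opened with SIO_RCVALL on Windows delivers every IP datagram on the interface with the IP header first (no Ethernet header), so the parser starts at the IP header. The point of the example is the cheap pre-filter: a frame is only decoded further when its protocol byte says TCP and its destination port is one of the target's local ports, which is what keeps the decode work proportional to the target's own traffic rather than to everything on the wire. Assumed: the target's local port set is known in advance (on Windows, from netstat -ano by PID, or a TCP-table lookup; not shown), and the sample frames, addresses and ports are constructed. The caveat from the thread stands: creating a SOCK_RAW socket on Windows requires administrator rights, so open_raw_capture() does not remove the privilege requirement and is not called in the demo.

```python
"""Filtering one application's traffic out of a raw IPv4 capture.

Added example, not from the thread. Assumes the target's local TCP ports are
known; the frames below are constructed, not captured.
"""
import socket
import struct
import sys

IPPROTO_TCP = 6
TARGET_IP = "192.168.1.10"     # constructed: the host running the target app
TARGET_PORT = 4321             # constructed: the target app's local TCP port


def quick_match(frame, local_ports, incoming_only=True):
    """Cheap pre-filter: IPv4 version, protocol byte and TCP ports only."""
    if len(frame) < 20 or (frame[0] >> 4) != 4 or frame[9] != IPPROTO_TCP:
        return False
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return dport in local_ports or (not incoming_only and sport in local_ports)


def parse_ipv4_tcp(frame):
    """Decode an IPv4+TCP datagram into (src_ip, sport, dst_ip, dport, payload).

    Returns None for anything that is not a well-formed IPv4 TCP datagram.
    """
    if len(frame) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_TCP or total_len > len(frame) or len(frame) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    payload = frame[ihl + data_off:total_len]
    return (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, payload)


def filter_for_app(frames, local_ports, incoming_only=True):
    """Decoded tuples for the target's TCP segments that actually carry data."""
    hits = []
    for frame in frames:
        if not quick_match(frame, local_ports, incoming_only):
            continue
        parsed = parse_ipv4_tcp(frame)
        if parsed and parsed[4]:
            hits.append(parsed)
    return hits


def build_ipv4_tcp(src_ip, sport, dst_ip, dport, payload=b"", proto=IPPROTO_TCP):
    """Constructed test datagram; checksums are left zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp + payload


def sample_frames():
    """Constructed capture: target traffic mixed with unrelated segments."""
    return [
        build_ipv4_tcp("93.184.216.34", 80, TARGET_IP, TARGET_PORT, b"HTTP/1.0 200 OK\r\n\r\nhi"),
        build_ipv4_tcp(TARGET_IP, TARGET_PORT, "93.184.216.34", 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_ipv4_tcp("93.184.216.34", 80, TARGET_IP, TARGET_PORT),             # bare ACK, no data
        build_ipv4_tcp("10.0.0.5", 443, TARGET_IP, 5555, b"\x16\x03\x01"),        # another app's port
        build_ipv4_tcp("10.0.0.5", 53, TARGET_IP, TARGET_PORT, b"x", proto=17),   # UDP, same port
    ]


def open_raw_capture(local_ip):
    """Windows-only capture socket. Creating SOCK_RAW needs administrator rights
    on Windows, so this is the step that cannot run unprivileged; not called here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((local_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    if sys.platform == "win32":
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)   # see every datagram on the interface
    return s


if __name__ == "__main__":
    for src, sp, dst, dp, data in filter_for_app(sample_frames(), {TARGET_PORT}):
        print(f"{src}:{sp} -> {dst}:{dp} {data!r}")
```

With a live socket the loop is `while True: frame = s.recv(65535)` followed by quick_match() and parse_ipv4_tcp() as above; the parser also ignores IP options and TCP options correctly because it honours the IHL and data-offset fields rather than assuming 20-byte headers.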
#8  11-07-2006, 19:36
MarkusO (guest)
In this case you might want to try "Ultra Network Sniffer" (http://www.gjpsoft.com/UltraNetSniffer/).

It only needs admin rights once to install the driver and it captures traffic based on applications.

And if you don't intend to buy the application, you might want to skip the strong RSA-1024 registration system and find the implementation error.
#9  11-07-2006, 20:46
aldente (VIP; joined Jul 2003; 266 posts)
As I said, I don't want any solution which requires a driver!

To make sure you got me right: I don't want a network sniffer for myself; CommView is just perfect for that purpose and I don't need anything else.

I want a solution which I can easily integrate into my own tool, and I don't want to distribute any drivers with my tool!

But I already wrote that in the first sentence of the first post of this thread!

Last edited by aldente; 11-07-2006 at 20:56.
#10  11-09-2006, 06:48
optimus_prime (guest)
Well, you already said in that same post that a proxy would be the easiest method, if you can set a proxy for the target app.

You opted out of WinPcap; that was another easy way. There was an app called "HTTP Analyzer"; it seemed pretty basic to me and did what you wanted. You could take a peek and reverse it.