I want to dump network traffic from any application in Windows. But I don't want to use any proxy or listen to socket. I just want to read it from memory.
I could do it with Strace in linux. Can you suggest a solution for Windows? As a result of my research, I found Echo Mirage. But I could not find which dll(winapi) uses this process.
Thanks...
Have you thought about using a system tool such as Network Monitor and filtering the resulting traffic down to your specific port ? The following implies that it's possible https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/
To get the winsock traffic you would want to hook the send & recv functions which are exported by ws2_32.dll and log the arguments.
If the traffic is HTTP you should use Fiddler.
For logging non HTTP traffic for a specific process on Windows the best tool (despite being deprecated) is Message Analyzer
I am writing a custom p2p program that runs on port 4900. In some cases when the person is behind a router, this port is not accessible from the internet.
Is there an automatic way of enabling the access to the port from the internet. I am not really sure of how other p2p applications work.
Can anyone please throw some light on this?
P2P connectivity in a nutshell. Assume we're talking about UDP here. The steps below can also be applied to TCP with some adjustments.
Enumerate all your local IP addresses (usually only 1). Create a UDP socket on a given port number** for each adapter with an IP address.
For each socket created in step 1, contact a STUN or TURN server with that same socket to discover your external IP address and to discover what the internal port number maps to outside of the NAT (it's not always the same port value). That is, your local address 192.168.1.2:4900 might be 128.11.12.13:8888 to the outside world. And some NATs don't always use the same port mapping when using the same local port to other IP addresses. TURN will also provide you a "relay address". You can also use UPNP to get a port mapped address directly from your router, if it supports that protocol.
Through a rendezvous service (SIP, XMPP, instant message, web service, email, cups with strings), publish your address candidate list to a service or send a notification to the other client that says, "hey, I want to connect with you". This message includes all the "address candidates" (ip and port pairs) collected in steps 1 and 2.
The remote client, upon receiving the invite to connect, performs step 1 and 2 above as well. Then sends back his candidate list through the same channel that he received the inviter's candidate list on.
Hole punching step. Both clients, start sending test messages over UDP to the other side's address candidates and listening for the same messages on their end. Whenever a messages is received, reply back to the address from which it came. Eventually, the clients will discover that they have a pair of addresses that they can reliably send datagrams too. Typically, one endpoint makes the final decision on which address pair (sockets) to communicate with and the protocol facilitates this endpoint telling the other endpoint this decision.
**- usually best to not to rely on a well known port for P2P clients. Because two clients behind the same NAT or firewall would not likely be able to use your software at the same time.
Here is a quick summary of some technologies to explore.
STUN - Is a simple server and protocol for clients behind a NAT/route to discover what their external IP and port mappings are.
TURN is an expansion to STUN, but supports relaying for P2P connectivity scenarios where firewalls and NATs prevent direct connections.
ICE is a set of steps by which STUN and TURN are used for setting up a P2P connection. ICE is a formal protocol for steps 1-5 above. Two excellent set of slides on ICE are here and here.
WebRTC is a variant of the ICE standard as well as a reference library for make P2P sessions with STUN and TURN.
UPNP + Internet Gateway Device Protocol - Some routers support this for hosts to automatically obtain port mappings.
libnice is an open source C library for Linux (and might work on windows) that implements ICE.
libjingle is another ICE implementation (in C++) from Google. For Windows and Linux.
PJNATH is a library within the PJSIP suite of coding libraries. It is a good implementation of an ICE stack (C code) and has been ported to a lot of platforms. (Windows, Linux, Mac, iOS, Symbian, and soon Android).
And finally, I have a blatant plug for you to use my STUN server code base.
There are solutions in some cases, see UPnP: https://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal
My home router allows this, basically, the NAT can be configured automatically by the proper request from the computer.
I would not count on this to provide a big improvement in your availability, because not that many routers both support that and have it enabled.
EDIT: #David suggested this SO question for a .NET library for UPnP: Is there a UPnP Library for .NET (C# or VB.NET)?
I would use WebRTC technology as an open source framework for such application.
Official Website
In fact it is an open source project which supports all necessary for peer-to-peer technologies out of the box:
ICE and STUN (NAT traversal)
DTLS and SRTP (security)
AVPF for quality of streaming.
This may be a little more complicated than what you're looking for, but TCP Hole Punching is a technique that should work. http://en.wikipedia.org/wiki/TCP_hole_punching
Alternatively, UPnP works great for routers / firewalls that support it.
You have another option that is NAT Port Mapping Protocol (NAT-PMP)
NAT-PMP is widely used by VoIP applications like Skype or BitTorrent P2P clients.
For the simple beginnig I would recommend to see hole punching technique. Great video here. But be sure it will not always work relating the network topology. This solves the ICE technique which discovers how connection could be established.
How can I catch TCP SYNC events for particular socket in .NET?
I want to be able to fire off a method which will detect if request for SFTP data transfer is made and on completion to do some action like notification or logging.
Presuming that the socket you want to detect the open and close of is not one your program is responsible for itself, but some other process on the system is handling it, the best way may be to use the winpcap library. winpcap allows you to subscribe to a raw feed of all IP packets coming into and going out of your network interfaces. You c an also provide a filter such as "Only show me TCP packets on port 22". Your program receives the raw packets so you get the ethernet header, followed by the IP header, followed by the TCP header, followed by the data payload (payload will be encrypted for SFTP). Analyising these packets you will be able to detect the TCP handshake on connect and know the IP and port that is connecting and detect when the TCP steam is closed.
I don't use .NET myself, but I did find this winpcap wrapper for .NET on Google which should allow you to use winpcap from your .NET application.
WinPCAP.NET Wrapper
I am using the UDPClient class to send and receive messages on my loopback address. The executables are also interacting with each other. But why doesnt the traffic appear in wireshark?
BTW I am running windows inside parallels on OSX and can select only 1 interface that is my intel pro net network card in wireshark.
Here's the key phrase:
on my loopback address
The loopback address is a complete additional interface, not just an address. Wireshark is configured to listen on a specific interface, and I'm guessing the loopback interface is not it.
The loopback traffic is not captured by the Net Packet Filter driver.
One workaround is to send it to the IP address of your Intel Pro NIC. In my experience, this is enough to hit the NPF capture driver and show up in Wireshark. (Well, to be accurate, my experience in that matter doesn't involve a VM so YMMV).
Of course, the listener should be bound to that NIC IP to receive the packets (and not only to localhost).
Basically, I want to know how can I intercept/sniff all tcp/udp network traffic for some specific application like the tunneling applications do? For example ProxyCap allows to tunnel all traffic for specific application to some proxy. So as I can understand those programs can intercept all traffic before they change/reroute it.
I've tried using winpcap but even Wireshark. But it doesn't work if you have proxycap installed. I mean, it does not capture application traffic:
Traffic from my program intercepted by the ProxyCap
ProxyCap redirects it all to localhost proxy
My localhost proxy is actually a Your-Freedom gateway proxy
Your-freedom proxy sends traffic to their servers (traffic goes to internet).
When I start Wireshark sniffing (which is based on winpcap driver) I see only traffic from step #4 (when it goes to the internet). And this traffic is not raw (it's packed/encoded) so it doesn't work for me to sniff it.
So since I need to sniff all the traffic I thought that I either find a way to sniff before ProxyCap (or after it, but I don't think it's possible since traffic redirected to the loopback proxy).
I want to ask you guys - is there a way to intercept/sniff traffic like ProxyCap (or other tunneling applications) do?