{"id":13826528,"url":"https://github.com/nospaceships/raw-socket-sniffer","last_synced_at":"2025-04-12T21:18:08.684Z","repository":{"id":37646022,"uuid":"148375778","full_name":"nospaceships/raw-socket-sniffer","owner":"nospaceships","description":"Packet capture on Windows without a kernel driver","archived":false,"fork":false,"pushed_at":"2018-10-01T21:24:32.000Z","size":29,"stargazers_count":184,"open_issues_count":0,"forks_count":46,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-12T21:18:03.302Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nospaceships.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-09-11T20:24:47.000Z","updated_at":"2025-03-28T11:10:39.000Z","dependencies_parsed_at":"2022-07-12T16:42:13.437Z","dependency_job_id":null,"html_url":"https://github.com/nospaceships/raw-socket-sniffer","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nospaceships%2Fraw-socket-sniffer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nospaceships%2Fraw-socket-sniffer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nospaceships%2Fraw-socket-sniffer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nospaceships%2Fraw-socket-sniffer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nospaceships","download_url":"https://codeload.github.com/nospaceships/raw-socket-sniffer/tar.gz/ref
s/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248631779,"owners_count":21136563,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T09:01:39.767Z","updated_at":"2025-04-12T21:18:08.652Z","avatar_url":"https://github.com/nospaceships.png","language":"C","funding_links":[],"categories":["\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具","Operating Systems"],"sub_categories":["\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003e嗅探\u0026\u0026Sniff","Windows"],"readme":"\n# raw-socket-sniffer\n\nThis repository contains several programs which demonstrate how to capture IP\npackets on Windows using just raw sockets.\n\nThe programs require no additional software, such as WinPCAP or npcap, and will\nsimply use existing operating system functionality.\n\nEach program saves captured packets to a file in PCAP format so that it can be\nopened on a separate host with a tool such as Wireshark.\n\nAn implementation in PowerShell and the C programming language is given.  The\nC program is considerably faster than the PowerShell program, and it also has\nthe advantage that Windows Firewall can grant permissions to a specific program\ninstead of all programs run by `PowerShell.exe`.\n\n# Ethernet Headers\n\nThe programs in this repository use raw sockets to capture IP packets.  A side\neffect of this is that no ethernet header is included in the data received.  
If\nit is required to capture ethernet header data then another tool should be used.\n\nSince these programs produce PCAP files, and PCAP files include fully formed\npackets, a fake ethernet header is synthesized for each packet using the all\nzeros source and destination ethernet addresses.\n\nThis does not affect other protocol layers, and, for example, TCP streams\ncan still be reassembled, and IP layer source and destination addresses are\nall still valid.\n\n# PowerShell Implementation\n\nTransfer the `raw-socket-sniffer.ps1` program to the host on which packet\ncapture should be performed.  Then run the following command to capture packets:\n\n    PowerShell.exe -ExecutionPolicy bypass raw-socket-sniffer.ps1 \"127.0.0.1\" \"capture.cap\"\n\nReplace `127.0.0.1` with an IP address from the network interface for which\npackets should be captured, and the file `capture.cap` with the name of the\nfile to which to write packets.\n\nIf the Windows Firewall is enabled it will likely require an update to allow\nboth inbound and outbound packets to be captured.  
For the PowerShell script\nthe `PowerShell.exe` program must be permitted similar to the following:\n\n    netsh advfirewall firewall add rule name=\"Windows PowerShell\" dir=\"in\" action=\"allow\" program=\"%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"\n\n**NOTE** This may not be desired, in which case the C program should be\nconsidered so that the firewall permission can be given only to the single\ncompiled C program.\n\nOnce finished, simply press `CTRL+C` to stop the program.\n\nTransfer the `capture.cap` to a host with Wireshark installed (or another\nsimilar program), and then open the `capture.cap` file.\n\n# C Implementation\n\nOnce the project has been checked out, simply run the following command to\ncompile the C program:\n\n    cd \u003crepository\u003e\n    nmake\n\nThe file `raw-socket-sniffer.exe` will be placed into the root of the\nrepository.\n\nTransfer the `raw-socket-sniffer.exe` program to the host on which packet\ncapture should be performed.  Then run the following command to capture packets:\n\n    raw-socket-sniffer.exe 127.0.0.1 capture.cap\n\nReplace `127.0.0.1` with an IP address from the network interface for which\npackets should be captured, and the file `capture.cap` with the name of the\nfile to which to write packets.\n\nIf the Windows Firewall is enabled it will likely require an update to allow\nboth inbound and outbound packets to be captured.  
For the C program it must be\npermitted similar to the following (here the `raw-socket-sniffer.exe` program\nshould be specified as its full path):\n\n    netsh advfirewall firewall add rule name=\"Windows PowerShell\" dir=\"in\" action=\"allow\" program=\"\u003cpath-to\u003e\\raw-socket-sniffer.exe\"\n\nOnce finished simply press `CTRL+C` to stop the program.\n\nTransfer the `capture.cap` to a host with Wireshark installed (or another\nsimilar program), and then open the `capture.cap` file.\n\n# Changes\n\n## Version 1.0.0 - 12/09/2018\n\n * Initial version\n\n## Version 2.0.0 - 20/09/2018\n\n * Document how ethernet headers are synthesized and why\n * Review standard compile options\n * Document firewall requirement\n * Implement a PowerShell raw socket sniffer\n\n## Version 2.0.1 - 21/09/2018\n\n * Correct various typos in source comments and the README.md\n\n## Version 2.1.0 - 01/10/2018\n\n * Minor updates to the README.md file\n * Output PCAP packet header and packet data in a single write() to prevent\n   corruption on exception\n\n# License\n\nCopyright 2018 NoSpaceships Ltd\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies\nof the Software, and to permit persons to whom the Software is furnished to do\nso, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnospaceships%2Fraw-socket-sniffer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnospaceships%2Fraw-socket-sniffer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnospaceships%2Fraw-socket-sniffer/lists"}