I. What is SnifferFox
II. How SnifferFox works
III. SnifferFox directory structure
IV. SnifferFox function description
V. SnifferFox features
VI. Extending SnifferFox
VII. Authors
VIII. Conclusion
I. What is SnifferFox
SnifferFox is a packet sniffer for the Windows platform. It captures every packet that passes through a selected network card of the local computer, decodes the packets and collects statistics on them.
SnifferFox is built on WinPcap, an open source project. We chose it because it delivers the raw frames: a Windows socket works at the IP layer and cannot see ARP or RARP packets, so sockets were not used. WinPcap must therefore be installed before SnifferFox (it ships a kernel-mode capture driver, so installing it needs administrator rights); without it SnifferFox reports that no network card can be found.
We chose Borland C++Builder to develop the sniffer. After nearly two months of work we wrote nearly 6,000 lines of code (docs/codestat.txt has detailed statistics), and the software is now basically complete, so we are releasing its Alpha version. There may still be many errors we have not discovered; these will be corrected in future versions.
SnifferFox is free and is "green" software: it needs neither installation nor registration. We promise that the program itself never modifies your computer's registry, and it can be run directly from its folder (an installation package is provided only for convenience). Note that WinPcap, which must be installed separately, does install a driver and the registry entries that register it as a service.
II. Working Principle of SnifferFox
The software first puts the network card into promiscuous mode, so that the card hands over every frame it sees rather than only those addressed to it. It then reads the frames the card receives, decodes each one according to the TCP/IP protocol stack, discards the packets that the user's filters reject, and writes the remaining packets into a buffer (a memory block of a size the user can set according to the computer's memory) while showing them in the user interface. When the buffer is full, its contents are automatically written out to external storage.
The picture below is a simple illustration.
SnifferFox is a multi-threaded system. It is designed as three threads (only two were actually used in the implementation): the packet capture thread (Sniffer Thread), the protocol analysis and filtering thread, and the user interface. Because capture works at the data link layer, SnifferFox receives the raw frame, which is why it can support link-layer protocols such as ARP and RARP.
Because the volume of data captured by a sniffer is large, keeping every packet in memory is unrealistic, so we borrow two operating-system concepts, Cache and Buffer. The Cache is a linked list that holds packets temporarily. To avoid burdening the user's computer, its maximum length is limited to 5000 entries; when the list reaches the upper limit the user has set, its contents are written to the Buffer and the Cache is cleared.
The Buffer is a binary file made up of consecutive packets; we call each packet a record. Records are of variable length because the size of a packet is not known in advance.
A record has four parts: ID (4 bytes), segment offset (4 bytes), data frame related information (16 bytes) and data (variable length, computable from the formula in the figure). The segment offset is the total record length and is what determines where the record ends and the next record begins; with a 24-byte header, the data length is the record length minus 24. Since the length field is read from the file, a reader must check it against the bytes actually remaining before seeking by it: otherwise a corrupt or deliberately crafted .sni file can send the reader outside the buffer.
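The record layout described above, as an added example that is not SnifferFox's own code: a writer and a bounds-checked reader for a Buffer image. It assumes little-endian integer fields (x86 Windows). The meaning of the 16-byte frame-information block (timestamp seconds and microseconds, captured length, original length) is an assumption modelled on the pcap record header, since the text does not spell it out; the two records built in sample_buffer() are constructed, not real capture data.

```cpp
// Added example, not SnifferFox code: a writer and a bounds-checked reader for
// the Buffer record layout described above. Assumes little-endian integer
// fields (x86 Windows); the meaning of the 16-byte frame-info block is an
// assumption modelled on the pcap record header, since the text does not
// spell it out.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

struct FrameInfo {      // the 16-byte "data frame related information" block (assumed layout)
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t caplen;    // bytes actually captured
    uint32_t origlen;   // bytes on the wire
};

struct Record {
    uint32_t id;
    FrameInfo info;
    std::vector<uint8_t> data;
};

static const size_t kHeaderLen = 4 + 4 + 16;   // ID + record length + frame info = 24 bytes

static void put_u32le(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}
static uint32_t get_u32le(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Append one record. The length field covers the whole record including its
// 24-byte header; that is what lets a reader locate the next record.
void append_record(std::vector<uint8_t>& buf, const Record& r) {
    put_u32le(buf, r.id);
    put_u32le(buf, static_cast<uint32_t>(kHeaderLen + r.data.size()));
    put_u32le(buf, r.info.ts_sec);
    put_u32le(buf, r.info.ts_usec);
    put_u32le(buf, r.info.caplen);
    put_u32le(buf, r.info.origlen);
    buf.insert(buf.end(), r.data.begin(), r.data.end());
}

// Walk a Buffer image record by record. The length field comes from the file,
// so it is validated before use: a truncated or corrupt .sni file throws
// instead of sending the reader past the end of the buffer.
std::vector<Record> read_records(const std::vector<uint8_t>& buf) {
    std::vector<Record> out;
    size_t off = 0;
    while (off < buf.size()) {
        if (buf.size() - off < kHeaderLen)
            throw std::runtime_error("truncated record header at offset " + std::to_string(off));
        const uint8_t* p = &buf[off];
        uint32_t len = get_u32le(p + 4);
        if (len < kHeaderLen || len > buf.size() - off)
            throw std::runtime_error("bad record length at offset " + std::to_string(off));
        Record r;
        r.id = get_u32le(p);
        r.info.ts_sec = get_u32le(p + 8);
        r.info.ts_usec = get_u32le(p + 12);
        r.info.caplen = get_u32le(p + 16);
        r.info.origlen = get_u32le(p + 20);
        r.data.assign(p + kHeaderLen, p + len);   // data length = record length - 24
        out.push_back(r);
        off += len;
    }
    return out;
}

// Two constructed records (not real capture data) for trying the functions.
std::vector<uint8_t> sample_buffer() {
    std::vector<uint8_t> buf;
    Record a; a.id = 1; a.info = {1000, 250, 3, 3}; a.data = {0xAA, 0xBB, 0xCC};
    Record b; b.id = 2; b.info = {1000, 900, 1, 60}; b.data = {0x01};   // one byte kept of a 60-byte frame
    append_record(buf, a);
    append_record(buf, b);
    return buf;
}

int main() {
    for (const Record& r : read_records(sample_buffer()))
        printf("record %u: %zu data bytes (%u on the wire)\n", r.id, r.data.size(), r.info.origlen);
    return 0;
}
```

Both checks in read_records matter: the first catches a file cut off in the middle of a header, the second a length field that is smaller than the header (which would otherwise loop forever on the same offset) or larger than what is left of the file.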
III. SnifferFox Directory Structure
The directory structures of the release version and the development version differ: the development tree has more directories and is more complex, but every directory of the release version also exists in the development version. Only the development tree is described here; compare it with the release version as needed (see docs/dir.txt).
+SnifferFox
  +Bin      compiled binaries and the dynamic link library files
  +Config   configuration files
  +Images   pictures
  +Obj      intermediate files generated by the compiler
  +Docs     documentation
  +Project  project directory
  +Core     core code, mainly the self-defined data structures and their implementation
  +Gui      code implementing the graphical interface
  +Lang     multi-language support
  +Cache    cache directory for temporary files
  +3Com     third-party controls used by the system
  +Save     user directory for saved user files
IV. SnifferFox function description
1. Packet capture. The user selects one of the computer's network cards, and SnifferFox captures every packet passing through it. Captured packets are listed with their summary information, and the details of a selected packet are shown in a panel on request.
2. Packet filtering. The captured packets can be filtered down to those of interest. Two filters are available, a protocol filter and an IP address filter, and they are applied together: only packets that satisfy both are retained; all others are discarded. Filtering is done in the analysis thread after capture, so it reduces what is stored and displayed, not what the card and the capture thread have to handle.
3. Packet statistics. To show how the captured packets are distributed, SnifferFox counts the packets of each protocol at each protocol layer and displays the counts and percentages as a chart.
4. Protocol analysis. Each packet is decoded and displayed according to its type. SnifferFox supports a large number of protocols, from the data link layer up to the application layer.
Protocols below the application layer are decoded in detail, every field of the header being extracted. At the application layer, 112 protocols are currently identified; since there are so many application protocols and each is complex, they are not decoded in depth.
5. Smart sorting. To help users find a given packet quickly, the list can be sorted: once capture is stopped, clicking a column heading sorts the list by that column in ascending order, and clicking it again reverses the order.
6. Network card detection. The system detects the number of network cards in the computer (including virtual cards), lists them dynamically in a menu, and shows each card's details.
7. Running as a daemon. In testing, SnifferFox ran for several days without crashing, so it can be used as a dedicated capture program and run like a daemon process. This has limits: when the captured volume reaches several gigabytes it struggles, because in this version the Buffer file is not split into chunks. That feature may be added in a future version.
8. Dynamic status display. So that capture does not interfere with the user's other work, SnifferFox can be minimized; it then disappears from the taskbar and shows only a small tray icon, which flashes while capture is running and stops when capture stops. A small floating window, placed at the top of the screen by default, also shows the system status.
9. Saving and loading packets. Captured packets can be saved to a file of the user's choice (extension .sni) and loaded again in SnifferFox when needed. A loaded file is viewed exactly as a live capture is, and the user can choose which page to view (the list is paged dynamically, and the number of records per page is configurable).
10. Stored options. User and system options are saved in config/config.ini, an INI file. Whenever a user setting (interface, language, and so on) is changed, the change is recorded in the file and applied automatically the next time the system starts.
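The decoding and filtering described in items 2 and 4 above, as an added example that is not SnifferFox's own code: a bounds-checked decoder that takes a raw Ethernet frame down to the transport ports, and the protocol filter and IP filter applied together with AND. The frames produced by sample_frames() are constructed by hand (the MAC and IP addresses are made up), not captured traffic, and the field names are this example's, not SnifferFox's.

```cpp
// Added example, not SnifferFox code: decoding a raw Ethernet frame down to
// the transport header and applying the protocol filter AND the IP filter.
// The sample frames below are constructed by hand, not captured traffic.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Summary {
    std::string proto = "ETH";         // innermost protocol recognised, or RUNT if a header was truncated
    uint32_t src_ip = 0, dst_ip = 0;   // host byte order; 0 when the frame carries no IPv4 address
    uint16_t src_port = 0, dst_port = 0;
};

static uint16_t be16(const uint8_t* p) { return uint16_t(p[0]) << 8 | p[1]; }
static uint32_t be32(const uint8_t* p) { return uint32_t(be16(p)) << 16 | be16(p + 2); }

// Every header is length-checked before it is read: a sniffer sees whatever
// the wire delivers, including frames built to overflow a careless decoder.
Summary decode(const std::vector<uint8_t>& f) {
    Summary s;
    if (f.size() < 14) { s.proto = "RUNT"; return s; }
    uint16_t ethertype = be16(&f[12]);
    const uint8_t* p = &f[14];
    size_t rem = f.size() - 14;
    if (ethertype == 0x0806 || ethertype == 0x8035) {            // ARP / RARP
        s.proto = ethertype == 0x0806 ? "ARP" : "RARP";
        if (rem >= 28 && be16(p + 2) == 0x0800 && p[5] == 4) {    // IPv4 sender/target at 14 and 24
            s.src_ip = be32(p + 14); s.dst_ip = be32(p + 24);
        }
        return s;
    }
    if (ethertype != 0x0800) return s;                             // not IPv4: stop at "ETH"
    if (rem < 20 || (p[0] >> 4) != 4) { s.proto = "RUNT"; return s; }
    size_t ihl = (p[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > rem) { s.proto = "RUNT"; return s; }
    s.proto = "IP";
    s.src_ip = be32(p + 12); s.dst_ip = be32(p + 16);
    if ((be16(p + 6) & 0x1FFF) != 0) return s;                     // later fragment: no transport header
    uint8_t ipproto = p[9];
    const uint8_t* t = p + ihl;
    size_t trem = rem - ihl;
    if (ipproto == 1) { s.proto = "ICMP"; return s; }
    if (ipproto != 6 && ipproto != 17) return s;
    if (trem < (ipproto == 6 ? 20u : 8u)) { s.proto = "RUNT"; return s; }
    s.proto = ipproto == 6 ? "TCP" : "UDP";
    s.src_port = be16(t); s.dst_port = be16(t + 2);
    return s;
}

// The two SnifferFox filters, combined with AND: a packet must satisfy both.
struct Filter {
    std::vector<std::string> protos;   // empty = any protocol
    std::vector<uint32_t> ips;         // empty = any address; else src or dst must match
};
bool passes(const Summary& s, const Filter& fl) {
    bool proto_ok = fl.protos.empty(), ip_ok = fl.ips.empty();
    for (const std::string& p : fl.protos) proto_ok = proto_ok || p == s.proto;
    for (uint32_t ip : fl.ips) ip_ok = ip_ok || ip == s.src_ip || ip == s.dst_ip;
    return proto_ok && ip_ok;
}

// ---- constructed sample frames (made-up addresses) ----
static void push16(std::vector<uint8_t>& v, uint16_t x) { v.push_back(x >> 8); v.push_back(x & 0xFF); }
static void push32(std::vector<uint8_t>& v, uint32_t x) { push16(v, x >> 16); push16(v, x & 0xFFFF); }
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) { return uint32_t(a) << 24 | uint32_t(b) << 16 | uint32_t(c) << 8 | d; }
std::vector<uint8_t> eth_frame(uint16_t ethertype, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> f = {0,0x11,0x22,0x33,0x44,0x55, 0,0xAA,0xBB,0xCC,0xDD,0xEE};   // dst MAC, src MAC
    push16(f, ethertype); f.insert(f.end(), payload.begin(), payload.end()); return f;
}
std::vector<uint8_t> ipv4_packet(uint8_t proto, uint32_t src, uint32_t dst, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> p = {0x45, 0}; push16(p, uint16_t(20 + payload.size()));
    push16(p, 0x1234); push16(p, 0x4000);                // id; DF set, fragment offset 0
    p.push_back(64); p.push_back(proto); push16(p, 0);   // ttl, protocol, checksum (not verified here)
    push32(p, src); push32(p, dst); p.insert(p.end(), payload.begin(), payload.end()); return p;
}
std::vector<uint8_t> transport_hdr(uint16_t sport, uint16_t dport, size_t hdrlen) {
    std::vector<uint8_t> t; push16(t, sport); push16(t, dport); t.resize(hdrlen, 0); return t;
}
std::vector<uint8_t> arp_request(uint32_t sender, uint32_t target) {
    std::vector<uint8_t> a = {0,1, 8,0, 6, 4, 0,1, 0,0x11,0x22,0x33,0x44,0x55};   // Ethernet/IPv4, opcode 1
    push32(a, sender); a.resize(a.size() + 6, 0); push32(a, target); return a;
}
std::vector<std::vector<uint8_t>> sample_frames() {
    uint32_t host = ip4(192,168,1,10), gw = ip4(192,168,1,1), web = ip4(10,0,0,5), dns = ip4(8,8,8,8);
    return { eth_frame(0x0806, arp_request(host, gw)),
             eth_frame(0x0800, ipv4_packet(6, host, web, transport_hdr(40000, 80, 20))),
             eth_frame(0x0800, ipv4_packet(17, ip4(192,168,1,20), dns, transport_hdr(5353, 53, 8))),
             std::vector<uint8_t>(10, 0) };                       // runt: shorter than an Ethernet header
}

int main() {
    Filter only_host;                                 // protocol filter empty, IP filter = 192.168.1.10
    only_host.ips.push_back(ip4(192,168,1,10));
    for (const auto& f : sample_frames()) {
        Summary s = decode(f);
        printf("%-4s %08x -> %08x %5u -> %5u  %s\n", s.proto.c_str(), s.src_ip, s.dst_ip,
               s.src_port, s.dst_port, passes(s, only_host) ? "kept" : "dropped");
    }
    return 0;
}
```

The ARP branch is what a socket-based sniffer cannot provide; because the decoder starts from the Ethernet header it sees ARP and RARP as easily as IP. The checks on the IHL and on the fragment offset are the two that are most often forgotten and most often exercised by malformed traffic.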
V. SnifferFox Features
1. Simple and practical. Simplicity is our goal. Although the design and implementation of the system are fairly complex, what the user sees should be a simple and practical system.
2. Attractive interface
The interface speaks for itself. The system ships with 5 sets of standard skins (WinXP, MacOS, Protein, DeepBlue, BlueGrass), and the skin can be switched completely and immediately, without restarting the system (thanks to our third-party controls).
3. Multi-language support. This was considered when the system was designed, so SnifferFox supports multiple languages and is easy to extend: adding a language requires only translating the Lang/english files into the target language, with no change to the program. Chinese and English are provided and can be switched easily.
4. Good extensibility. Extensibility was considered for language, interface and protocols, so developing a new version on top of this one is relatively easy and reuses the existing code well.
5. Convenient operation. We gave this a lot of thought and tried to make the system's operation match what people are used to, so that users find it convenient and easy to use.
6. Wide protocol coverage. On Ethernet, SnifferFox decodes almost every protocol below the application layer in the TCP/IP family and recognizes 112 application-layer protocols.
VI. Extend SnifferFox
Extending SnifferFox is not easy unless you know its structure well, and this document alone is not enough for that. It can be extended in three areas:
1. Protocol extension
SnifferFox's analysis is designed and implemented in an object-oriented way, so adding a protocol means writing a corresponding protocol-analysis class and then connecting it into the main program. This requires a detailed understanding of the current system structure.
2. Interface extension is done by changing the third-party control SUIPack (3Com directory). See the SUIPack documentation for details.
3. Language extension. This is the simplest extension in SnifferFox: just translate the Lang/english files directly.
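One way to organise protocol analysis so that a new protocol really is one new class plus one registration line, as an added example that is not SnifferFox's code and does not describe its actual class layout. The class names (ProtocolAnalyzer, AnalyzerRegistry, DnsAnalyzer), the port-based lookup of application-layer analyzers and the DNS query in sample_dns_query() are all this example's own assumptions; the DNS header and question layout follows RFC 1035 section 4.1.

```cpp
// Added example, not SnifferFox code: one way to organise protocol analysis
// as classes so that a new protocol is a new class plus one registration
// line. The class names, the port-based lookup and the sample DNS query are
// this example's assumptions, not SnifferFox's.
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Field { std::string name, value; };

class ProtocolAnalyzer {
public:
    virtual ~ProtocolAnalyzer() {}
    virtual std::string name() const = 0;
    // Decoded header fields, or an empty list if the bytes are not a valid header.
    virtual std::vector<Field> analyze(const uint8_t* p, size_t len) const = 0;
};

// Application-layer analyzers are looked up by transport port: destination
// port first (client -> server), then source port (server -> client).
class AnalyzerRegistry {
    std::map<uint16_t, std::unique_ptr<ProtocolAnalyzer>> by_port_;
public:
    void add(uint16_t port, std::unique_ptr<ProtocolAnalyzer> a) { by_port_[port] = std::move(a); }
    const ProtocolAnalyzer* find(uint16_t sport, uint16_t dport) const {
        auto it = by_port_.find(dport);
        if (it == by_port_.end()) it = by_port_.find(sport);
        return it == by_port_.end() ? nullptr : it->second.get();
    }
};

static uint16_t be16(const uint8_t* p) { return uint16_t(p[0]) << 8 | p[1]; }

// The "new" protocol: a decoder for the DNS header and first question (RFC 1035 4.1).
class DnsAnalyzer : public ProtocolAnalyzer {
public:
    std::string name() const override { return "DNS"; }
    std::vector<Field> analyze(const uint8_t* p, size_t len) const override {
        if (len < 12) return {};
        uint16_t flags = be16(p + 2);
        std::vector<Field> out = {
            {"id", std::to_string(be16(p))},
            {"qr", (flags & 0x8000) ? "response" : "query"},
            {"opcode", std::to_string((flags >> 11) & 0xF)},
            {"rcode", std::to_string(flags & 0xF)},
            {"qdcount", std::to_string(be16(p + 4))},
            {"ancount", std::to_string(be16(p + 6))}};
        if (be16(p + 4) == 0) return out;
        // QNAME: length-prefixed labels ending in a zero byte. Each label length is
        // checked against the buffer, and a compression pointer (top two bits set)
        // is not followed, so a crafted pointer loop cannot hang the decoder.
        std::string qname; size_t i = 12;
        while (i < len && p[i] != 0) {
            uint8_t l = p[i];
            if ((l & 0xC0) != 0 || i + 1 + l > len) return out;   // pointer or truncated label
            if (!qname.empty()) qname += '.';
            qname.append(reinterpret_cast<const char*>(p + i + 1), l);
            i += 1 + l;
        }
        if (i + 5 > len) return out;                               // zero byte + qtype + qclass
        out.push_back({"qname", qname});
        out.push_back({"qtype", std::to_string(be16(p + i + 1))});
        return out;
    }
};

AnalyzerRegistry default_registry() {
    AnalyzerRegistry r;
    r.add(53, std::unique_ptr<ProtocolAnalyzer>(new DnsAnalyzer()));   // adding a protocol: one line here
    return r;
}

// Identify the application protocol of a TCP/UDP payload and decode it;
// "unknown" for ports with no registered analyzer (fields left empty).
std::string identify(const AnalyzerRegistry& r, uint16_t sport, uint16_t dport,
                     const std::vector<uint8_t>& payload, std::vector<Field>& fields) {
    fields.clear();
    const ProtocolAnalyzer* a = r.find(sport, dport);
    if (!a) return "unknown";
    fields = a->analyze(payload.data(), payload.size());
    return a->name();
}

std::string field(const std::vector<Field>& fields, const std::string& name) {
    for (const Field& f : fields) if (f.name == name) return f.value;
    return "";
}

// Constructed sample: a standard query for example.com, type A, RD set.
std::vector<uint8_t> sample_dns_query() {
    return {0x1A,0x2B, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
            7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1};
}
```

Identifying a protocol by port, as this registry does, is only a guess about what the payload is; the analyzer therefore treats the bytes as untrusted and returns the fields it could decode rather than assuming the rest of the message is well formed.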
VII. Author
FoxBackBone Team: zhengsh, gourf
VIII. Conclusion
SnifferFox is only a small program, yet this document covers only a small part of it. To understand it in detail the document is not enough; the only further reading is the source code, because we did not have much time to write up the system design in detail.
If you have any suggestions or ideas after using SnifferFox, whether praise, criticism or anything else, please send them to shaohui_1983#163.com or gouruifeng_529#sohu.com. Thank you for your support.
The program also uses the SUIPack component and WinPcap; please download them from this site.