Magenta Systems Internet Packet Monitoring Components are a set of Delphi components designed to capture and monitor internet packets using either raw sockets or the WinPcap device driver. Hardware permitting, ethernet packets may be captured and interpreted, and statistics maintained about the traffic. Uses of packet monitoring include totalling internet traffic by IP address and service, monitoring external or internal IP addresses and services accessed, network diagnostics, and many other applications. The component includes two demonstration applications, one that displays raw packets, the other that totals internet traffic. The components include various filters to reduce the number of packets that need to be processed, by allowing specific IP addresses to be ignored, LAN mask to ignore local traffic, and ignore non-IP traffic such as ARP.
The components capture packets using two different techniques, with differing benefits and features:
1 - Raw sockets which are available with Windows 2000 and later. This uses WSocket V6 from the François Piette internet component suite, from
http://www.overbyte.be/. Major benefit is that no other software needs to be installed, but raw sockets don't seem to work fully with some network adaptors, and ignore non-IP protocols. Some adaptors may capture received packets, but ignore anything sent.
2 - WinPcap (Windows Packet Library) device driver, needs to be installed (it installs two small DLLs and a driver), but captures all packets including non-IP. WinPcap may be downloaded from
http://www.winpcap.org/, and version 4.0.2 is included in this package. Note the Delphi WinPcap pcap.pas and packet32.pas modules were originally written by Lars Peter Christiansen, but have several bug fixes and many new features. In theory WinPcap will run on Windows 9x, but it's not been tested. Use of the latest WinPcap version 4.0.2 9th November 2007 is strongly recommended, but the component also supports older versions 3.1 5th August 2005 and 3.0 10 February 2003.
Component Overview
There are two main low level components, TMonitorSocket in monsock.pas which supports raw window sockets, and TMonitorPcap in monpcap.pas that supports WinPcap. Both have very similar properties and return ethernet packets using identical events, formatted identically, allowing the same application to use either or both low level components. There are subtle differences, raw sockets monitors a specific IP address, whereas WinPcap monitors all traffic on an adaptor. Both may potentially monitor traffic other than the local PC, depending on LAN structure. Common functions and declarations are in packhdrs.pas
Common Types
TMacAddr = array [0..5] of byte ; // a MAC address
// record used to return packet to application for both raw sockets and winpcap
TPacketInfo = record
PacketLen: integer ; // total length of packet
EtherProto: word ; // ethernet protocol
EtherSrc: TMacAddr ; // ethernet MAC addresses
EtherDest: TMacAddr ;
AddrSrc: TInAddr ; // IP addresses are 32-bit binary
AddrDest: TInAddr ;
PortSrc: integer ; // transport layer ports
PortDest: integer ;
ProtoType: byte ; // transport layer protocol
TcpFlags: word ; // TCP/IP packet type flags
SendFlag: boolean ; // true if packet being sent from local IP
IcmpType: byte ; // ICMP packet type
DataLen: integer ; // length of data (less headers)
DataBuf: string ; // packet data (may be blank even if datalen<>0)
PacketDT: TDateTime ; // when packet was captured
end ;
TPacketEvent = procedure (Sender: TObject; PacketInfo: TPacketInfo) of object;
// record used for maintaining traffic statistics
TTrafficInfo = packed record
AddrLoc: TInAddr ; // IP addresses are 32-bit binary
AddrRem: TInAddr ;
ServPort: word ; // service port
PackType: word ; // protocol or packet type, TCP, UDP, ARP, ICMP, etc
HostLoc: string ; // host domains for IP addresses, if available
HostRem: string ;
ServName: string ; // looked up
BytesSent: int64 ; // traffic
BytesRecv: int64 ;
PacksSent: integer ;
PacksRecv: integer ;
LookupAttempts: integer ; // how many host name lookup attempts
FirstDT: TDateTime ; // when this traffic started
LastDT: TDateTime ; // last traffic update
end ;
PTrafficInfo = ^TTrafficInfo ;
TServiceInfo = packed record
ServPort: word ; // service port
PackType: word ; // protocol or packet type, TCP, UDP, ARP, ICMP, etc
ServName: string ; // looked up
TotalHosts: integer;// how many different hosts for this service
BytesSent: int64 ; // traffic
BytesRecv: int64 ;
PacksSent: integer ;
PacksRecv: integer ;
end ;
PServiceInfo = ^TServiceInfo ;
THdrEthernet = packed record // Ethernet frame header - Network Interface Layer
dmac: TMacAddr;
smac: TMacAddr;
protocol: WORD;
end;
PHdrEthernet = ^THdrEthernet ;
Class TMonitorSocket
The component may be installed on palette, but is non-visual so it's usually easier to create it in code. This class is for monitoring raw sockets on Windows 2000 and better.
TMonitorSocket is a descendent of TCustomWSocket (in wsocket.pas).
The following properties should be set before monitoring is started:
Addr - IP address on which to listen for packets.
AddrMask - IP mask of address to ignore
IgnoreData - true/false, true if only doing statistics
IgnoreLAN - if AddrMask should be used
SetIgnoreIP - a list of IP addresses that should be ignored
onPacketEvent - the event in which packets will be returned
The LocalIPList public variable lists all IP addresses available for monitoring.
The StartMonitor and StopMonitor methods start and stop raw packet monitoring, with the onPacketEvent event being called, often several times a second, as a TPacketInfo record.
There are also four cumulative traffic properties, TotRecvBytes, TotSendBytes, TotRecvPackets and TotSendPackets which are reset each time monitoring starts.
Class TMonitorPcap
The component may be installed on palette, but is non-visual so it's usually easier to create it in code. This class uses WinPcap that must have been previously installed. The high level WinPcap functions are in pcap.pas, packet32.pas, ndis_def.pas and bpf.pas. The interface to WinPcap is packet.dll, and all functions are loaded dynamically with
LoadPacketDll so the application will work even if the DLL is not available. The component uses a thread internally to poll the device driver for new packets.
The following properties should be set before monitoring is started:
MonAdapter - index of adaptor to monitor, selected from AdapterDescList
Addr - local IP address (see below)
AddrMask - IP mask for IP address
Promiscuous - true/false, true to monitor sent packets, but may not work
IgnoreData - true/false, true if only doing statistics
IgnoreLAN - if AddrMask should be used to ignore local traffic
SetIgnoreIP - a list of IP addresses that should be ignored
onPacketEvent - the event in which packets will be returned
There are other exposed WinPcap methods:
GetAdapters - fills the AdapterNameList and AdapterDescList lists with the names of network adaptors GetIPAddresses - returns three lists of IPs, masks and broadcast IPs for a specific network adaptor.
The StartMonitor and StopMonitor methods start and stop WinPcap packet monitoring, with the onPacketEvent event being called, often several times a second, as a TPacketInfo record.
There are also four cumulative traffic properties, TotRecvBytes, TotSendBytes, TotRecvPackets and TotSendPackets which are reset each time monitoring starts.
Class TTrafficClass
This component is used to accumulate internet traffic statistics. It is the basis of the Traffic Monitor demo application. Use is very simple, just call the Add method from onPacketEvent. The component checks for unique remote IP addresses and ports (ie services), and totals traffic for them in TTrafficInfo. The UpdateService method may be called to update TServiceInfo records which consolidate traffic for any IP into service. The component automatically reverse looks-up IP address into
domain names, where possible.
Demonstration Application
Two Windows demonstration applications are supplied, with source and compiled programs, SOCKMON.EXE displays raw packets, while SOCKSTAT totals internet traffic.
History
29th October 2005 - 1.1 - baseline
8th August 2008 - 1.2 - updated to support ICS V6 and V7, and Delphi 2009 and later. When stopping capture ignore any buffered data so it stops faster. Tested with WinPCap 4.0.1 which is now included
Compatible with Delphi 6/7/2005/2006/2007/2009/2010, tested with Windows 2000, XP, 2003, Vista, 2008 and 7.
The Internet Packet Monitoring Components is copyright by Magenta Systems Ltd, but may be used freely.
Magenta Systems Ltd, 9 Vincent Road, Croydon CR0 6ED, United Kingdom
Phone 020 8656 3636, International Phone +44 20 8656 3636
Fax 020 8656 8127, International Fax +44 20 8656 8127
http://www.magsys.co.uk/
Copyright © 2010 Magenta Systems Ltd, England. All Rights Reserved.