How to Capture Network Packets in Delphi (1) | 2011/4/27 10:00:00

Magenta Systems Internet Packet Monitoring Components v1.1
Updated by Angus Robertson, Magenta Systems Ltd, England, 31st October 2005
delphi@magsys.co.uk, http://www.magsys.co.uk/delphi/
Copyright Magenta Systems Ltd


Introduction

Magenta Systems Internet Packet Monitoring Components are a set of Delphi components designed to capture and monitor internet packets using either raw sockets or the WinPcap device driver.  Hardware permitting, ethernet packets may be captured and interpreted, and statistics maintained about the traffic.  Uses of packet monitoring include totalling internet traffic by IP address and service, monitoring external or internal IP addresses and services accessed, network diagnostics, and many other applications. The component includes two demonstration applications, one that displays raw packets, the other that totals internet traffic.  The components include various filters to reduce the number of packets that need to be processed, by allowing specific IP addresses to be ignored, LAN mask to ignore local traffic, and ignore non-IP traffic such as ARP.

The components capture packets using two different techniques, with differing benefits and features:
1 - Raw sockets, which are available with Windows 2000 and later.  This uses WSocket from the François Piette internet component suite, from http://www.overbyte.be/. The major benefit is that no other software needs to be installed, but raw sockets don't seem to work fully with some network adaptors, and ignore non-IP protocols. Some adaptors may capture received packets, but ignore anything sent.
2 - WinPcap (Windows Packet Library) device driver, needs to be installed (it installs two small DLLs and a driver), but captures all packets including non-IP.  WinPcap may be downloaded from http://www.winpcap.org/, and version 3.1 is included in this package.  Note the Delphi WinPcap pcap.pas and packet32.pas modules were originally written by Lars Peter Christiansen, but have several bug fixes and many new features. In theory WinPcap will run on Windows 9x, but it's not been tested. Use of the latest WinPcap version 3.1 5th August 2005 is strongly recommended, but the component also supports WinPcap 3.0 10 February 2003.


Component Overview

There are two main low level components, TMonitorSocket in monsock.pas which supports raw Windows sockets, and TMonitorPcap in monpcap.pas which supports WinPcap.  Both have very similar properties and return ethernet packets using identical events, formatted identically, allowing the same application to use either or both low level components.  There are subtle differences: raw sockets monitor a specific IP address, whereas WinPcap monitors all traffic on an adaptor.  Both may potentially monitor traffic other than the local PC's, depending on LAN structure.  Common functions and declarations are in packhdrs.pas.

Common Types

TMacAddr = array [0..5] of byte ;  // a MAC address

// record used to return packet to application for both raw sockets and winpcap (very frequently used to pass parameters)

TPacketInfo = record           // packet record
    PacketLen: integer ;       // total length of packet
    EtherProto: word ;         // ethernet protocol
    EtherSrc: TMacAddr ;       // ethernet MAC addresses
    EtherDest: TMacAddr ;
    AddrSrc: TInAddr ;         // IP addresses are 32-bit binary
    AddrDest: TInAddr ;
    PortSrc: integer ;         // transport layer ports
    PortDest: integer ;
    ProtoType: byte ;          // transport layer protocol
    TcpFlags: word ;           // TCP/IP packet type flags
    SendFlag: boolean ;        // true if packet being sent from local IP (send indicator)
    IcmpType: byte ;           // ICMP packet type
    DataLen: integer ;         // length of data (less headers)
    DataBuf: string ;          // packet data (may be blank even if datalen<>0)
    PacketDT: TDateTime ;      // when packet was captured
end ;

TPacketEvent = procedure (Sender: TObject; PacketInfo: TPacketInfo) of object;  // event procedure type that receives the record

// record used for maintaining traffic statistics, returned to the application (very frequently used to pass parameters)

TTrafficInfo = packed record
    AddrLoc: TInAddr ;         // IP addresses are 32-bit binary
    AddrRem: TInAddr ;
    ServPort: word ;           // service port
    PackType: word ;           // protocol or packet type, TCP, UDP, ARP, ICMP, etc
    HostLoc: string ;          // host domains for IP addresses, if available
    HostRem: string ;
    ServName: string ;         // looked up (service name)
    BytesSent: int64 ;         // traffic: bytes sent
    BytesRecv: int64 ;         // traffic: bytes received
    PacksSent: integer ;       // traffic: packets sent
    PacksRecv: integer ;       // traffic: packets received
    LookupAttempts: integer ;  // how many host name lookup attempts (hosts on the network checked)
    FirstDT: TDateTime ;       // when this traffic started (statistics start time)
    LastDT: TDateTime ;        // last traffic update (statistics end time)
end ;
PTrafficInfo = ^TTrafficInfo ;

TServiceInfo = packed record   // see the notes above
    ServPort: word ;           // service port
    PackType: word ;           // protocol or packet type, TCP, UDP, ARP, ICMP, etc
    ServName: string ;         // looked up
    TotalHosts: integer;       // how many different hosts for this service
    BytesSent: int64 ;         // traffic
    BytesRecv: int64 ;
    PacksSent: integer ;
    PacksRecv: integer ;
end ;
PServiceInfo = ^TServiceInfo ;

THdrEthernet = packed record   // Ethernet frame header - Network Interface Layer (frame header information)
    dmac: TMacAddr;
    smac: TMacAddr;
    protocol: WORD;
end;
PHdrEthernet = ^THdrEthernet ;
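As an added example, not code from the Magenta Systems package, the console program below decodes a constructed Ethernet/IPv4/TCP frame into the TPacketInfo record declared above, taking TMacAddr, THdrEthernet and TPacketInfo from packhdrs.pas. The IPv4 and TCP header records (TExIPv4Hdr, TExTcpHdr), the constant names and the sample frame are this example's own assumptions, not declarations from the package. What it shows beyond the type listing is how a decoder must treat the length fields: the IP header length, IP total length and TCP data offset are each checked against the bytes actually captured before any pointer is advanced, so a truncated or malformed packet is rejected rather than read past the end of the buffer.

```delphi
program FrameDecodeExample;
{$APPTYPE CONSOLE}
uses
  SysUtils, Winsock, packhdrs;   // TMacAddr, THdrEthernet, TPacketInfo come from packhdrs.pas

type
  // Assumed layout of the IPv4 header (RFC 791); defined here for the example only
  TExIPv4Hdr = packed record
    VerLen, TOS: byte;                 // version in the high nibble, header length in 32-bit words in the low nibble
    TotalLen, ID, FragOff: word;       // network byte order
    TTL, Protocol: byte;               // Protocol: 1 = ICMP, 6 = TCP, 17 = UDP
    Checksum: word;
    SrcIP, DstIP: TInAddr;
  end;
  PExIPv4Hdr = ^TExIPv4Hdr;
  // Assumed layout of the TCP header (RFC 793); defined here for the example only
  TExTcpHdr = packed record
    SrcPort, DstPort: word;            // network byte order
    SeqNum, AckNum: longword;
    DataOff, Flags: byte;              // header length in 32-bit words in the high nibble of DataOff
    Window, Checksum, Urgent: word;
  end;
  PExTcpHdr = ^TExTcpHdr;

const
  ETHER_IPV4 = $0800;
  PROTO_TCP = 6;
  // Constructed sample frame: TCP SYN from 192.168.1.10:49152 to 203.0.113.5:80 carrying "TEST"
  SampleFrame: array [0..57] of byte = (
    $00,$11,$22,$33,$44,$55, $66,$77,$88,$99,$AA,$BB, $08,$00,  // dst MAC, src MAC, EtherType IPv4
    $45,$00,$00,$2C, $12,$34,$40,$00, $40,$06,$00,$00,          // IPv4: IHL 5, total length 44, TTL 64, TCP
    $C0,$A8,$01,$0A, $CB,$00,$71,$05,                           // 192.168.1.10 -> 203.0.113.5
    $C0,$00,$00,$50, $00,$00,$00,$01, $00,$00,$00,$00,          // ports 49152 -> 80, seq, ack
    $50,$02,$FF,$FF, $00,$00,$00,$00,                           // data offset 5, flags SYN, window, checksum, urgent
    $54,$45,$53,$54);                                           // payload "TEST"

// Every length read from the frame is validated against BufLen before it is used, so a
// truncated or deliberately malformed packet is rejected instead of being read past the buffer.
function DecodeFrame(Buf: PAnsiChar; BufLen: integer; const LocalIP: TInAddr; var Info: TPacketInfo): boolean;
var
  Eth: PHdrEthernet;
  IP: PExIPv4Hdr;
  Tcp: PExTcpHdr;
  Offset, IPHdrLen, IPTotalLen, TcpHdrLen: integer;
begin
  Result := False;
  Finalize(Info);                      // release any string held in DataBuf before zeroing the record
  FillChar(Info, SizeOf(Info), 0);
  if BufLen < SizeOf(THdrEthernet) then Exit;
  Eth := PHdrEthernet(Buf);
  Info.PacketLen := BufLen;
  Info.PacketDT := Now;
  Info.EtherDest := Eth^.dmac;
  Info.EtherSrc := Eth^.smac;
  Info.EtherProto := ntohs(Eth^.protocol);
  Offset := SizeOf(THdrEthernet);
  if Info.EtherProto <> ETHER_IPV4 then begin Result := True; Exit; end;   // non-IP frame (eg ARP): Ethernet fields only
  if BufLen - Offset < SizeOf(TExIPv4Hdr) then Exit;
  IP := PExIPv4Hdr(Buf + Offset);
  if (IP^.VerLen shr 4) <> 4 then Exit;   // not IPv4
  IPHdrLen := (IP^.VerLen and $0F) * 4;
  IPTotalLen := ntohs(IP^.TotalLen);
  // IHL below 5, a total length shorter than the header, or one longer than the capture: reject
  if (IPHdrLen < SizeOf(TExIPv4Hdr)) or (IPTotalLen < IPHdrLen) or (IPTotalLen > BufLen - Offset) then Exit;
  Info.AddrSrc := IP^.SrcIP;
  Info.AddrDest := IP^.DstIP;
  Info.SendFlag := IP^.SrcIP.S_addr = LocalIP.S_addr;
  Info.ProtoType := IP^.Protocol;
  Inc(Offset, IPHdrLen);
  Info.DataLen := IPTotalLen - IPHdrLen;
  if Info.ProtoType = PROTO_TCP then
  begin
    if Info.DataLen < SizeOf(TExTcpHdr) then Exit;
    Tcp := PExTcpHdr(Buf + Offset);
    TcpHdrLen := (Tcp^.DataOff shr 4) * 4;
    if (TcpHdrLen < SizeOf(TExTcpHdr)) or (TcpHdrLen > Info.DataLen) then Exit;
    Info.PortSrc := ntohs(Tcp^.SrcPort);
    Info.PortDest := ntohs(Tcp^.DstPort);
    Info.TcpFlags := Tcp^.Flags;
    Inc(Offset, TcpHdrLen);
    Dec(Info.DataLen, TcpHdrLen);
  end;
  SetString(Info.DataBuf, Buf + Offset, Info.DataLen);   // payload after the headers
  Result := True;
end;

var
  Info: TPacketInfo;
  LocalIP: TInAddr;
begin
  LocalIP.S_addr := inet_addr('192.168.1.10');   // the "local" side, which decides SendFlag
  if DecodeFrame(@SampleFrame, SizeOf(SampleFrame), LocalIP, Info) then
    WriteLn(Format('%s:%d -> %s:%d proto %d flags $%.2x payload %d bytes sent=%s',
      [inet_ntoa(Info.AddrSrc), Info.PortSrc, inet_ntoa(Info.AddrDest), Info.PortDest,
       Info.ProtoType, Info.TcpFlags, Info.DataLen, BoolToStr(Info.SendFlag, True)]))
  else
    WriteLn('frame rejected');
end.
```

The decoder deliberately trusts nothing in the frame: the IP total length is clamped to what was captured, and a data offset smaller than the fixed header is treated as corruption. With the sample frame it reports a SYN from 192.168.1.10:49152 to 203.0.113.5:80 with a 4-byte payload and SendFlag set; shorten SampleFrame by a few bytes, or set the IHL nibble below 5, and the same call returns False.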


Class TMonitorSocket - monitoring via Winsock

The component may be installed on the palette, but is non-visual so it's usually easier to create it in code.  This class is for monitoring raw sockets on Windows 2000 and later.
TMonitorSocket is a descendant of TCustomWSocket (in wsocket.pas).
The following properties should be set before monitoring is started:
Addr - IP address on which to listen for packets.
AddrMask - IP mask of address to ignore
IgnoreData - true/false, true if only doing statistics
IgnoreLAN - if AddrMask should be used
SetIgnoreIP - a list of IP addresses that should be ignored
onPacketEvent - the event in which packets will be returned
The LocalIPList public variable lists all IP addresses available for monitoring.
The StartMonitor and StopMonitor methods start and stop raw packet monitoring, with the onPacketEvent event being called, often several times a second, with a TPacketInfo record.
There are also four cumulative traffic properties, TotRecvBytes, TotSendBytes, TotRecvPackets and TotSendPackets, which are reset each time monitoring starts.
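An added example of driving TMonitorSocket from code, as the section suggests; it is not one of the package's demo programs. The properties and methods it uses are the ones listed above. Assumed, because the page does not state them: the constructor form (a TComponent-style owner argument, as TCustomWSocket descendants normally have), the string form of Addr and AddrMask, SetIgnoreIP accepting a TStrings, and the bit layout of TcpFlags following the TCP header.

```delphi
program RawSocketMonitorExample;
{$APPTYPE CONSOLE}
uses
  SysUtils, Classes, Forms, Winsock, packhdrs, monsock;

type
  // onPacketEvent is "of object", so the handler needs a host object
  TRawMonitor = class
  private
    FMon: TMonitorSocket;
    FIgnore: TStringList;      // kept alive in case SetIgnoreIP stores the reference rather than copying
    procedure PacketEvent(Sender: TObject; PacketInfo: TPacketInfo);
  public
    constructor Create(const LocalIP, LocalMask: string);
    destructor Destroy; override;
    procedure Run(Seconds: integer);
  end;

// Expands the TcpFlags word into flag names (bit order assumed from the TCP header: FIN is bit 0)
function TcpFlagsToStr(Flags: word): string;
const
  Names: array [0..5] of string = ('FIN', 'SYN', 'RST', 'PSH', 'ACK', 'URG');
var
  i: integer;
begin
  Result := '';
  for i := 0 to High(Names) do
    if (Flags and (1 shl i)) <> 0 then
      Result := Result + Names[i] + ' ';
  Result := Trim(Result);
end;

constructor TRawMonitor.Create(const LocalIP, LocalMask: string);
begin
  inherited Create;
  FMon := TMonitorSocket.Create(nil);   // assumed: TComponent-style constructor inherited from TCustomWSocket
  FMon.Addr := LocalIP;                 // one of the addresses listed in LocalIPList
  FMon.AddrMask := LocalMask;
  FMon.IgnoreLAN := True;               // use AddrMask to drop traffic that stays inside the LAN
  FMon.IgnoreData := False;             // False: DataBuf is filled, not just the statistics
  FIgnore := TStringList.Create;
  FIgnore.Add('127.0.0.1');             // loopback traffic is noise for this purpose
  FMon.SetIgnoreIP(FIgnore);            // assumed: accepts a TStrings of addresses to ignore
  FMon.onPacketEvent := PacketEvent;
end;

destructor TRawMonitor.Destroy;
begin
  FMon.Free;
  FIgnore.Free;
  inherited;
end;

// Called by the component for each captured packet, often several times a second
procedure TRawMonitor.PacketEvent(Sender: TObject; PacketInfo: TPacketInfo);
const
  Dir: array [boolean] of string = ('in ', 'out');
begin
  WriteLn(Format('%s %s %15s:%-5d -> %15s:%-5d proto %3d len %5d %s',
    [FormatDateTime('hh:nn:ss.zzz', PacketInfo.PacketDT), Dir[PacketInfo.SendFlag],
     inet_ntoa(PacketInfo.AddrSrc), PacketInfo.PortSrc,
     inet_ntoa(PacketInfo.AddrDest), PacketInfo.PortDest,
     PacketInfo.ProtoType, PacketInfo.PacketLen, TcpFlagsToStr(PacketInfo.TcpFlags)]));
end;

// TCustomWSocket delivers its events through the Windows message loop, so the loop must be pumped
procedure TRawMonitor.Run(Seconds: integer);
var
  Stop: TDateTime;
begin
  FMon.StartMonitor;
  Stop := Now + Seconds / SecsPerDay;
  while Now < Stop do
  begin
    Application.ProcessMessages;
    Sleep(10);
  end;
  FMon.StopMonitor;
  WriteLn(Format('received %d packets / %d bytes, sent %d packets / %d bytes',
    [FMon.TotRecvPackets, FMon.TotRecvBytes, FMon.TotSendPackets, FMon.TotSendBytes]));
end;

var
  Mon: TRawMonitor;
begin
  if ParamCount < 2 then
  begin
    WriteLn('usage: RawSocketMonitorExample <local-ip> <mask>   (pick the IP from LocalIPList)');
    Exit;
  end;
  Mon := TRawMonitor.Create(ParamStr(1), ParamStr(2));
  try
    Mon.Run(30);   // capture for 30 seconds, then print the cumulative totals
  finally
    Mon.Free;
  end;
end.
```

Run it from an administrator account (raw socket capture on Windows requires that privilege) and pass an address that LocalIPList reports. Because IgnoreLAN is set, the printed lines are only the traffic that crosses the AddrMask boundary; clear it to see everything the raw socket delivers.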

Class TMonitorPcap - monitoring via WinPcap

The component may be installed on the palette, but is non-visual so it's usually easier to create it in code.  This class uses WinPcap, which must have been previously installed. The high level WinPcap functions are in pcap.pas, packet32.pas, ndis_def.pas and bpf.pas.  The interface to WinPcap is packet.dll, and all functions are loaded dynamically with LoadPacketDll so the application will work even if the DLL is not available.  The component uses a thread internally to poll the device driver for new packets.

The following properties should be set before monitoring is started:

MonAdapter - index of adaptor to monitor, selected from AdapterDescList
Addr - local IP address (see below)
AddrMask - IP mask for IP address
Promiscuous - true/false, true to monitor sent packets, but may not work
IgnoreData - true/false, true if only doing statistics
IgnoreLAN - if AddrMask should be used to ignore local traffic
SetIgnoreIP - a list of IP addresses that should be ignored
onPacketEvent - the event in which packets will be returned

There are other exposed WinPcap methods:

GetAdapters - fills the AdapterNameList and AdapterDescList lists with the names of network adaptors
GetIPAddresses - returns three lists of IPs, masks and broadcast IPs for a specific network adaptor.

The StartMonitor and StopMonitor methods start and stop WinPcap packet monitoring, with the onPacketEvent event being called, often several times a second, with a TPacketInfo record.

There are also four cumulative traffic properties, TotRecvBytes, TotSendBytes, TotRecvPackets and TotSendPackets, which are reset each time monitoring starts.


Class TTrafficClass - monitoring via Winsock

This component is used to accumulate internet traffic statistics. It is the basis of the Traffic Monitor demo application.  Use is very simple: just call the Add method from onPacketEvent.  The component checks for unique remote IP addresses and ports (ie services), and totals traffic for them in TTrafficInfo.  The UpdateService method may be called to update TServiceInfo records, which consolidate traffic for any IP into a service.  The component automatically reverse looks up IP addresses into domain names, where possible.
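An added example, not the SOCKSTAT demo, that combines TMonitorPcap with TTrafficClass as the TMonitorPcap and TTrafficClass sections describe: it picks an adaptor by index, takes the adaptor's address and mask from GetIPAddresses, hands every packet to Add, and prints the per-host totals after UpdateService. Assumed, because the page does not state them: the unit that declares TTrafficClass (taken to be packhdrs.pas), TComponent-style constructors, AdapterDescList being a TStringList, the parameter order of GetIPAddresses, a parameterless TTrafficClass constructor, and a TrafficList property exposing the PTrafficInfo records the class keeps.

```delphi
program PcapTrafficExample;
{$APPTYPE CONSOLE}
uses
  SysUtils, Classes, Forms, Winsock, packhdrs, monpcap;   // TTrafficClass assumed to live in packhdrs.pas

type
  TPcapStats = class
  private
    FMon: TMonitorPcap;
    FTraffic: TTrafficClass;
    procedure PacketEvent(Sender: TObject; PacketInfo: TPacketInfo);
  public
    constructor Create(AdapterIdx: integer);
    destructor Destroy; override;
    procedure Run(Seconds: integer);
    procedure Report;
  end;

constructor TPcapStats.Create(AdapterIdx: integer);
var
  IPs, Masks, Bcasts: TStringList;
begin
  inherited Create;
  FMon := TMonitorPcap.Create(nil);     // assumed: TComponent-style constructor
  FMon.GetAdapters;                     // fills AdapterNameList and AdapterDescList
  if (AdapterIdx < 0) or (AdapterIdx >= FMon.AdapterDescList.Count) then
    raise Exception.CreateFmt('adapter index %d out of range', [AdapterIdx]);
  FMon.MonAdapter := AdapterIdx;
  IPs := TStringList.Create; Masks := TStringList.Create; Bcasts := TStringList.Create;
  try
    FMon.GetIPAddresses(AdapterIdx, IPs, Masks, Bcasts);   // assumed parameter order: index, then IPs, masks, broadcasts
    if IPs.Count = 0 then
      raise Exception.Create('adapter has no IP address');
    FMon.Addr := IPs[0];                // local address: decides SendFlag and LAN filtering
    FMon.AddrMask := Masks[0];
  finally
    IPs.Free; Masks.Free; Bcasts.Free;
  end;
  FMon.Promiscuous := True;             // try to see sent packets too; the page warns it may not work
  FMon.IgnoreData := True;              // statistics only, no payload copied into DataBuf
  FMon.IgnoreLAN := False;              // count LAN traffic as well
  FMon.onPacketEvent := PacketEvent;
  FTraffic := TTrafficClass.Create;     // assumed: parameterless constructor
end;

destructor TPcapStats.Destroy;
begin
  FMon.Free; FTraffic.Free;
  inherited;
end;

procedure TPcapStats.PacketEvent(Sender: TObject; PacketInfo: TPacketInfo);
begin
  FTraffic.Add(PacketInfo);   // TTrafficClass keys the totals by remote address and port
end;

procedure TPcapStats.Run(Seconds: integer);
var
  Stop: TDateTime;
begin
  FMon.StartMonitor;
  Stop := Now + Seconds / SecsPerDay;
  // the capture runs on the component's own thread; pumping messages lets its events reach this thread
  while Now < Stop do begin Application.ProcessMessages; Sleep(10); end;
  FMon.StopMonitor;
end;

procedure TPcapStats.Report;
var
  i: integer;
  T: PTrafficInfo;
begin
  FTraffic.UpdateService;   // roll the per-IP totals up into TServiceInfo records per service
  for i := 0 to FTraffic.TrafficList.Count - 1 do   // TrafficList: assumed TList of PTrafficInfo
  begin
    T := FTraffic.TrafficList[i];
    WriteLn(Format('%-15s %-32s port %5d type %3d sent %10d recv %10d',
      [inet_ntoa(T^.AddrRem), T^.HostRem, T^.ServPort, T^.PackType, T^.BytesSent, T^.BytesRecv]));
  end;
  WriteLn(Format('adapter totals: recv %d packets / %d bytes, sent %d packets / %d bytes',
    [FMon.TotRecvPackets, FMon.TotRecvBytes, FMon.TotSendPackets, FMon.TotSendBytes]));
end;

var
  Stats: TPcapStats;
begin
  if ParamCount = 0 then
    raise Exception.Create('usage: PcapTrafficExample <adapter index from AdapterDescList>');
  Stats := TPcapStats.Create(StrToInt(ParamStr(1)));
  try
    Stats.Run(30);   // capture for 30 seconds, then print what TTrafficClass accumulated
    Stats.Report;
  finally
    Stats.Free;
  end;
end.
```

Setting IgnoreData keeps the per-packet cost low, which matters on a busy adaptor where onPacketEvent fires many times a second; the statistics in TTrafficInfo do not need the payload. If the totals look incomplete, check whether the adaptor honours Promiscuous, since the page notes that sent packets may be missing otherwise.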

Demonstration Application

Two Windows demonstration applications are supplied, with source and compiled programs, SOCKMON.EXE displays raw packets, while SOCKSTAT totals internet traffic.

Files Enclosed

=Demo Applications (example files)
monmain.dfm
monmain.pas
sockmon.dpr
sockmon.exe
sockmon.res
statmain.dfm
statmain.pas
sockstat.dpr
sockstat.exe
sockstat.res

=Component (component files, required)
bpf.pas
monpcap.pas
monsock.pas
Ndis_def.pas
Packet32.pas
packhdrs.pas
Pcap.pas

=Support files (support files, required)
magsubs1.pas
MagClasses.pas
WinPcap_3_1.exe
ports.txt
protocols.txt

=ICS files (Internet Connection Sharing files, required)
wsocket.pas
wsockbuf.pas
incdefs.inc


Requirements

Compatible with Delphi 6/7/2005/2006, tested with Windows 2000, XP and 2003.

Copyright Information

Magenta Systems Internet Packet Monitoring Components are freeware, but are still copyrighted by Magenta Systems Ltd who may change the status or withdraw it at any time, without notice.

Magenta Systems Internet Packet Monitoring Components may be freely distributed via web pages, FTP sites, BBS and conferencing systems or on CD-ROM in unaltered zip format, but no charge may be made other than reasonable media or bandwidth cost.


Magenta Systems Ltd
9 Vincent Road
Croydon
CR0 6ED
United Kingdom

Phone 020 8656 3636, International Phone +44 20 8656 3636
Fax 020 8656 8127, International Fax +44 20 8656 8127

Email: delphi@magsys.co.uk
Web: http://www.magsys.co.uk/delphi/

By: 皮皮爸爸
Tags: Delphi