Download: magmonsock v1.1 - 16 Nov 2005 (1,138,071 bytes), Delphi
Magenta Systems Internet Packet Monitoring Components are a set of Delphi components
designed to capture and monitor internet packets using either raw sockets
or the WinPcap device driver. Hardware permitting, ethernet packets may
be captured and interpreted, and statistics maintained about the traffic.
Uses of packet monitoring include totalling internet traffic by IP
address and service, monitoring external or internal IP addresses and
services accessed, network diagnostics, and many other applications. The
package includes two demonstration applications, one that displays raw
packets, the other that totals internet traffic. The components include
various filters to reduce the number of packets that need to be processed:
specific IP addresses may be ignored, a LAN mask may be used to ignore
local traffic, and non-IP traffic such as ARP may be ignored.
The components capture packets using two different techniques, with
differing benefits and features:
1 - Raw sockets, which are available with Windows 2000 and later. This
uses WSocket from the François Piette internet component suite, from
http://www.overbyte.be/. The major benefit is that no other software needs
to be installed, but raw sockets don't seem to work fully with some
network adaptors, and ignore non-IP protocols. Some adaptors may capture
received packets, but ignore anything sent.
2 - WinPcap (Windows Packet Library) device driver, needs to be installed
(it installs two small DLLs and a driver), but captures all packets
including non-IP. WinPcap may be downloaded from http://www.winpcap.org/,
and version 3.1 is included in this package. Note the Delphi
WinPcap pcap.pas and packet32.pas modules were originally written by Lars
Peter Christiansen, but have since received several bug fixes and many new
features. In theory WinPcap will run on Windows 9x, but this has not been
tested. Use of the latest WinPcap version 3.1 (5th August 2005) is strongly
recommended, but the component also supports WinPcap 3.0 (10 February 2003).
Component Overview
There are two main low level components, TMonitorSocket in monsock.pas
which supports raw window sockets, and TMonitorPcap in monpcap.pas that
supports WinPcap. Both have very similar properties and return ethernet
packets using identical events, formatted identically, allowing the same
application to use either or both low level components. There are subtle
differences: raw sockets monitor a specific IP address, whereas WinPcap
monitors all traffic on an adaptor. Both may potentially monitor traffic
other than the local PC's, depending on LAN structure. Common functions
and declarations are in packhdrs.pas.
Common Types
    TMacAddr = array [0..5] of byte ;   // a MAC address

    // record used to return packet to application for both raw sockets and winpcap
    TPacketInfo = record
        PacketLen: integer ;    // total length of packet
        EtherProto: word ;      // ethernet protocol
        EtherSrc: TMacAddr ;    // ethernet MAC addresses
        EtherDest: TMacAddr ;
        AddrSrc: TInAddr ;      // IP addresses are 32-bit binary
        AddrDest: TInAddr ;
        PortSrc: integer ;      // transport layer ports
        PortDest: integer ;
        ProtoType: byte ;       // transport layer protocol
        TcpFlags: word ;        // TCP/IP packet type flags
        SendFlag: boolean ;     // true if packet being sent from local IP
        IcmpType: byte ;        // ICMP packet type
        DataLen: integer ;      // length of data (less headers)
        DataBuf: string ;       // packet data (may be blank even if datalen<>0)
        PacketDT: TDateTime ;   // when packet was captured
    end ;

    TPacketEvent = procedure (Sender: TObject; PacketInfo: TPacketInfo) of object;

    // record used for maintaining traffic statistics
    TTrafficInfo = packed record
        AddrLoc: TInAddr ;          // IP addresses are 32-bit binary
        AddrRem: TInAddr ;
        ServPort: word ;            // service port
        PackType: word ;            // protocol or packet type, TCP, UDP, ARP, ICMP, etc
        HostLoc: string ;           // host domains for IP addresses, if available
        HostRem: string ;
        ServName: string ;          // looked up
        BytesSent: int64 ;          // traffic
        BytesRecv: int64 ;
        PacksSent: integer ;
        PacksRecv: integer ;
        LookupAttempts: integer ;   // how many host name lookup attempts
        FirstDT: TDateTime ;        // when this traffic started
        LastDT: TDateTime ;         // last traffic update
    end ;
    PTrafficInfo = ^TTrafficInfo ;

    TServiceInfo = packed record
        ServPort: word ;        // service port
        PackType: word ;        // protocol or packet type, TCP, UDP, ARP, ICMP, etc
        ServName: string ;      // looked up
        TotalHosts: integer ;   // how many different hosts for this service
        BytesSent: int64 ;      // traffic
        BytesRecv: int64 ;
        PacksSent: integer ;
        PacksRecv: integer ;
    end ;
    PServiceInfo = ^TServiceInfo ;

    THdrEthernet = packed record    // Ethernet frame header - Network Interface Layer
        dmac: TMacAddr;
        smac: TMacAddr;
        protocol: WORD;
    end;
    PHdrEthernet = ^THdrEthernet ;
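To show what the fields of TPacketInfo mean in practice, here is an added example (not code from the Magenta package) that interprets a raw Ethernet/IPv4 frame into the same fields and applies the three filters the introduction names: ignoring non-IP frames such as ARP, ignoring listed addresses (SetIgnoreIP), and using a LAN mask to drop traffic whose both ends are local (IgnoreLAN with AddrMask). It is written in Python rather than Delphi so it runs without a capture driver; the frames it parses are constructed by build_tcp_frame and SAMPLE_ARP_FRAME (checksums left as zero), and the way SendFlag is derived (packet source equals the monitored local address) is an assumption about the component's behaviour.

```python
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import IPv4Address, IPv4Network

ETHER_IP, ETHER_ARP = 0x0800, 0x0806          # ethernet protocol numbers
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17   # IP transport protocol numbers


@dataclass
class PacketInfo:
    """Python counterpart of the TPacketInfo record (field names kept)."""
    PacketLen: int
    EtherProto: int
    EtherSrc: str
    EtherDest: str
    AddrSrc: str = ""
    AddrDest: str = ""
    PortSrc: int = 0
    PortDest: int = 0
    ProtoType: int = 0
    TcpFlags: int = 0
    SendFlag: bool = False
    IcmpType: int = 0
    DataLen: int = 0
    DataBuf: bytes = b""
    PacketDT: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame, local_ip, ignore_data=False):
    """Interpret one raw Ethernet frame into a PacketInfo.
    local_ip sets SendFlag (assumption: source address == monitored address);
    ignore_data=True mirrors the IgnoreData property: headers only, no payload copy."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dmac, smac, proto = struct.unpack("!6s6sH", frame[:14])
    info = PacketInfo(len(frame), proto, mac_text(smac), mac_text(dmac))
    if proto != ETHER_IP:
        return info                      # ARP and other non-IP: ethernet fields only
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.ProtoType = ip[9]
    info.AddrSrc = str(IPv4Address(ip[12:16]))
    info.AddrDest = str(IPv4Address(ip[16:20]))
    info.SendFlag = info.AddrSrc == local_ip
    transport = ip[ihl:total_len]        # trailing ethernet padding is excluded
    hdr_len = 0
    if info.ProtoType == PROTO_TCP:
        info.PortSrc, info.PortDest = struct.unpack("!HH", transport[:4])
        off_flags = struct.unpack("!H", transport[12:14])[0]
        info.TcpFlags = off_flags & 0x01FF        # NS,CWR,ECE,URG,ACK,PSH,RST,SYN,FIN
        hdr_len = (off_flags >> 12) * 4
    elif info.ProtoType == PROTO_UDP:
        info.PortSrc, info.PortDest = struct.unpack("!HH", transport[:4])
        hdr_len = 8
    elif info.ProtoType == PROTO_ICMP:
        info.IcmpType = transport[0]
        hdr_len = 8
    payload = transport[hdr_len:]
    info.DataLen = len(payload)          # DataLen is filled even when data is ignored
    if not ignore_data:
        info.DataBuf = payload
    return info


def should_ignore(info, ignore_ips=(), lan_mask=None, ignore_non_ip=True):
    """Filters named on the page: non-IP (ARP etc), listed addresses, and with a
    LAN mask such as "192.168.1.0/24" any packet whose both ends are inside it."""
    if info.EtherProto != ETHER_IP:
        return ignore_non_ip
    if info.AddrSrc in ignore_ips or info.AddrDest in ignore_ips:
        return True
    if lan_mask is not None:
        net = IPv4Network(lan_mask, strict=False)
        if IPv4Address(info.AddrSrc) in net and IPv4Address(info.AddrDest) in net:
            return True
    return False


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed test input: minimal Ethernet/IPv4/TCP frame, checksums zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBB2s4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, b"\0\0",
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHER_IP) + ip + tcp


# Constructed ARP request frame (header only, body zeroed) to exercise the non-IP path.
SAMPLE_ARP_FRAME = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHER_ARP) + bytes(28)

if __name__ == "__main__":
    syn = build_tcp_frame("192.168.1.10", "203.0.113.5", 40000, 443, 0x002)
    print(parse_frame(syn, "192.168.1.10"))
```

In a real capture loop the frame would come from the raw socket or WinPcap buffer and the result would be handed to the onPacketEvent handler; applying should_ignore before any further processing is what keeps the per-packet work small at several packets a second.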
Class TMonitorSocket
The component may be installed on the palette, but is non-visual so it's
usually easier to create it in code. This class is for monitoring
raw sockets on Windows 2000 or later.
TMonitorSocket is a descendant of TCustomWSocket (in wsocket.pas).
The following properties should be set before monitoring is started:
Addr - IP address on which to listen for packets.
AddrMask - IP mask of address to ignore
IgnoreData - true/false, true if only doing statistics
IgnoreLAN - if AddrMask should be used
SetIgnoreIP - a list of IP addresses that should be ignored
onPacketEvent - the event in which packets will be returned
The LocalIPList public variable lists all IP addresses available for
monitoring.
The StartMonitor and StopMonitor methods start and stop raw packet
monitoring, with the onPacketEvent event being called, often several
times a second, as a TPacketInfo record.
There are also four cumulative traffic properties, TotRecvBytes,
TotSendBytes, TotRecvPackets and TotSendPackets which are reset each
time monitoring starts.
Class TMonitorPcap
The component may be installed on the palette, but is non-visual so it's
usually easier to create it in code. This class uses WinPcap, which
must already be installed. The high level WinPcap functions
are in pcap.pas, packet32.pas, ndis_def.pas and bpf.pas. The interface
to WinPcap is packet.dll, and all functions are loaded dynamically with
LoadPacketDll so the application will still run even if the DLL is not
available. The component uses a thread internally to poll the device
driver for new packets.
The following properties should be set before monitoring is started:
MonAdapter - index of adaptor to monitor, selected from AdapterDescList
Addr - local IP address (see below)
AddrMask - IP mask for IP address
Promiscuous - true/false, true to monitor sent packets, but may not work
IgnoreData - true/false, true if only doing statistics
IgnoreLAN - if AddrMask should be used to ignore local traffic
SetIgnoreIP - a list of IP addresses that should be ignored
onPacketEvent - the event in which packets will be returned
There are other exposed WinPcap methods:
GetAdapters - fills the AdapterNameList and AdapterDescList lists with
the names of network adaptors
GetIPAddresses - returns three lists of IPs, masks and broadcast IPs for
a specific network adaptor.
The StartMonitor and StopMonitor methods start and stop WinPcap packet
monitoring, with the onPacketEvent event being called, often several
times a second, as a TPacketInfo record.
There are also four cumulative traffic properties, TotRecvBytes,
TotSendBytes, TotRecvPackets and TotSendPackets which are reset each
time monitoring starts.
Class TTrafficClass
This component is used to accumulate internet traffic statistics. It is
the basis of the Traffic Monitor demo application. Use is very simple:
just call the Add method from onPacketEvent. The component checks for
unique remote IP addresses and ports (i.e. services), and totals traffic
for them in TTrafficInfo records. The UpdateService method may be called to
update TServiceInfo records, which consolidate the traffic of all IP
addresses into per-service totals. The component automatically reverse
looks up IP addresses to domain names, where possible.
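The following is an added example, not the TTrafficClass source, showing the accounting the class description implies: an add() called once per packet that keys counters on local address, remote address, service port and protocol (the TTrafficInfo fields), and an update_service() that consolidates them into per-service totals with a distinct-host count (the TServiceInfo fields). It is in Python so it runs stand-alone; the Packet tuple is a constructed stand-in for the TPacketInfo fields the totals need, sample_packets() is constructed traffic, and the choice of the remote side's port as the service port is an assumption about how the component picks it. Host name lookups, which the real class performs, are omitted.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-in for the TPacketInfo fields that traffic totalling needs.
Packet = namedtuple("Packet", "AddrSrc AddrDest PortSrc PortDest ProtoType PacketLen SendFlag PacketDT")


@dataclass
class TrafficInfo:
    """Counters for one local/remote/service triple, modelled on TTrafficInfo."""
    AddrLoc: str
    AddrRem: str
    ServPort: int
    PackType: int
    BytesSent: int = 0
    BytesRecv: int = 0
    PacksSent: int = 0
    PacksRecv: int = 0
    FirstDT: datetime = None
    LastDT: datetime = None


@dataclass
class ServiceInfo:
    """Totals for one service across all hosts, modelled on TServiceInfo."""
    ServPort: int
    PackType: int
    TotalHosts: int = 0
    BytesSent: int = 0
    BytesRecv: int = 0
    PacksSent: int = 0
    PacksRecv: int = 0


class TrafficTotals:
    """Accumulator in the spirit of TTrafficClass: add() per packet from the
    packet event, update_service() when per-service totals are wanted."""

    def __init__(self):
        self.traffic = {}    # (AddrLoc, AddrRem, ServPort, PackType) -> TrafficInfo
        self.services = {}   # (ServPort, PackType) -> ServiceInfo

    def add(self, p):
        # Assumption: the service port is the port on the remote side of the packet.
        if p.SendFlag:
            loc, rem, serv = p.AddrSrc, p.AddrDest, p.PortDest
        else:
            loc, rem, serv = p.AddrDest, p.AddrSrc, p.PortSrc
        key = (loc, rem, serv, p.ProtoType)
        rec = self.traffic.get(key)
        if rec is None:
            rec = TrafficInfo(loc, rem, serv, p.ProtoType, FirstDT=p.PacketDT)
            self.traffic[key] = rec
        if p.SendFlag:
            rec.BytesSent += p.PacketLen
            rec.PacksSent += 1
        else:
            rec.BytesRecv += p.PacketLen
            rec.PacksRecv += 1
        rec.LastDT = p.PacketDT
        return rec

    def update_service(self):
        """Rebuild per-service totals; TotalHosts counts distinct remote addresses."""
        self.services = {}
        hosts = {}
        for rec in self.traffic.values():
            key = (rec.ServPort, rec.PackType)
            svc = self.services.setdefault(key, ServiceInfo(rec.ServPort, rec.PackType))
            hosts.setdefault(key, set()).add(rec.AddrRem)
            svc.BytesSent += rec.BytesSent
            svc.BytesRecv += rec.BytesRecv
            svc.PacksSent += rec.PacksSent
            svc.PacksRecv += rec.PacksRecv
        for key, svc in self.services.items():
            svc.TotalHosts = len(hosts[key])
        return self.services

    def top_remote_hosts(self, n=5):
        """Remote addresses by total bytes, the view used to spot busy destinations."""
        per_host = {}
        for rec in self.traffic.values():
            per_host[rec.AddrRem] = per_host.get(rec.AddrRem, 0) + rec.BytesSent + rec.BytesRecv
        return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


def sample_packets():
    """Constructed sample: one local PC talking HTTPS to two hosts and DNS to one."""
    t0 = datetime(2005, 11, 16, 12, 0, 0)
    L, A, B, D = "192.168.1.10", "203.0.113.5", "203.0.113.6", "192.0.2.53"
    return [Packet(L, A, 40000, 443, 6, 60, True, t0), Packet(A, L, 443, 40000, 6, 1500, False, t0),
            Packet(L, B, 40001, 443, 6, 60, True, t0), Packet(B, L, 443, 40001, 6, 800, False, t0),
            Packet(L, D, 50000, 53, 17, 70, True, t0), Packet(D, L, 53, 50000, 17, 120, False, t0)]


def demo():
    totals = TrafficTotals()
    for p in sample_packets():
        totals.add(p)
    return totals
```

Keying on the remote port rather than the local ephemeral port is what lets a single TServiceInfo row summarise every host reached on, say, port 443; keeping the per-host rows as well is what makes an unexpected destination stand out in the Traffic Monitor style of display.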
Demonstration Applications
Two Windows demonstration applications are supplied, with source and
compiled programs: SOCKMON.EXE displays raw packets, while SOCKSTAT totals
internet traffic.
Compatible with Delphi 6/7/2005/2006, tested with Windows 2000, XP and
2003.
The Internet Packet Monitoring Components are copyright Magenta Systems
Ltd, but may be used freely.
Magenta Systems Ltd, 9 Vincent Road,
Croydon CR0 6ED, United Kingdom
Phone 020 8656 3636, International Phone +44 20 8656 3636
Fax 020 8656 8127, International Fax +44 20 8656 8127
http://www.magsys.co.uk/
Copyright © 2008 Magenta Systems Ltd, England. All Rights Reserved.