views: 239

answers: 3
Hi there,

I'd like to somehow hook into the local system's network stack to capture outgoing network packets without using Winpcap. Unfortunately it tends to crash my system every now and then.

Is there a way to "sniff" outgoing traffic of the local system from a user space process written in a .NET language?

Thanks a lot!

Hendrik

+2  A: 

What you want is the Network Monitor API. Here's a C# example of how to use the APIs: NMCaptureData. More here and here.

Mike Atlas
+1  A: 

Yes, the System.Net classes have tracing capability built in. All you have to do is configure it in your app.exe.config file. It is explained well in this MSDN Library article.

Hans Passant
I don't think this will allow SeveQ to sniff userland traffic, though - only within his own process space, right?
Mike Atlas
Well, any program written in .NET supports tracing.
Hans Passant
I don't think he wants to trace his own application's traffic, though.
Mike Atlas
Yeah, looks like this only allows me to trace traffic of the local process. Nice to have but not what I'm actually looking for. I'd like to trace down HTTP requests of my browsers. SharpPcap somehow unfortunately makes my system crash with a BSOD every now and then.
SeveQ
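
The System.Net tracing setup this answer refers to, as an added example that is not part of the original thread: a .NET Framework application configuration file that writes verbose network traces to a log. The log file name `network.log` and the `maxdatasize` value are assumptions chosen for illustration. As the comments above point out, it records only the traffic of the process that loads this configuration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Save as <YourApp>.exe.config next to the executable. -->
<configuration>
  <system.diagnostics>
    <sources>
      <!-- tracemode="includehex" dumps payload bytes in hex + text;
           maxdatasize caps how many bytes of each transfer are logged. -->
      <source name="System.Net" tracemode="includehex" maxdatasize="1024">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
      <!-- Socket-level events (connect, send, receive) of this process. -->
      <source name="System.Net.Sockets">
        <listeners>
          <add name="System.Net"/>
        </listeners>
      </source>
    </sources>
    <switches>
      <!-- Verbose logs headers and payload; lower it to Information or
           Warning when bodies, cookies or credentials must not be logged. -->
      <add name="System.Net" value="Verbose"/>
      <add name="System.Net.Sockets" value="Verbose"/>
    </switches>
    <sharedListeners>
      <!-- Assumed output path; keep it in a directory only the
           account running the application can read. -->
      <add name="System.Net"
           type="System.Diagnostics.TextWriterTraceListener"
           initializeData="network.log"/>
    </sharedListeners>
    <trace autoflush="true"/>
  </system.diagnostics>
</configuration>
```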
+2  A: 

I use smsniff from NIRSOFT. You need to be admin on the machine to sniff any traffic.

http://www.nirsoft.net/utils/smsniff.html

I have never seen .NET used to sniff traffic. But maybe NetMon from Microsoft has a COM interface you can call from .NET.

But as always you need to be admin to sniff traffic, since it is needed to put the NIC in promiscuous mode.

ggonsalv
Getting admin rights shouldn't be an issue since the program I'm working on is primarily for my own use. Well, if someone else would like to have a proggy that traces HTTP requests to specific filetypes and, after finding such a request, offers a way to actually download those files (like videos, mp4, flv) I'm sure I can make it public somewhere down the road. I don't want to go through all the mess of writing a fully functional HTTP proxy, so sniffing is the only alternative.
SeveQ
Try Fiddler as an HTTP debugging proxy. It rulez http://www.fiddler2.com/fiddler2/
ggonsalv
Yes, Fiddler is great. I'm using FiddlerCore to trace the HTTP requests with my application by now. But I'd really like to capture them independently from the proxy settings of the browsers.
SeveQ