I am wondering how Wireshark functions. What would be the design of an application that could listen to the traffic on all ports of a given machine? What is the kind of overhead that such an application generates? What would be a good way to go about writing an app that monitors traffic?

Thanks

A: 

Well for starters you would need to put the NIC into promiscuous mode so that it captures all traffic that it sees. Then you would have to learn how to capture raw Ethernet frames, using a "raw" socket. Finally, all of this would have to be done very efficiently, most likely in C++, so that you would not drop frames.

Michael Goldshteyn
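The three steps in this answer (promiscuous mode, a raw socket, and decoding the frames that come back) in working Linux C. This is an added example, not code from the answerer; it uses the Linux AF_PACKET socket family rather than a portable library, so it is Linux-only and needs CAP_NET_RAW (in practice, root). The interface name `eth0` is an assumed default, and the ARP frame in `sample_frame` is constructed for the demonstration so that the decoder can be exercised without privileges.

```c
/* Minimal Linux packet sniffer: AF_PACKET raw socket + promiscuous mode.
 * Added example, not from the original post. Linux-only; needs CAP_NET_RAW. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>

struct eth_info {
    char src[32];          /* "aa:bb:cc:dd:ee:ff" */
    char dst[32];
    uint16_t ethertype;    /* 0x0800 IPv4, 0x0806 ARP, 0x86dd IPv6, ... */
    size_t payload_len;
};

/* Constructed sample: broadcast ARP frame with a 2-byte dummy payload. */
const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* dst MAC (broadcast) */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* src MAC (made up)   */
    0x08, 0x06,                           /* EtherType = ARP     */
    0xde, 0xad                            /* payload             */
};
const size_t sample_frame_len = sizeof sample_frame;

static void fmt_mac(const uint8_t *m, char *out, size_t n) {
    snprintf(out, n, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Decode the 14-byte Ethernet II header. Returns 0 on success, -1 if the
 * buffer is shorter than a header: a truncated frame must never be parsed
 * as if it were complete. */
int parse_ethernet(const uint8_t *frame, size_t len, struct eth_info *out) {
    if (len < ETH_HLEN) return -1;
    fmt_mac(frame, out->dst, sizeof out->dst);             /* dst comes first */
    fmt_mac(frame + ETH_ALEN, out->src, sizeof out->src);
    out->ethertype = (uint16_t)((frame[12] << 8) | frame[13]); /* network order */
    out->payload_len = len - ETH_HLEN;
    return 0;
}

/* Open a raw socket bound to one interface and enable promiscuous mode so
 * the NIC hands up frames not addressed to it. Returns fd or -1. */
int open_capture_socket(const char *ifname) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;

    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) { close(fd); return -1; }

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }

    struct packet_mreq mr;
    memset(&mr, 0, sizeof mr);
    mr.mr_ifindex = (int)ifindex;
    mr.mr_type = PACKET_MR_PROMISC;
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    struct eth_info info;

    /* Works without privileges: decode the constructed sample frame. */
    if (parse_ethernet(sample_frame, sample_frame_len, &info) == 0)
        printf("sample: %s -> %s type=0x%04x payload=%zu\n",
               info.src, info.dst, info.ethertype, info.payload_len);

    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed default */
    int fd = open_capture_socket(ifname);
    if (fd < 0) { perror("open_capture_socket"); return 1; }

    uint8_t buf[65536];   /* one frame per read; large enough for jumbo frames */
    for (;;) {
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, NULL, NULL);
        if (n < 0) { if (errno == EINTR) continue; perror("recvfrom"); break; }
        if (parse_ethernet(buf, (size_t)n, &info) == 0)
            printf("%s -> %s type=0x%04x payload=%zu\n",
                   info.src, info.dst, info.ethertype, info.payload_len);
    }
    close(fd);
    return 0;
}
```

On the overhead question: every frame on the wire is copied into user space and decoded here, which is where a naive sniffer drops frames under load. Real capture tools (libpcap, and Wireshark on top of it) push a BPF filter into the kernel so uninteresting frames are discarded before the copy, and read from a kernel-shared ring buffer instead of one `recvfrom` per frame.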
+1  A: 

One way would be to use the Windows Filtering Platform (this is for Vista+, but a similar feature was possible in XP; the WFP just makes things easier). The WFP lets you listen to "callouts" in the driver that call your code at various points in the packet-processing stack so that you can capture, filter, and even modify the data as it moves around.

Dean Harding