LSP (Layered Service Provider) based HTTP sniffer

Thursday, 30 June 2011 14:46
This article describes how to create a simple sniffer for monitoring HTTP traffic on Windows. The tool is built on a mechanism documented by Microsoft, the Winsock Layered Service Provider (LSP), for which the Platform SDK ships a sample provider. LSPs are widely used by third-party software, most of it antivirus, firewall and traffic-filtering products. To create this tool I took the Microsoft Platform SDK sample (Program Files\Microsoft Platform SDK\Samples\NetDS\WinSock\LSP\) and added the logic for filtering HTTP traffic and collecting the results in a separate storage. (Note that Microsoft has since deprecated LSPs, starting with Windows 8, in favour of the Windows Filtering Platform; the approach below applies to the Windows versions current when this was written.)

Written by: Petro Vodopyan
Concept

The main idea of the LSP mechanism is to create a new provider that is embedded into the chain of existing providers in the Winsock protocol catalog. During installation of your provider you choose where it sits in the chain, and the catalog is rebuilt according to those settings. In my case the provider is installed only over the standard [TCP/IP] base provider. Be careful when installing a new provider on your physical machine: if the installation fails it can cause a lot of trouble, from loss of network and internet connectivity to crashes of network applications, because the LSP DLL is loaded into every process that uses Winsock. For this reason it is strongly recommended to use a virtual machine to test and debug a provider. An LSP has to implement every function of the Winsock SPI dispatch table (the WSP* functions), forwarding each call to the next provider in the chain. The Platform SDK sample already contains this forwarding logic, so we only have to add the code that intercepts the buffers passed through WSPSend and WSPRecv, filters out the HTTP traffic and saves it to the separate storage. One limitation follows directly from where the LSP sits: it sees the application's send and receive buffers above TCP, so HTTPS traffic appears only as TLS records and cannot be parsed as HTTP by this tool.
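As an added example (not code from the article or from the Platform SDK sample), the following is the portable part of such a sniffer: the HTTP classification, header extraction and storage logic that an overridden WSPSend or WSPRecv would call on each buffer before forwarding the call down the provider chain. The Windows-specific Winsock SPI hooking is not shown. All function and type names here (http_classify, http_parse, http_collect, http_record and the others) are this example's own, and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the article's code: the HTTP filtering that an LSP's
 * WSPSend/WSPRecv override would run on each buffer it sees. */

#define LINE_MAX_LEN 256
#define STORE_MAX    64

typedef struct {
    int  is_request;               /* 1 for a request, 0 for a response */
    char start_line[LINE_MAX_LEN]; /* request line or status line */
    char host[LINE_MAX_LEN];       /* Host header value, empty if absent */
} http_record;

/* The "separate storage": a fixed array of records filled in order. */
static http_record g_store[STORE_MAX];
static size_t      g_store_count = 0;

static const char *const k_methods[] = {
    "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT ", "PATCH "
};

/* 1 if buf starts like an HTTP message (sets *is_request), 0 otherwise
 * (TLS records, body bytes, binary protocols). */
int http_classify(const char *buf, size_t len, int *is_request)
{
    size_t i;
    if (len >= 5 && memcmp(buf, "HTTP/", 5) == 0) { *is_request = 0; return 1; }
    for (i = 0; i < sizeof k_methods / sizeof k_methods[0]; i++) {
        size_t ml = strlen(k_methods[i]);
        if (len >= ml && memcmp(buf, k_methods[i], ml) == 0) { *is_request = 1; return 1; }
    }
    return 0;
}

/* Copy one line (up to CR/LF or len) into dst; return its length in src. */
static size_t copy_line(char *dst, size_t dstsz, const char *src, size_t len)
{
    size_t n = 0, c;
    while (n < len && src[n] != '\r' && src[n] != '\n') n++;
    c = n < dstsz - 1 ? n : dstsz - 1;
    memcpy(dst, src, c);
    dst[c] = '\0';
    return n;
}

/* Case-insensitive prefix test, so "host:", "Host:" and "HOST:" all match. */
static int ieq_prefix(const char *s, size_t len, const char *prefix)
{
    size_t pl = strlen(prefix), i;
    if (len < pl) return 0;
    for (i = 0; i < pl; i++) {
        char a = s[i], b = prefix[i];
        if (a >= 'A' && a <= 'Z') a = (char)(a - 'A' + 'a');
        if (b >= 'A' && b <= 'Z') b = (char)(b - 'A' + 'a');
        if (a != b) return 0;
    }
    return 1;
}

/* Fill rec from the start line and Host header. Scanning stops at the blank
 * line that ends the headers, so body bytes are never inspected. Returns 1
 * if buf is HTTP, 0 if it should be ignored. Caveat: one send/recv buffer
 * may hold only part of the header block; a real sniffer must reassemble
 * per socket, which this example does not do. */
int http_parse(const char *buf, size_t len, http_record *rec)
{
    size_t pos;
    memset(rec, 0, sizeof *rec);
    if (!http_classify(buf, len, &rec->is_request)) return 0;
    pos = copy_line(rec->start_line, sizeof rec->start_line, buf, len);
    while (pos < len) {
        size_t n = 0;
        if (buf[pos] == '\r') pos++;                 /* skip the line ending */
        if (pos < len && buf[pos] == '\n') pos++;
        if (pos >= len || buf[pos] == '\r' || buf[pos] == '\n') break; /* end of headers */
        while (pos + n < len && buf[pos + n] != '\r' && buf[pos + n] != '\n') n++;
        if (ieq_prefix(buf + pos, n, "host:")) {
            size_t v = 5;
            while (v < n && (buf[pos + v] == ' ' || buf[pos + v] == '\t')) v++;
            copy_line(rec->host, sizeof rec->host, buf + pos + v, n - v);
        }
        pos += n;
    }
    return 1;
}

/* Entry point the WSPSend/WSPRecv override would call; returns the number
 * of stored records after this buffer has been processed. */
size_t http_collect(const char *buf, size_t len)
{
    http_record rec;
    if (g_store_count < STORE_MAX && http_parse(buf, len, &rec))
        g_store[g_store_count++] = rec;
    return g_store_count;
}

const http_record *http_store_get(size_t i)
{
    return i < g_store_count ? &g_store[i] : NULL;
}

/* Feed three constructed buffers (request, response, TLS ClientHello bytes)
 * through the filter and return how many were stored. */
size_t run_sample(void)
{
    const char req[] = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n";
    const char rsp[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
    const char tls[] = "\x16\x03\x01\x00\x05junk";
    http_collect(req, sizeof req - 1);
    http_collect(rsp, sizeof rsp - 1);
    http_collect(tls, sizeof tls - 1);
    return g_store_count;
}

int main(void)
{
    size_t i, n = run_sample();
    for (i = 0; i < n; i++)
        printf("%s | %s | host=%s\n", g_store[i].is_request ? "REQ" : "RSP",
               g_store[i].start_line, g_store[i].host);
    return 0;
}
```

The TLS buffer is dropped by http_classify, which is exactly what an LSP positioned over TCP/IP sees for HTTPS connections. In the real provider, http_collect would be called from the WSPSend and WSPRecv overrides with the caller's WSABUF data, and the storage would need locking, since those functions run on whatever thread the hooked application uses.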