home *** CD-ROM | disk | FTP | other *** search
- WSOCK32 Winsock Spy Facility
- Version .90 By Walt Howard
- April 7, 1996
- Email: walth@netcom.com
-
- WSOCK32 spy is a personal tool I am making available free to WINSOCK
- programmers worldwide. I would appreciate bug reports and feedback to
- make it the best product possible. I will make source code available
- once I'm sure it is of high enough quality.
-
- QUICK SETUP
- -----------
-
- 0) WSOCK32 only monitors 32 bit, Windows 95 applications. It will
- definitely NOT work with 16bit WINSOCK apps, and though I haven't tried
- it, I highly doubt it will work with Win32s, or NT.
-
- 1) Copy this special, spy enabled WSOCK32.DLL to the directory where the
- EXE file you want to spy on resides.
-
- 2) Set the following environment variables:
-
- SET WSOCK_LOG=LOG
- SET WSOCK_FLAGS=s
-
- 3) Normally windows installs the standard WSOCK32.DLL at
- C:\WINDOWS\SYSTEM\WSOCK32.DLL. If your setup is different, set the
- following environment variable to where your standard WSOCK32.DLL DOES
- exist:
-
- SET WSOCK_PATH=<the full path to your WSOCK32.DLL>
-
- 4) Execute your WINSOCK app
-
- 5) You should get a message box notifying you that logging is on.
-
- 6) Exit your WINSOCK app
-
- 7) Look for a file called LOG.xxx where xxx is a 3 digit hex
- number.
-
- 8) That file will contain the log of your winsock session. Treasure it
- for all time.
-
- WHY WSOCK32
- -----------
-
- While getting familiar with the WINSOCK API is not trivial, it is easy
- when compared to learning the myriad protocols built on top of it like
- SMTP, POP3, NNTP, FTP, TELNET, NFS, NTP, etc.
-
- The RFC ( Request for Clarification?) documents the govern the standards
- are complete, but too complete for a beginner. Without experience it is
- difficult to tell what parts of a protocol are important, and what are
- not.
-
- WSOCK32 lets you spy on professional WINSOCK apps and shows you exactly
- what some of the best programmers in the world are doing with WINSOCK.
- You will VERY rapidly cut right to the chase and see exactly how NNTP,
- SMPT, TELNET and FTP among others, work.
-
- It will also aid you in debugging your own apps.
-
- WSOCK32 is NOT a full debugger. It is merely a way to jump start your
- WINSOCK programming months or years ahead.
-
- HOW IT WORKS
- ------------
-
- WSOCK32.DLL is a dll that "slips between" your 32 bit, WINDOWS 95
- application and the REAL WSOCK32.DLL. WSOCK32.DLL spy intercepts the
- calls to Winsock and outputs trace information that tells you each
- WINSOCK call made and some relevant information about it. WSOCK32 does
- NOT work with old 16 bit Winsock. It doesn't interfere. It just doesn't
- even know that kind of app is running because it is tracing the
- WSOCK32.DLL, NOT the WINSOCK.DLL.
-
- To use WSOCK32, place it in the directory that contains the executeable
- you want to trace. The point being that you want that program to load
- THIS WSOCK.DLL before finding the standard WSOCK32.DLL
-
- OPTIONS
- -------
-
- Since WSOCK32 is a DLL, there is no way to control it via command line
- options. Control is facilitated by the use of environment variables.
-
- Before executing the program you want to trace, you must set one or more
- of the following environment variables.
-
- WSOCK_LOG=<logfile>
- -------------------
-
- IMPORTANT!!! This is a MANDATORY option. Without it, WSOCK32 will NOT
- output any debug information. This is the switch that turns logging on.
-
- Whatever value you give, WSOCK32 will construct a log file by appending
- 3 digits of the process id of the process you are tracing.
-
- EXAMPLE:
-
- SET WSOCK_LOG=C:\TRACE\LOG will place logging information into files
- in the C:\TRACE directory, and they will all be LOG.* such as LOG.34a,
- LOG.F1C, etc.
-
- If you need to watch the trace output in realtime you will need to get
- the WSOCK32 PRO PACKAGE (which I just thought of this minute so don't hold
- your breath). In the meantime you have several options. The DOS "type"
- command will dump the contents of the trace file, even though it is open
- for write. You can view it that way, or copy it to another file like this:
- "type LOG.34b >savefile".
-
- The UNIX tail command will continuously read a file and keep dumping it
- to the screen as it is growing. Use the -f option i.e. tail -f LOG.43a
- If you don't know UNIX you might want to start getting familiar with it
- as a large percentage of your interaction with WINSOCK might end up
- being with UNIX TCPIP programs.
-
- WSOCK_FLAGS=<single character options>
- --------------------------------------
-
- This is a string of single, lower case characters, that modify some
- aspect of WSOCK32 behavior. You would specify it like this:
-
- SET WSOCK_FLAGS=sfd
-
- f = Flush trace information immediately, don't buffer.
- d = NoData. Don't show the data stream, just the WINSOCK calls
- s = Show source of data stream for send/recv/sendto/recvfrom calls
- i = Log inbound data only
- o = Log outbound data only
- q = Suppress notification message box
- n = No binary data. Don't show non alphanumeric bytes
-
- Unless the n option is set, WSOCK32 shows unprintable characters as
- their hex value, preceeded by a # sign. For example, #ff would be 0xff.
- I used the # because both 0x and \x (the normal C hex signifiers) each
- have two characters; very bothersome when you have pages and pages of
- hex ouput.
-
- WSOCK_PATH=<path of REAL wsock32.dll>
- -------------------------------------
-
- WSOCK32 traps your API calls, outputs information about them, then relays
- them to the REAL WSOCK32.DLL. It uses LoadLibrary to load the REAL
- WSOCK32.DLL. By default, it will load C:\WINDOWS\SYSTEM\WSOCK32. If your
- REAL WSOCK32.DLL is in a different directory than that, you need to set
- this environment variable to its full pathname.
-
- TRACE FILE
- ----------
- The trace file WSOCK32 creates shows each WSOCK32.DLL function call
- with a little relevant information. Calls appear in square brackets
- [] with socket number, :, callname, information and (return code). Like
- this:
-
- [SOCKET:FUNCTIONNAME: data (RETURN VALUE)]
-
- or an example:
-
- [8:connect: 204.236.30.2.119 (-1)]
- ^ ^ ^ ^
- | | Information Return Value
- | Function Name
- Socket Handle
-
- Here is an example of a trace of AGENT, a popular WINSOCK mail reader,
- doing its thing. (My notes are in ANGLE BRACKETS <> and would not appear
- in a normal trace)
- ---------------------------------------------------------------------
-
- [WSAStartup (0)] <WSAStartup gets called, return value 0>
-
- [socket: 7] <the socket call allocated socket number 7>
-
- [7:setsockopt (0)] <set socket options of socket 7 >
-
- [getservbyname] <standard stuff, etc>
-
- [socket: 8]
-
- [8:setsockopt (0)]
-
- [inet_addr: news.alt.net (0xffffffff)] <???? I don't know>
-
- [WSAAsyncGetHostByName: news.alt.net] <attempt to get ip address>
-
- [8:WSAAsyncSelect: HWND:78c msg:1037 mask:59 (0)]
-
- <VERY import WINSOCK function so I display ALL
- the parameters>
-
- [8:connect: 204.236.30.2.119 (-1)]
-
- <connect return a -1, a fail>
-
- [WSAGetLastError: (10035)]
-
- [getservbyname]
-
- [socket: 15]
-
- [15:setsockopt (0)]
-
- [inet_addr: netcom.com (0xffffffff)]
-
- [WSAAsyncGetHostByName: netcom.com]
-
- [WSAGetLastError: (10035)]
-
- [8:recv]<-200 Mail info@alt.net for info about $5/month NNTP access (posting ok).
-
-
- <we just contacted the news server, now it gets interesting>
-
- [8:send]->MODE READER
-
- <hmmm! interesting NNTP command>
-
- [WSAGetLastError: (10035)]
-
- [15:WSAAsyncSelect: HWND:78c msg:1037 mask:59 (0)]
-
- [15:connect: 192.100.81.100.110 (-1)]
-
- [WSAGetLastError: (10035)]
-
- [WSAIsBlocking (false)]
-
- [8:recv]<-200 news.alt.net InterNetNews NNRP server INN 1.4unoff2 7-Aug-95 ready (posting ok).
-
-
- [8:send]->AUTHINFO USER hoser <log into the NNTP server>
-
- [WSAGetLastError: (10035)]
-
- [WSAGetLastError: (10035)]
-
- [WSAIsBlocking (false)]
-
- [WSAIsBlocking (false)]
-
- [8:recv]<-381 PASS required
-
- [8:send]->AUTHINFO PASS bozo <give it a password>
-
- [WSAGetLastError: (10035)]
-
- [15:recv]<-+OK UCB Pop server (version 1.831beta) at netcom starting.
-
- <log into a POP server>
-
- [15:send]->USER yomomma
-
- [WSAGetLastError: (10035)]
-
- [8:recv]<-281 Ok
-
- [8:send]->GROUP alt.bite.me
-
- [WSAGetLastError: (10035)]
-
- [15:recv]<-+OK Password required for yomomma
-
- [15:send]->PASS YoMommabeaho
-
- [WSAGetLastError: (10035)]
-
- [WSAIsBlocking (false)]
-
- [WSAIsBlocking (false)]
-
- [15:recv]<-+OK yomomma has 0 message(s) (0 octets).
-
- BUGS
- ----
-
- For some reason PING will not work using this DLL.
-
- I have not done extensive testing at all with this as I don't use ALL
- the WINSOCK functions. Please be sure to send me notification of any
- problems with enough info to allow me to reproduce the problem.
-
- Walt Howard
- Email: walth@netcom.com
-
-