Monster Media 1996 #15

home *** CD-ROM | disk | FTP | other *** search

/ Monster Media 1996 #15 / Monster Media Number 15 (Monster Media)(July 1996).ISO / internet / wsockspy.zip / WSOCK32.DOC < prev

Wrap

Text File | 1996-04-12 | 9KB | 256 lines

WSOCK32 Winsock Spy Facility Version .91 By Walt Howard April 12, 1996 Email: walth@netcom.com WSOCK32 spy is a personal tool I am making available free to WINSOCK programmers worldwide. I would appreciate bug reports and feedback to make it the best product possible. I will make source code available once I'm sure it is of high enough quality. QUICK SETUP ----------- 0) WSOCK32 only monitors 32 bit, Windows 95 applications. It will definitely NOT work with 16bit WINSOCK apps, and though I haven't tried it, I highly doubt it will work with Win32s, or NT. 1) Copy this special, spy enabled WSOCK32.DLL to the directory where the EXE file you want to spy on resides. 2) Set the following environment variables: SET WSOCK_LOG=LOG SET WSOCK_FLAGS=s 3) Normally windows installs the standard WSOCK32.DLL at C:\WINDOWS\SYSTEM\WSOCK32.DLL. If your setup is different, set the following environment variable to where your standard WSOCK32.DLL DOES exist: SET WSOCK_PATH=<the full path to your WSOCK32.DLL> 4) Execute your WINSOCK app 5) You should get a message box notifying you that logging is on. 6) Exit your WINSOCK app 7) Look for a file called LOG.xxx where xxx is a 3 digit hex number. 8) That file will contain the log of your winsock session. Treasure it for all time. WHY WSOCK32 ----------- While getting familiar with the WINSOCK API is not trivial, it is easy when compared to learning the myriad protocols built on top of it like SMTP, POP3, NNTP, FTP, TELNET, NFS, NTP, etc. The RFC ( Request for Clarification?) documents the govern the standards are complete, but too complete for a beginner. Without experience it is difficult to tell what parts of a protocol are important, and what are not. WSOCK32 lets you spy on professional WINSOCK apps and shows you exactly what some of the best programmers in the world are doing with WINSOCK. You will VERY rapidly cut right to the chase and see exactly how NNTP, SMPT, TELNET and FTP among others, work. It will also aid you in debugging your own apps. WSOCK32 is NOT a full debugger. It is merely a way to jump start your WINSOCK programming months or years ahead. HOW IT WORKS ------------ WSOCK32.DLL is a dll that "slips between" your 32 bit, WINDOWS 95 application and the REAL WSOCK32.DLL. WSOCK32.DLL spy intercepts the calls to Winsock and outputs trace information that tells you each WINSOCK call made and some relevant information about it. WSOCK32 does NOT work with old 16 bit Winsock. It doesn't interfere. It just doesn't even know that kind of app is running because it is tracing the WSOCK32.DLL, NOT the WINSOCK.DLL. To use WSOCK32, place it in the directory that contains the executeable you want to trace. The point being that you want that program to load THIS WSOCK.DLL before finding the standard WSOCK32.DLL OPTIONS ------- Since WSOCK32 is a DLL, there is no way to control it via command line options. Control is facilitated by the use of environment variables. Before executing the program you want to trace, you must set one or more of the following environment variables. WSOCK_LOG=<logfile> ------------------- IMPORTANT!!! This is a MANDATORY option. Without it, WSOCK32 will NOT output any debug information. This is the switch that turns logging on. Whatever value you give, WSOCK32 will construct a log file by appending 3 digits of the process id of the process you are tracing. EXAMPLE: SET WSOCK_LOG=C:\TRACE\LOG will place logging information into files in the C:\TRACE directory, and they will all be LOG.* such as LOG.34a, LOG.F1C, etc. If you need to watch the trace output in realtime you will need to get the WSOCK32 PRO PACKAGE (which I just thought of this minute so don't hold your breath). In the meantime you have several options. The DOS "type" command will dump the contents of the trace file, even though it is open for write. You can view it that way, or copy it to another file like this: "type LOG.34b >savefile". The UNIX tail command will continuously read a file and keep dumping it to the screen as it is growing. Use the -f option i.e. tail -f LOG.43a If you don't know UNIX you might want to start getting familiar with it as a large percentage of your interaction with WINSOCK might end up being with UNIX TCPIP programs. WSOCK_FLAGS=<single character options> -------------------------------------- This is a string of single, lower case characters, that modify some aspect of WSOCK32 behavior. You would specify it like this: SET WSOCK_FLAGS=sfdt f = Flush trace information immediately, don't buffer. d = NoData. Don't show the data stream, just the WINSOCK calls s = Show source of data stream for send/recv/sendto/recvfrom calls i = Log inbound data only o = Log outbound data only q = Suppress notification message box n = No binary data. Don't show non alphanumeric bytes t = Display Timing Marks (millisecond resolution) h = Display High Resolution Timing Marks (microsecond resolution) Unless the "n" option is set, WSOCK32 shows unprintable characters as their hex value, preceeded by a # sign. For example, #ff would be 0xff. I used the # because both 0x and \x (the normal C hex signifiers) each have two characters; very bothersome when you have pages and pages of hex ouput. Timing marks appear between brackets with "ms" for milliseconds and "u" for microseconds: <3978087ms> <8682674566u> If the "n" option is set, binary data is just summarized between { and }. If 16 unprintable characters came through, it would print as {16}. WSOCK_PATH=<path of REAL wsock32.dll> ------------------------------------- WSOCK32 traps your API calls, outputs information about them, then relays them to the REAL WSOCK32.DLL. It uses LoadLibrary to load the REAL WSOCK32.DLL. By default, it will load C:\WINDOWS\SYSTEM\WSOCK32. If your REAL WSOCK32.DLL is in a different directory than that, you need to set this environment variable to its full pathname. TRACE FILE ---------- The trace file WSOCK32 creates shows each WSOCK32.DLL function call with a little relevant information. Calls appear in square brackets [] with socket number, :, callname, information and (return code). Like this: [SOCKET:FUNCTIONNAME: data (RETURN VALUE)] or an example: [8:connect: 204.236.30.2.119 (-1)] ^ ^ ^ ^ | | Information Return Value | Function Name Socket Handle Here is an example of a trace of AGENT, a popular WINSOCK mail reader, doing its thing. (My notes are in PARENTHESES () and would not appear in a normal trace) --------------------------------------------------------------------- [WSAStartup (0)] (WSAStartup gets called, return value 0) [socket: 7] (the socket call allocated socket number 7) [7:setsockopt (0)] (set socket options of socket 7 ) [getservbyname] (standard stuff, etc) [socket: 8] [8:setsockopt (0)] [inet_addr: news.alt.net (0xffffffff)] (???? I don't know) [WSAAsyncGetHostByName: news.alt.net] (attempt to get ip address) [8:WSAAsyncSelect: HWND:78c msg:1037 mask:59 (0)] (VERY import WINSOCK function so I display ALL the parameters) [8:connect: 204.236.30.2.119 (-1)] (connect return a -1, a fail) [WSAGetLastError: (10035)] [getservbyname] [socket: 15] [15:setsockopt (0)] [inet_addr: netcom.com (0xffffffff)] [WSAAsyncGetHostByName: netcom.com] [WSAGetLastError: (10035)] [8:recv]<-200 Mail info@alt.net for info about $5/month NNTP access (posting ok). (we just contacted the news server, now it gets interesting) [8:send]->MODE READER (hmmm! interesting NNTP command) [WSAGetLastError: (10035)] [15:WSAAsyncSelect: HWND:78c msg:1037 mask:59 (0)] [15:connect: 192.100.81.100.110 (-1)] [WSAGetLastError: (10035)] [WSAIsBlocking (false)] [8:recv]<-200 news.alt.net InterNetNews NNRP server INN 1.4unoff2 7-Aug-95 ready (posting ok). [8:send]->AUTHINFO USER hoser (log into the NNTP server) [WSAGetLastError: (10035)] [WSAGetLastError: (10035)] [WSAIsBlocking (false)] [WSAIsBlocking (false)] [8:recv]<-381 PASS required [8:send]->AUTHINFO PASS bozo (give it a password) [WSAGetLastError: (10035)] [15:recv]<-+OK UCB Pop server (version 1.831beta) at netcom starting. (log into a POP server) [15:send]->USER yomomma [WSAGetLastError: (10035)] [8:recv]<-281 Ok [8:send]->GROUP alt.bite.me [WSAGetLastError: (10035)] [15:recv]<-+OK Password required for yomomma [15:send]->PASS YoMommabeaho [WSAGetLastError: (10035)] [WSAIsBlocking (false)] [WSAIsBlocking (false)] [15:recv]<-+OK yomomma has 0 message(s) (0 octets). DEVELOPER NOTES --------------- As I've delivered it, the compilation will result in 15 warnings about the return types being different levels of indirection. That is OK. This is not a problem. It is because the return value of GetProcAddress is a FARPROC and manually casting it to the proper value negates the value of the generic macro DYNAPROC. BUGS ---- For some reason PING will not work using this DLL. I have not done extensive testing at all with this as I don't use ALL the WINSOCK functions. Please be sure to send me notification of any problems with enough info to allow me to reproduce the problem. Walt Howard Email: walth@netcom.com