home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Monster Media 1996 #15
/
Monster Media Number 15 (Monster Media)(July 1996).ISO
/
internet
/
wsockspy.zip
/
WSOCK32.DOC
< prev
Wrap
Text File
|
1996-04-12
|
9KB
|
256 lines
WSOCK32 Winsock Spy Facility
Version .91 By Walt Howard
April 12, 1996
Email: walth@netcom.com
WSOCK32 spy is a personal tool I am making available free to WINSOCK
programmers worldwide. I would appreciate bug reports and feedback to
make it the best product possible. I will make source code available
once I'm sure it is of high enough quality.
QUICK SETUP
-----------
0) WSOCK32 only monitors 32 bit, Windows 95 applications. It will
definitely NOT work with 16bit WINSOCK apps, and though I haven't tried
it, I highly doubt it will work with Win32s, or NT.
1) Copy this special, spy enabled WSOCK32.DLL to the directory where the
EXE file you want to spy on resides.
2) Set the following environment variables:
SET WSOCK_LOG=LOG
SET WSOCK_FLAGS=s
3) Normally windows installs the standard WSOCK32.DLL at
C:\WINDOWS\SYSTEM\WSOCK32.DLL. If your setup is different, set the
following environment variable to where your standard WSOCK32.DLL DOES
exist:
SET WSOCK_PATH=<the full path to your WSOCK32.DLL>
4) Execute your WINSOCK app
5) You should get a message box notifying you that logging is on.
6) Exit your WINSOCK app
7) Look for a file called LOG.xxx where xxx is a 3 digit hex
number.
8) That file will contain the log of your winsock session. Treasure it
for all time.
WHY WSOCK32
-----------
While getting familiar with the WINSOCK API is not trivial, it is easy
when compared to learning the myriad protocols built on top of it like
SMTP, POP3, NNTP, FTP, TELNET, NFS, NTP, etc.
The RFC ( Request for Clarification?) documents the govern the standards
are complete, but too complete for a beginner. Without experience it is
difficult to tell what parts of a protocol are important, and what are
not.
WSOCK32 lets you spy on professional WINSOCK apps and shows you exactly
what some of the best programmers in the world are doing with WINSOCK.
You will VERY rapidly cut right to the chase and see exactly how NNTP,
SMPT, TELNET and FTP among others, work.
It will also aid you in debugging your own apps.
WSOCK32 is NOT a full debugger. It is merely a way to jump start your
WINSOCK programming months or years ahead.
HOW IT WORKS
------------
WSOCK32.DLL is a dll that "slips between" your 32 bit, WINDOWS 95
application and the REAL WSOCK32.DLL. WSOCK32.DLL spy intercepts the
calls to Winsock and outputs trace information that tells you each
WINSOCK call made and some relevant information about it. WSOCK32 does
NOT work with old 16 bit Winsock. It doesn't interfere. It just doesn't
even know that kind of app is running because it is tracing the
WSOCK32.DLL, NOT the WINSOCK.DLL.
To use WSOCK32, place it in the directory that contains the executeable
you want to trace. The point being that you want that program to load
THIS WSOCK.DLL before finding the standard WSOCK32.DLL
OPTIONS
-------
Since WSOCK32 is a DLL, there is no way to control it via command line
options. Control is facilitated by the use of environment variables.
Before executing the program you want to trace, you must set one or more
of the following environment variables.
WSOCK_LOG=<logfile>
-------------------
IMPORTANT!!! This is a MANDATORY option. Without it, WSOCK32 will NOT
output any debug information. This is the switch that turns logging on.
Whatever value you give, WSOCK32 will construct a log file by appending
3 digits of the process id of the process you are tracing.
EXAMPLE:
SET WSOCK_LOG=C:\TRACE\LOG will place logging information into files
in the C:\TRACE directory, and they will all be LOG.* such as LOG.34a,
LOG.F1C, etc.
If you need to watch the trace output in realtime you will need to get
the WSOCK32 PRO PACKAGE (which I just thought of this minute so don't hold
your breath). In the meantime you have several options. The DOS "type"
command will dump the contents of the trace file, even though it is open
for write. You can view it that way, or copy it to another file like this:
"type LOG.34b >savefile".
The UNIX tail command will continuously read a file and keep dumping it
to the screen as it is growing. Use the -f option i.e. tail -f LOG.43a
If you don't know UNIX you might want to start getting familiar with it
as a large percentage of your interaction with WINSOCK might end up
being with UNIX TCPIP programs.
WSOCK_FLAGS=<single character options>
--------------------------------------
This is a string of single, lower case characters, that modify some
aspect of WSOCK32 behavior. You would specify it like this:
SET WSOCK_FLAGS=sfdt
f = Flush trace information immediately, don't buffer.
d = NoData. Don't show the data stream, just the WINSOCK calls
s = Show source of data stream for send/recv/sendto/recvfrom calls
i = Log inbound data only
o = Log outbound data only
q = Suppress notification message box
n = No binary data. Don't show non alphanumeric bytes
t = Display Timing Marks (millisecond resolution)
h = Display High Resolution Timing Marks (microsecond resolution)
Unless the "n" option is set, WSOCK32 shows unprintable characters as
their hex value, preceeded by a # sign. For example, #ff would be 0xff.
I used the # because both 0x and \x (the normal C hex signifiers) each
have two characters; very bothersome when you have pages and pages of
hex ouput.
Timing marks appear between brackets with "ms" for milliseconds and "u"
for microseconds:
<3978087ms>
<8682674566u>
If the "n" option is set, binary data is just summarized between { and
}. If 16 unprintable characters came through, it would print as {16}.
WSOCK_PATH=<path of REAL wsock32.dll>
-------------------------------------
WSOCK32 traps your API calls, outputs information about them, then relays
them to the REAL WSOCK32.DLL. It uses LoadLibrary to load the REAL
WSOCK32.DLL. By default, it will load C:\WINDOWS\SYSTEM\WSOCK32. If your
REAL WSOCK32.DLL is in a different directory than that, you need to set
this environment variable to its full pathname.
TRACE FILE
----------
The trace file WSOCK32 creates shows each WSOCK32.DLL function call
with a little relevant information. Calls appear in square brackets
[] with socket number, :, callname, information and (return code). Like
this:
[SOCKET:FUNCTIONNAME: data (RETURN VALUE)]
or an example:
[8:connect: 204.236.30.2.119 (-1)]
^ ^ ^ ^
| | Information Return Value
| Function Name
Socket Handle
Here is an example of a trace of AGENT, a popular WINSOCK mail reader,
doing its thing. (My notes are in PARENTHESES () and would not appear
in a normal trace)
---------------------------------------------------------------------
[WSAStartup (0)] (WSAStartup gets called, return value 0)
[socket: 7] (the socket call allocated socket number 7)
[7:setsockopt (0)] (set socket options of socket 7 )
[getservbyname] (standard stuff, etc)
[socket: 8]
[8:setsockopt (0)]
[inet_addr: news.alt.net (0xffffffff)] (???? I don't know)
[WSAAsyncGetHostByName: news.alt.net] (attempt to get ip address)
[8:WSAAsyncSelect: HWND:78c msg:1037 mask:59 (0)]
(VERY import WINSOCK function so I display ALL
the parameters)
[8:connect: 204.236.30.2.119 (-1)]
(connect return a -1, a fail)
[WSAGetLastError: (10035)]
[getservbyname]
[socket: 15]
[15:setsockopt (0)]
[inet_addr: netcom.com (0xffffffff)]
[WSAAsyncGetHostByName: netcom.com]
[WSAGetLastError: (10035)]
[8:recv]<-200 Mail info@alt.net for info about $5/month NNTP access (posting ok).
(we just contacted the news server, now it gets interesting)
[8:send]->MODE READER
(hmmm! interesting NNTP command)
[WSAGetLastError: (10035)]
[15:WSAAsyncSelect: HWND:78c msg:1037 mask:59 (0)]
[15:connect: 192.100.81.100.110 (-1)]
[WSAGetLastError: (10035)]
[WSAIsBlocking (false)]
[8:recv]<-200 news.alt.net InterNetNews NNRP server INN 1.4unoff2 7-Aug-95 ready (posting ok).
[8:send]->AUTHINFO USER hoser (log into the NNTP server)
[WSAGetLastError: (10035)]
[WSAGetLastError: (10035)]
[WSAIsBlocking (false)]
[WSAIsBlocking (false)]
[8:recv]<-381 PASS required
[8:send]->AUTHINFO PASS bozo (give it a password)
[WSAGetLastError: (10035)]
[15:recv]<-+OK UCB Pop server (version 1.831beta) at netcom starting.
(log into a POP server)
[15:send]->USER yomomma
[WSAGetLastError: (10035)]
[8:recv]<-281 Ok
[8:send]->GROUP alt.bite.me
[WSAGetLastError: (10035)]
[15:recv]<-+OK Password required for yomomma
[15:send]->PASS YoMommabeaho
[WSAGetLastError: (10035)]
[WSAIsBlocking (false)]
[WSAIsBlocking (false)]
[15:recv]<-+OK yomomma has 0 message(s) (0 octets).
DEVELOPER NOTES
---------------
As I've delivered it, the compilation will result in 15 warnings about
the return types being different levels of indirection. That is OK. This
is not a problem. It is because the return value of GetProcAddress is a
FARPROC and manually casting it to the proper value negates the value of
the generic macro DYNAPROC.
BUGS
----
For some reason PING will not work using this DLL.
I have not done extensive testing at all with this as I don't use ALL
the WINSOCK functions. Please be sure to send me notification of any
problems with enough info to allow me to reproduce the problem.
Walt Howard
Email: walth@netcom.com