Are there plans to fix the current raw sockets sniffing problems in Windows?
I'm planning to build an application that will monitor network traffic by using raw sockets (by using SocketType.Raw and IOControlCode.ReceiveAll), but I've noticed that the support for socket sniffing is really lacking in Vista and Win7. I can see a point in limiting the possibility to send packets using raw sockets for security reasons, but I don't see any legitimate reason for preventing applications from receiving packets using raw sockets.

I've done some tests with a couple of network monitoring tools that can sniff traffic with raw sockets. I'm able to properly sniff traffic in Windows XP (SP3) with NetworkMiner ( http://www.netresec.com/?page=NetworkMiner ) and Nirsoft's SmSniff. Both applications are able to capture both sent and received traffic for TCP, UDP and ICMP when using raw sockets. But it seems as if it is impossible to sniff incoming TCP traffic in Windows 7. Vista (SP1) additionally doesn't seem to capture any outgoing traffic when using raw sockets.

I haven't been able to find any official statement from Microsoft on this issue. Are there any plans to fix this broken functionality in Windows Vista and Win7 in future Service Pack releases? Or are there any workarounds that make it possible to sniff incoming and outgoing traffic with Win7 and Vista?
February 17th, 2011 6:00pm

Google smartpcap. It works great for low-level packet monitoring. Yes, you should be able to do it in .NET as you describe, but my experience mimics yours -- very unpredictable results.
February 22nd, 2011 7:32pm

Hi,

This was done primarily to block malware from using raw sockets in nefarious ways. The following article mentions that:

"This change was made to limit the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets (TCP/IP packets with a forged source IP address)."

TCP/IP Raw Sockets (Windows)

Alex Zhao
February 22nd, 2011 8:42pm

Alex,

The text you are referring to is ONLY about sending packets with raw sockets. The sentences before the one you quoted say: "the ability to send traffic over raw sockets has been restricted in several ways:" and "UDP datagrams with an invalid source address cannot be sent over raw sockets."

I have not been able to find any documentation that claims that there should be any limitations in Vista and Win7 when it comes to sniffing traffic with raw sockets. The raw sockets implementation for WinXP SP3 works just fine when sniffing with SocketType.Raw (SOCK_RAW) and IOControlCode.ReceiveAll (SIO_RCVALL), but is obviously broken in newer OSes.

I therefore hope and suggest that Microsoft will do one of the following:

- Fix this bug and release a patch/service pack, OR
- Publicly announce that sniffing with raw sockets is no longer supported in OSes newer than XP SP3.

There are currently several products available that make use of raw sockets to provide network monitoring functionality; the current flaw in Vista and Win7 cripples these applications for no good reason!
February 24th, 2011 2:30pm
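The capture setup that the question and the follow-up above describe (SocketType.Raw plus IOControlCode.ReceiveAll, i.e. SOCK_RAW with SIO_RCVALL) is shown below in Python rather than .NET, together with the check a tester would actually want: bucket every captured IPv4 packet by direction (incoming, outgoing) and protocol (TCP, UDP, ICMP) relative to the local address, then list the buckets that stayed empty, which is exactly the symptom reported for Win7 (no incoming TCP) and Vista (no outgoing traffic). This is an added example, not code from the original posts or from NetworkMiner or SmSniff. It assumes Windows with administrator rights for the live capture (Python's socket module exposes SIO_RCVALL and RCVALL_ON/RCVALL_OFF only on Windows); the parser and tally functions run anywhere, and the packets in the usage below are constructed, not captured. The header checksum is not validated, and the local IP passed on the command line is assumed to be the address of the interface being sniffed.

```python
"""Raw-socket sniffing check for Windows (SIO_RCVALL), with an offline
IPv4 parser and per-direction/protocol tally. Added example; not from the thread."""
import socket
import struct
import sys
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; raise ValueError on malformed input.
    Options (IHL > 5) are skipped so 'payload' starts at the transport header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "payload": packet[ihl:],
    }


def direction(hdr: dict, local_ip: str) -> str:
    """Classify a parsed header as 'in', 'out' or 'other' relative to local_ip."""
    if hdr["dst"] == local_ip:
        return "in"
    if hdr["src"] == local_ip:
        return "out"
    return "other"


def tally(packets, local_ip: str) -> Counter:
    """Count packets per (direction, protocol); unparseable input lands in ('bad', '?')."""
    counts = Counter()
    for pkt in packets:
        try:
            hdr = parse_ipv4(pkt)
        except ValueError:
            counts[("bad", "?")] += 1
            continue
        counts[(direction(hdr, local_ip), hdr["proto"])] += 1
    return counts


def missing_buckets(counts: Counter) -> list:
    """Buckets a healthy raw-socket capture should fill but which stayed empty."""
    expected = [(d, p) for d in ("in", "out") for p in ("TCP", "UDP", "ICMP")]
    return [b for b in expected if counts[b] == 0]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet for offline testing; checksum left at zero."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def sniff(local_ip: str, count: int = 200) -> list:
    """Windows only, needs admin: SOCK_RAW bound to local_ip with SIO_RCVALL on,
    the equivalent of .NET's SocketType.Raw + IOControlCode.ReceiveAll."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((local_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)   # promiscuous-style receive of all IP
    pkts = []
    try:
        for _ in range(count):
            pkts.append(s.recvfrom(65535)[0])
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()
    return pkts


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("SIO_RCVALL is Windows-only; run the offline tally instead")
    ip = sys.argv[1] if len(sys.argv) > 1 else socket.gethostbyname(socket.gethostname())
    counts = tally(sniff(ip), ip)
    for bucket, n in sorted(counts.items()):
        print(bucket, n)
    print("empty buckets:", missing_buckets(counts))
```

Run it as administrator on the affected machine while generating mixed traffic (a browser page load, a ping, a DNS lookup) and compare the empty-bucket list across XP SP3, Vista and Win7; an empty ("in", "TCP") on Win7 with the same workload that fills it on XP reproduces the problem described above without depending on any third-party tool.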

Hi,

Thanks for your feedback. I will send your suggestion to our feedback team. If this is useful for users, hopefully this can be adjusted in the future. Thanks again for your effort. Have a nice day.

Alex Zhao
February 27th, 2011 8:58pm

