Windows 10: How to get the IPv6 headers on Windows using raw-socket ?

I would like to implement a sniffer for incident response and forensic investigations, to sniff the traffic and identifying malicious packets and C2 C&C -Command and Control IP.In incident response i can't install npcap/winpcap or other librairies detected by antivirus softwares and i should use the faster way to sniff the local traffic. So i would like to develop a simple CLI sniffer it must be launched on Windows core servers in a simple executable file to copy/paste it on the server and launch it with admin privileges.Context example: a ransomware is running o

:)

 

Setting SIO_RCVALL option for windows kernel socket

I am developing a kernel driver to capture icmp router advertisement message. Following are the steps :

1. Create a raw socket using WskSocket: CreateSocket(AF_INET, SOCK_RAW, IPPROTO_IP, WSK_FLAG_DATAGRAM_SOCKET);

2. Bind it to a specific interface and port 0

3. Invoke Receive from

I read online that for raw sockets to sniff all IP packets we need to set IOCTL SIO_RCVALL. However I didn't find an equivalent option in Winsock Kernel. From NetMon I see the icmp packet reaching the VM (Windows Hyper V VM), however the driver isn't able
to intercept. The driver is able to receive udp packets. One more observation, the destination Ethernet for the packets received by the driver is FF-FF-FF-FF-FF-FF. The icmp packets received by NetMon have well defined Ethernet destination.

a. Kindly let me know if additional steps are needed to make raw sockets sniff all ip packets in kernel mode.

b. Would NDIS Protocol Drivers be an easier way to go forward?

I was able to establish icmp communication using raw sockets in user mode (Winsock) and I have replicated exact same steps.

 

Error message "missing registry socket"

Hi Harry,

Thank you for bringing up your query on Microsoft Community.

I realize this may be frustrating. Now that you have me with you, let me take care of this.

Winsock or Windows Sockets is a technical specification that defines how Windows network software should access network services.

Let us try the following steps and check if it helps.

Step 1: Perform a Winsock Reset

• Open the Windows Start Screen or Start Menu and type
  cmd in the search box.
• Right-click Command Prompt or cmd in the search results and select
  Run as Administrator.
• Type netsh winsock reset in the Command Prompt window and press
  Enter. Wait for Windows to finish resetting your Winsock configuration.
• Reboot your computer.

Step 2: I suggest you to follow the steps suggested by

Suvarna Govinda (replied on February 16, 2016) and check if it helps.

"Windows Sockets registry entries required for network connectivity are missing" Connectivity Issues in Windows 10

Redirecting

Hope it helps.

Let us know the status, we are glad to assist you further

 

Save RAW drive - Don't want data


Open Admin command prompt, then type:

1. diskpart
2. list disk ======> Take note of disk # of the RAW drive
3. select disk # ======> is the number in step 2
4. clean
5. exit

Open Disk Management and initialize it, Create Simple, format.