Asaf R

Reputation: 6978

Do multiple sockets "duplicate" data?

An application I'm working on needs to keep track of the connectivity of another application, meaning check that the other application is generating and receiving IP traffic.

We have no API to the other application, and so are tracking the IP traffic via WinSock. We do this by defining a RAW IP socket and setting the IO control with something equivalent to -

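    DWORD opt = RCVALL_ON, bytesReturned = 0;  // SIO_RCVALL and RCVALL_ON are declared in <mstcpip.h>
    // s is the raw IP socket; the rest is "empty": no output buffer, no overlapped I/O
    WSAIoctl(s, SIO_RCVALL, &opt, sizeof(opt), NULL, 0, &bytesReturned, NULL, NULL);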

We then read data from the socket asynchronously and look at the IP header to see whether the traffic belongs to the tracked application.

Two questions arise -

  1. Is there another, better way to track the IP traffic? Specifically, we need to know which hosts sent data to the machine and to which hosts data was sent, and when.
  2. Using the above method, is the data intercepted "stolen" from the target application? Or does the target application get it in its socket without interruption?

Thanks,
Asaf

Upvotes: 0

Views: 359

Answers (2)

Erik

Reputation: 91320

  1. This is the way to track traffic if you don't want drivers. If you accept drivers, WinPcap is the way to go. With some more constraints, you could look at established TCP connections (like netstat), but with your requirements I'd definitely go for the raw socket approach you're using.

  2. Using your method, data is copied, not stolen. The only explicit documentation I can find stating this is on MSDN: "Received datagrams are copied into all SOCK_RAW sockets ..."

Upvotes: 2
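An added example, not code from the question or the answers: one way to do the "look at the IP header" step on each buffer read from the raw socket, recording source, destination, ports and direction relative to the monitored machine. The names summarize_ipv4, ip_summary and sample_pkt are hypothetical, and the sample packet is constructed from documentation addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum direction { DIR_INVALID = 0, DIR_INBOUND, DIR_OUTBOUND, DIR_OTHER };

struct ip_summary {
    uint32_t src, dst;            /* IPv4 addresses, host byte order */
    uint8_t  protocol;            /* 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;  /* 0 when not TCP/UDP or not the first fragment */
    enum direction dir;
};

/* Constructed sample: UDP 192.0.2.10:49152 -> 198.51.100.7:53, 28 bytes total. */
const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 10, 198, 51, 100, 7, 0xC0, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one buffer from the raw socket (it starts at the IPv4 header).
 * local_addr is the bound interface address in host byte order.
 * Returns 0 on success, -1 if the buffer is not a well-formed IPv4 packet. */
int summarize_ipv4(const uint8_t *buf, size_t len, uint32_t local_addr,
                   struct ip_summary *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 20 || (buf[0] >> 4) != 4) return -1;   /* too short or not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;        /* header length in bytes */
    size_t total = rd16(buf + 2);
    if (ihl < 20 || ihl > len || total < ihl || total > len) return -1; /* inconsistent lengths */

    out->protocol = buf[9];
    out->src = rd32(buf + 12);
    out->dst = rd32(buf + 16);
    /* TCP and UDP both start with source and destination port, but only the
     * first fragment (fragment offset 0) carries the transport header. */
    uint16_t frag_off = rd16(buf + 6) & 0x1FFF;
    if ((out->protocol == 6 || out->protocol == 17) && frag_off == 0 && total >= ihl + 4) {
        out->src_port = rd16(buf + ihl);
        out->dst_port = rd16(buf + ihl + 2);
    }
    out->dir = out->dst == local_addr ? DIR_INBOUND
             : out->src == local_addr ? DIR_OUTBOUND : DIR_OTHER;
    return 0;
}
```

Pairing each summary with a timestamp taken at read time gives the "which hosts, which direction, and when" record the question asks for.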

AK_

Reputation: 8099

I would take a serious look at http://en.wikipedia.org/wiki/Pcap

It's what Wireshark uses to monitor traffic, and when I took a look, their API looked really useful.

Upvotes: 0
