Home‎ > ‎Legacy projects‎ > ‎


This is a free version of a network protocol analyzer for Windows written in C++

This tool allows examination of data from a live network, or from a captured file
First version of AnNet for Windows has been released at the end of 2001.
It relies on Winpcap.

Commercial versions of this software were used for decoding protocols employed in telecommunication equipment.
This version has been purged from proprietary applications, therefore, it is light and may be used freely.

Annet Main Features In Short

  • Real-time Packet Analyzer: Parse and decode Ethernet and TCP/IP protocol suite protocols including
    Ethernet, ARP, IP, UDP, TCP, ICMP, BOOTP, DHCP, TFTP, SunRPC, NetBios
  • Enable on-the-fly content viewing while capturing and analyzing
  • Recognize the reconstructed stream of each TCP and TFTP session
  • Powerful Packet-capturing Filter: Provide a flexible mechanism to monitor specific target host and file types
  • Ethereal engine support: the UI is able to delegate to Ethereal or Wireshark tool (if installed) for decoding of packets dynamically
  • Exact Timestamp
  • Customized Logging: Export LOG file as ENC, XML or customized PKD format. Import LOG file as ENC, Snoop or PKD
  • Remote sniffing and configuration (a WEB interface is provided to configure the snifferd capture service) 
  • IEEE 802.1Q Tag-based VLAN support 
  • DNS host resolution 
  • Easy-installer 
  • XML Tree viewer tool 
  • Easy UI;Drag and Drop facility

Annet - Architecture Overview

Annet is a software product for Windows platform for monitoring network activity capable of capturing and analysing packets and decoding the data flowing on the ethernet bus.
Captured packets are decoded down to the lowest layer with full analysis of the Ethernet and IP protocols including IPv4, TCP, UDP, ICMP, ARP, BOOTP, DHCP, SUNRPC, TFTP.
It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file (in native capture file format).
In addition, Annet can read capture files from snoop,can export in and read from NAI Sniffer (.enc) format.
A flexible system of filters allows to drop packets not needed or to capture only those packets you wish to analyse. The packets can be saved in files for future analysis.
Annet implements client-server architecture. The snifferc client, that provides a graphical user interface, may be located on same computer of the server (snifferd) or on different one. Communication between client and server is performed by using TCP connections. For this reason, if client and server components are located in different workstations, the network interface used for sniffing, shouldn't be used for communication with the client. In this case, the server computer should be equipped with two network interfaces.

Description of protocol for client/server communication 

Snifferc communicates with server (snifferd service) using three channels: command channel, data channel and message channel. The command channel is used to send command such as START_CAPTURE, STOP_CAPTURE and FIL. When snifferc client application starts, it attempts to connect with server (typically through TCP port 28774). However, the user can connect whenever he wants. If the connection is established, the client will be able to send a command. Before to start capturing of the packets, the user must define a filter. When a filter applies, the client sends to the server the FIL command, through command channel, and server responds on same channel with OK or ERROR message. It also sends to client a detailed description of error or success event using the message channel. The command channel is also used to synchronise client and server operations. For this reason a message channel is dedicated to transmit information from server to client. When a filter is defined the user will be able to start capturing of the packets. The filtered packets are sent using the data channel. This channel is opened from the server when it receives the START_CAPTURE command, and it is closed when the server receives the STOP_CAPTURE command. It is not possible to open more than one connection at the same time (the server is able to accept one connection at time).

Packet Capture Driver (Packet.SYS)

The Win32 programming platform provides no direct support for low-level network access. Applications requiring such access must use a custom device driver. The packet capture driver serves as an interface between the underlying Network Interface Controllers (NICs) and the overlying Win32 application. The adopted architecture of such arrangement is illustrated below:

Microsoft networking protocols use the Network Driver Interface Specification (NDIS) to communicate with network card drivers. Much of the Open Systems Interconnection (OSI) model link layer functionality is implemented in the protocol stack. NDIS provides a fully abstracted interface for network adapter-driver development and provides a pair of abstraction layers that are used to connect network drivers to an overlying protocol stack, such as Transmission Control Protocol/Internet Protocol (TCP/IP). The packet driver uses the functionality of NDIS protocol driver on Windows NT/2000/XP. Upon installation, it binds to all real or virtual net adapters. It creates a named device object for each adapter it binds to so that it can be opened by a 32-bit Windows application through symbolic link. At the lower edge, the packet driver uses the NDIS interface to communicate with the NIC driver. Snifferd service uses the services provided by the Packet.dll to interact with the driver.

Packet Interface Library (PACKET.DLL)

PACKET.DLL is a dynamic link library that interfaces the NDIS packet capture driver with the user level application. The DLL implements a set of functions that make simpler the communication with the driver. The DLL provides functions to handle the network adapters, read and write packets from the network, set buffers and filters in the driver, and so on.
WinPcap is a packet capture library that exports a set of functions that are libpcap compatible. Libpcap is a network capture library developed by Network Research Group (NRG) of the Information and Computing Sciences Division (ICSD) at Lawrence Berkeley National Laboratory (LBNL) in Berkeley, California.

The filters

Filters are defined using a simple filter definition language. Each filter can be used from both from snifferd and snifferc components; snifferd executes the filter capturing packets, on the contrary snifferc application can apply filter to the buffer of captured packets also importing that buffer from a .pkd file.

A filter consists of a set of rules.

Example of capture - filters

Caputer all packets: 


Capture all IP packets that contain UDP nested packets:


Capture all IP packets that contain UDP or TCP nested packets:


Capture all IP packets that 
don’t contain UDP or TCP nested packets:


Capture all Ethernet packets that don’t include IP packets that contain UDP or TCP nested packets:


Capture all packets of a telnet session between two hosts ( and

   IP (+ TCP) IP (+ TCP)

Filter's definition language BNF (FDL-BNF)

filter ::= FIL level and_or_cond { nil | filter_params }
filter_params ::= mac_istr_lst | mac_istr_lst filter_params | ip_istr_lst filter_params | tcp_istr_lst filter_params | udp_istr_lst filter_params
level ::= 0|1|2|3|4|5|6|7|8|9| nil
and_or_cond ::= AND | OR | nil
mac_istr_lst ::= mac_istr | mac_istr_lst mac_istr
ip_istr_lst ::= ip_istr | ip_istr_lst ip_istr
tcp_istr_lst ::= tcp_istr | tcp_istr_lst tcp_istr
udp_istr_lst ::= udp_istr | udp_istr_lst udp_istr

plus_min ::= +|-

mac_keyword ::= MAC | ETH

mac_istr ::= mac_keyword(plus_min mac_from_addr mac_to_addr mac_proto [match_op length])
mac_from_addr ::= mac_addr
mac_to_addr ::= mac_addr
mac_proto ::= IP|ARP|ALL|0..FFFF
mac_addr ::= xx:xx:xx:xx:xx:xx|ALL|*
xx ::= 00 |01 | .. | FF | ??

ip_istr ::= IP(plus_min ip_from_addr ip_to_addr ip_proto [match_op length])
ip_from_addr ::= ip_addr
ip_to_addr ::= ip_addr
ip_addr ::= ddd.ddd.ddd.ddd|ALL
ip_proto ::= ddd|UDP|TCP|ICMP|ALL
ddd ::= 0..255

match_op ::= =|<|>|<>|>=|<=
length ::= 0..65535

tcp_istr ::= TCP(plus_min tcp_from_port tcp_to_port [match_op length])
udp_istr ::= UDP(plus_min udp_from_port udp_to_port [match_op length]) 
udp_from_port ::= udp_port
udp_to_port ::= udp_port

tcp_from_port ::= tcp_port
tcp_to_port ::= tcp_port

port ::= 0..65535|ALL