  1. #1
    Just Joined!
    Join Date
    Nov 2009
    Posts
    72

    raw sockets

    Hi friends!!! I am studying computer science and I have to develop a sniffer for one of my subjects, using the Linux sockets. This sniffer has to capture all the packets in the network from/to other hosts. Can you give me any reference please??

    I forgot to say that I manage to program sockets, but only to capture data, in the transport layer. But I find it difficult to develop a program to sniff all the packets in the network.

    I found this example on the web: http://security-freak.net/raw-socket..._ip_tcp_data.c

    But it doesn't capture all the packets, it only captures the packets from/to my computer.

    thank you very much!!!!
    Last edited by jesusitoLinux; 08-05-2011 at 08:34 AM.

  2. #2
    Linux Newbie
    Join Date
    Mar 2010
    Posts
    121
    Quote Originally Posted by jesusitoLinux
    I found this example on the web: http://security-freak.net/raw-socket..._ip_tcp_data.c

    But it doesn't capture all the packets, it only captures the packets from/to my computer.
    Are you sure this isn't just because other packets are being routed away from your computer? Are you seeing things like ARP requests?

    Try looking at how libpcap works (you can use Wireshark as a "front-end" to libpcap).

  3. #3
    Just Joined!
    Join Date
    Nov 2009
    Posts
    72
    What about this? If I use ETH_P_ALL instead of ETH_P_IP, I can sniff all the packets, but I get "segmentation fault"!!!! Why?

  4. #4
    Linux Newbie
    Join Date
    Mar 2010
    Posts
    121
    Quote Originally Posted by jesusitoLinux
    What about this? If I use ETH_P_ALL instead of ETH_P_IP, I can sniff all the packets, but I get "segmentation fault"!!!! Why?
    Nobody can help you without specifics. Track down where the segmentation fault happens (with gdb/ddd or printf-style debugging) and post the code concerned. Also, the link you posted earlier does not point to the correct address.

  5. #5
    Just Joined!
    Join Date
    Nov 2009
    Posts
    72
    This is the link: http://security-freak.net/raw-socket..._ip_tcp_data.c. I'll try gdb.

    thank you very much!!!!

  6. #6
    Linux Newbie
    Join Date
    Mar 2010
    Posts
    121
    Well, I get a segfault right away from the following in BindRawSocketToInterface:

    Code:
    	struct ifreq ifr;
    
    	bzero(&ifr, sizeof(ifr));
    
    	strncpy((char *)ifr.ifr_name, device, IFNAMSIZ);
    I also notice a fair few warnings when I try and compile this. Get it to compile without any warnings using the -Wall and -Wextra flags before going any further, or you're not doing yourself any favours.

  7. #7
    Just Joined!
    Join Date
    Nov 2009
    Posts
    72
    I'm not very sure, but I think the seg fault occurs when I try to print a packet which is not an IP packet, i.e., when the type ID is not ETH_P_IP.....

    Because if I change the protocol to ETH_P_ALL, then I get all the packets, but with ETH_P_IP, I only get packets from/to my computer, but there is no seg fault.

    What is the difference between ETH_P_ALL and ETH_P_IP?? Why can't I capture all the packets with ETH_P_IP, in spite of putting my network card into promiscuous mode (ifconfig wlan0 promisc)?

    Thank you very much!
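
An added example, not code from this thread or from the linked security-freak.net file: a packet socket opened with ETH_P_ALL also delivers non-IP frames such as ARP, so a sniffer has to check the EtherType and every header length before reading IP or TCP fields. The function name, constants and sample frames below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants defined locally (assumed names); 0x0800 is the value of ETH_P_IP. */
#define ETH_HDR_LEN 14
#define ETYPE_IPV4  0x0800
#define PROTO_TCP   6

enum frame_kind { FRAME_TRUNCATED = -1, FRAME_NOT_IPV4, FRAME_IPV4_OTHER, FRAME_IPV4_TCP };

/* Classify one frame as read from an ETH_P_ALL packet socket. Every header is
   length-checked before it is read; on FRAME_IPV4_TCP, *payload_off is set. */
enum frame_kind classify_frame(const uint8_t *buf, size_t len, size_t *payload_off)
{
    if (len < ETH_HDR_LEN) return FRAME_TRUNCATED;
    unsigned etype = ((unsigned)buf[12] << 8) | buf[13];
    if (etype != ETYPE_IPV4) return FRAME_NOT_IPV4;  /* ARP, IPv6, ...: no IPv4 header */

    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t ip_avail = len - ETH_HDR_LEN;
    if (ip_avail < 20) return FRAME_TRUNCATED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > ip_avail) return FRAME_TRUNCATED;
    if (ip[9] != PROTO_TCP) return FRAME_IPV4_OTHER;

    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = ip_avail - ihl;
    if (tcp_avail < 20) return FRAME_TRUNCATED;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;         /* TCP header length in bytes */
    if (doff < 20 || doff > tcp_avail) return FRAME_TRUNCATED;
    *payload_off = ETH_HDR_LEN + ihl + doff;
    return FRAME_IPV4_TCP;
}

/* Constructed sample frames (not captured traffic): an ARP frame and a
   TCP segment carrying the 4-byte payload "ping". Unset bytes are zero. */
static const uint8_t sample_arp[42] = { [12] = 0x08, [13] = 0x06 };
static const uint8_t sample_tcp[58] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [23] = 6,
                                        [46] = 0x50, [54] = 'p', 'i', 'n', 'g' };

int main(void)
{
    size_t off = 0;
    printf("arp: %d\n", classify_frame(sample_arp, sizeof sample_arp, &off));
    printf("tcp: %d\n", classify_frame(sample_tcp, sizeof sample_tcp, &off));
    printf("tcp payload offset: %zu\n", off);
    printf("tcp cut to 40 bytes: %d\n", classify_frame(sample_tcp, 40, &off));
    return 0;
}
```

In a real sniffer, `len` is the byte count returned by `recvfrom()` for that frame, and only frames classified as FRAME_IPV4_TCP should reach the code that prints IP and TCP fields.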
