  1. #1
    Just Joined!
    Join Date
    Feb 2007
    Posts
    4

    write my own packet sniffer


    Actually, I would like to write my own packet sniffer, using packet sockets (not interested in pcap). I've searched deeply for some kind of tutorial, but only found references to client-server raw sockets docs.

    Man pages offer some help, but it's not enough and a bit confusing.
    Does anyone know where I can find some documentation?

  2. #2
    Just Joined!
    Join Date
    Mar 2007
    Posts
    2
    Some basic documentation can be found at:
    http://www.linuxjournal.com/article/4659 - even though the article is titled toward IP capture, the basic concept works.

    The updated Unix Network Programming (vol 1) also has some good info (a little expensive though).

    And not to argue with the first poster, but you do need to set your card into promiscuous mode (sometimes another protocol may have it set already) - however, you can now set the socket to promiscuous instead (a much better solution) - at least according to the documentation (man 7 packet; look for PACKET_MR_PROMISC) - however, you must be root to run it.

  3. #3
    Just Joined!
    Join Date
    Feb 2007
    Posts
    4
    Done all that. Got that great book (Second edition) and it's not necessary to use promiscuous mode. A packet socket with protocol ETH_P_ALL does the trick (sniffs incoming and outgoing packets).

    There are few docs on the web that offer info on packet sockets, but those that do exist are really good.

    If anyone is interested, I'll leave some links here:

    http://www.linuxjournal.com/article/4659
    http://www.linuxjournal.com/article/4852
    http://www.linuxjournal.com/article/5617
    http://linux.sys-con.com/read/34589_1.htm
    http://www.linuxforums.org/forum/linux-networking/

    Thanks for your reply EthernetRaw

  4. #4
    Just Joined!
    Join Date
    Mar 2007
    Posts
    2
    Thanks for the links - I also had previously found them to be useful as well.

    However, back to ETHER_P_ALL - I would like to clear up a misconception. ETHER_P_ALL does not receive all ethernet packets on the network - rather, this informs the kernel to listen to/forward all Ethernet packets that are arriving from the device driver/card and pass them on to the socket. If the NIC is not set up to hear the network address in question, the kernel can listen all it wants - it will not "hear" the packet. A difference between "listening" and "hearing". (poor example: if ears cannot hear a 25KHz tone, the brain can listen all day and, although the tone arrives at the ears, it will still not arrive to the listening brain from the ears). The Promisc flag, and now the PACKET_MR_PROMISC socket option, tells the NIC (not the kernel) to hear all packets. If you examine tcpdump/pcap, this method is used (see man on tcpdump; you actually have to specify the "-p" option to prevent tcpdump from setting the card into promiscuous mode).

    There are discussions on the security implications of this on the web, as well as the report of a "bug" because the interface doesn't report itself as being in promiscuous mode when it really is, based on pcap (such as tcpdump usage), at:
    http://www.uwsg.iu.edu/hypermail/lin...01.2/0060.html

    That said, ETHER_P_ALL appears to work for most instances as the card is already set to receive multiple addresses by other applications (ifconfig will show that, normally, the NIC is already listening to all multicast and all broadcast, as well as all pt-to-pt messages). As most NICs have a limited ability to filter - at some point, even if not requested to go into promiscuous mode, the NIC will throw up its virtual hands, and just toss all packets at the kernel and let the kernel sort them all out. Unfortunately, as indicated in the above link, there is no way to query the kernel and ask what "mode" the card is really in - the return value is basically lying if you use the socket option.

    A way to verify this is to install another NIC, but do not configure an IP address on this card or allow other applications to play with it. Then use the ETHER_P_ALL receive filter to listen to a point to point request (such as a ping) to another node on this card. Unless the promiscuous flag is set, the card happily ignores this data.
