For reasons that I won't get into here (but I'd be happy to explain if anyone's interested), I need to sample a tiny fraction of the packets on an extremely high-traffic network. I can throw away most of the data; all I need is the source IP address of a UDP packet.

I believe libpcap is overkill for this task, and so I'd like to just sniff the packets directly. Unfortunately, I have to do the sniffing from an AIX box. After skimming through the source to libpcap and doing strace on my Linux box (can't get the equivalent working on AIX), I've come up with the following. But it doesn't work -- recvfrom just hangs. Or, if I play around with the parameters to socket(), that function fails. I was hoping someone on this list might see the problem. Thanks for any help you can provide.

    #include <stdio.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <sys/ioctl.h>
    #include <net/if.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    /* FAIL() was not included in the post; this stand-in is assumed so the
     * snippet compiles: report the failing call and bail out of the function. */
    #define FAIL(what) do { perror (what); return -1; } while (0)

    int make_sniffer (char * nic)
    {
        int rv;
        int fd;
        struct ifreq ifr;

        /* No clue if these are the parameters I want to pass to socket() .. I
         * just want to sniff UDP traffic to port 53 */
        fd = socket (AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) FAIL ("socket");

        /* Put the interface into promiscuous mode */
        strcpy (ifr.ifr_name, nic);
        rv = ioctl (fd, SIOCGIFFLAGS, &ifr);
        if (rv < 0) FAIL ("ioctl");
        ifr.ifr_flags |= IFF_PROMISC;
        rv = ioctl (fd, SIOCSIFFLAGS, &ifr);
        if (rv < 0) FAIL ("ioctl");

        return fd;
    }

    unsigned long sniff (int fd)
    {
        struct sockaddr_in sa;
        socklen_t len;
        char packet [8192];
        unsigned long ip;
        int rv;

        /* Read one datagram; the only thing kept is the sender's address */
        len = sizeof (sa);
        rv = recvfrom (fd, packet, 8192, 0, (struct sockaddr *) &sa, &len);
        if (rv <= 0 || len != sizeof (sa)) FAIL ("recvfrom");
        memcpy (&ip, &sa.sin_addr, 4);
        return ip;
    }

    int main (void)
    {
        struct in_addr addr;
        int fd = make_sniffer ("en0");
        unsigned long ip = sniff (fd);

        /* inet_ntoa() takes a struct in_addr, not a raw integer */
        memcpy (&addr, &ip, 4);
        printf ("Just sniffed %s\n", inet_ntoa (addr));
        return 0;
    }
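The following is an added example, not code from the poster's message. It shows the two pieces the task described above actually needs: a capture socket that hands over raw link-layer frames from every host on the wire (an AF_INET/SOCK_DGRAM socket is an ordinary UDP endpoint and only ever delivers datagrams addressed to it, however the interface flags are set), and a small bounds-checked parser that walks Ethernet -> IPv4 -> UDP and returns the source address only when the destination port matches. The capture side assumes Linux AF_PACKET (CAP_NET_RAW required); on AIX the equivalent is a BPF device, which is not shown here. The frame used for the offline check is constructed by hand, not captured traffic.

```c
/* Added example: raw-frame capture plus an Ethernet/IPv4/UDP parser that
 * keeps only the source IP of UDP packets to one port. Not the poster's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#endif

#define ETH_HDR_LEN 14
#define ETYPE_IPV4  0x0800

/* Returns 1 and stores the IPv4 source (network byte order) in *src when the
 * frame is IPv4/UDP with destination port want_dport; 0 for any other packet;
 * -1 if the frame is truncated or malformed. Never reads past len bytes. */
int extract_udp_src(const unsigned char *frame, size_t len,
                    uint16_t want_dport, uint32_t *src)
{
    if (len < ETH_HDR_LEN + 20) return -1;                 /* need a full IPv4 header */
    uint16_t ethertype = (uint16_t)(frame[12] << 8 | frame[13]);
    if (ethertype != ETYPE_IPV4) return 0;                 /* ARP, IPv6, VLAN, ... */

    const unsigned char *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;               /* options may be present */
    if (ihl < 20 || len < ETH_HDR_LEN + ihl + 8) return -1; /* UDP header must fit */
    if (ip[9] != IPPROTO_UDP) return 0;
    if (((ip[6] << 8 | ip[7]) & 0x1fff) != 0) return 0;    /* later fragment: no UDP hdr */

    const unsigned char *udp = ip + ihl;
    uint16_t dport = (uint16_t)(udp[2] << 8 | udp[3]);
    if (dport != want_dport) return 0;
    memcpy(src, ip + 12, 4);                               /* IPv4 source address */
    return 1;
}

/* Constructed sample frame (assumption, not captured data): UDP 40000 -> 53
 * from 192.0.2.10 to 198.51.100.53 with an 8-byte payload. Returns its length. */
size_t sample_dns_frame(unsigned char *buf, size_t buflen)
{
    static const unsigned char frame[] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00, 0x00,0x24, 0x12,0x34, 0x00,0x00, 0x40,0x11, 0x00,0x00,
        192,0,2,10,  198,51,100,53,
        0x9c,0x40, 0x00,0x35, 0x00,0x10, 0x00,0x00,
        0xde,0xad,0xbe,0xef, 0x00,0x00,0x00,0x00
    };
    if (buflen < sizeof frame) return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

/* Offline check helpers: parse the sample frame for a port, optionally cut
 * to keep_len bytes (0 = whole frame); and fetch its source in host order. */
int parse_sample(uint16_t want_dport, size_t keep_len)
{
    unsigned char buf[256]; uint32_t src;
    size_t n = sample_dns_frame(buf, sizeof buf);
    if (keep_len && keep_len < n) n = keep_len;
    return extract_udp_src(buf, n, want_dport, &src);
}
uint32_t sample_src_host_order(void)
{
    unsigned char buf[256]; uint32_t src = 0;
    size_t n = sample_dns_frame(buf, sizeof buf);
    return extract_udp_src(buf, n, 53, &src) == 1 ? ntohl(src) : 0;
}

#ifdef __linux__
/* Open a packet socket bound to one interface; returns fd or -1. */
int open_capture(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd); return -1;
    }
    return fd;
}
#endif

int main(int argc, char **argv)
{
    unsigned char buf[2048]; uint32_t src; char text[INET_ADDRSTRLEN];
    if (parse_sample(53, 0) == 1)
        printf("sample frame: UDP/53 from %s\n",
               inet_ntop(AF_INET, &(uint32_t){htonl(sample_src_host_order())}, text, sizeof text));
#ifdef __linux__
    if (argc > 1) {                                  /* usage: ./a.out eth0 */
        int fd = open_capture(argv[1]);
        if (fd < 0) { perror("open_capture"); return 1; }
        for (;;) {                                   /* one frame per recv() */
            ssize_t got = recv(fd, buf, sizeof buf, 0);
            if (got < 0) { perror("recv"); break; }
            if (extract_udp_src(buf, (size_t)got, 53, &src) == 1)
                printf("%s\n", inet_ntop(AF_INET, &src, text, sizeof text));
        }
        close(fd);
    }
#else
    (void)argc; (void)argv; (void)buf; (void)src;
#endif
    return 0;
}
```

Every frame on the interface still crosses into user space with this loop, so at very high rates the cheap part is pushing the port-53 test into the kernel as a socket filter (SO_ATTACH_FILTER on Linux, the BPF program on AIX's BPF device) and only reading what survives; the parser above is what the filter would be checking, and it deliberately rejects truncated frames and non-first fragments rather than reading whatever bytes happen to follow the headers.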