For reasons that I won't get into here (but I'd be happy to explain if
anyone's interested), I need to sample a tiny fraction of the packets on an
extremely high-traffic network. I can throw away most of the data; all I
need is the source IP address of a UDP packet.

I believe libpcap is overkill for this task, and so I'd like to just sniff
the packets directly. Unfortunately, I have to do the sniffing from an AIX
box.

After skimming through the source to libpcap and doing strace on my Linux
box (can't get the equivalent working on AIX), I've come up with the
following. But it doesn't work -- recvfrom just hangs. Or, if I play around
with the parameters to socket(), that function fails.

I was hoping someone on this list might see the problem.

Thanks for any help you can provide.



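#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* FAIL was not defined in the posted code; assumed here to report the
 * failing call and exit.
 */
#define FAIL(msg) do { perror (msg); exit (1); } while (0)

int
make_sniffer (char * nic)
{
  int rv;
  int fd;
  struct ifreq ifr;

  /* No clue if these are the parameters I want to pass to socket() .. I
   * just want to sniff UDP traffic to port 53
   */
  fd = socket (AF_INET, SOCK_DGRAM, 0);
  if (fd < 0) FAIL ("socket");

  /* Bounded copy so a long interface name cannot overflow ifr_name */
  memset (&ifr, 0, sizeof (ifr));
  strncpy (ifr.ifr_name, nic, sizeof (ifr.ifr_name) - 1);

  /* Read the current interface flags, then add promiscuous mode */
  rv = ioctl (fd, SIOCGIFFLAGS, &ifr);
  if (rv < 0) FAIL ("ioctl");

  ifr.ifr_flags |= IFF_PROMISC;

  rv = ioctl (fd, SIOCSIFFLAGS, &ifr);
  if (rv < 0) FAIL ("ioctl");

  return fd;
}

struct in_addr
sniff (int fd)
{
  struct sockaddr_in sa;
  socklen_t len;
  char packet [8192];
  int rv;

  /* This is the call that hangs with the socket created above */
  len = sizeof (sa);
  rv = recvfrom (fd, packet, sizeof (packet), 0, (struct sockaddr *) &sa, &len);
  if (rv <= 0 || len != sizeof (sa)) FAIL ("recvfrom");

  /* Return the address as a struct in_addr, which is what inet_ntoa takes */
  return sa.sin_addr;
}

int
main (void)
{
  int fd = make_sniffer ("en0");
  struct in_addr ip = sniff (fd);

  printf ("Just sniffed %s\n", inet_ntoa (ip));

  return 0;
}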

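Added example, not part of the original post: an unbound AF_INET/SOCK_DGRAM socket only delivers datagrams addressed to that socket, so observing other hosts' traffic means reading whole frames from whatever link-layer capture interface the platform provides. Given one such frame, the bounds-checked parser below pulls out the source address of a UDP packet to a given port. The function name udp_src_ip, the Ethernet II framing without a VLAN tag, and the sample frame are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14   /* Ethernet II header, no VLAN tag (assumption) */

/* Returns 1 and stores the source address (network byte order) in *src
 * when the frame is Ethernet II / IPv4 / UDP with destination port dport;
 * returns 0 otherwise, including truncated frames and non-first fragments. */
int udp_src_ip(const unsigned char *f, size_t len, uint16_t dport, uint32_t *src)
{
    const unsigned char *ip, *udp;
    size_t ihl;

    if (len < ETH_HLEN + 20) return 0;                 /* no room for IPv4 header */
    if (f[12] != 0x08 || f[13] != 0x00) return 0;      /* ethertype is not IPv4   */
    ip = f + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return 0;                   /* IP version field        */
    ihl = (size_t)(ip[0] & 0x0f) * 4;                  /* header length in bytes  */
    if (ihl < 20 || len < ETH_HLEN + ihl + 8) return 0; /* bad IHL or no UDP hdr  */
    if (ip[9] != 17) return 0;                         /* protocol is not UDP     */
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0) return 0; /* later fragment: no UDP header */
    udp = ip + ihl;
    if (((udp[2] << 8) | udp[3]) != dport) return 0;   /* destination port        */
    memcpy(src, ip + 12, 4);
    return 1;
}

/* Constructed sample: UDP 192.0.2.10:40000 -> 198.51.100.53:53, checksums zeroed */
static const unsigned char sample_frame[] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x00,     /* MACs, ethertype */
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    192,0,2,10,  198,51,100,53,                            /* src, dst address */
    0x9c,0x40, 0x00,0x35, 0x00,0x08, 0x00,0x00             /* UDP header       */
};

int main(void)
{
    unsigned char a[4];
    uint32_t src;

    if (udp_src_ip(sample_frame, sizeof sample_frame, 53, &src)) {
        memcpy(a, &src, 4);
        printf("source %u.%u.%u.%u\n", a[0], a[1], a[2], a[3]);
    }
    return 0;
}
```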