On Fri, Jun 14, 2002 at 10:29:53AM -0400, Mike Schiraldi wrote:
> /* No clue if these are the parameters i want to pass to socket() .. i
> * just want to sniff UDP traffic to port 53
> */
> fd = socket (AF_INET, SOCK_DGRAM, 0);
PF_INET/SOCK_DGRAM sockets are sockets you use for applications using
UDP as a communications protocol; you haven't bound that socket to give
it a UDP port number, so no packets can be delivered to it.
They are *not* sockets you use for sniffing packets. They cannot
receive packets unless they've been bound with a "bind()" call, and,
once that's done, they'll receive only packets sent to the machine
running your program and to that port - and if some other process on
your machine has already bound to that UDP port number, your attempt to
bind to the same port number will fail (it may be possible for two
processes to bind to the same port but different IP addresses, but that
won't do what you want).
On Linux, if you want to sniff packets, you would use PF_PACKET/SOCK_RAW
or PF_PACKET/SOCK_DGRAM sockets (or, in 2.0-kernel systems,
PF_INET/SOCK_PACKET, but that mechanism isn't as nice). See the
"packet(7)" man page.
On AIX, there are two mechanisms that could be used, DLPI (documented,
but we've seen problems capturing outgoing packets) and BPF
(undocumented, but works better in some ways - but sometimes appears to
randomly return errors for reasons we haven't yet figured out).
> if (fd < 0) FAIL ("socket");
>
> strcpy(ifr.ifr_name, nic);
>
> rv = ioctl (fd, SIOCGIFFLAGS, &ifr);
> if (rv < 0) FAIL ("ioctl");
>
> ifr.ifr_flags |= IFF_PROMISC;
>
> rv = ioctl (fd, SIOCSIFFLAGS, &ifr);
That may put the *interface* in promiscuous mode, but it won't mean that
a PF_INET/SOCK_DGRAM socket will get promiscuously-received packets - it
won't.
Note also that even if the interface is in promiscuous mode and you
*are* using a PF_PACKET/SOCK_DGRAM or PF_PACKET/SOCK_RAW socket (in
which case there's a better way of setting promiscuous mode in 2.2 and
later kernels; see the "pcap-linux.c" file in the libpcap source),
there's *still* no guarantee that you'll see third-party traffic:
http://www.ethereal.com/faq.html#q4.1
If you really don't want to use libpcap, you'll have to read the libpcap
source and do what it does on the particular platform you're using;
frankly, I suspect *bypassing* libpcap might be more overkill than using
it.
I.e., given how much work you'll have to do in order to write code to do
the sniffing, you will, I suspect, be better off using code that's
already been written to do that - i.e., libpcap.
For example, if you only want to sniff UDP traffic to port 53, you will
have to somehow arrange to discard all non-UDP and non-port-53 traffic,
as the underlying OS packet capture mechanisms, by default, supply *all*
traffic they see.
On some OSes, you can set a filter in the kernel to throw away packets
that don't match a particular pattern; on some of those OSes, libpcap
can do that for you, and, on all the other OSes, libpcap can do that in
user mode for you.
That filter would be in the form of a program for a pseudo-machine; you
would have to construct that program by hand, and use the underlying
OS's mechanism to make that the active filter program. If you use
libpcap, however, you can just hand the string "udp port 53" to
"pcap_compile()" and then use "pcap_setfilter()" to make the generated
program the filter program for your capture device.
If you *really* want to do it by hand, you'll have to read the libpcap
code and figure out how to do it on particular OSes from that code.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
