On Tue, Nov 20, 2007 at 08:22:04AM -0500, Daniel Greene wrote:
>
> It was suggested that I post the code. This is the basic dump code that Im
> using.
[my mail reader didn't understand the code snippet you included, so I
tried to format it myself and attached it here]
Do you know what line is giving you the "not implemented" error? What
is the exact error string? If it is from the pcap_open_live() call, my
guess is that the device you're using doesn't support a read timeout,
and you should just set the readtimeout parameter to pcap_open_live()
to zero. From the pcap man page: "Not all platforms support a
read timeout; on platforms that dont, the read timeout is ignored. "
meaning that a bad value should be ignored, but presumably a badly
implemented winpcap might misinterpret that.
As a test, I would download and run my very simple pcap program nload[1]
(ftp://ftp.cs.umd.edu/pub/capveg/nload.tgz) and compile and run it to
see if it works on your system. The other possibility is that your
ethernet driver doesn't support reading raw packets (which would suck),
and testing with another program that is known to work could test that
hypothesis.
I still feel like I don't understand what you're trying to accomplish.
If you just want an IDS that can send alerts to real people, you are
better off trying to install snort (or similar off-the-shelf IDS) that
already has the pcap code written and working, and supports a whole
system of alerts. Although, I definitely understand the desire to
write an IDS from the ground up...
Let me know about the above, and good luck.
- Rob
.
[1] nload takes a tcpdump style filter expression and tells you how
much traffic is going through that filter; quite useful imo.
#include "pcap.h"
/* prototype of the packet handler */
void packet_handler(u_char *param, con= st struct pcap_pkthdr *header, const
u_char *pkt_data);
main(){
pcap_if_t *alldevs;
pcap_if_t *d;
int inum;
int i=3D0;
pcap_t *adha= ndle;
char errbuf[PCAP_ERRBUF_SIZE]; /* Retrieve the device list */
if(pca= p_findalldevs(&alldevs, errbuf) =3D=3D -1) {
fprintf(stderr,"Error in pcap= _findalldevs: %s\n", errbuf);
exit(1);
}
/* Print the list */ for(d=3Dall= devs; d; d=3Dd->next) {
printf("%d. %s", ++i, d->name);
if (d->descriptio= n)
printf(" (%s)\n", d->description);
else printf(" (No description available)\n");
}
if(i=3D=3D0) {
printf("\nNo interfaces found! Make sure W= inPcap is
installed.\n");
return -1;
}
printf("Enter the interface number= (1-%d):",i);
scanf("%d", &inum);
if(inum < 1 || inum > i) {
printf("\nIn= terface number out of range.\n"); /* Free the
device list */
pcap_freeall= devs(alldevs);
return -1;
}
/* Jump to the selected adapter */
for(d=3Dal= ldevs, i=3D0; i< inum-1 ;d=3Dd->next, i++); /* Open the
device */
/* Open = the adapter */
if ((adhandle =pcap_open_live(d->name, // name of the device
65536, // portion of the packet to capture.
// 65536= grants that the whole packet will be captured on all
the MACs.
1, = // promiscuous mode (nonzero means promiscuous)
1000, // read timeout
errbuf // error buffer )) 3D NULL) {
fprintf(stderr,"\nUnable to open the adapter. %s is not
supported by WinPcap\n", d->na= me);
/* Free the device list */
pcap_freealldevs(alldevs);
return -1;
}
printf("\nlistening on %s...\n", d->description); /* At this point, we
do= n't need any more the device list. Free it */
pcap_freealldevs(alldevs); /= * start the capture */
pcap_loop(adhandle, 0, packet_handler, NULL);
pcap_= close(adhandle);
return 0;
}
/* Callback function invoked by libpcap for every incoming
packet */void pa= cket_handler(u_char *param, const struct pcap_pkthdr *header,
const u_char = *pkt_data){
struct tm *ltime;
char timestr[16];
time_t local_tv_sec; /* convert the timestamp to readable format */
local_tv_sec header->ts.tv_se= c;
ltime=localtime(&local_tv_sec);
strftime( timestr, sizeof timestr, "%H= :%M:%S", ltime);
printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, h= eader->len);
}
