When i run a simple packet sniffer coded in C on my Mac OS X, i got no output at all, this is a strange thing! can someone help me to understand what going on.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void) {
int i, recv_length, sockfd;
u_char buffer[9000];
if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
printf("Socket failed!!\n");
return -1;
}
for(i=0; i < 3; i++) {
recv_length = recv(sockfd, buffer, 8000, 0);
printf("Got some bytes : %d\n", recv_length);
}
return 0;
}
I compile it and run it on my box and nothing is going:
MacOsxBox:Desktop evariste$sudo ./simpleSniffer
Thanks for your help.
The raw socket interface provides direct access to lower layer protocols, such as the Internet Protocol (IP) and Internet Control Message Protocol (ICMP or ICMPv6). You can use raw sockets to test new protocol implementations.
Raw sockets are used to generate/receive packets of a type that the kernel doesn't explicitly support. An easy example that you're probably familiar with is PING. Ping works by sending out an ICMP (internet control message protocol - another IP protocol distinct from TCP or UDP) echo packet.
Raw sockets allow new IPv4 protocols to be implemented in user space. A raw socket receives or sends the raw datagram not including link level headers. The IPv4 layer generates an IP header when sending a packet unless the IP_HDRINCL socket option is enabled on the socket.
This will not work on *BSD (including OSX/Darwin). See the investigation here for more details:
b. FreeBSD
**********
FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw
sockets. Such packets need to be read directly at the datalink layer by using
libraries like libpcap or the bpf API. It also *never* passes any fragmented
datagram. Each datagram has to be completeley reassembled before it is passed
to a raw socket.
FreeBSD passes to a raw socket:
a) every IP datagram with a protocol field that is not registered in
the kernel
b) all IGMP packets after kernel finishes processing them
c) all ICMP packets (except echo request, timestamp request and address
mask request) after kernel finishes processes them
Moral of the story: use libpcap
for this. It will make your life much easier. (If you use MacPorts, do sudo port install libpcap
.)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With