writing sniffer in linux

ilnli · 05-23-2007, 09:03 PM

Hi,

I need to write a sniffer in linux can you guys please help me that

1) which is the best IDE should I use
2) which libraries will help me in writing a sniffer
3) what are the things I should consider before start programming
4) I want to use command line interface so which library e.g; ncurses will be best for it?

Regards,
Imran

PatrickNew · 05-23-2007, 10:00 PM

When you say "sniffer" do you mean a packet sniffer? You haven't mentioned what language you wish to code in? This will influence the answers to the rest of the questions.

ilnli · 05-23-2007, 11:11 PM

Sorry for that,
yeah I mean packet sniffer and the language that I would like to use is C (gcc).

paulsm4 · 05-23-2007, 11:23 PM

Hi -

You definitely want to look here:
http://sourceforge.net/projects/libpcap/

Before you dive in, however, definitely familiarize yourself with these resources:

http://www.cet.nau.edu/~mc8/Socket/T.../section1.html

http://www.certforums.co.uk/forums/thread12166.html
http://www.certforums.co.uk/forums/thread12187.html
http://www.certforums.co.uk/forums/thread12493.html

'Hope that helps .. PSM

krizzz · 05-24-2007, 07:17 AM

Also, look at the PF_PACKET socket type. This is a raw socket on the ethernet frame level.

ilnli · 05-24-2007, 11:36 AM

thanks alot guy, I would like if more people can give me more suggestions.

Alien_Hominid · 05-24-2007, 04:07 PM

Check ethereal project/sources.

osor · 05-24-2007, 05:16 PM

Quote:

Originally Posted by Alien_Hominid

Check ethereal project/sources.

Nowadays, it’s called wireshark (I think).

As for answering the OP questions,

Whatever IDE you are most comfortable with.
As has been stated, you can either use the pcap library (much of the work has been done for you here) or implement ethernet-level sockets (you do a lot of wheel-reinventing here).
Is yet another packet sniffer really necessary? Why not help improve an already existing sniffer?
If you want an interactive command line interface, you might use some form of curses. Personally, I would use normal I/O to and from stdout and stdin for a base program (if it might be interactive at all). I might write frontends in ncurses and perhaps a GUI toolkit.

ilnli · 05-24-2007, 07:11 PM

hi I got one more question to ask

when I try to execute the followin code in Anjuta IDE

#include <stdio.h>
#include <pcap.h>

int main(int argc, char *argv[])
{
char *dev, errbuf[PCAP_ERRBUF_SIZE];

dev = pcap_lookupdev(errbuf);
if (dev == NULL) {
fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
return(2);
}
printf("Device: %s\n", dev);
return(0);
}

it gives me following error however I've install libpcap

/root/Projects/test/src/main.c:11: undefined reference to 'pcap_lookupdev'

I can't understand the problem.

regards,
Imran

thanks

osor · 05-24-2007, 07:47 PM

You’re not linking to libpcap. Change the linker option to include “-lpcap”.

ilnli · 05-24-2007, 08:17 PM

Dear Osor,

can you kindly give me the full syntax for gcc cause I'm a newbie in programming and this is my first programming script.

I'm so grateful to all of you guys for help.

Regards,
Imran

thanks

ilnli · 05-24-2007, 08:20 PM

as I've mentioned before that i'm using Anjuta and it shows me the following command

gcc -Wall -g -g -O2 -o Test main.0

where will -lpcap go?

thanks

osor · 05-24-2007, 09:03 PM

Quote:

Originally Posted by ilnli

where will -lpcap go?

It can go anywhere on that line except between the two tokens “-o Test”.

ilnli · 05-26-2007, 06:47 PM

Thanks a lot all of you, it working now