Using C and libpcap in linux

Mridulj · 04-15-2009, 12:49 AM

I want to build a internet traffic pattern analyser
using C and libpcap in linux . can anyone suggest how should
I proceed .

pramod.srk · 04-15-2009, 01:20 AM

Use pcap library ..

chakka.lokesh · 04-15-2009, 11:17 PM

Quote:

Originally Posted by Mridulj

I want to build a internet traffic pattern analyser

what analysis you want to do?

Mridulj · 04-16-2009, 12:11 PM

packet analysis when you are connected to the internet

chakka.lokesh · 04-16-2009, 11:09 PM

dear mridul,

it is very obvious that any body will do only and only packet analysis. Because other than packets there will be nothing in the network.

What I am asking is . . .

what is your objective?
What information you want to consume from the packets?
What precisely you will be analyzing with respect to the collected packets?

Mridulj · 04-18-2009, 05:00 AM

we should be able to measure packet traffic going out and coming when I
connect to a network .

chakka.lokesh · 04-18-2009, 11:22 PM

Is it that, you want to measure the number of packets per unit time?

Mridulj · 04-19-2009, 01:39 PM

ya ..........

say ... no.of packets , wats the protocol used , length of the packet destination IP , etc .

chakka.lokesh · 04-19-2009, 11:13 PM

To me it seems to be homework. Doesn't matter it is or not, I will give only hints; not answers.

hint-1:

did you refered this

Mridulj · 04-20-2009, 01:58 AM

hav pcap installed in my pc

nxt Hint 2: ??

chakka.lokesh · 04-20-2009, 11:14 PM

hint - 2:
with the help of link I gave, in the hint-1, write a program that captures the traffic.

Mridulj · 04-22-2009, 04:18 AM

#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h>

int main(int argc, char **argv)
{
int i;
char *dev;
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t* descr;
const u_char *packet;
struct pcap_pkthdr hdr;
struct ether_header *eptr;

u_char *ptr;
dev = pcap_lookupdev(errbuf);

if(dev == NULL)
{
printf("%s\n",errbuf);
exit(1);
}

printf("DEV: %s\n",dev);

descr = pcap_open_live(dev,BUFSIZ,0,-1,errbuf);

if(descr == NULL)
{
printf("pcap_open_live(): %s\n",errbuf);
exit(1);
}

packet = pcap_next(descr,&hdr);

if(packet == NULL)
{
printf("Didn't grab packet\n");
exit(1);
}

printf("Grabbed packet of length %d\n",hdr.len);
printf("Recieved at ..... %s\n",ctime((consttime_t*)&hdr.ts.tv_sec));
printf("Ethernet address length is %d\n",ETHER_HDR_LEN);

eptr = (struct ether_header *) packet;

if (ntohs (eptr->ether_type) == ETHERTYPE_IP)
{
printf("Ethernet type hex:%x dec:%d is an IP packet\n",
ntohs(eptr->ether_type),
ntohs(eptr->ether_type));
}else if (ntohs (eptr->ether_type) == ETHERTYPE_ARP)
{
printf("Ethernet type hex:%x dec:%d is an ARP packet\n",
ntohs(eptr->ether_type),
ntohs(eptr->ether_type));
}else {
printf("Ethernet type %x not IP", ntohs(eptr->ether_type));
exit(1);
}

ptr = eptr->ether_dhost;
i = ETHER_ADDR_LEN;
printf(" Destination Address: ");
do{
printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++);
}while(--i>0);
printf("\n");

ptr = eptr->ether_shost;
i = ETHER_ADDR_LEN;
printf(" Source Address: ");
do{
printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++);
}while(--i>0);
printf("\n");

return 0;
}

chakka.lokesh · 04-23-2009, 03:46 AM

I didn't tested your code. Any way you do it on your own.

hint - 3:
now get in to "rfc 791".