LinuxQuestions.org - Packet Captureing/Sniffing w/ BSD Sockets

- Programming (https://www.linuxquestions.org/questions/programming-9/)

- - Packet Captureing/Sniffing w/ BSD Sockets (https://www.linuxquestions.org/questions/programming-9/packet-captureing-sniffing-w-bsd-sockets-397897/)

Packet Captureing/Sniffing w/ BSD Sockets

I'm looking for resources to create a simple packet capturing app...

Platform = MacOSX (BSD Sockets)
Goal = Capture traffic to/from my PC
(looking for some specific info from port X via TCP in this case and then do something with it)

creating the socket is easy and processing is easy but how do i configure the socket to listen?

I think my problem is either in bind() or ioctl() but it is not an easy thing to search for... (lots of linux results and linux does things differently (I'll add that later =)

Note: I would like to stay away from 3rd party libraries.

BSD Sockets = berkley sockets which i believe besides a very few things is compatiable around most os's(including winsock as its based on bsd)
http://beej.us/guide/bgnet/output/html/index.html
<edit>
If there are any differences between linux and mac implementation of bsd I would appreciate a point in the right direction; as I'm currently making a cross platfrom app which used this.
cheers
</edit>

Unfortunately the link doesn't help me much in this case... I will recheck the IOCTL() functions just in case...

Linux, Mac, Windows... Most functions are the same...
accept() connect() recv() recvfrom() etc...

There are a few differences but most are *nix to win...
(I'll post this just in case it may save you some time :-)

Code:

#ifndef WIN32

# define u_int unsigned int

# define SOCKET u_int /* could be an INT */

# define INVALID_SOCKET (SOCKET)(~0) /* -1 if INT */ 

# define SOCKET_ERROR (SOCKET)(~0) /* -1 if INT */

# define WSAGetLastError() errno

# define closesocket close

# define ioctlsocket ioctl

# define INADDR_NONE 0xffffffff

#else

# define socklen_t int

# define EAFNOSUPPORT WSAEAFNOSUPPORT

#endif

NOTE: I did not figure that out - I saw the same or similar techniques around the web a built upon them with the above. Basically, it allows you to code one style instead of #ifdef's through out the code.

As far as the differences from what I am doing... It looks like Linux and BSD use different includes and variables....

I was going to give an example, but can't find them ATM... Linux allows for a lower level (kernel I think) workings with the packets than BSD Sockets would allow. (I haven't checked windows yet)

I am not findng much information on how to use:

Code:

int s = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

Most informations deal with creating your own packet whereas I am just wanting to "sniff" or "capture" the packets. Or they just don't work... (also spent 20 min to figure out SOCK_RAW requires root credentials)

thanks for the reply, but it seems ive got most of them an ones which are not in a header are #ifdef, for the likes of close and closesocket.

Code:

#ifdef WINDOWS_BUILD

#pragma comment(lib, "WS2_32.lib")//link the lib

#include <winsock2.h>//and include winsock

#define MY_INVALID_SOCKET        INVALID_SOCKET

#define MY_SOCKET_ERROR                SOCKET_ERROR

#define MY_IPPROTO_TCP                IPPROTO_TCP

#define MY_SOCKET                        SOCKET

#define MY_NO_ERROR                        NO_ERROR

#endif //WINDOWS_BUILD



#if ( defined(UNIX_BUILD) || defined(MAC_BUILD) )

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#include <fcntl.h>

#define MY_INVALID_SOCKET        (-1)

#define MY_SOCKET_ERROR                MY_INVALID_SOCKET

#define MY_IPPROTO_TCP                0//this gives us the default in bsd

#define MY_SOCKET                        int//unsigned in winsock

#define MY_NO_ERROR                        0L

#endif //UNIX_BUILD || MAC_BUILD

Quick Update:
http://www.machacking.net/forums/ind...23&hl=sock_raw

Code:

int s = socket(PF_INET, SOCK_RAW, 0);

ok, ICMP works, but not TCP... =/

Does anyone know how to get TCP/UDP to work with BSD Sockets? (even with Winsock) -- or perhaps where to go to ask =)

On Linux >= 2.2 you use PF_PACKET, SOCK_PACKET otherwise. I suggest you browse the libpcap code, you may find the MacOS X specifics there

Quote:

Originally Posted by primo

On Linux >= 2.2 you use PF_PACKET, SOCK_PACKET otherwise. I suggest you browse the libpcap code, you may find the MacOS X specifics there

Linux is the greater of the 3 OSs in this respect... My primary targeted OSs for this is Mac and Windows then Linux for fun...

ya... think i must go through libpcap code... not my pref though =P

Thanks!

Quote:

Originally Posted by dmail

thanks for the reply, but it seems ive got most of them an ones which are not in a header are #ifdef, for the likes of close and closesocket.

Code:

#ifdef WINDOWS_BUILD

#pragma comment(lib, "WS2_32.lib")//link the lib

#include <winsock2.h>//and include winsock

#define MY_INVALID_SOCKET        INVALID_SOCKET

#define MY_SOCKET_ERROR                SOCKET_ERROR

#define MY_IPPROTO_TCP                IPPROTO_TCP

#define MY_SOCKET                        SOCKET

#define MY_NO_ERROR                        NO_ERROR

#endif //WINDOWS_BUILD



#if ( defined(UNIX_BUILD) || defined(MAC_BUILD) )

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#include <fcntl.h>

#define MY_INVALID_SOCKET        (-1)

#define MY_SOCKET_ERROR                MY_INVALID_SOCKET

#define MY_IPPROTO_TCP                0//this gives us the default in bsd

#define MY_SOCKET                        int//unsigned in winsock

#define MY_NO_ERROR                        0L

#endif //UNIX_BUILD || MAC_BUILD

Thanks! I do need to add the pragma... my winsock is in another file (I don't know why i seperated them to be honest... =)