5

I need to write a packet sniffer in Linux that detects HTTPS packets that are sent and saves the URL from the request. I found code for this in security-freak and ran it. This code runs but only sniffs the received packets, and I need to get the sent packets in the sniffer. How do I get the sent packets in this code?

I can't use any library like libcap (forbidden). The code is: sniffer.c

talonx
Sajad Bahmani

3 Answers

12

You should be using ETH_P_ALL instead of ETH_P_IP as the protocol. ETH_P_IP only listens for incoming IP packets.

gte525u
  • If the goal is to see http packets, why not use ETH_P_IP? You don't need everything. – JXG Nov 03 '09 at 13:42
  • 4
    The goal is to see outgoing http packets. ETH_P_IP only sees incoming packets. See thread: http://lkml.indiana.edu/hypermail/linux/kernel/9604.1/0603.html – gte525u Nov 03 '09 at 15:18
  • Where is the official documentation for these kinds of macros? I have been searching all over the POSIX standard but I can't find anything. Also the Linux kernel doesn't say anything! – 71GA Mar 14 '22 at 07:50
2

Why can't you use any library? Homework?

It's hard to answer without having examples from your code, for example how you set sll_pkttype.

The urlsnarf tool in the dsniff suite could be worth a look.

Anders Lindahl
1

With appropriate libpcap or DNET usage you should be able to get all network traffic on the desired layer (protocol - 5) (also the outgoing traffic). But you should know that already.

You need to go through the above libraries' manuals and find the appropriate filtering.

bua