
I am trying to write an application to sniff traffic being sent to an ethernet port on my server. My application never needs to send data. It only needs to receive and decode the 5-tuple.

I am opening the socket with:

```c
socket (AF_INET, SOCK_RAW, htons (ETH_P_ALL))
```

and setting it to promiscuous mode:

```c
struct ifreq ifr;
ioctl (raw_socket, SIOCGIFFLAGS, &ifr);
/* Set the old flags plus the IFF_PROMISC flag */
ifr.ifr_flags |= IFF_PROMISC;
ioctl (raw_socket, SIOCSIFFLAGS, &ifr);
```

I am using recv to receive data from the socket, but it appears that I'm not receiving the full packets including the from/to IP addresses inside the packet.

Any idea how best to do this?

jww
Gatnus
  • I'd suggest taking a look at libpcap, it might provide everything you need. – thurizas Nov 21 '14 at 20:14
  • Trying to make libpcap, but receiving errors. Any idea how to fix? gcc -fpic -I. -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-linux.c gcc -fpic -I. -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-usb-linux.c ./pcap-dbus.c: In function ‘dbus_write’: ./pcap-dbus.c:111: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function) – Gatnus Nov 24 '14 at 14:28
  • I am unable to reproduce the error. I downloaded the most recent version of libpcap (version 1.6.2), ran the configure script (./configure) and then ran make. It compiled without errors or warnings for me. My build system is a centos-7 host (uname -a gives "Linux broadsword 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux") and I am using gcc-4.8.2. Normally an "undeclared" error is due to a missing header file; on my system `DBUS_ERROR_INIT` is found in _dbus/dbus-errors.h_ and is "#define DBUS_ERROR_INIT { NULL, NULL, TRUE, 0, 0, 0, 0, NULL }". – thurizas Nov 24 '14 at 16:05
  • uname -a produces Linux 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux. Could I be missing some dependency? The box is not connected to the internet - it's in a lab network only. – Gatnus Nov 25 '14 at 14:40
  • Could be a missing dependency; however, if a header file was missing I'd expect an error about not being able to find the header file. I'd check to see if you have the dbus development package installed (_i.e._ `dbus-devel-1.6.12-8.el7.x86_64` or the appropriate one for your system); you can use `rpm -qa | grep dbus` to see what is installed on your system. Also, you might be able to install pcap via yum (or just download the RPMs). I would recommend installing the following: `libpcap.x86_64` (if not already present), `libpcap-devel.x86_64` and `libpcap-debuginfo.x86_64`. – thurizas Nov 25 '14 at 15:26
  • Also see [Raw Socket promiscuous mode not sniffing what I write](https://stackoverflow.com/q/12177708/608639) – jww Nov 29 '19 at 05:32
