
I was looking for the most straightforward tutorial on making a tiny network sniffer and found this one. I followed it, but the method advised to sniff packets is:

/* one ';' here, not ';;' as in the original listing */
int sock_raw = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
while (1)
{
    /* recvfrom() overwrites saddr_size, so it must be reset before each call */
    saddr_size = sizeof(saddr);
    data_size = recvfrom(sock_raw, buffer, 65536, 0, &saddr, &saddr_size);
}

With the rationale:

A raw socket when put in recvfrom loop receives all incoming packets. This is because it is not bound to a particular address or port.

It seemed to me that this would only monitor network traffic coming in and out of my own computer, and not the whole LAN. A test-run confirmed my intuition.

Is it correct? Can this method only sniff packets coming in and out of my laptop?

Which approach should I take to sniff all network traffic (i.e. netsniff-ng, Wireshark)?

I want to avoid using libpcap in this case.

Juicy

1 Answer


That depends on your network, especially the types and configuration of the routers and switches that connect everything. In most installations, computers are not connected directly to each other. Instead, they talk to a switch. The switch will only send you the packets which are meant for your computer - the rationale is that it doesn't make sense for the switch to elaborately push electrons towards you which you'll only throw away.

But a computer can tell a switch to go into "promiscuous mode". That will configure your port of the switch to send you a copy of every packet that the switch sees. There are two catches:

  1. The switch still can't see packets which other switches/routers don't send to it. Promiscuous mode doesn't propagate - otherwise, you'd quickly get a copy of every packet sent over the Internet anywhere. Not even Google or the NSA could handle this kind of traffic.

  2. If your switch isn't the plug&play kind, your system admin will have disabled this feature.

[EDIT] Wireshark uses libpcap which is a low-level library which does everything from configuring your network device to fetching and filtering the packets that it can see. So you should try to find the source code of this library to understand better how it is done.

Related:

  • FedEx Bandwidth: When - if ever - will the bandwidth of the Internet surpass that of FedEx?
Aaron Digulla
  • With Wireshark I can currently see my second computer's HTTP interaction with a remote server (note, both my main and second computers are on WiFi which is probably why I can see all traffic). Since I can monitor this 'conversation' with Wireshark, I'm trying to understand how I can reproduce this with raw sockets. – Juicy Feb 16 '15 at 13:18
  • @Juicy: The first thing is to bring your socket into "promiscuous mode"; without this, it won't show you packets that are meant for a different MAC address. I can't comment on the "raw socket or not" part; but if you want to be able to intercept any kind of packet, a raw socket makes sense to me. – Aaron Digulla Feb 16 '15 at 13:26
  • That said, Wireshark is an OSS project, so there should be source somewhere :-) Download it, then you can see how they do it. – Aaron Digulla Feb 16 '15 at 13:28
  • @AaronDigulla Thanks! That was exactly the tip I was looking for. There are a few code samples around. – Juicy Feb 16 '15 at 13:29
  • @Juicy Wireshark is using libpcap – hek2mgl Feb 16 '15 at 13:29
  • @hek2mgl Haven't looked in detail yet but there seem to be quite a few simple solutions for raw sockets sniffing all traffic in promiscuous mode without libpcap. http://stackoverflow.com/questions/114804/reading-from-a-promiscuous-network-device Admittedly the guy does recommend using libpcap for complex tasks but I'm trying to avoid it if I can. I just need to demonstrate the principle. – Juicy Feb 16 '15 at 13:32
  • Packet sniffers - like libpcap - use an interface provided by the kernel to obtain the raw packet data. I suggest reading https://github.com/the-tcpdump-group/libpcap/blob/master/README.linux – hek2mgl Feb 16 '15 at 13:47
  • @Juicy I must say sorry!! You were right with that *raw sockets*. Having support from the kernel, the `AF_PACKET` pseudo address family can be used for sniffing. Never knew this, always used libpcap and thought that they are using some `ioctl()` or whatever.. Sorry again, and thanks for pointing this out! :) I will be AFK a while but can try to build an example later... (however, you still didn't tell *why* you don't want to use libpcap) – hek2mgl Feb 16 '15 at 13:57
  • @hek2mgl No problem haha, well in a nutshell as part of a hacking project for my course I'm demonstrating how I can create custom firmware for a little IP camera. The thing has very little room (less than 1 MB for playing). With dropbear ssh server and netcat, I have about 600 KB left free. I'm trying to get a very simple, very basic packet sniffer in there just 'for the show', more of a proof of concept thing. Because I couldn't find any tiny lightweight packet sniffers I thought I'd have a go at making a very basic one, hence why I'm trying to avoid libpcap for space. – Juicy Feb 16 '15 at 14:35
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/71029/discussion-between-hek2mgl-and-juicy). – hek2mgl Feb 16 '15 at 15:43
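The following is an added example, not code from the question, the answer, the linked tutorial or any of the commenters. It ties together the two points discussed above: the `AF_PACKET` / `SOCK_RAW` / `ETH_P_ALL` receive loop from the question, and the promiscuous-mode step from the answer and comments. Promiscuous mode is requested with the Linux `PACKET_ADD_MEMBERSHIP` socket option and `PACKET_MR_PROMISC` (a real, documented API; the kernel drops the membership when the socket closes), and the socket is bound to one interface so the flag applies to that interface only. The interface name is a placeholder taken from `argv[1]`; the sample frame embedded for offline testing is constructed, not captured. This needs `CAP_NET_RAW` (normally root) and a Linux kernel. Note that, as the answer says, promiscuous mode only lets the NIC keep frames addressed to other MACs that already reach its port; on a switched segment that is still only what the switch forwards to you.

```c
/* Minimal AF_PACKET sniffer with promiscuous mode (added example, Linux only). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>

struct eth_info {
    uint8_t  dst[6];
    uint8_t  src[6];
    uint16_t ethertype;   /* host byte order */
};

/* Decode the 14-byte Ethernet II header at the start of a frame.
 * Returns the payload offset (ETH_HLEN) or -1 if the frame is too short. */
int parse_ethernet(const uint8_t *frame, size_t len, struct eth_info *out)
{
    if (len < ETH_HLEN)
        return -1;
    memcpy(out->dst, frame, 6);
    memcpy(out->src, frame + 6, 6);
    out->ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    return ETH_HLEN;
}

/* Fill a packet_mreq asking the kernel to put ifindex into promiscuous
 * mode for the lifetime of the socket. Returns 0 on success, -1 on bad input. */
int make_promisc_req(int ifindex, struct packet_mreq *mr)
{
    if (ifindex <= 0)
        return -1;
    memset(mr, 0, sizeof(*mr));
    mr->mr_ifindex = ifindex;
    mr->mr_type    = PACKET_MR_PROMISC;
    return 0;
}

/* Open an AF_PACKET socket bound to one interface and enable promiscuous mode. */
int open_sniffer(const char *ifname)
{
    int ifindex = (int)if_nametoindex(ifname);   /* ifname is a placeholder from argv */
    if (ifindex == 0) { perror("if_nametoindex"); return -1; }

    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof(sll));
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) { perror("bind"); close(fd); return -1; }

    struct packet_mreq mr;
    make_promisc_req(ifindex, &mr);
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) < 0) {
        perror("setsockopt(PACKET_ADD_MEMBERSHIP)"); close(fd); return -1;
    }
    return fd;
}

/* Constructed sample frame (not captured traffic): broadcast dst, locally
 * administered src 02:00:00:00:00:01, ethertype 0x0806 (ARP), 2 payload bytes. */
static const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x06,
    0x00, 0x01
};

/* Parse the constructed sample and return its ethertype, or -1 on a short frame. */
int sample_ethertype(void)
{
    struct eth_info e;
    if (parse_ethernet(sample_frame, sizeof(sample_frame), &e) < 0)
        return -1;
    return e.ethertype;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <ifname>\n", argv[0]); return 1; }
    int fd = open_sniffer(argv[1]);
    if (fd < 0) return 1;

    uint8_t buf[65536];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);   /* one full frame per call */
        if (n < 0) { perror("recv"); break; }
        struct eth_info e;
        if (parse_ethernet(buf, (size_t)n, &e) < 0)
            continue;
        printf("%02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x type 0x%04x len %zd\n",
               e.src[0], e.src[1], e.src[2], e.src[3], e.src[4], e.src[5],
               e.dst[0], e.dst[1], e.dst[2], e.dst[3], e.dst[4], e.dst[5],
               e.ethertype, n);
    }
    close(fd);
    return 0;
}
```

Compile with `gcc -O2 -o sniff sniff.c` and run as root with the interface name, e.g. `./sniff eth0` (placeholder name). Binding to `sll_ifindex` matters for the membership option: without it the socket sees every interface, but `PACKET_MR_PROMISC` is applied per interface index. Because the membership is tied to the socket, the interface leaves promiscuous mode automatically when the program exits, which is tidier than the older `ioctl(SIOCSIFFLAGS)` / `IFF_PROMISC` approach that leaves the flag set until something clears it. On a host you administer, an interface entering promiscuous mode is also something worth watching for (the kernel logs `device ... entered promiscuous mode`), since unexpected sniffers are a common post-compromise sign.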