
I started a project that needs to use network-level packets such as IP/ICMP/UDP/TCP packets.

There are two main approaches to handle it: raw sockets and WinPcap/libpcap.

I know pcap installs a driver on the OS and allows the programmer to capture and send packets. On the other hand, there are raw sockets, which have some limitations in Windows 7 or above.

The project needs to send some IP/ICMP/UDP/TCP packets to a router and analyze the responses, such as the IP Identifier, TTL, etc. Also, I want it to work in Linux and Windows.

Can you list a comparison of these two approaches?

masoud
  • Not enough for an answer, but raw sockets are [not available on non-server versions of Windows after XP SP2](http://msdn.microsoft.com/en-us/library/windows/desktop/ms740548%28v=vs.85%29.aspx#limitations_on_raw_sockets) (under certain conditions), not just Windows 7. – Scott Chamberlain Feb 20 '12 at 20:51
  • In fact, I do not know if the pcap driver can send data; I thought it only can capture. Using a Server OS for Windows may be a requirement to be able to Tx packets. This is because malware has abused this for so long they disabled it for everyone but servers (as an end user should never need to forge raw packets). – Scott Chamberlain Feb 20 '12 at 20:56

2 Answers

If you want the code to be portable, then you can't use the raw socket API (which is rather different on Linux and Windows). WinPcap is generally compatible with libpcap, and the pcap API is generally reasonable, considering what it's doing.

bdow

In your situation, RAW sockets will work, but you have to do something like `sock_raw_tcp = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);`, `sock_raw_udp = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);`, `sock_raw_icmp = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);`.

You don't have an option like `IP_PROTO_IP`. Now, with RAW sockets, you will get only IP headers + transport-level headers, but not Ethernet headers. So, if you are only interested in application-layer data and want to use the IP header for the IP address & TTL and the transport header for port numbers etc., then it's OK. Keep in mind that for TCP you might have to do checksums and reassembly also. Some checksums will also be required for UDP.

However, WinPcap solves many management issues for you, since it uses a device driver to connect to your NIC's data link layer, or layer 2. Here you will also get an Ethernet frame and won't have to open different types of RAW sockets. You still will have to apply the application-related logic of dealing with packets as you would do on the network layer (layer 3).

Ashley
  • If you are using Java, then you can use either JPCAP for layer 2, or if you want to use layer 3, then you can use Savarese's raw socket library to capture raw packets along with Savarese's Virtual Services TCP/IP for your data manipulation. However, another advantage of using JPCAP is being able to get the source and destination MAC addresses from the Ethernet headers. On the other hand, Savarese's Virtual Services has the advantage of a more refined API in terms of, say, calculating a TCP checksum, which JPCAP lacks. For JPCAP, use Keita Fujii's library, as it doesn't have memory leaks. – Ashley Oct 03 '13 at 14:29
  • You can actually use both of them together. – Ashley Oct 03 '13 at 14:35
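The difference the answer above describes, shown in code (an added example, not code from either answer): a raw-socket buffer starts at the IPv4 header, while a pcap capture carries a 14-byte Ethernet header first, so each path needs its own parser before you can read the Identification and TTL fields the question asks about and verify the header checksum. The sample ICMP echo reply below is constructed for the example, and `parse_raw_ipv4`, `parse_pcap_ipv4` and `inet_checksum` are this example's own names.

```c
/* Added example, not from the original answers: parse what a SOCK_RAW
 * socket returns (IPv4 header + transport header, no Ethernet frame),
 * extract the IP Identification and TTL the question asks about, and
 * verify the header checksum. */
#include <stdint.h>
#include <stddef.h>

struct ip_summary {
    uint8_t  ttl;
    uint16_t ident;     /* IP Identification, host byte order */
    uint8_t  proto;     /* 1 = ICMP, 6 = TCP, 17 = UDP */
    size_t   hdr_len;   /* header length in bytes, from IHL */
    int      csum_ok;   /* 1 if the IPv4 header checksum verifies */
};
/* RFC 1071 one's-complement checksum over len bytes. */
uint16_t inet_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;   /* pad odd byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 on success, -1 if the buffer is too short or not IPv4. */
int parse_raw_ipv4(const uint8_t *buf, size_t len, struct ip_summary *out) {
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    out->hdr_len = ihl;
    out->ident   = (uint16_t)((buf[4] << 8) | buf[5]);
    out->ttl     = buf[8];
    out->proto   = buf[9];
    /* Summing the header including its own checksum field yields 0. */
    out->csum_ok = inet_checksum(buf, ihl) == 0;
    return 0;
}

/* pcap variant: a capture starts with a 14-byte Ethernet header, so
 * check EtherType 0x0800 (IPv4) and skip it before parsing. */
int parse_pcap_ipv4(const uint8_t *f, size_t len, struct ip_summary *out) {
    if (len < 14 || f[12] != 0x08 || f[13] != 0x00) return -1;
    return parse_raw_ipv4(f + 14, len - 14, out);
}
/* Constructed sample: ICMP echo reply 192.168.1.1 -> 192.168.1.100,
 * Identification 0x1234, TTL 64, valid IP and ICMP checksums. */
const uint8_t sample_reply[28] = {
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x00,0x00, 0x40,0x01,0xe4,0xf7,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x64,
    0x00,0x00,0xff,0xfd, 0x00,0x01,0x00,0x01 };
```

The same checksum routine applied to the ICMP bytes after the IP header (offset `hdr_len`) also returns 0 for the sample, which is the check the answer says you must do yourself for ICMP/UDP/TCP payloads.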