How to code Packet Sniffer in C with Sockets on Linux

By | August 5, 2020

Packet sniffer

Packet sniffers are programs that intercept the network traffic flowing in and out of a system through network interfaces.

So if you are browsing the internet then traffic is flowing and a packet sniffer would be able to catch it in the form of packets and display them for whatever reasons required.

Packet sniffers are used for various needs like analysing protocols, monitoring network, and assessing the security of a network.

Wireshark for example is the most popular packet sniffer out there and is available for all platforms. Its gui based and very easy to use.

In this post we are going to talk about how to code and make our own packet sniffer in C and on the linux platform. By Linux it means that the code sample shown here would work only on linux and not windows.

Packet sniffers can be coded by either using sockets api provided by the kernel, or by using some packet capture library like libpcap. In this tutorial we shall be covering the first method, that is by using sockets.

Basic Sniffer using sockets

To code a very simply sniffer in C the steps would be

1. Create a raw socket.
2. Put it in a recvfrom loop and receive data on it.

A raw socket when put in recvfrom loop receives all incoming packets. This is because it is not bound to a particular address or port.

sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);
while(1)
{
data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size);
}

Thats all. The buffer will hold the data sniffed or picked up. The sniffing part is actually complete over here. The next task is to actually read the captured packet, analyse it and present it to the user in a readable format.

The following code shows an example of such a sniffer. Note that it sniffs only incoming packets.

Code

#include<stdio.h>	//For standard things
#include<stdlib.h>	//malloc
#include<string.h>	//memset
#include<netinet/ip_icmp.h>	//Provides declarations for icmp header
#include<netinet/udp.h>	//Provides declarations for udp header
#include<netinet/tcp.h>	//Provides declarations for tcp header
#include<netinet/ip.h>	//Provides declarations for ip header
#include<sys/socket.h>
#include<arpa/inet.h>

void ProcessPacket(unsigned char* , int);
void print_ip_header(unsigned char* , int);
void print_tcp_packet(unsigned char* , int);
void print_udp_packet(unsigned char * , int);
void print_icmp_packet(unsigned char* , int);
void PrintData (unsigned char* , int);

int sock_raw;
FILE *logfile;
int tcp=0,udp=0,icmp=0,others=0,igmp=0,total=0,i,j;
struct sockaddr_in source,dest;

int main()
{
	int saddr_size , data_size;
	struct sockaddr saddr;
	struct in_addr in;
	
	unsigned char *buffer = (unsigned char *)malloc(65536); //Its Big!
	
	logfile=fopen("log.txt","w");
	if(logfile==NULL) printf("Unable to create file.");
	printf("Starting...\n");
	//Create a raw socket that shall sniff
	sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);
	if(sock_raw < 0)
	{
		printf("Socket Error\n");
		return 1;
	}
	while(1)
	{
		saddr_size = sizeof saddr;
		//Receive a packet
		data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size);
		if(data_size <0 )
		{
			printf("Recvfrom error , failed to get packets\n");
			return 1;
		}
		//Now process the packet
		ProcessPacket(buffer , data_size);
	}
	close(sock_raw);
	printf("Finished");
	return 0;
}

void ProcessPacket(unsigned char* buffer, int size)
{
	//Get the IP Header part of this packet
	struct iphdr *iph = (struct iphdr*)buffer;
	++total;
	switch (iph->protocol) //Check the Protocol and do accordingly...
	{
		case 1:  //ICMP Protocol
			++icmp;
			//PrintIcmpPacket(Buffer,Size);
			break;
		
		case 2:  //IGMP Protocol
			++igmp;
			break;
		
		case 6:  //TCP Protocol
			++tcp;
			print_tcp_packet(buffer , size);
			break;
		
		case 17: //UDP Protocol
			++udp;
			print_udp_packet(buffer , size);
			break;
		
		default: //Some Other Protocol like ARP etc.
			++others;
			break;
	}
	printf("TCP : %d   UDP : %d   ICMP : %d   IGMP : %d   Others : %d   Total : %d\r",tcp,udp,icmp,igmp,others,total);
}

void print_ip_header(unsigned char* Buffer, int Size)
{
	unsigned short iphdrlen;
		
	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen =iph->ihl*4;
	
	memset(&source, 0, sizeof(source));
	source.sin_addr.s_addr = iph->saddr;
	
	memset(&dest, 0, sizeof(dest));
	dest.sin_addr.s_addr = iph->daddr;
	
	fprintf(logfile,"\n");
	fprintf(logfile,"IP Header\n");
	fprintf(logfile,"   |-IP Version        : %d\n",(unsigned int)iph->version);
	fprintf(logfile,"   |-IP Header Length  : %d DWORDS or %d Bytes\n",(unsigned int)iph->ihl,((unsigned int)(iph->ihl))*4);
	fprintf(logfile,"   |-Type Of Service   : %d\n",(unsigned int)iph->tos);
	fprintf(logfile,"   |-IP Total Length   : %d  Bytes(Size of Packet)\n",ntohs(iph->tot_len));
	fprintf(logfile,"   |-Identification    : %d\n",ntohs(iph->id));
	//fprintf(logfile,"   |-Reserved ZERO Field   : %d\n",(unsigned int)iphdr->ip_reserved_zero);
	//fprintf(logfile,"   |-Dont Fragment Field   : %d\n",(unsigned int)iphdr->ip_dont_fragment);
	//fprintf(logfile,"   |-More Fragment Field   : %d\n",(unsigned int)iphdr->ip_more_fragment);
	fprintf(logfile,"   |-TTL      : %d\n",(unsigned int)iph->ttl);
	fprintf(logfile,"   |-Protocol : %d\n",(unsigned int)iph->protocol);
	fprintf(logfile,"   |-Checksum : %d\n",ntohs(iph->check));
	fprintf(logfile,"   |-Source IP        : %s\n",inet_ntoa(source.sin_addr));
	fprintf(logfile,"   |-Destination IP   : %s\n",inet_ntoa(dest.sin_addr));
}

void print_tcp_packet(unsigned char* Buffer, int Size)
{
	unsigned short iphdrlen;
	
	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen = iph->ihl*4;
	
	struct tcphdr *tcph=(struct tcphdr*)(Buffer + iphdrlen);
			
	fprintf(logfile,"\n\n***********************TCP Packet*************************\n");	
		
	print_ip_header(Buffer,Size);
		
	fprintf(logfile,"\n");
	fprintf(logfile,"TCP Header\n");
	fprintf(logfile,"   |-Source Port      : %u\n",ntohs(tcph->source));
	fprintf(logfile,"   |-Destination Port : %u\n",ntohs(tcph->dest));
	fprintf(logfile,"   |-Sequence Number    : %u\n",ntohl(tcph->seq));
	fprintf(logfile,"   |-Acknowledge Number : %u\n",ntohl(tcph->ack_seq));
	fprintf(logfile,"   |-Header Length      : %d DWORDS or %d BYTES\n" ,(unsigned int)tcph->doff,(unsigned int)tcph->doff*4);
	//fprintf(logfile,"   |-CWR Flag : %d\n",(unsigned int)tcph->cwr);
	//fprintf(logfile,"   |-ECN Flag : %d\n",(unsigned int)tcph->ece);
	fprintf(logfile,"   |-Urgent Flag          : %d\n",(unsigned int)tcph->urg);
	fprintf(logfile,"   |-Acknowledgement Flag : %d\n",(unsigned int)tcph->ack);
	fprintf(logfile,"   |-Push Flag            : %d\n",(unsigned int)tcph->psh);
	fprintf(logfile,"   |-Reset Flag           : %d\n",(unsigned int)tcph->rst);
	fprintf(logfile,"   |-Synchronise Flag     : %d\n",(unsigned int)tcph->syn);
	fprintf(logfile,"   |-Finish Flag          : %d\n",(unsigned int)tcph->fin);
	fprintf(logfile,"   |-Window         : %d\n",ntohs(tcph->window));
	fprintf(logfile,"   |-Checksum       : %d\n",ntohs(tcph->check));
	fprintf(logfile,"   |-Urgent Pointer : %d\n",tcph->urg_ptr);
	fprintf(logfile,"\n");
	fprintf(logfile,"                        DATA Dump                         ");
	fprintf(logfile,"\n");
		
	fprintf(logfile,"IP Header\n");
	PrintData(Buffer,iphdrlen);
		
	fprintf(logfile,"TCP Header\n");
	PrintData(Buffer+iphdrlen,tcph->doff*4);
		
	fprintf(logfile,"Data Payload\n");	
	PrintData(Buffer + iphdrlen + tcph->doff*4 , (Size - tcph->doff*4-iph->ihl*4) );
						
	fprintf(logfile,"\n###########################################################");
}

void print_udp_packet(unsigned char *Buffer , int Size)
{
	
	unsigned short iphdrlen;
	
	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen = iph->ihl*4;
	
	struct udphdr *udph = (struct udphdr*)(Buffer + iphdrlen);
	
	fprintf(logfile,"\n\n***********************UDP Packet*************************\n");
	
	print_ip_header(Buffer,Size);			
	
	fprintf(logfile,"\nUDP Header\n");
	fprintf(logfile,"   |-Source Port      : %d\n" , ntohs(udph->source));
	fprintf(logfile,"   |-Destination Port : %d\n" , ntohs(udph->dest));
	fprintf(logfile,"   |-UDP Length       : %d\n" , ntohs(udph->len));
	fprintf(logfile,"   |-UDP Checksum     : %d\n" , ntohs(udph->check));
	
	fprintf(logfile,"\n");
	fprintf(logfile,"IP Header\n");
	PrintData(Buffer , iphdrlen);
		
	fprintf(logfile,"UDP Header\n");
	PrintData(Buffer+iphdrlen , sizeof udph);
		
	fprintf(logfile,"Data Payload\n");	
	PrintData(Buffer + iphdrlen + sizeof udph ,( Size - sizeof udph - iph->ihl * 4 ));
	
	fprintf(logfile,"\n###########################################################");
}

void print_icmp_packet(unsigned char* Buffer , int Size)
{
	unsigned short iphdrlen;
	
	struct iphdr *iph = (struct iphdr *)Buffer;
	iphdrlen = iph->ihl*4;
	
	struct icmphdr *icmph = (struct icmphdr *)(Buffer + iphdrlen);
			
	fprintf(logfile,"\n\n***********************ICMP Packet*************************\n");	
	
	print_ip_header(Buffer , Size);
			
	fprintf(logfile,"\n");
		
	fprintf(logfile,"ICMP Header\n");
	fprintf(logfile,"   |-Type : %d",(unsigned int)(icmph->type));
			
	if((unsigned int)(icmph->type) == 11) 
		fprintf(logfile,"  (TTL Expired)\n");
	else if((unsigned int)(icmph->type) == ICMP_ECHOREPLY) 
		fprintf(logfile,"  (ICMP Echo Reply)\n");
	fprintf(logfile,"   |-Code : %d\n",(unsigned int)(icmph->code));
	fprintf(logfile,"   |-Checksum : %d\n",ntohs(icmph->checksum));
	//fprintf(logfile,"   |-ID       : %d\n",ntohs(icmph->id));
	//fprintf(logfile,"   |-Sequence : %d\n",ntohs(icmph->sequence));
	fprintf(logfile,"\n");

	fprintf(logfile,"IP Header\n");
	PrintData(Buffer,iphdrlen);
		
	fprintf(logfile,"UDP Header\n");
	PrintData(Buffer + iphdrlen , sizeof icmph);
		
	fprintf(logfile,"Data Payload\n");	
	PrintData(Buffer + iphdrlen + sizeof icmph , (Size - sizeof icmph - iph->ihl * 4));
	
	fprintf(logfile,"\n###########################################################");
}

void PrintData (unsigned char* data , int Size)
{
	
	for(i=0 ; i < Size ; i++)
	{
		if( i!=0 && i%16==0)   //if one line of hex printing is complete...
		{
			fprintf(logfile,"         ");
			for(j=i-16 ; j<i ; j++)
			{
				if(data[j]>=32 && data[j]<=128)
					fprintf(logfile,"%c",(unsigned char)data[j]); //if its a number or alphabet
				
				else fprintf(logfile,"."); //otherwise print a dot
			}
			fprintf(logfile,"\n");
		} 
		
		if(i%16==0) fprintf(logfile,"   ");
			fprintf(logfile," %02X",(unsigned int)data[i]);
				
		if( i==Size-1)  //print the last spaces
		{
			for(j=0;j<15-i%16;j++) fprintf(logfile,"   "); //extra spaces
			
			fprintf(logfile,"         ");
			
			for(j=i-i%16 ; j<=i ; j++)
			{
				if(data[j]>=32 && data[j]<=128) fprintf(logfile,"%c",(unsigned char)data[j]);
				else fprintf(logfile,".");
			}
			fprintf(logfile,"\n");
		}
	}
}

Compile and Run

$ gcc sniffer.c && sudo ./a.out

The program must be run as root user or superuser privileges. e.g. sudo ./a.out in ubuntu
The program creates raw sockets which require root access.

The output in the log file is something like this :

***********************TCP Packet*************************

IP Header
   |-IP Version        : 4
   |-IP Header Length  : 5 DWORDS or 20 Bytes
   |-Type Of Service   : 32
   |-IP Total Length   : 137  Bytes(Size of Packet)
   |-Identification    : 35640
   |-TTL      : 51
   |-Protocol : 6
   |-Checksum : 54397
   |-Source IP        : 174.143.119.91
   |-Destination IP   : 192.168.1.6

TCP Header
   |-Source Port      : 6667
   |-Destination Port : 38265
   |-Sequence Number    : 1237278529
   |-Acknowledge Number : 65363511
   |-Header Length      : 5 DWORDS or 20 BYTES
   |-Urgent Flag          : 0
   |-Acknowledgement Flag : 1
   |-Push Flag            : 1
   |-Reset Flag           : 0
   |-Synchronise Flag     : 0
   |-Finish Flag          : 0
   |-Window         : 9648
   |-Checksum       : 46727
   |-Urgent Pointer : 0

                        DATA Dump                         
IP Header
    45 20 00 89 8B 38 40 00 33 06 D4 7D AE 8F 77 5B         E [email protected]..}..w[
    C0 A8 01 06                                             ....
TCP Header
    1A 0B 95 79 49 BF 5F 41 03 E5 5E 37 50 18 25 B0         ...yI._A..^7P.%.
    B6 87 00 00                                             ....
Data Payload
    3A 6B 61 74 65 60 21 7E 6B 61 74 65 40 75 6E 61         :kate`!~kate@una
    66 66 69 6C 69 61 74 65 64 2F 6B 61 74 65 2F 78         ffiliated/kate/x
    2D 30 30 30 30 30 30 31 20 50 52 49 56 4D 53 47         -0000001 PRIVMSG
    20 23 23 63 20 3A 69 20 6E 65 65 64 20 65 78 61          ##c :i need exa
    63 74 6C 79 20 74 68 65 20 72 69 67 68 74 20 6E         ctly the right n
    75 6D 62 65 72 20 6F 66 20 73 6F 63 6B 73 21 0D         umber of socks!.
    0A                                                      .

###########################################################

***********************TCP Packet*************************

IP Header
   |-IP Version        : 4
   |-IP Header Length  : 5 DWORDS or 20 Bytes
   |-Type Of Service   : 32
   |-IP Total Length   : 186  Bytes(Size of Packet)
   |-Identification    : 56556
   |-TTL      : 48
   |-Protocol : 6
   |-Checksum : 22899
   |-Source IP        : 74.125.71.147
   |-Destination IP   : 192.168.1.6

TCP Header
   |-Source Port      : 80
   |-Destination Port : 49374
   |-Sequence Number    : 3136045905
   |-Acknowledge Number : 2488580377
   |-Header Length      : 5 DWORDS or 20 BYTES
   |-Urgent Flag          : 0
   |-Acknowledgement Flag : 1
   |-Push Flag            : 1
   |-Reset Flag           : 0
   |-Synchronise Flag     : 0
   |-Finish Flag          : 0
   |-Window         : 44765
   |-Checksum       : 15078
   |-Urgent Pointer : 0

                        DATA Dump                         
IP Header
    45 20 00 BA DC EC 00 00 30 06 59 73 4A 7D 47 93         E ......0.YsJ}G.
    C0 A8 01 06                                             ....
TCP Header
    00 50 C0 DE BA EC 43 51 94 54 B9 19 50 18 AE DD         .P....CQ.T..P...
    3A E6 00 00                                             :...
Data Payload
    48 54 54 50 2F 31 2E 31 20 33 30 34 20 4E 6F 74         HTTP/1.1 304 Not
    20 4D 6F 64 69 66 69 65 64 0D 0A 58 2D 43 6F 6E          Modified..X-Con
    74 65 6E 74 2D 54 79 70 65 2D 4F 70 74 69 6F 6E         tent-Type-Option
    73 3A 20 6E 6F 73 6E 69 66 66 0D 0A 44 61 74 65         s: nosniff..Date
    3A 20 54 68 75 2C 20 30 31 20 44 65 63 20 32 30         : Thu, 01 Dec 20
    31 31 20 31 33 3A 31 36 3A 34 30 20 47 4D 54 0D         11 13:16:40 GMT.
    0A 53 65 72 76 65 72 3A 20 73 66 66 65 0D 0A 58         .Server: sffe..X
    2D 58 53 53 2D 50 72 6F 74 65 63 74 69 6F 6E 3A         -XSS-Protection:
    20 31 3B 20 6D 6F 64 65 3D 62 6C 6F 63 6B 0D 0A          1; mode=block..
    0D 0A                                                   ..

###########################################################

Note

1. The above sniffer picks up only TCP packets, because of the declaration :

sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);

For UDP and ICMP the declaration has to be :

sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_ICMP);

You might be tempted to think of doing :

sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);

but this will not work , since IPPROTO_IP is a dummy protocol not a real one.

2. This sniffer picks up only incoming packets.

3. It provides the application with IP frames, which means that ethernet headers are not available.

4. It is not very accurate since it misses out some packets even in the incoming ones.

5. libpcap can also be used to write sniffers. Code example here.

In Part 2 we shall see how the above mentioned drawbacks can be overcome.

Conclusion

The next part of this tutorial shows how to sniff Ethernet headers with a packet sniffer. Check this here:
How to code a Packet Sniffer in C with Linux Sockets - Part 2

To learn how to code a packet sniffer using Libpcap library check out this post:
How to code a Packet Sniffer in C with Libpcap on Linux

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

52 Comments

How to code Packet Sniffer in C with Sockets on Linux
  1. suraj kumar

    HOW TO EXTRACT THE WEBSITE ADDRESS FROM SOURCE AND DESTINATION ADDRESS??

    i got the output as:

    ***********************TCP Packet*************************

    IP Header
    |-IP Version : 4
    |-IP Header Length : 5 DWORDS or 20 Bytes
    |-Type Of Service : 40
    |-IP Total Length : 52 Bytes(Size of Packet)
    |-Identification : 19032
    |-TTL : 55
    |-Protocol : 6
    |-Checksum : 43676
    |-Source IP : 117.18.237.29
    |-Destination IP : 192.168.43.207

    TCP Header
    |-Source Port : 80
    |-Destination Port : 56273
    |-Sequence Number : 1092319184
    |-Acknowledge Number : 1740369094
    |-Header Length : 8 DWORDS or 32 BYTES
    |-Urgent Flag : 0
    |-Acknowledgement Flag : 1
    |-Push Flag : 0
    |-Reset Flag : 0
    |-Synchronise Flag : 0
    |-Finish Flag : 0
    |-Window : 287
    |-Checksum : 58902
    |-Urgent Pointer : 0

    DATA Dump
    IP Header
    45 28 00 34 4A 58 40 00 37 06 AA 9C 75 12 ED 1D E([email protected]…u…
    C0 A8 2B CF ..+.
    TCP Header
    00 50 DB D1 41 1B 77 D0 67 BB EC C6 80 10 01 1F .P..A.w.g…\80…
    E6 16 00 00 01 01 08 0A 0F 9D 5C DD 00 09 EA CC ……….\…..
    Data Payload

  2. Anand KR

    Hi,

    How can we extract “ethernet header” information from the captured packets.
    I am surprised to see that you are casting the buffer to iphdr struct directly, so in that case what about the ethernet header part of the frame.

    Kindly explain the same. I am new to networking.

    Thanks in advance.

  3. Kate

    Don’t cast malloc :) And have your code handle the case where malloc returns NULL. I’d probably use void * for the function’s buffer argument on line 59 (leaving the array as unsigned char), and size_t for its size. Also if you re-order your source, you can avoid needing to write explicit prototypes. Line 218, unsigned int is the wrong type for %d. And unsigned short is the wrong type for iphdrlen; use size_t there, too.

    Think of using the appropriate type as an example of abstraction; here you’re abstracting the meaning of your variable from the implementation requirements for whatever type the struct used. Likewise for your buffer argument being void *.

  4. Kutlan Turan

    how can ı decode this collected packets? have you got any suggession? ı mean for example ı got packets of sıp or text sended how can ı decode this?

  5. aysh

    Hi moon..I used ur coding for my project …the coding was gud..the nly problem s aftr compiling I got nly starting..nd nthng was displayed in log.txt..its empty ..wt shld I do to get the right output…pls help me

  6. Anand

    I tried to use the raw sockets to capture the packets from wlan0 and p2p0 (wireless interfaces) but I faced following issue:
    1) The packet was of following format
    ——…….
    In the capture we used read option to get the packet being sent out and received at the wlan0 interface.

    2) The issues happens when sending the packet out, the ethernet frame is not completely shown in the dump printed by using the read.
    The first 8 bytes of the ethernet header (same as LLC+SNAP header size) are missing from the capture.

    I also checked same packet at wireshark and it was properly captured.

    3) On RX side the packet is properly received as per the dump.

    Please let me know in which direction I can proceed to check the same.

  7. kostya

    great code!
    can you explain me some thing? I’m just beginner in socket programming.
    You use construction as socket(AF_INET , SOCK_RAW , IPPROTO_TMP). i don’t understand it. we get defferent packets (as UDP, TCP) which is above ip-level. Why you don’t use parameter IPPROTO_IP?

  8. M.Usman

    Hi
    I want to make a simple packet analyzer which only display the incoming packet header information but i want to do this with Linux signals any help will be appreciated.

    Thanks

      1. M.USMAN

        I’m a linux signals newbie so I apologize for lame questions :-)
        I just want to khow is that is there any signals which dispatches when data(network packet) arrives on raw sockets so i read a packet header information….

  9. Harish

    Hi,

    I tried to use the above program to get the ttl value from the ip header. Everything else compiles fine , but i get an error when i try to reference the ttl value

    struct iphrd *ip_header = (struct iphrd *)buffer;

    int recv_hopcount = (unsigned int)(ip_header->totlen);

    Error: dereferencing pointer to an incomplete type

    Any help.

  10. samualY

    How hard would it be to take the code you’ve provided above, rewrite it for ipv6 ?
    I have been giving it a try, I feel I just don’t understand enough. The program above compiles and runs great !

    1. Binary Tides Post author

      the above code does not process ipv6 packets. in ipv6 the processing has to be different since ip header structure is different.

  11. chirag

    i got this error while i compile this code:

    sachin@ubuntu:~$ sudo -s
    root@ubuntu:~# cd Documents/
    root@ubuntu:~/Documents# gcc -c sniffer.c
    sniffer.c: In function ‘main’:
    sniffer.c:63:46: warning: incompatible implicit declaration of built-in function ‘malloc’
    sniffer.c:95:9: warning: passing argument 5 of ‘recvfrom’ from incompatible pointer type
    /usr/include/sys/socket.h:166:16: note: expected ‘struct sockaddr * __restrict__’
    but argument is of type ‘struct sockaddr_in *’
    sniffer.c: In function ‘print_ip_header’:
    sniffer.c:203:5: warning: incompatible implicit declaration of built-in function ‘memset’
    sniffer.c: At top level:
    sniffer.c:249:6: warning: conflicting types for ‘print_tcp_packet’
    sniffer.c:159:13: note: previous implicit declaration of ‘print_tcp_packet’ was here
    sniffer.c:343:6: warning: conflicting types for ‘print_udp_packet’
    sniffer.c:169:13: note: previous implicit declaration of ‘print_udp_packet’ was here
    sniffer.c:489:6: warning: conflicting types for ‘PrintData’
    sniffer.c:321:5: note: previous implicit declaration of ‘PrintData’ was here

    please help me…how i run this program.

    Thanks
    Chirag Verma

  12. sri

    sir this program is only tracing tcp packets .what is the proper output of this code.can u just send me the output details plzzzzzzz

    1. Binary Tides Post author

      Yes, this will capture only TCP packet because of the socket definition as :
      sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);

      For UDP and ICMP you have to use :
      sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
      sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_ICMP);

      It is also possible to capture all packets together using linux sockets. Check :

      https://www.binarytides.com/blog/packet-sniffer-code-in-c-using-linux-sockets-bsd-part-2/

      Libpcap can also be used :

      https://www.binarytides.com/blog/c-packet-sniffer-code-with-libpcap-and-linux-sockets-bsd/

  13. ant

    Sry for dupled- add if it’s possible.

    recvfrom seems can use non- connection-oriented sockets. It’s a wonder for me.
    But, how to make it listen the port I need?

  14. ant

    How can that work, if there’s no even bind?! Only creating socket- no binding and istening! No parameters added to RAW socket!
    Or maybe it has some explanations?
    When I ran that, I saw no output, only “Starting..” It loop into recvfrom and does nothing.

  15. anjibabu

    Add fflush(logfile);
    at the end of each print_xxxx_xxxx() method;
    i.e
    after fprintf(…) statements.
    then one can able to see the log messages in log file.

  16. shriket

    hi,
    the above program is gettin compiled with some warnings but at run time it gives the error like” error while loading shared libraries:libpcap.so.1:cannot open shared object file:no such file or directory”

  17. ksrpaniraj

    I still could not figure out how to capture icmp packets. Icmp packets doen’t get incremented. I actually wanted to capture vlan id. Can anyone have the solution for this

    1. Binary Tides Post author

      to capture icmp packets create socket like this :

      sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_ICMP);

  18. faeze

    hi
    i have the same problem. Does anyone solve it? or have another code for sniffing? Can anyone suggest me some reffrences for raw socket programming?

  19. guddu

    @sumit

    The above program will work if you edit the statement
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP); to
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);

    (atleast in my case it was working)
    but there’s still a bug
    it just filters out the UDP Packets.
    also if anyone can help me with how to enable timestamp option in IP packets

  20. Sumit

    hi
    i have bee trying to run the above c program in my system but its not working. Though the compilation is done with some warnings but the execution gets stuck.Log file is created but its blank.
    i want to know if i am doing it right way or some other steps are involved.
    the program doesn’t ask any port address to sniff data from.

    Please help
    Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *