Any solutions??

I tried your PHP sniffer for TCP connections and it works fine.
I would like to get a PHP sniffer to be able to get IGMP messages (not data) : like IGMP join, leave, issued on 224.0.0.22 but other IGMP messages as well.

So I modified your code this way :

$prot = getprotobyname(‘igmp’);
echo “protocole : $protn”;
$socket = socket_create(AF_INET , SOCK_RAW , $prot);
$address = ‘224.0.0.22’;
$tab_mcast = array(“group” => $address, “interface” => 0);
socket_set_option($sock, getprotobyname(‘ip’), MCAST_JOIN_GROUP, $tab_mcast);

if($socket)
{
echo “Starting sniffing…n”;
while(true)
{
//Start receiving on the raw socket
socket_recvfrom ( $socket , $buf , 65536 , 0 );

….

I receive some data but at this time I did not code IP/IGMP packet decoding (I lack information about its structure), and I only get some “0” when transcoding incoming buffer to hexadecimal.
Can you tell me if I am right with this code or would I have to change something ?

Thanks,

Jerome

thats good information.
then maybe libpcap has to be tried.

Thanks a lot for your quick answer and for the SO_BINDTODEVICE explanation. It gave me access to a brand new field of google results :)

FYI, the SO_BINDTODEVICE option is not defined on *BSD systems (as Darwin/OS X). There is actually no way (unless the socket is multicast) to determine the interface it is bound to. This seems to be made automatically based on the routing table.

But the reason for getting nothing does not come from a wrong interface problem….

Quoting a post from http://stackoverflow.com/questions/6878603/strange-raw-socket-on-mac-os-x :
”
FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw
sockets. Such packets need to be read directly at the datalink layer by using
libraries like libpcap or the bpf API. It also *never* passes any fragmented
datagram. Each datagram has to be completeley reassembled before it is passed
to a raw socket.
FreeBSD passes to a raw socket:
a) every IP datagram with a protocol field that is not registered in
the kernel
b) all IGMP packets after kernel finishes processing them
c) all ICMP packets (except echo request, timestamp request and address
mask request) after kernel finishes processes them
”

So, bad news, it won’t be possible to make a sniffer in PHP for OS X. Even opening /dev/bpf and try to read from it won’t give any result as the stream must be setup via ioctl calls and I see no way to do that from PHP (without coding an extension).

Any idea is very welcome.

Thanks for your time, nice blog btw !

selecting a particular device/interface might not be possible in php.

in c it can be done like this :
setsockopt(sock_raw , SOL_SOCKET , SO_BINDTODEVICE , “eth0” , strlen(“eth0”)+ 1 );

but the documentation at
http://www.php.net/manual/en/function.socket-get-option.php
does not define any such option as SO_BINDTODEVICE

you have to experiment to find whether it can be made to work or not.
I have not tested the code on os x.

yes the script ran with root privileges through sudo (that’s why i got the start sniffing output and no errors). My question is how do I select the interface ? How do I know with interface the script reads from ?
The problem is not a privilege thing or something related to PHP i think because after compiling and running the same script in C (posted on this blog too) I got the same result. That is everything is set up correctly but no packet is captured…

(note: i’m trying that on an OS X box; PHP 5.3.10 PHP 5.3.10 with Suhosin-Patch (cli))

yes, the sniffer will capture packets that are received by the browser.
the program should be run with root privileges (sudo on ubuntu for example).
without root it will not be able to capture packets, because it uses raw sockets which require root privileges.
if the interface is correct, the program should pickup packets.

Your code hold my attention so i tried it. While encountering no problem to start it and get the “Starting sniffing…\n” output I did not manage to capture any packet. Am I understanding the thing wrongly if I think this sniffer should be able to capture the packets sent and received when a page is loaded in a browser on my machine ?
I am wondering if the socket may be bound to the wrong interface (like lo0) thus receiving nothing.
Any idea ?

Thanks for sharing this

you need php cli to be installed.
Check it with the command “php -v”
It should show something like this :

PHP 5.3.5-1ubuntu7.4 with Suhosin-Patch (cli) (built: Dec 13 2011 18:30:11)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Xdebug v2.1.0, Copyright (c) 2002-2010, by Derick Rethans

If it says that command not found then its not installed.

Also this code will work only on Linux.

When running the script provide the full path like :

sudo php /var/htdocs/sniff/sniffer.php

or something similar

I am trying to run it, but can’t create the socket. How do you specify to run it as sudo to view/run the script in a browser (I have it saved in: htdocs/sniff/sniffer.php)? Your suggestion of “sudo php sniffer.php” from the command line results in a command not found msg.

Could you please let me know how you are running this awesome script?

Thanks!