Comments on: How to code a Packet Sniffer in C with Linux Sockets – Part 2

By: Rick

Rick — Thu, 09 Nov 2023 07:28:06 +0000

Hi… Thank you for the Excellent Tutorials and practical program examples.
I was trying to sniff only ARP/RARP and DHCP (or if needed BootP) packets on my network, because it is a mix of DHCP and static IP configurations. I was wondering what would be the values in the third option of the socket(…,…,???) function?
Help would be greatly appreciated.
Thanks..

By: agha

agha — Tue, 26 Jan 2021 07:00:59 +0000

In reply to Silver Moon. how can we check the HTTP packet type (GET and POST) of application layer

By: Alisson Oliveira Chaves

Alisson Oliveira Chaves — Sun, 11 Oct 2020 18:53:51 +0000

“1. Sniff both incoming and outgoing traffic.”

Outgoing is only in ETH_P_ALL option? or can i set custom protocol and filter outgoing traffic ?

By: Riku

Riku — Wed, 23 Sep 2020 15:12:05 +0000

Hey there !
First up: Thank you mate, you helped me alot.
But I got one question: Are you sure:

sock_raw = socket( AF_PACKET , SOCK_RAW , htons(ETH_P_IP|ETH_P_ARP)) ;

works this way ? I Tried to filter IPV4 (0x8000) and a fieldbus protocol (0x8892) but I cant seem to make it work. For some reason it only detects the fieldbus protocol. I tested each protocol seperatly and it works fine. My line of code looks like this:

sock_raw = socket( AF_PACKET , SOCK_RAW , htons(0x8000|0x8892)) ;

Maybe you got an idea.

By: Silver Moon

Silver Moon — Thu, 30 Jul 2020 04:59:57 +0000

In reply to aw. thanks for the comment. glad that you liked the post.

By: aw

aw — Tue, 21 Jul 2020 21:46:50 +0000

you deserve a medal for this! Thank you!

By: novice

novice — Fri, 26 Jan 2018 18:15:48 +0000

I am struggling to use source code (part 2). Unfortunately I don’t have experience how to use source code, so what I did was copied the code into a file using
vi capture-
then saved the file and issued
chmod u+x capture-

[root@server ~]# ./capture-
./capture-code: line 21: syntax error near unexpected token `(‘
./capture-code: line 21: `void ProcessPacket(unsigned char* , int);’

Please advise how to get this working. More over can I save the captured data in a format to be opened with Wireshark ?

Thanks

By: crob

crob — Thu, 19 Oct 2017 02:24:32 +0000

good example, learned!
i come here as libpcap drop udp packet, after some google, they tell me the pcap_setuserbuf not implement for linux, so I have to use raw sock, you showed a good sample code.
thank you.
my website is http://www.crobsoft.com

By: nouman

nouman — Sat, 04 Mar 2017 12:14:55 +0000

In reply to Binary Tides. socket error : operation failed

By: fleur

fleur — Tue, 28 Feb 2017 23:12:12 +0000

can someone please explain me more details about this code

By: ricky

ricky — Tue, 14 Feb 2017 15:43:24 +0000

Hi, I think the hyperlink “previous part” is not working! I wanted to write a C/C++ program that make use of divert sockets (FreeBSD) which will block all incoming icmp packets. Any clue on how to do that ? Thanks in advance.

By: Narendra

Narendra — Wed, 14 Dec 2016 11:41:57 +0000

Hi,

I want to capture a random tcp packet.
The program has to run as an ordinary user.
Any idea, how this can be done?
If it is not possible to capture tcp packet, is it possible to capture a http packet or any other protocol packet?
Please suggest.

Thanks,
Narendra

By: Jason Chien

Jason Chien — Fri, 25 Nov 2016 08:50:27 +0000

this code works on my centos 6.8 i386, but I also did some fixes.

if you just copy & paste on your platform, it may show compile error.
you have to refer to your include files to fix those issues.
there are a lot of different in the struct.

By: Nick

Nick — Tue, 23 Aug 2016 22:34:28 +0000

Will this work on other distributions? I’m about to install kali and I use this as a guide for my project so that information will be helpful to me a lot

By: sania

sania — Fri, 01 Apr 2016 04:13:49 +0000

this program is not displaying apllication layer headers.
can you help me with this please

By: sania

sania — Fri, 01 Apr 2016 04:12:21 +0000

how to display apllcation layer prtocol headers in this program?

By: ๋Jack

๋Jack — Thu, 25 Feb 2016 13:49:40 +0000

If I want the program to show MAC address . Could you tell me about that . Thanks.

By: lilington

lilington — Tue, 23 Feb 2016 09:24:41 +0000

In reply to QmQ. Look's like he let it like this on purpose to be useful only to those who are not just copying the code. If you wrote it yourself you will notice and correct it.

By: lilington

lilington — Tue, 23 Feb 2016 09:18:18 +0000

just to tell i notice an error in your code for all Print functions you forgot to shift before writting data.

fprintf(stdout,”IP Header\n”);
Print_data((pkt + sizeof(struct ethhdr)),s_iph);

fprintf(stdout,”TCP Header\n”);
Print_data(pkt + sizeof(struct ethhdr) + s_iph,tcph->doff * 4);

fprintf(stdout,”Data Payload\n”);
Print_data(pkt + sizeof(struct ethhdr) + s_iph + tcph->doff * 4, (s_pkt – tcph->doff * 4 – s_iph – sizeof(struct ethhdr)));

By: Rick

Rick — Thu, 18 Feb 2016 18:47:56 +0000

Very nice piece of code. One question – If I want to read UDP only from a single interface (eth1), but I want the full ethernet frame passed along, is that possible?