Thread: Packet Sniffer

Hey guys, I have been looking at the following guide:
http://dl.packetstormsecurity.net/sniffers/Sniffer2.txt
This is the second part of a two part guide talking about making a packet sniffer. So here is my question, I have compiled the code as written and I am still only receiving the packets bound for my interface (incoming). I am not getting any outgoing and I am certainly not getting all of the traffic that is on the network. I am not getting any sort of errors or anything. I would post my code but it is the same code thats in the guide at the link. My goal is to make a simple sniffer, and before anyone suggests it, I am not allowed to use the libpcap library. I wish I could do that but I can't. Most of the references I have found online relate to using the libpcap library so I am hoping that someone here has had some more experience in this department. Or other references that I can read up on. Anything is helpful. Thanks in advance!

I'm assuming you're using Linux, otherwise most of the ioctl() calls wouldn't work. In the future it's best to be specific when you're asking questions that only pertain to a certain OS.

How do you know that you're not getting the packets? You should post the output of your program at the very least.

Also, something looks a bit fishy about that code, especially because the socket is never bound to a certain interface. Also, the socket is created with:

Code:

socket(AF_INET, SOCK_RAW, IPPROTO_TCP);

and should be created with:

Code:

socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

if you want an effective packet sniffer.

OK, for the purposes of this excersize I changed the socket call to:

Code:

socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

Makes it easier to test but should still have the same effect.
Ok and here is my output:

Code:

[bill@SilverFoxFedoraVM sniffer]$ sudo ./sniff
The interface is ::: eth0
Retrieved flags from interface successfully: Success
Setting interface ::: eth0 ::: to promiscBytes received :::    84
Source Address ::: 74.125.228.64
IP Header Length ::: 5
Protocol ::: 1
Source port ::: 0
Dest port ::: 52195
Bytes received :::    84
Source Address ::: 74.125.228.64
IP Header Length ::: 5
Protocol ::: 1
Source port ::: 0
Dest port ::: 45786
Bytes received :::    84
Source Address ::: 74.125.228.64
IP Header Length ::: 5
Protocol ::: 1
Source port ::: 0
Dest port ::: 41682
Bytes received :::    84
Source Address ::: 74.125.228.64
IP Header Length ::: 5
Protocol ::: 1
Source port ::: 0
Dest port ::: 37065
Bytes received :::    84
Source Address ::: 74.125.228.64
IP Header Length ::: 5
Protocol ::: 1
Source port ::: 0
Dest port ::: 27840

When running ping I allowed 5 pings to be sent. I infact only see 5 packets. I should be seeing 10. One for the request and one for the reply. When I ping from another machine on the same network, I get nothing.

Another thought, would it make a difference how the different machines are on the network, say if they are both wireless or both switched or a combo of the two? My thoughts would be that if the sniffer is on a wireless network then I would ONLY see the other wireless traffic and if wired then I would NOT see any of the wireless traffic.

Originally Posted by breimer273

When I ping from another machine on the same network, I get nothing.

For that to happen you have to set your network interface to promiscuous mode. But that is almost everything I know about your problem.
Kurt

Originally Posted by ZuK

For that to happen you have to set your network interface to promiscuous mode. But that is almost everything I know about your problem.
Kurt

Yes, I am attempting to do that with the following calls:

Code:

	struct ifreq ifr;
	strncpy(ifr.ifr_name, interface, strlen(interface) + 1);
	if((ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)) {
		/*Could not retrieve flags for the interface*/
		perror("ioctl");
		exit(EXIT_FAILURE);
	}
	printf("The interface is ::: %s\n", interface);
	perror("Retrieved flags from interface successfully");

        /*now that the flags have been retrieved*/
        /* set the flags to PROMISC */
	ifr.ifr_flags |= IFF_PROMISC;
	if(ioctl (sock, SIOCSIFFLAGS, &ifr) == -1 ) {
                /*Could not set the flags on the interface */
		perror("ioctl");
		exit(EXIT_FAILURE);
	}
	printf("Setting interface ::: %s ::: to promisc", interface);

	return(0);

if you are on a wired network with a switch rather than a hub, you will not see packets that are not directed to a NIC on your machine. a switch makes point to point connections.

Originally Posted by memcpy

I'm assuming you're using Linux, otherwise most of the ioctl() calls wouldn't work. In the future it's best to be specific when you're asking questions that only pertain to a certain OS.

How do you know that you're not getting the packets? You should post the output of your program at the very least.

Also, something looks a bit fishy about that code, especially because the socket is never bound to a certain interface. Also, the socket is created with:

Code:

socket(AF_INET, SOCK_RAW, IPPROTO_TCP);

and should be created with:

Code:

socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

if you want an effective packet sniffer.

So, just to see I went ahead and changed my socket call to this. Now my header information is not correct so I am not sure if it is working like it should but I am seeing a lot more packets, seems to be promising. I will continue to play with it and give some more info once I have it. Thanks for the information!

Originally Posted by cfanatic

I am interested in socket programming. What reference books or resources are you using, breimer273?

Well, A pretty standard getting started place is Beej's guide:
Beej's Guide to Network Programming

It's been a while since I looked at that guide, I also reference a systems programming book and a book that is called TCP/IP programming in C. The first one was just a book I used in College and held onto it. Good all around but I definitely like the second one for socket programming.

Second book:
Amazon.com: TCP/IP Sockets in C Bundle: TCP/IP Sockets in C, Second Edition: Practical Guide for Programmers (Morgan Kaufmann Practical Guides) (9780123745408): Michael J. Donahoo, Kenneth L. Calvert: Books

Now if you are more interested in raw socket programming (like what I am doing here) then I found these websites helpful as a starting point but obviously not complete:
Raw Sockets Basics Presentation
Packet Injection Basics Presentation
dl.packetstormsecurity.net/sniffers/Sniffer_construction.txt
dl.packetstormsecurity.net/sniffers/Sniffer2.txt

Just wanted to let everyone know that I think I have fixed the issue. I ended up using the socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) call. I was worried that the header(s) would be different, not really sure why sounds stupid when I say it now. Anyway I am having an issue getting the correct IP address I think its because the pointer for the source IP addr is point at the destination ip addr field and then the destination ip addr pointer is pointing at the data after the ip address. I'll get back to it on Monday. Thanks for the responses from everyone though!