Home

The Linux Socket Filter: Sniffing Bytes over the Network

Issue 86

From Issue #86
June 2001

May 31, 2001  By Gianluca Insolvibile
 in
A feature added to the kernel with the 2.2 release, this LSF can be programmed to let the kernel decide to which packets access should be granted. Here's how.
Conclusions

Sniffing packets over your LAN is an invaluable tool for debugging network problems or collecting measurements. Sometimes the commonly available tools, such as tcpdump or ethereal, will not exactly fit your needs and writing your own sniffer can be of great help. Thanks to the LPF, you can do this in a simple and efficient way.

Resources

Gianluca Insolvibile has been a Linux enthusiast since kernel 0.99pl4. He currently deals with networking and digital video research and development. He can be reached at g.insolvibile@cpr.it.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

only sniff or discard too

xandi's picture
Submitted by xandi (not verified) on Fri, 10/31/2008 - 00:18.

hi,

nice article. i like the simplicity of it. However, I am wondering whether this technique can be used to create firewalls ? can i discard packets based on the criteria that I choose. Libpcap won't help because it creates a copy of the packet so the packet does reach where it is intended.

thanks

In both listing1 and

pepox's picture
Submitted by pepox (not verified) on Sun, 09/21/2008 - 15:08.

In both listing1 and listing2 when i run them i only see "reply" packets, the "request" packets are ignored..

for example:

i run in a console:
zxc@zxc-l:~$ ping -c1 192.168.1.1

while in another was running:
zxc@zxc-l:~$ sudo ./listing2 (or listing1 it's the same output)
----------
98 bytes read
Source MAC address: 00:af:bc:xx:xx:xx
Destination MAC address: 00:1a:2b:xx:xx:xx
Source host 192.168.1.1
Dest host 192.168.1.213
Source,Dest ports 0,10327
Layer-4 protocol 1
----------

However if i do the same with tcpdump, i get this:
zxc@zxc-l:~$ sudo tcpdump -i eth1 -ntUl
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.1.213 > 192.168.1.1: ICMP echo request, id 44322, seq 1, length 64
IP 192.168.1.1 > 192.168.1.213: ICMP echo reply, id 44322, seq 1, length 64

In one word, with your examples i can only see reply packets, in fact always my output is:
Dest host 192.168.1.213 (my computers ip).

So my question is, if there is a way to "sniff" both reply packets and also request packets over the network...

Hoping to receive answer...

Thank you very much....

Question...

Abelardo Rodríguez-Trilla's picture
Submitted by Abelardo Rodríguez-Trilla (not verified) on Thu, 06/14/2007 - 09:39.

Hi Gianluca

Excelent article!. I'm writting from Venezuela, and I wanted to know how do I sniff packets without using the PF_PACKET family. I ask you this because I need to do that without root permissions. Thanks

Great work !

John Kallmer's picture
Submitted by John Kallmer (not verified) on Mon, 05/28/2007 - 00:35.

Really great tutorial !

I also found video tutorials on sniffing at www.security-freak.net . started by a Vivek Ramachandran, they are quite elaborate in coverage and literally spoon feed topics like sniffing, packet injection etc.

Might help ...take a look !

Some changed in list of include files

andyS1976's picture
Submitted by andyS1976 (not verified) on Sun, 11/19/2006 - 04:37.

Without changes for last C programm compillator gives
warning: implicit declaration of function ‘htons’

If this code changed for C++ programm
(replace exit(X) on return X ) the compiller giver error:
‘htons’ was not declared in this scope

So to improve code include files list might be as follow:
#include
#include
#include
#include
// add this header
#include
#include
#include
#include
// changed #include on
#include
#include
#include
#include
#include

Andy

some problem with formating

andyS1976's picture
Submitted by andyS1976 (not verified) on Sun, 11/19/2006 - 04:41.


#include < stdio.h >
#include < string.h >
#include < errno.h >
#include < unistd.h >
// add this header
#include < asm/types.h >
#include < sys/socket.h >
#include < sys/types.h >
#include < netinet/in.h >
// changed #include < linux/in.h > on
#include < netinet/in.h >
#include < linux/if_ether.h >
#include < net/if.h >
#include < linux/filter.h >
#include < sys/ioctl.h >

Setting promiscuous mode

Anonymous's picture
Submitted by Anonymous (not verified) on Mon, 08/28/2006 - 08:01.

Great article!
I'd just like to point out that you should not use ioctl() for setting the promiscuous mode. If you do, you're responsible for disabling the promiscuous mode after you're done. Unfortunately, you have no way of knowing if another socket also requested the promiscuous mode while your code was running. Thus, resetting the Ethernet flags to the original value could mess things up.

Instead, you should use setsockopt() with SOL_PACKET, PACKET_ADD_MEMBERSHIP and have PACKET_MR_PROMISC as the argument. This way the kernel will track the promiscuous mode usage and turn it off automatically.

Thanks for the simple way of explanation

Rajesh George's picture
Submitted by Rajesh George (not verified) on Tue, 11/15/2005 - 21:42.

Your article made concept so simple. Thanks

thanx

Jagannath's picture
Submitted by Jagannath (not verified) on Tue, 11/15/2005 - 00:43.

hi,

your document "sniffing bytes over network" is very nice, you have written very clearly so, that we can uderstand. i am a student of master in networking, doing project on filters.

thanking you for your good, nice,and easy to understand document

Regards,
Juxs

Hi Dude....Thu purush naji

Anonymous's picture
Submitted by Anonymous (not verified) on Mon, 06/04/2007 - 14:15.

Hi Dude....

Thu purush nahi ho.... Maha purush ho..... Sniff sniff sniff and do the right thing for vx180.... Good luck

Re: Kernel Korner: The Linux Socket Filter: Sniffing Bytes over

Anonymous's picture
Submitted by Anonymous on Mon, 08/25/2003 - 02:00.

thanks much for this informative article on a poorly documented subject. this tied together a lot of the bits and pieces i've been sifting through. i'd advise anyone seeking to learn more about creating your own filters to keep this article + source in one hand and the Van Jacobsen/McCanne paper in the other. - britney_spears@hotpop.com

Sniffing Bytes over the Serial port

bahrian's picture
Submitted by bahrian (not verified) on Thu, 11/02/2006 - 10:17.

ACtually i m bit new with the socket programming stuff..Actually wat i want to read the bytes from the socket using read () subroutine (I am using Fedora Envionment)but when i exc the program; it stops at the same position where i defined the read sub routine and does not giving me anything..could u plz comment on this..thx in advance.

Thanx a lot for your

Pradeep Reddy's picture
Submitted by Pradeep Reddy (not verified) on Mon, 01/22/2007 - 00:58.

Thanx a lot for your informative article.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions