17-06-2013, 03:18 PM
Packet Capture With libpcap and other Low Level Network Tricks
Packet Capture.pdf (Size: 95.47 KB / Downloads: 80)
Who this is for: All right, peeps, this tutorial assumes at least a cursory knowledge of networks in
general: for example, what a packet is, how packets are sent, physical vs. data-link vs. network layers, etc.
However, I am not assuming any previous knowledge of network programming, just a basic familiarity
with C. If you already are a C/C++ master, then you might as well just man 3 pcap so you can skip my
annoying writing style. You should have a working C compiler on your system and libpcap installed. We
are only going to concern ourselves with the Ethernet data-link layer, so if you are using some funky
network card like token ring, then you are on your own as to finding your way around the data-link
headers. Finally, all source in this section was written and tested on Linux, kernel 2.2.14; while it should
be mostly portable (hehe), I can't guarantee that it will compile or run on other operating systems. You
are going to want to run as root, so be careful and be sure not to break your box in the meantime.
Packet Analysis
Aha, finally it is time to start using our newly obtained Jedi skills! (wheee!!) This section will focus on
peeking into the packets to extract the information (which is what we wanted to begin with). First off we
must arm ourselves! Go ahead and get all the relevant RFCs. Let's start off with RFC 791 (IP), RFC 768
(UDP), RFC 826 (ARP), RFC 792 (ICMPv4) and of course RFC 793 (TCP). The truth is, once you
have these files you don't really need me *sigh*, but then again... why write your own code when you can
just copy mine! hehe
I would highly recommend you use another packet sniffer to double-check your programs... tcpdump
will do just fine, and ethereal just kicks ass; you can get either (and more!!) at
http://www.tcpdumprelated.html. Both of these programs are capable of analyzing all fields of a
packet, plus the data. Sure, we could use them instead of creating our own... but what fun would that be?
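To put the RFC list above to work, here is a worked header decoder, added to this post as an example; it is not code from the original tutorial or the attached PDF. It walks Ethernet -> IPv4 -> TCP/UDP by hand, reading each field at the byte offset RFC 791, 793 and 768 give it, and bounds-checks every step so a short or malformed frame is rejected rather than read past the end of the buffer. The sample frame is constructed by hand (not a real capture), and the names parse_frame, struct parsed, rd16/rd32 and ip4_str are my own. It deliberately does not link libpcap so it compiles stand-alone, but the (buf, len) pair it takes is exactly the (bytes, h->caplen) that a pcap_loop callback hands you, so it drops straight into one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN  14
#define ETHERTYPE_IPV4 0x0800

/* What we pull out of one frame. Addresses and ports are in host byte order. */
struct parsed {
    uint16_t ethertype;
    uint8_t  ip_proto;            /* 6 = TCP (RFC 793), 17 = UDP (RFC 768) */
    uint32_t ip_src, ip_dst;
    uint16_t sport, dport;
    uint8_t  tcp_flags;           /* only meaningful when ip_proto == 6 */
    const uint8_t *payload;
    size_t   payload_len;
};

/* Read big-endian fields a byte at a time: no struct overlay, so no alignment
   or compiler-padding surprises, and no ntohs()/ntohl() needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, a negative code on a truncated, malformed or unsupported
   frame. Every check is deliberate: a sniffer parses whatever the wire delivers,
   including frames built to make a careless parser read out of bounds. */
int parse_frame(const uint8_t *buf, size_t len, struct parsed *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETHER_HDR_LEN) return -1;
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != ETHERTYPE_IPV4) return -2;    /* ARP etc.: not decoded here */

    const uint8_t *ip = buf + ETHER_HDR_LEN;
    size_t rem = len - ETHER_HDR_LEN;
    if (rem < 20) return -3;                             /* minimum IPv4 header */
    if ((ip[0] >> 4) != 4) return -4;                    /* version nibble */
    size_t iphl = (size_t)(ip[0] & 0x0f) * 4;            /* IHL is in 32-bit words */
    if (iphl < 20 || iphl > rem) return -5;              /* bogus IHL */
    uint16_t total = rd16(ip + 2);
    if (total < iphl || total > rem) return -6;          /* total length vs. what we captured */
    out->ip_proto = ip[9];
    out->ip_src = rd32(ip + 12);
    out->ip_dst = rd32(ip + 16);

    const uint8_t *l4 = ip + iphl;
    size_t l4len = total - iphl;                         /* excludes any Ethernet trailer padding */

    if (out->ip_proto == 6) {                            /* TCP */
        if (l4len < 20) return -7;
        out->sport = rd16(l4);
        out->dport = rd16(l4 + 2);
        size_t th = (size_t)(l4[12] >> 4) * 4;           /* data offset, in words */
        if (th < 20 || th > l4len) return -8;
        out->tcp_flags = l4[13];                         /* FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 */
        out->payload = l4 + th;
        out->payload_len = l4len - th;
    } else if (out->ip_proto == 17) {                    /* UDP */
        if (l4len < 8) return -9;
        out->sport = rd16(l4);
        out->dport = rd16(l4 + 2);
        uint16_t ulen = rd16(l4 + 4);                    /* UDP carries its own length field */
        if (ulen < 8 || ulen > l4len) return -10;
        out->payload = l4 + 8;
        out->payload_len = ulen - 8;
    } else {                                             /* ICMP and friends: hand back raw bytes */
        out->payload = l4;
        out->payload_len = l4len;
    }
    return 0;
}

/* Constructed sample frame (not a real capture): Ethernet + IPv4 + TCP SYN,
   10.0.0.1:40000 -> 10.0.0.2:80, no payload. Checksums left zero; parsing does not depend on them. */
static const uint8_t sample_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* dst, src, type */
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,         /* IHL 5, len 40, TTL 64, proto 6 */
    10,0,0,1, 10,0,0,2,                                                      /* src, dst */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* ports, seq, ack */
    0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00                                /* doff 5, SYN, win, csum, urg */
};

static void ip4_str(uint32_t a, char *out, size_t n)
{
    snprintf(out, n, "%u.%u.%u.%u", (unsigned)(a >> 24) & 255u, (unsigned)(a >> 16) & 255u,
             (unsigned)(a >> 8) & 255u, (unsigned)a & 255u);
}

int main(void)
{
    struct parsed p;
    char s[16], d[16];
    int rc = parse_frame(sample_syn, sizeof sample_syn, &p);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    ip4_str(p.ip_src, s, sizeof s);
    ip4_str(p.ip_dst, d, sizeof d);
    printf("proto %u %s:%u -> %s:%u flags 0x%02x payload %zu bytes\n", (unsigned)p.ip_proto,
           s, (unsigned)p.sport, d, (unsigned)p.dport, (unsigned)p.tcp_flags, p.payload_len);
    /* Same frame cut off mid-IP-header: the parser must refuse it, not read past the buffer. */
    printf("truncated frame -> %d\n", parse_frame(sample_syn, 30, &p));
    return 0;
}
```

Compare its output against tcpdump -nn -v on the same traffic once you wire it into a pcap callback; the ports, flags and length checks are the bits that are easiest to get subtly wrong (forgetting IHL and data offset are in words, or trusting the IP total length over the capture length). If you run this as root, keep the parser honest about lengths: the frame on the wire is untrusted input.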