use of raw sockets / libcap ?

Post by Emmanuel Pless » Tue, 12 Sep 2000 19:19:56



Hi,

I have to write a program which has to catch, on a first Ethernet board, all
IP packets coming from an IP address OR aiming at a certain IP address (UDP
or TCP or whatever) and then send them on another Ethernet interface.

Is there any standard UNIX library enabling a program to retrieve any IP
packet according to specific criteria such as the origin IP address or
destination IP address...?

I first thought of using raw sockets. Is it the right way?
If so, how do I create the socket by which I read the input packets?

I have been told about a library called "libcap". Can anybody tell me more
about it?

Thanks.

Emmanuel

 
 
 

use of raw sockets / libcap ?

Post by Alexander Bezroutchk » Tue, 12 Sep 2000 21:11:44



> Hi,

> I have to write a program which has to catch, on a first Ethernet board, all
> IP packets coming from an IP address OR aiming at a certain IP address (UDP
> or TCP or whatever) and then send them on another Ethernet interface.

IMHO it is easier to use ipfilter (see 'dup-to' and 'to' options).

--
Alexander Bezroutchko

 
 
 

use of raw sockets / libcap ?

Post by Emmanuel Pless » Tue, 12 Sep 2000 22:30:53


Thanks, but I really need to do it in a program, since I have to change
little things between the moment I get them and the moment I inject them into the
second interface.




> > Hi,

> > I have to write a program which has to catch, on a first Ethernet board, all
> > IP packets coming from an IP address OR aiming at a certain IP address (UDP
> > or TCP or whatever) and then send them on another Ethernet interface.

> IMHO it is easier to use ipfilter (see 'dup-to' and 'to' options).

> --
> Alexander Bezroutchko

 
 
 

use of raw sockets / libcap ?

Post by Stephen Wait » Wed, 13 Sep 2000 01:11:21


This is a pretty serious undertaking, probably best suited at the kernel
level (where ipfw and ipfilter each live).  If you're not into working
at the kernel level you might be able to get something done with
libpcap, "a library for user-level packet capture".  'man pcap' for more
info (on FreeBSD and probably most Linuxes by default).

--Steve


> Thanks, but I really need to do it in a program, since I have to change
> little things between the moment I get them and the moment I inject them into the
> second interface.

> > > Hi,

> > > I have to write a program which has to catch, on a first Ethernet board, all
> > > IP packets coming from an IP address OR aiming at a certain IP address (UDP
> > > or TCP or whatever) and then send them on another Ethernet interface.

> > IMHO it is easier to use ipfilter (see 'dup-to' and 'to' options).

> > --
> > Alexander Bezroutchko

 
 
 

use of raw sockets / libcap ?

Post by Emmanuel Pless » Wed, 13 Sep 2000 19:02:36


Thanks for your help.

I would still appreciate any comment about the comparison
between raw sockets / libcap / DLPI (the data link provider interface used on
SCO OpenServer).



> This is a pretty serious undertaking, probably best suited at the kernel
> level (where ipfw and ipfilter each live).  If you're not into working
> at the kernel level you might be able to get something done with
> libpcap, "a library for user-level packet capture".  'man pcap' for more
> info (on FreeBSD and probably most Linuxes by default).

> --Steve

> > Thanks, but I really need to do it in a program, since I have to change
> > little things between the moment I get them and the moment I inject them into the
> > second interface.

> > > > Hi,

> > > > I have to write a program which has to catch, on a first Ethernet board, all
> > > > IP packets coming from an IP address OR aiming at a certain IP address (UDP
> > > > or TCP or whatever) and then send them on another Ethernet interface.

> > > IMHO it is easier to use ipfilter (see 'dup-to' and 'to' options).

> > > --
> > > Alexander Bezroutchko

 
 
 

use of raw sockets / libcap ?

Post by Andrew Gabri » Wed, 13 Sep 2000 21:56:42




> Thanks for your help.

> I would still appreciate any comment about the comparison
> between raw sockets / libcap / DLPI (the data link provider interface used on
> SCO OpenServer).

libcap is a library which gives you a consistent API for accessing raw
network drivers, regardless of the actual implementation in the
operating system. Its best-known use is by the tcpdump program, and it
considerably helps make tcpdump portable to a wide range of different
Unixes with different raw network APIs. I would encourage you to use it
if you can.

SCO OpenServer is an SVR3.2 Unix, and these use LLI rather than DLPI
for network interfaces. LLI is an early attempt at DLPI and you will
find lots of similarities, enough that you can normally make the same
piece of code talk LLI or DLPI with only a few different conditional
compilation blocks.

DLPI is the SVR4 interface to network level drivers, which are all
STREAMS based and can be accessed both by other STREAMS modules in the
kernel (such as IP and ARP), and also directly through a standard
stream head from user programs (such as tcpdump/libpcap, and snoop on
Solaris).

--
Andrew Gabriel
Consultant Software Engineer

 
 
 

use of raw sockets / libcap ?

Post by Emmanuel Pless » Thu, 14 Sep 2000 00:42:49


Thanks.
Just some other (hopefully the last) questions/remarks:

On the "raw ip networking faq" located at
http://www.whitefang.com/rin/rawfaq.html, it is clearly said that DLPI is
the packet capturing facility for SCO OpenServer.

Besides, they say that only BPF is optimal for filtering/buffering and that
"libpcap will only use in-kernel packet filtering when using BPF".
What do you think?

Also, don't you think a raw socket could be sufficient for sniffing UDP/TCP
packets?

I really do appreciate everybody's help.





> > Thanks for your help.

> > I would still appreciate any comment about the comparison
> > between raw sockets / libcap / DLPI (the data link provider interface used on
> > SCO OpenServer).

> libcap is a library which gives you a consistent API for accessing raw
> network drivers, regardless of the actual implementation in the
> operating system. Its best-known use is by the tcpdump program, and it
> considerably helps make tcpdump portable to a wide range of different
> Unixes with different raw network APIs. I would encourage you to use it
> if you can.

> SCO OpenServer is an SVR3.2 Unix, and these use LLI rather than DLPI
> for network interfaces. LLI is an early attempt at DLPI and you will
> find lots of similarities, enough that you can normally make the same
> piece of code talk LLI or DLPI with only a few different conditional
> compilation blocks.

> DLPI is the SVR4 interface to network level drivers, which are all
> STREAMS based and can be accessed both by other STREAMS modules in the
> kernel (such as IP and ARP), and also directly through a standard
> stream head from user programs (such as tcpdump/libpcap, and snoop on
> Solaris).

> --
> Andrew Gabriel
> Consultant Software Engineer

 
 
 

use of raw sockets / libcap ?

Post by Andrew Gabri » Thu, 14 Sep 2000 04:49:37




> Thanks.
> Just some other (hopefully the last) questions/remarks:

> On the "raw ip networking faq" located at
> http://www.whitefang.com/rin/rawfaq.html, it is clearly said that DLPI is
> the packet capturing facility for SCO OpenServer.

I suppose SCO might have added DLPI support (they have yanked some SVR4
functionality back into SCO SVR3.2), but certainly when I was writing
applications to interface directly with network cards on the SCO and
Interactive SVR3.2 Unixes some 6 years ago, they only supported LLI.
As I said, the interfaces are very similar - I used the same code to
interface to both LLI and DLPI drivers, without all that many #ifdefs
to select one or the other. (Note that SCO UnixWare is DLPI, being SVR4,
but certainly in the era of UnixWare 1, its DLPI interface was far
too broken to be usable.)

> Besides, they say that only BPF is optimal for filtering/buffering and that
> "libpcap will only use in-kernel packet filtering when using BPF".
> What do you think?

I think this is true (it was last time I looked at libpcap anyway).
I'm surprised no one has made libpcap use pfmod and bufmod yet (at
least on Solaris - not sure if they exist on other SVR4 Unixes). These
would improve libpcap's packet capture ability as used by tcpdump,
at least. If ever I get some spare time (ho ho :-), I might do it.

> Also, don't you think a raw socket could be sufficient for sniffing UDP/TCP
> packets?

Sorry, the raw socket interface is not my strong point.
I suspect it is not suitable if you are not intending to plumb the
network interface, since IP won't know about that interface, but if
you are plumbing that network interface, it might work for you.
You don't say if you want any regular IP access over this interface,
or only IP through your relay software.

--
Andrew Gabriel
Consultant Software Engineer
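The selection the thread keeps coming back to, "all IP packets from OR to one address, whatever the transport protocol", as a user-level filter over a raw Ethernet/IPv4 frame. This is an added example for this thread, not code from any of the posters; it does in user space what libpcap's BPF program does in-kernel on a BPF platform, and the names host_filter and build_ipv4_frame (plus the constructed 10.0.0.5 -> 192.0.2.1 frame) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN     14
#define ETHERTYPE_IP 0x0800
#define IP_HLEN      20

enum verdict { DROP_NOT_IP, DROP_NO_MATCH, PASS };

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* User-level equivalent of the pcap filter "host A": pass an IPv4 frame whose source
 * OR destination is `host` (host byte order), whatever the transport protocol.
 * Length and header checks keep a truncated frame from being read past its end. */
enum verdict host_filter(const unsigned char *frame, size_t len, uint32_t host) {
    if (len < ETH_HLEN + IP_HLEN) return DROP_NOT_IP;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IP) return DROP_NOT_IP;
    const unsigned char *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return DROP_NOT_IP;            /* IP version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;              /* header length incl. options */
    if (ihl < IP_HLEN || len < ETH_HLEN + ihl) return DROP_NOT_IP;
    uint32_t src = get_be32(ip + 12), dst = get_be32(ip + 16);
    return (src == host || dst == host) ? PASS : DROP_NO_MATCH;
}

/* Constructed test input: a minimal Ethernet + IPv4 frame (no payload, zero checksum,
 * zero MACs) so the filter can be exercised offline. Returns the frame length. */
size_t build_ipv4_frame(unsigned char *out, uint32_t src, uint32_t dst, uint8_t proto) {
    memset(out, 0, ETH_HLEN + IP_HLEN);
    out[12] = 0x08; out[13] = 0x00;                       /* EtherType IPv4 */
    unsigned char *ip = out + ETH_HLEN;
    ip[0] = 0x45; ip[3] = IP_HLEN; ip[8] = 64; ip[9] = proto; /* v4/IHL5, len, TTL, proto */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (unsigned char)(src >> (24 - 8 * i));
        ip[16 + i] = (unsigned char)(dst >> (24 - 8 * i));
    }
    return ETH_HLEN + IP_HLEN;
}

int main(void) {
    unsigned char f[ETH_HLEN + IP_HLEN];
    size_t n = build_ipv4_frame(f, 0x0a000005u, 0xc0000201u, 17); /* 10.0.0.5 -> 192.0.2.1 UDP */
    printf("host 10.0.0.5: %s\n", host_filter(f, n, 0x0a000005u) == PASS ? "pass" : "drop");
    printf("host 10.0.0.6: %s\n", host_filter(f, n, 0x0a000006u) == PASS ? "pass" : "drop");
    return 0;
}
```

With libpcap the same selection is the filter string "host 10.0.0.5" handed to pcap_compile(), and only on a BPF platform is it evaluated in the kernel instead of copying every frame up to user space first, which is the cost the reply above points at.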

 
 
 

use of raw sockets / libcap ?

Post by Emmanuel Pless » Thu, 14 Sep 2000 18:40:59


OK, now the final questions.

1) Is there any place where I can get any documentation (presentation,
principles, function explanation, ...) about libcap? (as there is an
excellent explanation of the use of libnet on the libnet web site)

2) Do you know if it runs on UnixWare?

Thanks all.





> > Thanks.
> > Just some other (hopefully the last) questions/remarks:

> > On the "raw ip networking faq" located at
> > http://www.whitefang.com/rin/rawfaq.html, it is clearly said that DLPI is
> > the packet capturing facility for SCO OpenServer.

> I suppose SCO might have added DLPI support (they have yanked some SVR4
> functionality back into SCO SVR3.2), but certainly when I was writing
> applications to interface directly with network cards on the SCO and
> Interactive SVR3.2 Unixes some 6 years ago, they only supported LLI.
> As I said, the interfaces are very similar - I used the same code to
> interface to both LLI and DLPI drivers, without all that many #ifdefs
> to select one or the other. (Note that SCO UnixWare is DLPI, being SVR4,
> but certainly in the era of UnixWare 1, its DLPI interface was far
> too broken to be usable.)

> > Besides, they say that only BPF is optimal for filtering/buffering and that
> > "libpcap will only use in-kernel packet filtering when using BPF".
> > What do you think?

> I think this is true (it was last time I looked at libpcap anyway).
> I'm surprised no one has made libpcap use pfmod and bufmod yet (at
> least on Solaris - not sure if they exist on other SVR4 Unixes). These
> would improve libpcap's packet capture ability as used by tcpdump,
> at least. If ever I get some spare time (ho ho :-), I might do it.

> > Also, don't you think a raw socket could be sufficient for sniffing UDP/TCP
> > packets?

> Sorry, the raw socket interface is not my strong point.
> I suspect it is not suitable if you are not intending to plumb the
> network interface, since IP won't know about that interface, but if
> you are plumbing that network interface, it might work for you.
> You don't say if you want any regular IP access over this interface,
> or only IP through your relay software.

> --
> Andrew Gabriel
> Consultant Software Engineer

 
 
 

use of raw sockets / libcap ?

Post by Andrew Gabri » Thu, 14 Sep 2000 21:16:46




> 1) Is there any place where I can get any documentation (presentation,
> principles, function explanation, ...) about libcap? (as there is an
> excellent explanation of the use of libnet on the libnet web site)

The man page which comes with libpcap is normally good enough.
You could look at tcpdump as a sample application.

     ftp://ftp.ee.lbl.gov/libpcap.tar.Z

> 2) Do you know if it runs on UnixWare?

I don't believe the standard libpcap does.

It looks like someone may have made a separate version which might:

     ftp://ftp1.freebird.org/pub/mirror/freebird/internet/systools/

--
Andrew Gabriel
Consultant Software Engineer