<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm Digest Download</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>123</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX Network Programming (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif" border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top">
<hr><p align="left"><small>From: digger (欧阳疯), Board: Socket <br>
Subject: Raw IP Networking FAQ <br>
Site: 华南网木棉站 (Wed Aug 5 19:22:04 1998), forwarded <br>
<br>
Raw IP Networking FAQ <br>
--------------------- <br>
<br>
Version 0.6 <br>
<br>
Last Modified on: Thu Apr 16 01:41:13 PDT 1998 <br>
<br>
The master copy of this FAQ is currently kept at <br>
<br>
http://www.whitefang.com/rin/ <br>
<br>
The webpage also contains material that supplements this FAQ, along <br>
with a very spiffy html version. <br>
<br>
If you wish to mirror it officially, please contact me for details. <br>
<br>
Copyright <br>
--------- <br>
<br>
<br>
I, Thamer Al-Herbish reserve a collective copyright on this FAQ. <br>
Individual contributions made to this FAQ are the intellectual <br>
property of the contributor. <br>
<br>
I am responsible for the validity of all information found in this <br>
FAQ. <br>
<br>
This FAQ may contain errors, or inaccurate material. Use it at your <br>
own risk. Although an effort is made to keep all the material <br>
presented here accurate, the contributors and maintainer of this FAQ <br>
will not be held responsible for any damage -- direct or indirect -- <br>
which may result from inaccuracies. <br>
<br>
You may redistribute this document as long as you keep it in its <br>
current form, without any modifications. Please keep it updated if <br>
you decide to place it on a publicly accessible server. <br>
<br>
Introduction <br>
------------ <br>
<br>
The following FAQ attempts to answer questions regarding raw IP or <br>
low level IP networking, including raw sockets, and network <br>
monitoring APIs such as BPF and DLPI. <br>
<br>
Additions and Contributions <br>
--------------------------- <br>
<br>
If you find anything you can add, have some corrections for me or <br>
would like a question answered, please send email to: <br>
<br>
Thamer Al-Herbish <shadows@whitefang.com> <br>
<br>
Please remember to include whether or not you want your email address <br>
reproduced on the FAQ (if you're contributing). Also remember that <br>
you may want to post your question to Usenet, instead of sending it <br>
to me. If you get a response which is not found on this FAQ, and you <br>
feel is relevant, mail me both copies and I'll attempt to include it. <br>
<br>
Special thanks to John W. Temples <john@whitefang.com> for his <br>
constant healthy criticism and editing of the FAQ. <br>
<br>
Credit is given to the contributor as his/her contribution appears in <br>
the FAQ, along with a list of all contributors at the end of this <br>
document. <br>
<br>
Caveat <br>
------ <br>
<br>
This FAQ covers only information relevant to the UNIX environment. <br>
<br>
Table of Contents <br>
----------------- <br>
<br>
1) General Questions: <br>
<br>
1.1) What tools/sniffers can I use to monitor my network? <br>
1.2) What packet capturing facilities are available? <br>
1.3) Is there a portable API I can use to capture packets? <br>
1.4) How does a packet capturing facility work? <br>
1.5) How do I limit packet loss when sniffing a network? <br>
1.6) What is packet capturing usually used for? <br>
<br>
2) RAW socket questions: <br>
<br>
2.1) What is a RAW socket? <br>
2.2) How do I use a raw socket? <br>
<br>
2.2.1) How do I send a TCP/IP packet through a raw socket? <br>
2.2.2) How do I build a TCP/IP packet? <br>
2.2.3) How can I listen for packets with a raw socket? <br>
<br>
2.3) What bugs should I look out for when using a raw socket? <br>
<br>
2.3.1) IP header length/offset host/network byte order <br>
(feature/bug?) <br>
2.3.2) Transport header on Solaris 2.4/2.5 checksum weirdness. <br>
2.3.3) Further IP packet processing by Solaris 2.x and Irix 6.x <br>
2.4) What are raw sockets commonly used for? <br>
<br>
3) libpcap (A Portable Packet Capturing Library) <br>
<br>
3.1) Why should I use libpcap, instead of using the native API on <br>
my operating system for packet capturing? <br>
3.2) Does libpcap have any disadvantages which I should be aware <br>
of? <br>
3.3) Where can I find example libpcap source code? <br>
<br>
4) List of contributors <br>
<br>
1) General Questions: <br>
--------------------- <br>
<br>
1.1) What tools/sniffers can I use to monitor my network? <br>
<br>
Depending on your operating system, the following is a list <br>
of available tools: <br>
<br>
tcpdump: Found out-of-the-box on most BSD variants, and <br>
also available separately from <br>
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z along with <br>
libpcap (see below) and various other tools. This <br>
tool, in particular, has been ported to multiple <br>
platforms thanks to libpcap. <br>
<br>
snoop: Solaris, IRIX. <br>
<br>
etherfind: SunOS. <br>
<br>
Packetman: SunOS, DEC-MIPS, SGI, DEC-Alpha, and Solaris. <br>
Available at <br>
ftp://ftp.cs.curtin.edu.au:/pub/netman/ <br>
<br>
SniffIt: Linux, SunOS, Solaris, FreeBSD, and IRIX. <br>
Available at <br>
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html <br>
<br>
<br>
nettl/ntfmt: HP/UX <br>
<br>
tcptrace: <br>
http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html <br>
Not an actual sniffer, but can read from the logs <br>
produced by many other well known sniffers to <br>
produce output in different formats and in <br>
adjustable details (includes diagnostics). <br>
<br>
<br>
1.2) What packet capturing facilities are available? <br>
<br>
Depending on your operating system (different versions may <br>
vary): <br>
<br>
<br>
BPF: Berkeley Packet Filter. Commonly found on BSD <br>
variants. <br>
<br>
DLPI: Data Link Provider Interface. Solaris, HP-UX, SCO <br>
Openserver. <br>
<br>
NIT: Network Interface Tap. SunOS. <br>
<br>
SNOOP: (???). IRIX. <br>
<br>
SNIT: STREAMS Network Interface Tap. (??) <br>
<br>
SOCK_PACKET: Linux. <br>
<br>
<br>
1.3) Is there a portable API I can use to capture packets? <br>
<br>
Yes. libpcap from ftp://ftp.ee.lbl.gov/libpcap.tar.Z attempts <br>
to provide a single API that interfaces with different <br>
OS-dependent packet capturing APIs. It's always best, of <br>
course, to learn the underlying APIs in case this library <br>
might hide some interesting features. It's important to warn <br>
that I have seen different versions of libpcap break backward <br>
compatibility. <br>
<br>
1.4) How does a packet capturing facility work? <br>
<br>
The exact details are dependent on the operating system. <br>
However, the following will attempt to illustrate the usual <br>
technique used in various implementations: <br>
<br>
The user process opens a device or issues a system call which <br>
gives it a descriptor with which it can read packets off the <br>
wire. The kernel then passes the packets straight to the <br>
process. <br>
<br>
However, this wouldn't work too well on a busy network or a <br>
slow machine. The user process has to read the packets as <br>
fast as they appear on the network. That's where buffering <br>
and packet filtering come in. <br>
<br>
The kernel will buffer up to X bytes of packet data, and pass <br>
the packets one by one at the user's request. If the amount <br>
exceeds a certain limit (resources are finite), the packets <br>
are dropped and are not placed in the buffer. <br>
<br>
Packet filters allow a process to dictate which packets it's <br>
interested in. The usual way is to have a set of opcodes for <br>
routines to perform on the packet, reading values off it, and <br>
deciding whether or not it's wanted. These opcodes usually <br>
perform very simple operations, allowing powerful filters to <br>
be constructed. <br>
<br>
BPF filters and then buffers; this is optimal since the <br>
buffer only contains packets that are interesting to the <br>
process. The filter is expected to cut down the number of <br>
packets buffered, so the buffer does not overflow, which <br>
would lead to packet loss. <br>
<br>
NIT, unfortunately, does not do this; it applies the filter <br>
after buffering, when the user process starts to read from <br>
the buffered data. <br>
<br>
Your mileage may vary with other packet capturing facilities. <br>
<br>
1.5) How do I limit packet loss when sniffing a network? <br>
<br>
If you're experiencing a lot of packet loss, you may want to <br>
limit the scope of the packets read by using filters. This <br>
will only work if the filtering is done before any buffering. <br>
If this still doesn't work because your packet capturing <br>
facility is broken like NIT, you'll have to read the packets <br>
faster in a user process and send them to another process -- <br>
basically attempt to do additional buffering in user space. <br>
<br>
Another way of improving performance is to use a larger <br>
buffer. On Irix using SNOOP, the man page recommends using <br>
SO_RCVBUF. On BSD with BPF one can use the BIOCSBLEN ioctl <br>
call to increase the buffer size. On Solaris bufmod and pfmod <br>
can be used for altering buffer size and filters <br>
respectively. <br>
<br>
Remember, the longer your process is busy and not attending <br>
to the incoming packets, the sooner they'll be dropped by the <br>
kernel. <br>
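<br>
The filter-then-buffer idea from 1.4 and 1.5 in working code: a hypothetical, cut-down BPF-style filter machine (an added example, not the kernel's or libpcap's code) with four opcodes, a program that keeps only IPv4 TCP packets to port 80, and a constructed Ethernet frame to run it on. The opcode names, the fixed 20-byte IP header offset and the frame layout are assumptions of this example. <br>

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical BPF-style filter machine (added example, not kernel code): tiny
 * loads and compares over the packet, ending in "keep N bytes" (0 = drop). */
enum { LDH_ABS, LDB_ABS, JEQ_K, RET_K };
struct insn { uint8_t op, jt, jf; uint32_t k; };

uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                                  /* the accumulator */
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LDH_ABS:                                /* A = 16-bit big-endian at [k] */
            if ((size_t)i->k + 2 > len) return 0;    /* short packet: drop, never read past it */
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; pc++; break;
        case LDB_ABS:                                /* A = byte at [k] */
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k]; pc++; break;
        case JEQ_K:                                  /* jt/jf count from the next insn */
            pc += 1 + (a == i->k ? i->jt : i->jf); break;
        case RET_K: return i->k;
        default:    return 0;                        /* unknown opcode: drop */
        }
    }
    return 0;                                        /* ran off the end: drop */
}

/* "IPv4 and TCP and dst port 80" on Ethernet; assumes a 20-byte IP header (real tcpdump code also reads IHL) */
static const struct insn http_filter[] = {
    { LDH_ABS, 0, 0, 12 },     /* 0: ethertype */
    { JEQ_K,   0, 5, 0x0800 }, /* 1: not IPv4 -> insn 7 (drop) */
    { LDB_ABS, 0, 0, 23 },     /* 2: IP protocol */
    { JEQ_K,   0, 3, 6 },      /* 3: not TCP -> insn 7 */
    { LDH_ABS, 0, 0, 36 },     /* 4: TCP destination port */
    { JEQ_K,   0, 1, 80 },     /* 5: not 80 -> insn 7 */
    { RET_K,   0, 0, 65535 },  /* 6: keep the whole packet */
    { RET_K,   0, 0, 0 },      /* 7: drop */
};

/* Run the filter on a constructed Ethernet/IPv4/TCP frame (given protocol and port), truncated to len bytes. */
uint32_t http_filter_decides(uint8_t proto, uint16_t dport, size_t len)
{
    uint8_t f[54] = {0};
    f[12] = 0x08; f[13] = 0x00; f[14] = 0x45;        /* ethertype IPv4, version 4, IHL 5 */
    f[23] = proto; f[36] = dport >> 8; f[37] = dport & 0xff;
    if (len > sizeof f) len = sizeof f;
    return bpf_run(http_filter, sizeof http_filter / sizeof *http_filter, f, len);
}
```

Bounds-checked loads matter because the filter runs in the kernel on whatever arrived on the wire; a short or malformed packet is simply dropped rather than read past. <br>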
<br>
1.6) What is packet capturing usually used for? <br>
<br>
(Question suggested by Michael T. Stolarchuk <mts@rare.net> <br>
along with some suggestions for the answer.) <br>
<br>
Network diagnostics such as the verification of a <br>
network's setup, examples are tools like arp, that report <br>