📄 sniff.c
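/** @file sniff.c
 *
 * @author marco corvi <marco_corvi@geocities.com>
 * @date mar 2003
 *
 * \brief LSF based packet sniffer
 *
 * after a code by G. Insolvible
 *
 * Opens a PF_PACKET/SOCK_RAW socket for ETH_P_ALL and prints, for every
 * frame received, the Ethernet header and (for IPv4) the IP header fields.
 * Every byte that is parsed comes straight off the wire, so each table
 * lookup and each header offset is bounded before it is used.
 */
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>      // exit
#include <sys/types.h>   // socket recvfrom
#include <sys/socket.h>  // socket recvfrom
#include <netinet/in.h>  // htons
// #include <linux/in.h>
#include <linux/if_ether.h>

enum {
  SNIFF_BUF_SIZE  = 2048, /* receive buffer size in bytes */
  SNIFF_ETH_HDR   = 14,   /* Ethernet header length */
  SNIFF_MIN_FRAME = 42    /* Ethernet (14) + IP (20) + TCP/UDP (8) */
};

/* IP precedence names, indexed by the top three bits of the TOS byte (0..7). */
char * ipservices[] = {
  "Routine", "Priority", "Immediate", "Flash",
  "Flash-Override", "Critic", "Inet-Ctrl", "Net-Ctrl"
};

// rfc790
/* IP protocol names indexed by protocol number. The table stops at 73;
 * the final "..." entry is used for every number beyond it. */
char * ipprotos[] = {
  "Reserved", "ICMP", "none", "G2G", "CMCC",
  "ST", "TCP", "UCL", "none", "Secure",
  "BBN", // 10
  "NVP", "PUP", "Pluribus", "Telenet", "XNET",
  "Chaos", "UDP", "M-plex", "DCN", "TAC", // 20
  "none", "none", "none", "none", "none",
  "none", "none", "none", "none", "none", // 30
  "none", "none", "none", "none", "none",
  "none", "none", "none", "none", "none", // 40
  "none", "none", "none", "none", "none",
  "none", "none", "none", "none", "none", // 50
  "none", "none", "none", "none", "none",
  "none", "none", "none", "none", "none", // 60
  "none", "none", "Local", "SATNET", "MIT",
  "none", "none", "none", "SATNET mon", "none", // 70
  "IPCU", "none", "..."
};

/* Map an IP protocol number to a printable name without reading past the
 * end of ipprotos[]. The protocol byte is attacker-controlled (0..255) while
 * the table is much shorter, so an unchecked index hands printf("%s") a
 * pointer taken from whatever follows the array. */
static const char *
ip_proto_name( unsigned char proto )
{
  size_t count = sizeof ipprotos / sizeof ipprotos[0];

  if ( proto >= count )
    return ipprotos[count - 1];
  return ipprotos[proto];
}

/**
 * Capture loop: receive frames forever and print their headers.
 *
 * @param argc unused
 * @param argv unused
 * @return does not return normally; exits 1 if the socket cannot be
 *         created and 2 if recvfrom() fails.
 */
int
main( int argc, char ** argv )
{
  int sock;
  int n;
  char buffer[SNIFF_BUF_SIZE];
  unsigned char * ethhead;
  unsigned char * iphead;
  unsigned short ethproto;

  (void)argc;
  (void)argv;

  if ( (sock = socket( PF_PACKET, SOCK_RAW, htons( ETH_P_ALL ) ) ) < 0 ) {
    perror("socket");
    exit(1);
  }

  ethhead = (unsigned char *)buffer;
  iphead  = ethhead + SNIFF_ETH_HDR;

  while (1) {
    size_t captured;

    printf("-----------------------------------------------\n");
    // flags = could be an or'ed of
    //   MSG_OOB       request receipt of out-of-band data
    //   MSG_PEEK      return data without removing them from the queue
    //   MSG_WAITALL   wait until the buffer is full
    //   MSG_NOSIGNAL  turns off SIGPIPE in case the other end disappears
    //   MSG_TRUNC     return real length of the packet, if truncated
    //   MSG_ERRQUEUE
    // fromaddr = NULL (fromlen=NULL) do not care about 'from' address
    n = recvfrom( sock, buffer, sizeof buffer, MSG_TRUNC, NULL, NULL );

    if ( n < 0 ) {
      perror("recvfrom");
      close(sock);
      exit(2);
    }

    // Ethernet (14) + IP (20 or more) + TCP/UDP (8)
    // IP rfc791
    // A short frame is not a receive error: report it and keep capturing,
    // otherwise a single runt frame on the wire stops the sniffer.
    if ( n < SNIFF_MIN_FRAME ) {
      fprintf(stderr, "incomplete packet (%d bytes)\n", n);
      continue;
    }

    // With MSG_TRUNC n is the on-wire length and may exceed the buffer;
    // only 'captured' bytes of this frame are actually in 'buffer'.
    captured = (size_t)n > sizeof buffer ? sizeof buffer : (size_t)n;

    printf("Packet: size %4d ", n);
    ethproto = (unsigned short)( (ethhead[12] << 8) | ethhead[13] );
    printf("type %04x ", ethproto);
    switch (ethproto) {
      case ETH_P_LOOP:      printf("Loopback \n"); break;
      case ETH_P_PUP:       printf("PUP \n"); break;
      case ETH_P_PUPAT:     printf("PUP addr. transl.\n"); break;
      case ETH_P_IP:        printf("IP \n"); break;
      case ETH_P_X25:       printf("CCITT X25 \n"); break;
      case ETH_P_ARP:       printf("ARP \n"); break;
      case ETH_P_BPQ:       printf("G88PQ AX.25 \n"); break;
      case ETH_P_IEEEPUP:   printf("IEEE802.3 PUP \n"); break;
      case ETH_P_IEEEPUPAT: printf("IEEE802.3 PUP Addr. Transl. \n"); break;
      case ETH_P_IPX:       printf("IPX over DIX \n"); break;
      case ETH_P_IPV6:      printf("IPv6 over Bluebook\n"); break;
      case ETH_P_PPP_DISC:  printf("PPPoE discovery\n"); break;
      case ETH_P_PPP_SES:   printf("PPPoE session\n"); break;
      case ETH_P_ATMFATE:   printf("ATM frame \n"); break;
      default:              printf("--- \n"); break;
    }

    // Ethernet header layout: destination MAC (bytes 0-5), then source
    // MAC (bytes 6-11), then the 2-byte type.
    printf("src MAC: %02x:%02x:%02x:%02x:%02x:%02x \n",
           ethhead[6], ethhead[7], ethhead[8],
           ethhead[9], ethhead[10], ethhead[11]);
    printf("dst MAC: %02x:%02x:%02x:%02x:%02x:%02x \n",
           ethhead[0], ethhead[1], ethhead[2],
           ethhead[3], ethhead[4], ethhead[5]);

    if ( ethproto == ETH_P_IP ) {
      unsigned char  ipversion = iphead[0] >> 4;   /* version 4 or 6 */
      unsigned char  ipihl     = iphead[0] & 0x0f; /* IP header length in 32-bit words */
      unsigned char  ipservice = iphead[1];
      unsigned short iplen     = (unsigned short)( (iphead[2] << 8) | iphead[3] );
      unsigned short ipid      = (unsigned short)( (iphead[4] << 8) | iphead[5] );
      // flags are the top three bits of byte 6 (rfc791):
      //   0x4 reserved
      //   0x2 DF: 0 = may fragment, 1 = don't fragment
      //   0x1 MF: 0 = last fragment, 1 = more fragments
      unsigned char  ipflags   = iphead[6] >> 5;
      unsigned short ipfragoff = (unsigned short)( ((iphead[6] & 0x1f) << 8) | iphead[7] );
      unsigned char  ipttl     = iphead[8];
      // proto 17 UDP
      unsigned char  ipproto   = iphead[9];
      unsigned short ipchksum  = (unsigned short)( (iphead[10] << 8) | iphead[11] );
      size_t optwords = ipihl;
      size_t w;

      printf("IP %d Len %d ID %d Frag %c %s ",
             ipversion, iplen, ipid,
             (ipflags & 0x2) ? 'N' : 'Y',
             (ipflags & 0x1) ? "more" : "last" );
      printf("Offset %d TTL %d Proto %s ChkSum %d\n",
             ipfragoff, ipttl, ip_proto_name(ipproto), ipchksum );
      printf("Service: %s Delay %c Throughput %c Reliability %c\n",
             ipservices[ ipservice>>5 ],
             (ipservice & 0x10) ? 'L' : 'N',
             (ipservice & 0x08) ? 'H' : 'N',
             (ipservice & 0x04) ? 'H' : 'N' );
      printf("src ip %3d.%3d.%3d.%3d\n",
             iphead[12], iphead[13], iphead[14], iphead[15] );
      printf("dst ip %3d.%3d.%3d.%3d\n",
             iphead[16], iphead[17], iphead[18], iphead[19] );

      // The IHL field is taken from the packet; clamp the option words to
      // what was captured so bytes left in the buffer by an earlier frame
      // are never printed as if they belonged to this one.
      if ( SNIFF_ETH_HDR + 4 * optwords > captured )
        optwords = (captured - SNIFF_ETH_HDR) / 4;
      for ( w = 5; w < optwords; w++ )
        printf("opt[%d] %02x %02x %02x %02x\n", (int)w,
               iphead[4*w], iphead[4*w+1], iphead[4*w+2], iphead[4*w+3] );
    }
  }
}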