📄 sniffers.txt
字号:
This is the most important line in the entire program. Socket() takes three arguments in
this form:
sockfd = socket(int family, int type, int protocol);
The first argument is the family. This could be either AF_UNIX which is used so a process
can communicate with another process on the same host or AF_INET which is used for
internet communication between remote hosts. In this case it will be AF_INET . Next
is the type, the type is usually between 1 of 4 choices (there are others that we will not
discuss here) the main four are :
1. SOCK_DRAM : used for udp datagrams
2. SOCK_STREAM : used for tcp packets
3. SOCK_RAW : used to bypass the transport layer
and directly access the IP layer
4. SOCK_PACKET : this is linux specific, it is similuar to
SOCK_RAW except it accesses the DATA LINK Layer
For our needs we will use the SOCK_RAW type. You must have root acces to open a
raw socket. The last parameter is the protocol,the protocol value specifies what type of
traffic the socket should receive , for normal sockets this value is usally set to "0"
because the socket can figure out if for instance the "type" of SOCK_DGRAM is
specified then the protocol should be UDP.In our case we just want to look at tcp
traffic so we will specify IPPROTO_TCP.
line 15 :
while (1)
The while (1) puts the program into an infinite loop this is necessary so that after the
first packet is processed we will loop around and grab the next.
Line 18:
bytes_recieved = recvfrom(sock, buffer, sizeof buffer, 0,
(struct sockaddr *)&from, &fromlen);
Now here is where we are actually reading data from the open socket "sock".The from
struct is also filled in but notice that we are casting "from" from a "sockaddr_in" struct
to a "sockaddr" struct. We do this because the recvfrom() requires a sockaddr type but
to access the separate fields we will continue to use the sockaddr_in structure. The
length of the "from" struct must also be present and passed by address. The recvfrom()
call will return the number of bytes on success and a -1 on error and fill the global var
errno.
This is what we call "blocking-I/O" the recvfrom() will wait here forever until a
datagram on the open socket is ready to be processed. This is opposed to
Non-blocking I/O which is like running a process in the background and move on to
other tasks.
Line 20:
printf("Source address ::: %s\n",inet_ntoa(from.sin_addr));
This printf uses the special function inet_ntoa() to take the value of "from.sin_addr"
which is stored in Network-byte order and outputs a value in a readable ip form such
as 192.168.1.XXX.
Line 21:
ip = (struct ip *)buffer;
This is where we will overlay a predefined structure that will help us to individually
identify the fields in the packet that we pick up from the open socket.
Line 22:
printf("IP header length ::: %d\n",ip->ip_length);
The thing to notice on this line is the "ip->ip_length" this will access a pointer in
memory to the ip header length the important thing to remember is that the length
will be represented in 4-byte words this will be more important later when trying to
access items past the ip header such as the tcp header or the data portion of the packet.
Line 23:
printf("Protocol ::: %d\n",ip->ip_protocol);
This gives access to the type of protocol such as 6 for tcp or 17 for udp.
Line 24:
tcp = (struct tcp *)(buffer + (4*ip->ip_length));
Remember earlier it was mentioned that the ip header length is stored in 4 byte words,
this is where that bit of information becomes important. Here we are trying to get access
to the tcp header fields, to do this we must overlay a structure that has the fields
predefined just as we did with ip. There is one key difference here the ip header fields
were easy to access due to the fact that the beginning of the buffer was also the beginning
of the ip header as so :
|----------------- buffer ----------------|
_________________________________________
| ip header | |
|____________________|____________________|
^
*ip
^
*buffer
So to get access to the ip header we just set a pointer casted as an ip structure to the
beginning of the buffer like "ip = (struct ip *)buffer;". To get access to the tcp header
is a little more difficult due to the fact that we must set a pointer and cast it as a tcp
structure at the beginning of the tcp header which follows the ip header in the buffer
as so :
|----------------- buffer ---------------|
________________________________________
| ip header | tcp header | |
|___________|____________|_______________|
^
*tcp
This is why we use 4*ip->ip_length to find the start of the tcp header.
Line 25-26:
printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port);
printf("Dest port ::: %d\n",ntohs(tcp->tcp_dest_port));
We can now access the source and dest ports which are located in the tcp header via
the structure as defined above.
This will conclude our first very simple tcp sniffer. This was a very basic application
that should help define how to access packets passing on the network and how to use
sockets to access the packets. Hopefully this will be the first of many papers to come,
which each proceeding paper we will add a new or more complex feature to the sniffer. I
should also mention that there a number of great resources on the net that should aid you
in further research in this area :
1. Beej's Guide to Network Programming
This is an awesome paper that really helps clear up any misconceptions about network programming.
[http://www.ecst.csuchico.edu/~beej/guide/net]
2. TCP/IP Illustrated Vol 1,2,3
W.Richard Stevens
To use the above program, cut out the above code and strip off all
of the line numbers. Save the edited file as sniff.c. Next cut
out the header file headers.h (below) and save it to a file headers.h
in the same directory. Now just compile: gcc -o sniff sniff.c
You should now have the executable "sniff", to run it type
#./sniff
/*************************headers.h**************************/
/*structure of an ip header */
struct ip {
unsigned int ip_length:4; /*little-endian*/
unsigned int ip_version:4;
unsigned char ip_tos;
unsigned short ip_total_length;
unsigned short ip_id;
unsigned short ip_flags;
unsigned char ip_ttl;
unsigned char ip_protocol;
unsigned short ip_cksum;
unsigned int ip_source;
unsigned int ip_dest;
};
/* Structure of a TCP header */
struct tcp {
unsigned short tcp_source_port;
unsigned short tcp_dest_port;
unsigned int tcp_seqno;
unsigned int tcp_ackno;
unsigned int tcp_res1:4, /*little-endian*/
tcp_hlen:4,
tcp_fin:1,
tcp_syn:1,
tcp_rst:1,
tcp_psh:1,
tcp_ack:1,
tcp_urg:1,
tcp_res2:2;
unsigned short tcp_winsize;
unsigned short tcp_cksum;
unsigned short tcp_urgent;
};
/*********************EOF***********************************/
About
Contact
Services
Hosting
Mission
Ethics
FAQ
CD Archive
Unix (A-N)
Unix (O-Z)
Windows 95/98
Windows NT
Novell
Home Brew
Take Out
Text Files
Online Books
Auditing Tools
CGI Attacks
Detection Tools
Log Tools
Log Cleaners
IMAPD Exploits
IMAPD Scanners
FTP Exploits
General Unix Tools
Network Sniffers
Operating Systems
Password Crackers
Rootkits
Security Analysis Tools
Sendmail Exploits
TCP Tools
Trojans
UDP Tools
Word Lists
Attack (A-M)
Attack (N-Z)
Defence
Other
Advanced
AOL Programs
BIOS Crackers
Cheat Engines
Encryption
Hex Editors
Java Attack
Keystroke Loggers
Mail Programs
Misc Programs
MSN Programs
Multiple Attack
Needed Files
Nukers
Ping and ICMP
Port Scanners
Trojans
Wardialers
Windows Password Crackers
Wingate
Anti Spam
File Wipers
IP Spoofers
Trojan Cleaners
Anarchy
Credit Card
Cell Phone Programs
Cell Phone Text Files
Pager Programs
Virii
Auditing Tools
Intrusion Detection
Administrative Tools
Password Crackers
Scanners
Code Hackers
Dark Fool
Grenadier
Lord Somer
Rhino9
SIN
Stormer
Wiltered Fire
Hacking
Cracking
Phreaking
Newbie
PC Optimization
ICQ Server List
Privacy Quotient
United States Congress Email Addresses
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -