Tcpdump, Snort and similar tools are great; administrators
and programmers alike can use them for everything from reading basic packet
headers down to bit-for-bit analysis of what happened, when, and where on a
network. How do they work? If someone
wished to include packet reading functionality in their own software, what
might be the best method? This text is a first pass at setting up a simple
packet reading program using the
libpcap packet capture library.
A solid understanding of network packet structure and basic C programming
skills (up to pointers and data structures) is recommended for this text.
The PCAP Site
Before delving any further it is worth noting that the tcpdump/libpcap site has a variety of
documentation and different examples that can be used if this text is found to
be unsuitable by a reader, or one simply wishes to get going a little faster.
Indeed, the examples in the text below are derived both from examples
at the tcpdump site and from some tcpdump code itself.
What is libpcap?
The libpcap library can be used to read, record, inject and in
general deal with network packets at a higher level than raw sockets.
Essentially, libpcap makes it easy to collect or
manipulate packets. Libpcap functions
also abstract many of the differences between operating systems'
packet capture APIs, making programs that use libpcap generally more portable,
or at least saving the programmer the headache of writing their own capture
layer. This is not to say that dealing with packets is easy even with libpcap;
just slightly easier.
Getting Libpcap
Installing the libpcap runtime library itself may not be enough: compiling
against it needs the headers as well. Below is how the development package is
installed for a variety of systems. Note that one cheap way to make sure the
runtime bits are present is to install Nmap, which depends on libpcap; on
binary-package systems such as Debian this does not pull in the headers, so
the -dev package is still needed:
- Debian/Ubuntu (and other Debian based distributions):
  apt-get install libpcap-dev
- FreeBSD (~ports being the ports tree root, normally /usr/ports):
  cd ~ports/net/libpcap && make install
- NetBSD (~pkgsrc being the pkgsrc tree root, normally /usr/pkgsrc):
  cd ~pkgsrc/net/libpcap && make install
Key Data Structures and Definitions
Before jumping head first into using libpcap, an overview of the two major
data structures and some of the definitions is needed. Point one with
libpcap programming is to understand that all the software does is get
data and (possibly) manipulate it: nothing more. Dealing with network packets
(not unlike kernel programming) is not some mystical voodoo realm; it is
data handling, nothing more and nothing less. Since the pktutils programs nread and nject (older versions of
them, actually) are being used as a reference, the structure names map to those
programs.
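To make the "it is just data handling" point concrete, and to show what libpcap actually hands a program once a packet has been captured, here is an added example. It is not code from the original article, from tcpdump or from pktutils. The struct pkt_hdr below mirrors libpcap's struct pcap_pkthdr (a timeval, the captured length and the wire length) so the program builds without libpcap installed; in a real program that struct comes from <pcap.h>, and decode() would be called from the callback handed to pcap_loop() or pcap_dispatch(). The Ethernet, IPv4 and UDP layouts are the standard wire formats. The frame is constructed inline rather than captured, and the handler name, field names and addresses are this example's own choices. The one thing worth learning from it is that every read is checked against caplen, not len: with a short snaplen libpcap delivers fewer bytes than were on the wire, and a decoder that trusts len walks off the end of the buffer.

```c
/*
 * Added example, not from the original article or from pktutils.
 * struct pkt_hdr mirrors libpcap's struct pcap_pkthdr; the frame is
 * constructed here, not captured.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

struct pkt_hdr {            /* same layout as libpcap's struct pcap_pkthdr */
    struct timeval ts;      /* time the packet was captured */
    uint32_t caplen;        /* bytes actually present in the buffer */
    uint32_t len;           /* bytes on the wire (may exceed caplen) */
};

struct summary {            /* decoded fields, all in host byte order */
    int ok;                 /* 1 = fully decoded, 0 = truncated/unsupported */
    uint16_t ethertype;
    uint8_t proto;
    uint32_t src, dst;
    uint16_t sport, dport;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decode an Ethernet II frame carrying IPv4, and UDP ports if present.
 * Every access is bounded by caplen; h->len is never used as a bound. */
struct summary decode(const struct pkt_hdr *h, const uint8_t *bytes)
{
    struct summary s;
    memset(&s, 0, sizeof s);
    if (h->caplen < 14) return s;                  /* no full Ethernet header */
    s.ethertype = rd16(bytes + 12);
    if (s.ethertype != 0x0800) return s;           /* only IPv4 handled here */
    if (h->caplen < 14 + 20) return s;             /* minimum IPv4 header */
    const uint8_t *ip = bytes + 14;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;   /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || h->caplen < 14 + ihl) return s;
    s.proto = ip[9];
    s.src = rd32(ip + 12);
    s.dst = rd32(ip + 16);
    if (s.proto == 17) {                           /* UDP: ports are the first 4 bytes */
        if (h->caplen < 14 + ihl + 8) return s;    /* UDP header cut off by snaplen */
        s.sport = rd16(ip + ihl);
        s.dport = rd16(ip + ihl + 2);
    }
    s.ok = 1;
    return s;
}

/* Constructed frame: 00:11:22:33:44:55 -> 66:77:88:99:aa:bb, IPv4,
 * 192.168.1.10:12345 -> 10.0.0.1:53, UDP, 8 bytes of payload (50 bytes total). */
static const uint8_t sample_frame[] = {
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00, 0x00,0x24, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,
    192,168,1,10, 10,0,0,1,
    0x30,0x39, 0x00,0x35, 0x00,0x10, 0x00,0x00,
    'd','n','s','?','q','u','e','r'
};

/* Pretend libpcap captured sample_frame with the given snaplen. */
struct summary decode_sample(uint32_t caplen)
{
    struct pkt_hdr h;
    memset(&h, 0, sizeof h);
    h.len = sizeof sample_frame;
    h.caplen = caplen > h.len ? h.len : caplen;
    return decode(&h, sample_frame);
}

/* Same shape as the callback pcap_loop()/pcap_dispatch() invoke. */
static void handler(uint8_t *user, const struct pkt_hdr *h, const uint8_t *bytes)
{
    struct summary s = decode(h, bytes);
    (void)user;
    if (!s.ok) {
        printf("caplen %u of %u: truncated or unsupported frame\n", h->caplen, h->len);
        return;
    }
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto %u\n",
           s.src >> 24, (s.src >> 16) & 0xff, (s.src >> 8) & 0xff, s.src & 0xff, s.sport,
           s.dst >> 24, (s.dst >> 16) & 0xff, (s.dst >> 8) & 0xff, s.dst & 0xff, s.dport,
           s.proto);
}

int main(void)
{
    struct pkt_hdr h;
    memset(&h, 0, sizeof h);
    h.len = h.caplen = sizeof sample_frame;
    handler(NULL, &h, sample_frame);   /* full capture */
    h.caplen = 40;                      /* snaplen too short for the UDP header */
    handler(NULL, &h, sample_frame);
    return 0;
}
```

Feeding the same frame with caplen 40 shows the failure mode the snaplen introduces: the Ethernet and IPv4 headers are intact but the UDP ports are not in the buffer, and the decoder reports that rather than reading past the captured bytes.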
Original link: http://systhread.net/texts/20080...