Newbie libpcap question

From: Asra (asra_baig_at_rocketmail.com)
Date: 08/15/03


Date: 14 Aug 2003 22:07:52 -0700

Hi,
I am using libpcap on Linux. The program is as listed in the tutorial
at:
http://www.cet.nau.edu/~mc8/Socket/Tutorials/section2.html
When I run a.out, it only prints out the first line of the expected
output, i.e. DEV: eth0
I tried pinging to www.google.com, changed the prmisc parameter from 0
to 1 but nothing seems to be working. Can somebody help?
For your convenience the code and expected output are copied below:

/**************************************************
* file: testpcap1.c
* Date: Thu Mar 08 17:14:36 MST 2001
* Author: Martin Casado
* Location: LAX Airport (hehe)
*
* Simple single packet capture program
*****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h> /* if this gives you an error try pcap/pcap.h */
#include <errno.h>
#include <time.h> /* ctime() */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h> /* includes net/ethernet.h */

int main(int argc, char **argv)
{
    int i;
    char *dev;
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t* descr;
    const u_char *packet;
    struct pcap_pkthdr hdr; /* pcap.h */
    struct ether_header *eptr; /* net/ethernet.h */

    u_char *ptr; /* printing out hardware header info */

    /* grab a device to peek into... */
    dev = pcap_lookupdev(errbuf);

    if(dev == NULL)
    {
        printf("%s\n",errbuf);
        exit(1);
    }

    printf("DEV: %s\n",dev);

    /* open the device for sniffing.

       pcap_t *pcap_open_live(char *device,int snaplen, int prmisc,
                              int to_ms, char *ebuf)

       snaplen - maximum size of packets to capture in bytes
       promisc - set card in promiscuous mode?
       to_ms - time to wait for packets in milliseconds before read
       times out
       errbuf - if something happens, place error string here

       Note if you change "prmisc" param to anything other than zero,
       you will get all packets your device sees, whether they are
       intended for you or not!! Be sure you know the rules of the
       network you are running on before you set your card in
       promiscuous mode!! */

    descr = pcap_open_live(dev,BUFSIZ,0,-1,errbuf);

    if(descr == NULL)
    {
        printf("pcap_open_live(): %s\n",errbuf);
        exit(1);
    }

    /*
       grab a packet from descr (yay!)
       u_char *pcap_next(pcap_t *p,struct pcap_pkthdr *h)
       so just pass in the descriptor we got from
       our call to pcap_open_live and an allocated
       struct pcap_pkthdr */

    packet = pcap_next(descr,&hdr);

    if(packet == NULL)
    {/* dinna work *sob* */
        printf("Didn't grab packet\n");
        exit(1);
    }

    /* struct pcap_pkthdr {
        struct timeval ts; time stamp
        bpf_u_int32 caplen; length of portion present
        bpf_u_int32 len; length this packet (off wire)
        }
     */

    printf("Grabbed packet of length %d\n",hdr.len);
    printf("Recieved at ..... %s\n",ctime((const time_t*)&hdr.ts.tv_sec));
    printf("Ethernet address length is %d\n",ETHER_HDR_LEN);

    /* lets start with the ether header... */
    eptr = (struct ether_header *) packet;

    /* Do a couple of checks to see what packet type we have..*/
    if (ntohs (eptr->ether_type) == ETHERTYPE_IP)
    {
        printf("Ethernet type hex:%x dec:%d is an IP packet\n",
                ntohs(eptr->ether_type),
                ntohs(eptr->ether_type));
    }else if (ntohs (eptr->ether_type) == ETHERTYPE_ARP)
    {
        printf("Ethernet type hex:%x dec:%d is an ARP packet\n",
                ntohs(eptr->ether_type),
                ntohs(eptr->ether_type));
    }else {
        printf("Ethernet type %x not IP", ntohs(eptr->ether_type));
        exit(1);
    }

    /* THANK YOU RICHARD STEVENS!!! RIP*/
    ptr = eptr->ether_dhost;
    i = ETHER_ADDR_LEN;
    printf(" Destination Address: ");
    do{
        printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++);
    }while(--i>0);
    printf("\n");

    ptr = eptr->ether_shost;
    i = ETHER_ADDR_LEN;
    printf(" Source Address: ");
    do{
        printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++);
    }while(--i>0);
    printf("\n");

    return 0;
}

Well, that wasn't too bad was it?! Let's give her a test run ..

[root@pepe libpcap]# ./a.out
DEV: eth0
Grabbed packet of length 76
Recieved at time..... Mon Mar 12 22:23:29 2001

Ethernet address length is 14
Ethernet type hex:800 dec:2048 is an IP packet
 Destination Address: 0:20:78:d1:e8:1
 Source Address: 0:a0:cc:56:c2:91
[root@pepe libpcap]#
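
Added example, not part of the original post or of the tutorial it quotes: the listing casts the captured buffer to struct ether_header without checking how many bytes were actually captured. Below is a bounds-checked version of that header parse, run on a frame constructed from the addresses in the expected output; parse_ether, struct eth_info and the FRAME_* values are names assumed for this example, and with libpcap the length to pass in is hdr.caplen.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_BYTES 14     /* dst(6) + src(6) + ethertype(2) */

enum frame_kind { FRAME_TRUNCATED = -1, FRAME_OTHER, FRAME_IP, FRAME_ARP };
struct eth_info {            /* hypothetical result type for this example */
    char dst[18], src[18];   /* "xx:xx:xx:xx:xx:xx" plus NUL */
    uint16_t ethertype;      /* host byte order */
};

static void fmt_mac(const uint8_t *m, char out[18])
{
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* caplen is the number of bytes actually present in pkt (hdr.caplen from
   libpcap), which can be smaller than the on-wire length hdr.len. */
int parse_ether(const uint8_t *pkt, size_t caplen, struct eth_info *out)
{
    if (pkt == NULL || out == NULL || caplen < ETH_HDR_BYTES)
        return FRAME_TRUNCATED;          /* never read past the capture */
    fmt_mac(pkt, out->dst);
    fmt_mac(pkt + 6, out->src);
    /* big-endian field assembled byte by byte: no alignment or ntohs needed */
    out->ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    switch (out->ethertype) {
    case 0x0800: return FRAME_IP;
    case 0x0806: return FRAME_ARP;
    default:     return FRAME_OTHER;
    }
}

/* Constructed sample: addresses from the expected output above, type 0x0800 */
static const uint8_t sample_frame[] = {
    0x00, 0x20, 0x78, 0xd1, 0xe8, 0x01,   /* destination */
    0x00, 0xa0, 0xcc, 0x56, 0xc2, 0x91,   /* source */
    0x08, 0x00, 0x45, 0x00                /* ethertype, first payload bytes */
};

int main(void)
{
    struct eth_info e;
    int kind = parse_ether(sample_frame, sizeof sample_frame, &e);
    if (kind == FRAME_TRUNCATED) { puts("truncated frame"); return 1; }
    printf("kind=%d type=0x%04x dst=%s src=%s\n", kind, e.ethertype, e.dst, e.src);
    return 0;
}
```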


