1
votes

Is there a way to view all the IPv4 packets sent to a Linux computer?

I know I can capture the packets at the ethernet level using libpcap. This can work, but I don't really want to defragment the IPv4 packets. Does libpcap provide this functionality and I'm just missing it?

One thing that kinda works is using a tun device. I can capture all the IPv4 traffic by routing all traffic to the tun device via something like ip route add default via $TUN_IP dev $TUNID. This also stops outbound traffic though, which is not what I want.

I just want to see the IPv4 packets, not intercept them. (Or, even better, optionally intercept them.)

Edit: I'm specifically looking for a programmatic interface to do this. E.g. something I can use from within a C program.

2
Do you have to do this in your own program? Wireshark can perform IP reassembly. (Barmar)
You can use iptables for this. See: stackoverflow.com/questions/23697282/… (harmic)
"This can work, but I don't really want to defragment the IPv4 packets." - libpcap/tcpdump do not defragment the traffic. They even explicitly capture/print the fragment offsets and the DF bit. See IP Fragmentation in the tcpdump man page. (viraptor)
I don't want to defragment them myself. I want the reassembled packets presented one after another. See edit: looking for a programmatic interface. (William)
I hope you do know that there is (usually) a massive amount of other IPv4 traffic that is NOT routed to your computer but which is on the same set of wires. (user3629249)

2 Answers

1
votes

Yes, you can see all the packets that arrive at your network interface. There are several options to access or view them. Here is a small list of possible solutions, where the first one is the easiest and the last one the hardest to use:

Wireshark

I'd say this is pretty much the standard when it comes to protocol analyzers with a GUI (uses libpcap). It has tons of options, a nice GUI, great filtering capabilities and reassembles IP datagrams. It uses libpcap and can also show the raw ethernet frame data. For example, it allows you to see layer 2 packets like ARP. Furthermore, you can capture the complete data arriving at your network interface in a file that can later be analyzed (also in Wireshark).

tcpdump

Very powerful, with similar features to Wireshark but as a command-line utility, which also uses libpcap. It can also capture/dump the complete interface traffic to a file. You can view the dumped data in Wireshark since the format is compatible.

ngrep

This is known as the "network grep" and is similar to tcpdump but supports regular expressions (regex) to filter the payload data. It allows you to save captured data in the file format supported by Wireshark and tcpdump (also uses libpcap).

libnids

Quotation from the official git repository:

"Libnids is a library that provides a functionality of one of NIDS (Network Intrusion Detection System) components, namely E-component. It means that libnids code watches all local network traffic [...] and provides convenient information on them to analyzing modules of NIDS. Libnids performs:

  • assembly of TCP segments into TCP streams
  • IP defragmentation
  • TCP port scan detection"

libpcap

Of course you can also write your own programs by using the library directly. Needless to say, this requires more effort.

Raw or Packet Sockets

In case you want to do all the dirty work yourself, this is the low-level option, which of course also allows you to do everything you want. The tools listed above use them as a common basis. Raw sockets operate on OSI layer 3 and packet sockets on layer 2.


Note: This is not meant to be a complete list of available tools or options. I'm sure there are many more, but these are the most common ones I can think of.

0
votes

Technically you have to make a copy of the received packet via libpcap. To be more specific, what you can do is get packets with libpcap; that way the packets will be kind of blocked, so you need to resend them to the destination. Let's say that you want to make a firewall or something; what you should do is have a layer that works like getting the packet and then sending it to the destination, and in between you can make a copy of what you got for further processing. In order to make the intercept option, you need to create some predefined rules, i.e. the ones that violate the rules will not be sent again to their destination.

But that needs a lot of effort and I don't think you want to waste your life on it.

Wireshark, as mentioned by @Barmar, can do the job already.

If you need some kind of command-line option, I would say that "tcpdump" is one of the best monitoring tools. For example, for capturing all IPv4 HTTP packets to and from port 80 the command will be:

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

For more information and options see tcpdump.

Please be specific if you need to write a program for it, then we can help about how to do it.
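An added example (not code from the question or from either answer) showing the "raw sockets" option of the first answer as a C program, which is the programmatic interface the question asks for. On Linux an AF_INET SOCK_RAW socket receives a copy of every locally delivered IPv4 datagram of one protocol, IP header included, after the kernel has reassembled any fragments; the kernel's own TCP stack still gets the packet, so this observes without intercepting (an AF_PACKET socket, by contrast, sees the fragments as they arrived on the wire). The parser also computes the TCP payload length with the same arithmetic as the tcpdump filter in the second answer. The names parse_ipv4, ip_summary and SAMPLE_DATAGRAM are my own, the sample datagram is constructed rather than captured, and running main() live needs CAP_NET_RAW (normally root):

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct ip_summary {
    uint8_t  ihl_bytes;       /* (ip[0] & 0xf) << 2 in tcpdump filter syntax */
    uint16_t total_len;       /* ip[2:2]                                      */
    uint8_t  protocol;        /* ip[9]: 6 = TCP, 17 = UDP, 1 = ICMP           */
    int      dont_fragment;   /* DF bit                                       */
    int      more_fragments;  /* MF bit                                       */
    uint16_t frag_offset;     /* fragment offset in bytes (field value * 8)   */
    int      is_whole;        /* 1 if offset == 0 and MF clear (reassembled)  */
    int      checksum_ok;     /* 1 if the IPv4 header checksum verifies       */
    int      tcp_payload_len; /* bytes after the TCP header, -1 if not known  */
    char     src[INET_ADDRSTRLEN];
    char     dst[INET_ADDRSTRLEN];
};

/* RFC 1071 one's-complement sum over the IPv4 header; returns 0 when valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode one IPv4 datagram. Returns 0 on success, -1 if buf is not a
 * plausible IPv4 datagram (bad version, IHL or length fields). */
int parse_ipv4(const uint8_t *buf, size_t len, struct ip_summary *out)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    uint16_t total = (uint16_t)((buf[2] << 8) | buf[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;

    memset(out, 0, sizeof *out);
    out->ihl_bytes = (uint8_t)ihl;
    out->total_len = total;
    out->protocol = buf[9];
    out->checksum_ok = ip_checksum(buf, ihl) == 0;

    uint16_t flags_off = (uint16_t)((buf[6] << 8) | buf[7]);
    out->dont_fragment = (flags_off & 0x4000) != 0;
    out->more_fragments = (flags_off & 0x2000) != 0;
    out->frag_offset = (uint16_t)((flags_off & 0x1fff) * 8);
    out->is_whole = out->frag_offset == 0 && !out->more_fragments;

    inet_ntop(AF_INET, buf + 12, out->src, sizeof out->src);
    inet_ntop(AF_INET, buf + 16, out->dst, sizeof out->dst);

    /* TCP payload = ip[2:2] - IHL*4 - dataoffset*4, the quantity the tcpdump
     * filter tests for != 0. Only a first fragment or a whole datagram
     * carries a TCP header, so later fragments get -1. */
    out->tcp_payload_len = -1;
    if (out->protocol == IPPROTO_TCP && out->frag_offset == 0 && total >= ihl + 20) {
        size_t doff = (size_t)(buf[ihl + 12] >> 4) * 4;  /* (tcp[12] & 0xf0) >> 2 */
        if (doff >= 20 && ihl + doff <= total)
            out->tcp_payload_len = (int)(total - ihl - doff);
    }
    return 0;
}

/* Constructed sample, not captured traffic: 10.0.0.1:80 -> 10.0.0.2:49152,
 * DF set, TCP PSH|ACK, five payload bytes "HELLO". */
const uint8_t SAMPLE_DATAGRAM[] = {
    0x45, 0x00, 0x00, 0x2d, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x14, 0x95,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,              /* IPv4 header */
    0x00, 0x50, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,              /* TCP header  */
    'H', 'E', 'L', 'L', 'O',
};
const size_t SAMPLE_DATAGRAM_LEN = sizeof SAMPLE_DATAGRAM;

int main(void)
{
    /* One raw socket per protocol of interest (IPPROTO_RAW is send-only). */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0) {
        perror("socket(AF_INET, SOCK_RAW, IPPROTO_TCP)");
        return 1;
    }
    uint8_t buf[65535];  /* largest possible IPv4 datagram, so nothing truncates */
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) {
            perror("recv");
            break;
        }
        struct ip_summary s;
        if (parse_ipv4(buf, (size_t)n, &s) != 0) {
            fprintf(stderr, "skipping %zd bytes: not a valid IPv4 datagram\n", n);
            continue;
        }
        printf("%s -> %s proto=%u len=%u DF=%d MF=%d off=%u whole=%d csum_ok=%d tcp_payload=%d\n",
               s.src, s.dst, s.protocol, s.total_len, s.dont_fragment, s.more_fragments,
               s.frag_offset, s.is_whole, s.checksum_ok, s.tcp_payload_len);
    }
    close(fd);
    return 0;
}
```

On a datagram the kernel has reassembled, MF is clear and the offset is 0, which is what the is_whole field reports; if you open an AF_PACKET socket instead and feed the IPv4 portion of each frame to the same parser, you will see MF and non-zero offsets on fragmented traffic, because reassembly happens in the IP layer after that point.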