0
votes

I have been given a project for a course at university (network engineering) which involves writing a packet sniffer that can capture and identify IPv4, IPv6, TCP, UDP, IP, ICMP etc. packets and display their contents.

Originally we were directed to use libpcap to do this, but we have just been informed by one of the university technicians that it is not possible to use libpcap with the current installation (Arch Linux).

What other ways are there to create a packet sniffer in C that does not use libpcap?

I am not asking for the answer to this project, I am just asking for direction, where I should start?


3 Answers

5
votes

I would go and ask someone more senior what you're actually supposed to be doing. There seem to be two completely different tasks here - one is parsing and displaying network packets and the other is interfacing with the OS/hardware to capture the packets. If you're supposed to be learning about the former, then you probably shouldn't spend time on the latter.

3
votes

Originally we were directed to use libpcap to do this, but we have just been informed by one of the university technicians that it is not possible to use libpcap with the current installation (Arch Linux).

First thing I would advise is get a straight answer from the course tutor. If the technician means libpcap is not available, fine, you ought to be able to compile it. If the technician means they've (Arch, or the university) removed promiscuous mode drivers from the Linux kernel, there isn't a whole lot you can do. Either way, check what you're hearing.

Should you still need to do this, what's wrong with reading the libpcap source for guidance? pcap_loop is the function you're looking for, which calls read_op from a pcap_t struct. grep -irn "read_op = " * reveals several possible readers at the low level in libpcap:

grep -irn "read_op = " *
pcap-bpf.c:2231:    p->read_op = pcap_read_bpf;
pcap-bt-linux.c:172:    handle->read_op = bt_read_linux;
pcap.c:243: p->read_op = (read_op_t)pcap_not_initialized;
pcap-can-linux.c:99:    handle->read_op = can_read_linux;
pcap-dag.c:795: handle->read_op = dag_read;
pcap-dlpi.c:759:    p->read_op = pcap_read_dlpi;
pcap-libdlpi.c:217: p->read_op = pcap_read_libdlpi;
pcap-linux.c:1198:  handle->read_op = pcap_read_linux;
pcap-linux.c:3167:  handle->read_op = pcap_read_linux_mmap;
pcap-netfilter-linux.c:338: handle->read_op = nflog_read_linux;
pcap-nit.c:315: p->read_op = pcap_read_nit;
pcap-pf.c:486:  p->read_op = pcap_read_pf;
pcap-septel.c:213:  handle->read_op = septel_read;
pcap-sita.c:941:    handle->read_op = pcap_read_acn;
pcap-snf.c:236: p->read_op = snf_read;
pcap-snit.c:394:    p->read_op = pcap_read_snit;
pcap-snoop.c:381:   p->read_op = pcap_read_snoop;
pcap-usb-linux.c:341:           handle->read_op = usb_read_linux_mmap;
pcap-usb-linux.c:355:       handle->read_op = usb_read_linux_bin;
pcap-usb-linux.c:390:       handle->read_op = usb_read_linux;
pcap-win32.c:687:       p->read_op = pcap_read_win32_dag;
pcap-win32.c:694:       p->read_op = pcap_read_win32_npf;
savefile.c:323: p->read_op = pcap_offline_read;

Which one your system uses probably depends on the result of configure, but any of those would act as great starting points for working out how it works. Don't be afraid to take apart big projects like this - somebody else said "google is your friend". Well I think grep is your friend.
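As an added example, not taken from the answer above or from the libpcap source, this is the mechanism pcap_read_linux sits on top of: an AF_PACKET raw socket that hands you whole Ethernet frames, followed by bounds-checked parsing of the Ethernet and IP headers to identify the transport protocol. The two sample frames, the frame count and the function names are my own constructed assumptions; capturing needs root or CAP_NET_RAW, while the parser runs on any buffer.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample frames (not real captures): Ethernet+IPv4 carrying UDP (17), Ethernet+IPv6 carrying TCP (6). */
static const uint8_t SAMPLE_V4_UDP[42] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,
    0x45,0,0,0x1c, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2 };   /* rest: zeroed UDP header */
static const uint8_t SAMPLE_V6_TCP[54] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x86,0xdd,
    0x60,0,0,0, 0,0, 6, 64 };                                   /* rest: zeroed addresses */

/* Return the transport protocol number of one Ethernet frame (6 TCP, 17 UDP, 1 ICMP, 58 ICMPv6, ...)
 * or -1 if it is not IP or is truncated. Lengths are checked before every header read. */
int classify_frame(const uint8_t *buf, size_t len) {
    struct ethhdr eth; struct iphdr ip4; struct ip6_hdr ip6;
    if (len < sizeof eth) return -1;
    memcpy(&eth, buf, sizeof eth);                   /* memcpy: no unaligned struct access */
    const uint8_t *l3 = buf + sizeof eth; size_t rem = len - sizeof eth;
    uint16_t type = ntohs(eth.h_proto);
    if (type == ETH_P_IP && rem >= sizeof ip4) {
        memcpy(&ip4, l3, sizeof ip4);
        return (ip4.version == 4 && ip4.ihl >= 5 && ip4.ihl * 4u <= rem) ? ip4.protocol : -1;
    }
    if (type == ETH_P_IPV6 && rem >= sizeof ip6) {
        memcpy(&ip6, l3, sizeof ip6);
        return ip6.ip6_nxt;                          /* extension headers are not walked here */
    }
    return -1;                                       /* non-IP (ARP, VLAN-tagged, ...) or truncated */
}

/* Capture `count` frames from all interfaces on an AF_PACKET socket (needs root or CAP_NET_RAW). */
int sniff(int count) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return -1; }
    uint8_t buf[65536]; int seen = 0; ssize_t n;
    while (seen < count && (n = recv(fd, buf, sizeof buf, 0)) > 0) {
        printf("%5zd bytes  protocol %d\n", n, classify_frame(buf, (size_t)n));
        seen++;
    }
    close(fd);
    return seen;                                     /* frames classified, or -1 on socket failure */
}

int main(void) { return sniff(10) < 0 ? 1 : 0; }
```

Compile with `gcc -Wall sniff.c -o sniff` and run it as root (or with CAP_NET_RAW) to see ten live frames; the parser alone can be exercised against the sample frames without privileges.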

-1
votes

Why don't you use Wireshark? It has packages for Arch Linux and is really fun to work with. I've used it myself with favorable results.

https://wiki.archlinux.org/index.php/Wireshark