2
votes

I started a project that needs to use network-level packets such as IP/ICMP/UDP/TCP packets.

There are two main approaches to handling it: raw sockets and WinPcap/libpcap.

I know pcap installs a driver on the OS and allows the programmer to capture and send packets. On the other hand, there are raw sockets, which have some limitations in Windows 7 or above.

The project needs to send some IP/ICMP/UDP/TCP packets to a router and analyze the responses, such as IP-Identifier, TTL, ... Also, I want it to work on Linux and Windows.

Can you give a comparison of these two approaches?

2
Not enough for an answer, but raw sockets are not available on non-server versions of Windows after XP SP2 (under certain conditions), not just Windows 7. - Scott Chamberlain
In fact I do not know if the pcap driver can send data; I thought it can only capture. Using a Server OS for Windows may be a requirement to be able to Tx packets. This is because malware has abused this for so long they disabled it for everyone but servers (as an end user should never need to forge raw packets). - Scott Chamberlain

2 Answers

1
votes

If you want the code to be portable, then you can't use the raw socket API (which is rather different on Linux and Windows). Winpcap is generally compatible with libpcap, and the pcap API is generally reasonable, considering what it's doing.

0
votes

In your situation, RAW sockets will work, but you have to do something like:

```c
sock_raw_tcp = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
sock_raw_udp = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
sock_raw_icmp = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
```

You don't have an option like IP_PROTO_IP. Now, with RAW sockets, you will get only IP headers + transport-level headers but not Ethernet headers. So, if you are only interested in application-layer data and want to use the IP header for the IP address and TTL, and the transport header for port numbers etc., then it's OK. Keep in mind that for TCP you might have to do checksums and reassembly also. Some checksums will also be required for UDP.

However, WinPcap solves many management issues for you, since it uses a device driver to connect to your NIC's data link layer, or Layer 2. Here you will also get an Ethernet frame and won't have to open different types of RAW sockets. You will still have to apply the application-related logic of dealing with packets as you would on the network layer (Layer 3).
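
An added example, not part of the original answers: parsing the IPv4 header that a raw socket returns, to read the IP Identification and TTL fields the question asks about and to verify the header checksum. The struct, the function names and the sample packet bytes are constructed for illustration; the code uses only standard C headers so it builds on both Linux and Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of interest from an IPv4 header (hypothetical struct for this example). */
struct ipv4_info {
    uint8_t  ihl_bytes;    /* header length in bytes (20..60) */
    uint8_t  ttl;
    uint8_t  protocol;     /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint16_t id;           /* IP Identification, host byte order */
    uint16_t total_len;    /* total length claimed by the header */
    int      checksum_ok;  /* 1 if the header checksum verifies */
};

/* RFC 1071 one's-complement checksum; over a valid header it yields 0. */
static uint16_t inet_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 on success, -1 if buf cannot hold a well-formed IPv4 header. */
int parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_info *out) {
    if (len < 20 || (buf[0] >> 4) != 4) return -1;   /* too short / not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;            /* bad or truncated IHL */
    out->ihl_bytes   = (uint8_t)ihl;
    out->total_len   = (uint16_t)(buf[2] << 8 | buf[3]);
    out->id          = (uint16_t)(buf[4] << 8 | buf[5]);
    out->ttl         = buf[8];
    out->protocol    = buf[9];
    out->checksum_ok = inet_checksum(buf, ihl) == 0;
    return 0;
}

/* Constructed sample: header of an ICMP packet, 192.0.2.1 -> 192.0.2.2. */
static const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x1c, 0x1c, 0x46, 0x00, 0x00, 0x40, 0x01,
    0xda, 0x97, 0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02 };

int main(void) {
    struct ipv4_info h;
    if (parse_ipv4(sample_pkt, sizeof sample_pkt, &h) != 0) return 1;
    printf("id=%u ttl=%u proto=%u checksum_ok=%d\n",
           (unsigned)h.id, (unsigned)h.ttl, (unsigned)h.protocol, h.checksum_ok);
    return 0;
}
```

The same parser applies to a frame captured with pcap once the link-layer header is skipped (14 bytes for untagged Ethernet).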