About the function "recvfrom" and NIC

Issues related to configuring your network
jadewang
Posts: 4
Joined: 2012/03/26 14:06:08

About the function "recvfrom" and NIC

Post by jadewang » 2012/03/26 14:17:52

In a sniffer program I use the function "recvfrom" to catch the packet. But the NIC will be down when the program runs to this sentence as I run it in gdb mode.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

About the function "recvfrom" and NIC

Post by pschaff » 2012/03/26 14:43:54

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

Hard to guess what may be wrong with no more information than you have provided. Is this code you are developing yourself? Have you looked at the numerous options for network monitoring and packet sniffing packages in available repos? Any reason not to use one of those?

jadewang
Posts: 4
Joined: 2012/03/26 14:06:08

Re: About the function "recvfrom" and NIC

Post by jadewang » 2012/03/27 07:52:32

I'm a freshman in Linux and am now using CentOS to learn network programming. The sniffer is a common program that I can find on many websites. I just want to run the program on my computer (in VMware). The code is as follows.
[code]#include <errno.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <time.h>
#include <unistd.h>
int main(){
int sock,n; unsigned char buffer[2048]; unsigned char *iphead, *ethhead; struct ifreq ethreq;
if((sock=socket(PF_PACKET,SOCK_RAW,htons(ETH_P_IP)))==-1){ perror("socket"); exit(1); }
ethreq.ifr_flags|=IFF_PROMISC;
strncpy(ethreq.ifr_name,"eth0",IFNAMSIZ);
if (ioctl(sock,SIOCSIFFLAGS,&ethreq)==-1){ perror("ioctl"); close(sock); exit(1); }
while(1){
n=recvfrom(sock,buffer,2048,0,NULL,NULL);
if(n<42){
printf("recvfrom() error\n");exit(0);}
ethhead = buffer;
printf("Destination MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n",ethhead[0],ethhead[1],ethhead[2],ethhead[3],ethhead[4],ethhead[5]);
printf("Source MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n",ethhead[6],ethhead[7],ethhead[8],ethhead[9],ethhead[10],ethhead[11]);
iphead = buffer+14;
if (*iphead==0x45) {
printf("Source host %d.%d.%d.%d\n",iphead[12],iphead[13],iphead[14],iphead[15]);
printf("Dest host %d.%d.%d.%d\n",iphead[16],iphead[17],iphead[18],iphead[19]);
printf("Source,Dest ports %d,%d\n",(iphead[20]<<8)+iphead[21],(iphead[22]<<8)+iphead[23]);
printf("Layer-4 protocol %d\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n",iphead[9]);
} } }[/code]

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: About the function "recvfrom" and NIC

Post by pschaff » 2012/03/27 11:56:52

OK - now we know why you are doing this. Please explain what you mean by "the NIC will be down when the program running to this sentence as I run it in gdb mode."

It would still be best to start with a program known to work on EL6.

OT: Proper formatting sure makes code easier to follow:
[code]
#include <errno.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <time.h>
#include <unistd.h>   /* close() */

int main(){

    int sock,n; unsigned char buffer[2048]; unsigned char *iphead, *ethhead; struct ifreq ethreq;

    /* raw packet socket receiving IPv4 frames with the Ethernet header included */
    if((sock=socket(PF_PACKET,SOCK_RAW,htons(ETH_P_IP)))==-1){
        perror("socket"); exit(1);
    }

    /* ifr_flags is never read from the kernel (SIOCGIFFLAGS) before the OR,
       so SIOCSIFFLAGS below writes back whatever the uninitialized field held
       plus IFF_PROMISC */
    ethreq.ifr_flags|=IFF_PROMISC;
    strncpy(ethreq.ifr_name,"eth0",IFNAMSIZ);

    if (ioctl(sock,SIOCSIFFLAGS,&ethreq)==-1){
        perror("ioctl"); close(sock); exit(1);
    }

    while(1){
        n=recvfrom(sock,buffer,2048,0,NULL,NULL);
        /* 14-byte Ethernet header + 20-byte IPv4 header + 8 bytes of layer 4 */
        if(n<42){
            printf("recvfrom() error\n");exit(0);
        }

        /* Ethernet header: destination MAC first, then source MAC */
        ethhead = buffer;
        printf("Destination MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n",ethhead[0],ethhead[1],ethhead[2],ethhead[3],ethhead[4],ethhead[5]);
        printf("Source MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n",ethhead[6],ethhead[7],ethhead[8],ethhead[9],ethhead[10],ethhead[11]);
        iphead = buffer+14;

        /* 0x45: IPv4 with a 20-byte header, so the ports sit at offset 20 */
        if (*iphead==0x45) {
            printf("Source host %d.%d.%d.%d\n",iphead[12],iphead[13],iphead[14],iphead[15]);
            printf("Dest host %d.%d.%d.%d\n",iphead[16],iphead[17],iphead[18],iphead[19]);
            printf("Source,Dest ports %d,%d\n",(iphead[20]<<8)+iphead[21],(iphead[22]<<8)+iphead[23]);
            printf("Layer-4 protocol %d\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n",iphead[9]);
        }
    }
}
[/code]

jadewang
Posts: 4
Joined: 2012/03/26 14:06:08

Re: About the function "recvfrom" and NIC

Post by jadewang » 2012/03/27 13:52:05

(⊙o⊙)…
I mean the NIC (Network Interface Card) is turned off after running this program. I have to use the command

[code]ifconfig eth1 up[/code]

to turn on the NIC so I can catch packets. I debugged the program using gdb and I found that after this sentence

[code]n=recvfrom(sock,buffer,2048,0,NULL,NULL);[/code]

the NIC is off.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: About the function "recvfrom" and NIC

Post by pschaff » 2012/03/27 14:39:55

OK - that's clear, but I have no idea why. Perhaps someone who knows something about this can now help.

Meanwhile - some other examples you might study:
[code]# yum --noplugins --showduplicates --enablerepo \* --disablerepo c6-media,\*debug\*,\*-source search sniffer
...
============================= N/S Matched: sniffer =============================
perl-Sniffer-HTTP-0.19-1.el6.rf.noarch : Multi-connection sniffer driver
ettercap-0.7.3-2.el6.rf.x86_64 : Multipurpose sniffer/interceptor/logger for
: switched LAN
ettercap-0.7.4-3.el6.x86_64 : Network traffic sniffer/analyser, NCURSES
: interface version
ettercap-common-0.7.4-3.el6.x86_64 : Common files for Ettercap, Network traffic
: sniffer/analyser
ettercap-gtk-0.7.4-3.el6.x86_64 : Network traffic sniffer/analyser, gtk
: interface version
httpry-0.1.5-4.el6.x86_64 : A specialized packet sniffer designed for displaying
: and logging HTTP traffic
httpry-0.1.7-1.el6.x86_64 : A specialized packet sniffer designed for displaying
: and logging HTTP traffic
kismet-3.0.1-201007r1.1.el6.rf.x86_64 : 802.11 (wireless) network sniffer and
: network dissector
kismet-3.0.1-201101r1.1.el6.rf.x86_64 : 802.11 (wireless) network sniffer and
: network dissector
netsniff-ng-0.5.5.0-2.el6.x86_64 : A high performance network sniffer for packet
: inspection
php-pear-PHP-CodeSniffer-1.3.1-2.el6.remi.noarch : PHP coding standards
: enforcement tool
php-pear-PHP-CodeSniffer-1.3.3-1.el6.noarch : PHP coding standards enforcement
: tool
php-pear-PHP-CodeSniffer-1.3.3-1.el6.remi.noarch : PHP coding standards
: enforcement tool
slsnif-0.4.4-1.el6.rf.x86_64 : Serial line Sniffer
tcpick-0.2.1-1.2.el6.rf.x86_64 : TCP stream sniffer and connection tracker
tcpick-0.2.1-17.el6.x86_64 : A tcp stream sniffer, tracker and capturer
tcptrack-1.4.0-1.el6.rf.x86_64 : Packet sniffer which displays TCP information
: like the 'top' command

Name and summary matches only, use "search all" for everything.

# yum --noplugins --showduplicates --enablerepo \* --disablerepo c6-media,\*debug\*,\*-source info \
perl-Sniffer-HTTP ettercap httpry kismet netsniff-ng tcpick tcptrack
Available Packages
Name : ettercap
Arch : x86_64
Version : 0.7.3
Release : 2.el6.rf
Size : 731 k
Repo : rpmforge
Summary : Multipurpose sniffer/interceptor/logger for switched LAN
URL : http://ettercap.sourceforge.net/
License : GPL
Description : Ettercap is a multipurpose sniffer/interceptor/logger for switched
: LAN. It supports active and passive dissection of many protocols
: (even ciphered ones) and includes many feature for network and
: host analysis.

Name : ettercap
Arch : x86_64
Version : 0.7.4
Release : 3.el6
Size : 174 k
Repo : epel
Summary : Network traffic sniffer/analyser, NCURSES interface version
URL : http://ettercap.sourceforge.net
License : GPLv2+
Description : Ettercap is a suite for man in the middle attacks on LAN. It
: features sniffing of live connections, content filtering on the
: fly and many other interesting tricks. It supports active and
: passive dissection of many protocols (even ciphered ones) and
: includes many feature for network and host analysis.
:
: This package contains the NCURSES version.

Name : httpry
Arch : x86_64
Version : 0.1.5
Release : 4.el6
Size : 30 k
Repo : epel
Summary : A specialized packet sniffer designed for displaying and logging
: HTTP traffic
URL : http://dumpsterventures.com/jason/httpry/
License : GPLv2 and BSD
Description : httpry is a specialized packet sniffer designed for displaying and
: logging HTTP traffic. It is not intended to perform analysis
: itself, but to capture, parse, and log the traffic for later
: analysis. It can be run in real-time displaying the traffic as it
: is parsed, or as a daemon process that logs to an output file. It
: is written to be as lightweight and flexible as possible, so that
: it can be easily adaptable to different applications.

Name : httpry
Arch : x86_64
Version : 0.1.7
Release : 1.el6
Size : 34 k
Repo : epel-testing
Summary : A specialized packet sniffer designed for displaying and logging
: HTTP traffic
URL : http://dumpsterventures.com/jason/httpry/
License : GPLv2 and BSD
Description : httpry is a specialized packet sniffer designed for displaying and
: logging HTTP traffic. It is not intended to perform analysis
: itself, but to capture, parse, and log the traffic for later
: analysis. It can be run in real-time displaying the traffic as it
: is parsed, or as a daemon process that logs to an output file. It
: is written to be as lightweight and flexible as possible, so that
: it can be easily adaptable to different applications.

Name : kismet
Arch : x86_64
Version : 3.0.1
Release : 201007r1.1.el6.rf
Size : 7.7 M
Repo : rpmforge
Summary : 802.11 (wireless) network sniffer and network dissector
URL : http://www.kismetwireless.net/
License : GPL
Description : Kismet is an 802.11 (wireless) network sniffer and network
: dissector. It is capable of sniffing using most wireless cards,
: automatic network IP block detection via UDP, ARP, and DHCP
: packets, Cisco equipment lists via Cisco Discovery Protocol, weak
: cryptographic packet logging, and Ethereal and tcpdump compatible
: packet dump files.

Name : kismet
Arch : x86_64
Version : 3.0.1
Release : 201101r1.1.el6.rf
Size : 7.7 M
Repo : rpmforge
Summary : 802.11 (wireless) network sniffer and network dissector
URL : http://www.kismetwireless.net/
License : GPL
Description : Kismet is an 802.11 (wireless) network sniffer and network
: dissector. It is capable of sniffing using most wireless cards,
: automatic network IP block detection via UDP, ARP, and DHCP
: packets, Cisco equipment lists via Cisco Discovery Protocol, weak
: cryptographic packet logging, and Ethereal and tcpdump compatible
: packet dump files.

Name : netsniff-ng
Arch : x86_64
Version : 0.5.5.0
Release : 2.el6
Size : 209 k
Repo : epel
Summary : A high performance network sniffer for packet inspection
URL : http://netsniff-ng.org/
License : GPLv2+
Description : netsniff-ng is a high performance linux network sniffer for packet
: inspection. Basically, it is similar to tcpdump, but it doesn't
: need one syscall per packet. Instead, it uses an memory mapped
: area within kernelspace for accessing packets without copying them
: to userspace (zero-copy mechanism).
:
: This tool is useful for debugging your network, measuring
: performance throughput or creating network statistics of incoming
: packets on central network nodes like routers or firewalls.

Name : perl-Sniffer-HTTP
Arch : noarch
Version : 0.19
Release : 1.el6.rf
Size : 31 k
Repo : rpmforge
Summary : Multi-connection sniffer driver
URL : http://search.cpan.org/dist/Sniffer-HTTP/
License : Artistic/GPL
Description : A multi-connection sniffer driver.

Name : tcpick
Arch : x86_64
Version : 0.2.1
Release : 1.2.el6.rf
Size : 44 k
Repo : rpmforge
Summary : TCP stream sniffer and connection tracker
URL : http://tcpick.sourceforge.net/
License : GPL
Description : tcpick is a textmode sniffer that can track tcp streams and saves
: the data captured in files or displays them in the terminal.
: Useful for picking files in a passive way.
:
: It can store all connections in different files, or it can display
: all the stream on the terminal. It is useful to keep track of what
: users of a network are doing, and is usable with textmode tools
: like grep, sed, awk.

Name : tcpick
Arch : x86_64
Version : 0.2.1
Release : 17.el6
Size : 48 k
Repo : epel
Summary : A tcp stream sniffer, tracker and capturer
URL : http://tcpick.sourceforge.net/
License : GPLv2+
Description : tcpick is a textmode sniffer that can track tcp streams and saves
: the data captured in files or displays them in the terminal.
: Useful for picking files in a passive way.
:
: It can store all connections in different files, or it can display
: all the stream on the terminal. It is useful to keep track of what
: users of a network are doing, and is usable with textmode tools
: like grep, sed and awk. It can handle eth and ppp interfaces.

Name : tcptrack
Arch : x86_64
Version : 1.4.0
Release : 1.el6.rf
Size : 46 k
Repo : rpmforge
Summary : Packet sniffer which displays TCP information like the 'top'
: command
URL : http://www.rhythm.cx/~steve/devel/tcptrack/
License : GPL
Description : tcptrack is a sniffer which displays information about TCP
: connections it sees on a network interface. It passively watches
: for connections on the network interface, keeps track of their
: state and displays a list of connections in a manner similar to
: the unix 'top' command. It displays source and destination
: addresses and ports, connection state, idle time, and bandwidth
: usage.[/code]
Source RPMS should be available for all of the above. See [url=http://wiki.centos.org/HowTos/RebuildSRPM]How to Rebuild a Source RPM[/url] for more information about dealing with them.

jadewang
Posts: 4
Joined: 2012/03/26 14:06:08

Re: About the function "recvfrom" and NIC

Post by jadewang » 2012/03/28 02:23:46

Thank you for your kindness. Besides, I ran this program on Ubuntu and the NIC is not turned off. :-D

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: About the function "recvfrom" and NIC

Post by pschaff » 2012/03/28 13:33:02

You are welcome. I'm not sure what the differences may be but Ubuntu is almost certainly using a different kernel, and thus different drivers or driver versions. This brings up the point that we don't know much about your system. If more help is needed then please [url=http://www.centos.org/modules/newbb/viewtopic.php?topic_id=28723&forum=54]provide more information[/url] by running "./getinfo.sh" and showing us the output file.
