Ethereal-dev: Re: [ethereal-dev] Need some advice and help getting started with real time pack

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Craig Rodrigues <rodrigc@xxxxxxxxxxxx>
Date: Sat, 1 Apr 2000 12:08:27 -0500
On Sat, Apr 01, 2000 at 01:08:11AM -0600, Nathan Good wrote:
> Linux box (Caldera 2.3 Open Linux)
> 
> What I want to do:
> look at all UDP packets coming across wire in real time ( To be run all the
> time)
> If packet data contains such and such, capture this data to a C struct or
> something, and pass it to my client program for processing.

Caldera 2.3 is based on Linux kernel 2.2, so you have a few
options available to you.

- You could try to use pcap (man 3 pcap).  pcap is a good way to go
  if you want your code to remain portable across different platforms.
  In my opinion, the Linux support in libpcap (at http://www.tcpdump.org)
  is currently in a state of flux, so relying on pcap may not be the way to go.

- Since you are using Linux 2.2, you could try to use raw sockets of type
  PF_PACKET.  There is a program called iptraf
  (http://cebu.mozcom.com/riker/iptraf/) which uses PF_PACKET quite extensively,
  so you could grab the source for that and see what they are doing.
  You could also read the man page for PF_PACKET (man 4 packet, man 7 packet).
  iptraf works fairly well, so I think this is a good way to go.

- For your own personal knowledge, you may wish to read about Netfilter,
  which is the new grand architecture for doing packet capture in
  the Linux 2.3/2.4 series of kernels.  I wrote a paper for it
  at: http://www.gis.net/~craigr/netfilter_paper.pdf, and you can see
  the Netfilter home page at: http://netfilter.kernelnotes.org

Also, in your application, you did not mention if you want to block
certain UDP packets from traversing the protocol stack, based on
the contents of the packet.  This can affect how you do things, since this
is a firewall type of activity.  Raw sockets allow you to look at
things before they enter the protocol stack, but they don't let you
block things from entering the protocol stack.
-- 
Craig Rodrigues
http://www.gis.net/~craigr
rodrigc@xxxxxxxxxxxx
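As an added example (not code from the thread or from iptraf), here is the PF_PACKET route applied to the poster's stated goal: read every frame off the wire, keep only IPv4/UDP packets whose payload contains a pattern, and copy the fields into a C struct for a client program. The marker string "HELLO", the struct layout and the function names are assumptions for illustration; the parser is kept separate from the socket loop so it can be exercised on a constructed frame without root.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__                         /* PF_PACKET is Linux-only; the parser below is portable */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#endif
#define MAX_PAYLOAD 1500
static const char MARKER[] = "HELLO";    /* assumed: the "such and such" the client program wants */
struct udp_record {                      /* assumed layout of the C struct handed to the client */
    uint32_t src_ip, dst_ip;             /* host byte order */
    uint16_t src_port, dst_port, len;    /* len = payload bytes actually copied */
    uint8_t  payload[MAX_PAYLOAD];
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static int has_marker(const uint8_t *p, size_t n) {          /* plain substring search */
    for (size_t i = 0, m = sizeof MARKER - 1; i + m <= n; i++)
        if (!memcmp(p + i, MARKER, m)) return 1;
    return 0;
}
/* Returns 1 and fills *rec if the frame is Ethernet II / IPv4 / UDP and the payload contains
 * MARKER, else 0. Every length is bounds-checked: a raw socket hands over whatever the wire carried. */
int parse_udp_frame(const uint8_t *f, size_t n, struct udp_record *rec) {
    if (n < 34 || rd16(f + 12) != 0x0800) return 0;         /* 14-byte Ethernet + 20-byte IPv4 minimum */
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4, tot = rd16(ip + 2);  /* IHL in 32-bit words, total length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl + 8 || 14 + tot > n || ip[9] != 17) return 0;
    const uint8_t *udp = ip + ihl;
    size_t ulen = rd16(udp + 4);                           /* UDP length includes its 8-byte header */
    if (ulen < 8 || ulen > tot - ihl || ulen - 8 > MAX_PAYLOAD) return 0;
    if (!has_marker(udp + 8, ulen - 8)) return 0;
    rec->src_ip = rd32(ip + 12);  rec->dst_ip = rd32(ip + 16);
    rec->src_port = rd16(udp);    rec->dst_port = rd16(udp + 2);
    rec->len = (uint16_t)(ulen - 8);  memcpy(rec->payload, udp + 8, rec->len);
    return 1;
}
int main(void) {
#ifdef __linux__   /* raw socket as the reply suggests: sees frames before the stack, blocks none; needs root */
    int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (s < 0) { perror("socket(PF_PACKET)"); return 1; }
    uint8_t buf[65536]; struct udp_record rec;
    for (ssize_t got; (got = recv(s, buf, sizeof buf, 0)) > 0; )   /* runs until recv fails */
        if (parse_udp_frame(buf, (size_t)got, &rec))
            printf("udp %u -> %u: %u payload bytes matched\n", (unsigned)rec.src_port, (unsigned)rec.dst_port, (unsigned)rec.len);
#endif
    return 0;
}
```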