12-04-2011, 10:19 AM
Introduction
libpcap is an open source C library for capturing raw packets from a network interface (optionally putting the NIC in promiscuous mode so it also sees frames not addressed to it). It is the capture layer underneath tcpdump and Wireshark.
Today I’ll go over a few C gotchas and how to use the libpcap API
Any C programmers?
Planning to go to grad school?
Agenda
Installing libpcap
C stuff
Basic libpcap program
– Grab a device to sniff
– Filters/Event Loops
– Packet structure
Getting the library
Linux:
http://sourceforgeprojects/libpcap/
VC++: WinPcap http://winpcap.polito.it/install/default.htm
Cygwin: Wpcap (haven’t tried this)
http://rootlabswindump/
Install on Linux
gunzip libpcap-0.7.1.tar.gz
tar -xvf libpcap-0.7.1.tar
cd libpcap-0.7.1
./configure
make
make install (as root; otherwise point your compiler and linker at the build directory)
Install for Windows VC++
Get both Developer's pack download and
Windows 95/98/ME/NT/2000/XP install package.
Run install and reboot (this installs the .dll and inserts a page link in your registry).
You need to insert a copy of pcap.h into
C:\Program Files\Microsoft Visual
Studio\VC98\Include
(There is a copy of pcap.h in the Winpcap developer's pack in wpdpack/Include. In fact you can copy over all the .h files )
You also need to add the lib files.
Copy everything from wpdpack/Lib to
C:\Program Files\Microsoft Visual
Studio\VC98\Lib
go to Project -> Settings -> click on the Link tab, and type in wpcap.lib and wsock32.lib in addition to the lib files that are already there.
Avoiding C Gotchas
Always declare variables at the beginning of a block (C89 rule: no Java/C++ style mixing of declarations and statements!)
Nothing 'new': every malloc() needs a matching free()
Thing *p = malloc(sizeof(*p)); /* sizeof the object, not the pointer */
Always check the return value (no Exceptions!). malloc() returns NULL on failure, and most libpcap calls return NULL or -1 and write the reason into an error buffer you supply.
if (thing_didnt_work()) {
fprintf(stderr, "ERROR: thing didn't work\n");
exit(EXIT_FAILURE);
} /* if (thing_didnt_work) */
Output is formatted with printf(). The format string is interpreted at run time, so it must always be a literal you control, never data from the packet or the user.
char person[] = "baby";
printf("give me %d, %s\n", 5, person);
Get to the point!
Pass by reference explicitly: C passes everything by value, so a callee can only modify the caller's variable if you hand it the address.
- Pass-by-reference prototype: int doSomething( Thing *); called as doSomething(&myThing);
Finally…
C is NOT an object-oriented language
The most frequent data structure is a struct. Under the covers this is a contiguous block of bytes (possibly with alignment padding between fields), which is why a struct can be laid directly over a packet buffer. The header libpcap hands you with every packet:
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present (bounded by the snaplen) */
bpf_u_int32 len; /* length of the packet on the wire; can exceed caplen */
};
Never read further than caplen into the packet, whatever len says.
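The point about caplen versus len, as an added example that is not part of the slides: a callback with the signature pcap_loop() expects that parses the Ethernet header and refuses to touch bytes beyond caplen. So that it builds without libpcap installed, it defines a local mirror of struct pcap_pkthdr in the field order shown above (an assumption about the real header); in a real sniffer include <pcap.h> and delete the mirror and the typedef. The names parse_ethernet and got_packet and the sample frame bytes are constructed for this example.

```c
/* Added example (not from the slides): a pcap_handler-style callback that
 * parses the Ethernet header without ever reading past caplen.  So that it
 * compiles without libpcap installed, it defines a local mirror of
 * struct pcap_pkthdr with the field order shown above (assumption).  In a
 * real sniffer #include <pcap.h> and delete the mirror and the typedef. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/time.h>

typedef uint32_t bpf_u_int32;

struct pcap_pkthdr {
    struct timeval ts;   /* time stamp */
    bpf_u_int32 caplen;  /* bytes actually captured, never more than snaplen */
    bpf_u_int32 len;     /* bytes that were on the wire, may exceed caplen */
};

#define ETH_HDR_LEN 14

struct eth_info {
    unsigned char dst[6];
    unsigned char src[6];
    uint16_t type;       /* EtherType in host byte order */
    int truncated;       /* 1 if the capture was cut short (len > caplen) */
};

/* Returns 0 and fills *out, or -1 if fewer than ETH_HDR_LEN bytes were
 * captured.  The bound is caplen: len says how big the frame WAS, not how
 * many bytes sit behind the pointer. */
int parse_ethernet(const struct pcap_pkthdr *h, const unsigned char *bytes,
                   struct eth_info *out)
{
    if (h->caplen < ETH_HDR_LEN) {
        fprintf(stderr, "ERROR: caplen %u < %d, header is incomplete\n",
                (unsigned)h->caplen, ETH_HDR_LEN);
        return -1;
    }
    memcpy(out->dst, bytes, 6);
    memcpy(out->src, bytes + 6, 6);
    out->type = (uint16_t)((bytes[12] << 8) | bytes[13]);  /* network order */
    out->truncated = h->len > h->caplen;
    return 0;
}

/* Callback with the signature pcap_loop() expects.  The user pointer is
 * whatever you passed to pcap_loop(); here it is a packet counter. */
void got_packet(unsigned char *user, const struct pcap_pkthdr *h,
                const unsigned char *bytes)
{
    struct eth_info e;
    int *count = (int *)user;

    (*count)++;
    if (parse_ethernet(h, bytes, &e) != 0)
        return;                               /* skip it, don't crash */
    printf("#%d %02x:%02x:%02x:%02x:%02x:%02x -> "
           "%02x:%02x:%02x:%02x:%02x:%02x type 0x%04x len %u caplen %u%s\n",
           *count,
           e.src[0], e.src[1], e.src[2], e.src[3], e.src[4], e.src[5],
           e.dst[0], e.dst[1], e.dst[2], e.dst[3], e.dst[4], e.dst[5],
           e.type, (unsigned)h->len, (unsigned)h->caplen,
           e.truncated ? " (truncated)" : "");
}

/* Constructed sample: the first 20 bytes of a broadcast ARP request, as a
 * 64-byte frame would arrive through a capture opened with snaplen 20. */
static const unsigned char sample_frame[20] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* dst: broadcast */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* src */
    0x08, 0x06,                           /* EtherType: ARP */
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04    /* start of the ARP body */
};

int main(void)
{
    struct pcap_pkthdr h;
    int count = 0;

    memset(&h, 0, sizeof h);
    h.caplen = sizeof sample_frame;
    h.len = 64;
    got_packet((unsigned char *)&count, &h, sample_frame);

    h.caplen = 10;               /* too short for an Ethernet header */
    got_packet((unsigned char *)&count, &h, sample_frame);
    return 0;
}
```

The same rule applies one layer down: before reading an IP or TCP header at an offset, check that offset plus the header size against caplen, not len, because a small snaplen or a runt frame leaves fewer bytes in the buffer than the wire length suggests.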
Overview of libpcap
What to include and how to compile
Going Live
Main Event Loop
Reading from a packet
Filters
What to include and how to compile
gcc sniff.c -lpcap -o sniff
You must be root or admin to open a live capture (on Linux the CAP_NET_RAW capability is enough, plus CAP_NET_ADMIN for promiscuous mode). Reading a saved capture with pcap_open_offline() needs no privileges.
Some headers I've used.
#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/if_ether.h>