Date: Mon, 06 Jan 2003 18:42:26 -0800
From: Lev Walkin
Organization: Netli, Inc.
To: Abdul Basit
Cc: net@freebsd.org
Subject: Re: raw socket/icmp-echo
Message-ID: <3E1A3E92.6030607@netli.com>
References: <20030105052449.K49935-100000@wireless.cs.twsu.edu>

Abdul Basit wrote:
> Hello,
>
> I was trying to learn raw sockets, I wrote a simple program
> to get all icmp packets and display ..
>
> -- program
>
> int
> main(void)
> {
>     int sockfd;
>     int ip_len;
>     char *buf;
>     int n;
>     struct icmp *icmp;
>     struct ip *ip;
>
>     buf = (char*) malloc(sizeof(struct ip)+sizeof(struct icmp));
>
>     sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
>

Please make a habit of checking the return values.

To answer your question:

(W. Richard Stevens)
The semantics of BSD raw sockets are:

- TCP and UDP: no one other than the kernel gets these.
- ICMP: a copy of each ICMP gets passed to each matching raw socket,
  except for a few that the kernel generates the reply for: ICMP echo
  request, timestamp request, and mask request.
- IGMP: all of these get passed to all matching raw sockets.
- all other protocols that the kernel doesn't deal with (OSPF, etc.):
  these all get passed to all matching raw sockets.

Also read http://www.whitefang.com/rin/rawfaq.html

>
> Also, if anyone knows any good tutorial on bpf, let me know the url (some
> simple example for capturing will be good .. i read bpf manpage, it seems
> a little obscure to me).

Consider using libpcap - this is the portable library that uses bpf,
raw socket, packet socket or whatever packet source is available
for the particular platform.

A pcap tutorial is available here:
http://reactor-core.org/security/libpcap-tutorial.html

After you become familiar with libpcap, the bpf manual page will not seem
obscure at all.

Also, look at the trafd or ipcad daemons in the ports collection
(/usr/ports/net).

-- 
Lev Walkin
vlm@netli.com
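
Added example, not part of the original message and not code from either poster: a bounds-checked parser for a buffer as read from socket(AF_INET, SOCK_RAW, IPPROTO_ICMP), plus a check that encodes the raw-socket ICMP delivery rule quoted above. The function names icmp_type_of and raw_socket_sees are hypothetical, and the sample packet is constructed (its IP checksum is left at zero and is not verified).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ICMP types the kernel replies to itself, per the semantics quoted above. */
enum { T_ECHO_REQ = 8, T_TSTAMP_REQ = 13, T_MASK_REQ = 17 };

/* Returns 1 if a BSD raw ICMP socket gets a copy of this type, else 0. */
int raw_socket_sees(uint8_t icmp_type)
{
    return !(icmp_type == T_ECHO_REQ || icmp_type == T_TSTAMP_REQ ||
             icmp_type == T_MASK_REQ);
}

/*
 * A raw ICMP socket hands back the IPv4 header followed by the ICMP
 * message. Returns the ICMP type (0..255), or -1 if the buffer is too
 * short or malformed. The header length is taken from the packet, since
 * IP options make the header longer than 20 bytes.
 */
int icmp_type_of(const uint8_t *buf, size_t n)
{
    size_t hlen;

    if (n < 20 || (buf[0] >> 4) != 4)      /* need a full IPv4 header */
        return -1;
    hlen = (size_t)(buf[0] & 0x0f) * 4;    /* header length in bytes */
    if (hlen < 20 || n < hlen + 8)         /* 8 = minimum ICMP header */
        return -1;
    if (buf[9] != 1)                       /* protocol field: 1 = ICMP */
        return -1;
    return buf[hlen];                      /* first ICMP byte is the type */
}

/* Constructed sample: 20-byte IPv4 header + ICMP echo reply (type 0). */
static const uint8_t sample_reply[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0,
    192, 0, 2, 1, 192, 0, 2, 2,
    0, 0, 0xff, 0xff, 0, 0, 0, 0
};

int main(void)
{
    int t = icmp_type_of(sample_reply, sizeof sample_reply);

    if (t < 0) {
        fprintf(stderr, "short or malformed packet\n");
        return 1;
    }
    printf("type %d, seen by raw socket: %d\n", t, raw_socket_sees((uint8_t)t));
    return 0;
}
```

In a real receiver the same length check applies to the byte count returned by recvfrom(), after checking that socket() and recvfrom() themselves did not return -1.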