Date:      Mon, 06 Jan 2003 18:42:26 -0800
From:      Lev Walkin <vlm@netli.com>
To:        Abdul Basit <basit@basit.cc>
Cc:        net@freebsd.org
Subject:   Re: raw socket/icmp-echo
Message-ID:  <3E1A3E92.6030607@netli.com>
References:  <20030105052449.K49935-100000@wireless.cs.twsu.edu>

Abdul Basit wrote:
> Hello,
> 
>  I was trying to learn raw sockets, I wrote a simple program
> to get all icmp packets and display ..
> 
> -- program
> 
> int
> main(void)
> {
>         int             sockfd;
>         int             ip_len;
>         char            *buf;
>         int             n;
>         struct icmp    *icmp;
>         struct ip      *ip;
> 
>         buf = (char*) malloc(sizeof(struct ip)+sizeof(struct icmp));
> 
>         sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
> 

Please make a habit of checking the return values.

To answer your question:
(W. Richard Stevens)

The semantics of BSD raw sockets are:
- TCP and UDP: no one other than the kernel gets these.
- ICMP: a copy of each ICMP gets passed to each matching raw socket, 
except for a few that the kernel generates the reply for: ICMP echo 
request, timestamp request, and mask request.
- IGMP: all of these get passed to all matching raw sockets.
- all other protocols that the kernel doesn't deal with (OSPF, etc.): 
these all get passed to all matching raw sockets.

Also read
http://www.whitefang.com/rin/rawfaq.html

> 
> Also, if anyone knows of any good tutorial on bpf, let me know the URL (some
> simple example for capturing will be good .. I read the bpf manpage, it seems
> a little obscure to me).

Consider using libpcap - this is the portable library that uses
bpf, raw socket, packet socket or whatever packet source is available
for the particular platform.

A pcap tutorial is available here:
http://reactor-core.org/security/libpcap-tutorial.html

After you become familiar with libpcap, the bpf manual page will not
seem obscure at all.

Also, look at the trafd or ipcad daemons in the ports collection
(/usr/ports/net).


-- 
Lev Walkin
vlm@netli.com
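
An added example, not part of the original e-mail or either poster's code: a raw ICMP receiver with checked return values, a bounds-checked lookup of the ICMP type that honours the IP header length field, and the quoted BSD delivery rule as a predicate. The names raw_socket_sees and icmp_type_of and the T_* constants are made up for this sketch; running main needs root privileges.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* ICMP request types the kernel answers itself (per the Stevens quote). */
enum { T_ECHO_REQ = 8, T_TSTAMP_REQ = 13, T_MASK_REQ = 17 };

/* 1 if a BSD raw ICMP socket gets a copy of this type, 0 if the kernel keeps it. */
int raw_socket_sees(uint8_t type)
{
    return !(type == T_ECHO_REQ || type == T_TSTAMP_REQ || type == T_MASK_REQ);
}

/* Find the ICMP type in a datagram as read from a raw socket (IP header
 * first). Returns the type, or -1 if the buffer is too short or malformed.
 * Length checks use the recv() byte count, not the header's length field. */
int icmp_type_of(const unsigned char *pkt, size_t len)
{
    size_t hlen;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                       /* not a full IPv4 header */
    hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* header length including options */
    if (hlen < 20 || len < hlen + 8)
        return -1;                       /* no room for the 8-byte ICMP header */
    if (pkt[9] != IPPROTO_ICMP)
        return -1;
    return pkt[hlen];
}

int main(void)
{
    unsigned char buf[65535];            /* largest possible IPv4 datagram */
    ssize_t n;
    int type, fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

    if (fd < 0) {                        /* fails without root privileges */
        perror("socket");
        return EXIT_FAILURE;
    }
    while ((n = recv(fd, buf, sizeof buf, 0)) >= 0)
        if ((type = icmp_type_of(buf, (size_t)n)) >= 0)
            printf("ICMP type %d (%zd bytes)\n", type, n);
    perror("recv");
    close(fd);
    return EXIT_FAILURE;
}
```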

