Ethereal-dev: Re: [ethereal-dev] Need some advice and help getting started with real time pack
On Sat, Apr 01, 2000 at 01:08:11AM -0600, Nathan Good wrote:
> Linux box (Caldera 2.3 Open Linux)
>
> What I want to do:
> look at all UDP packets coming across wire in real time ( To be run all the
> time)
> If packet data contains such and such, capture this data to a C struct or
> something, and pass it to my client program for processing.
Caldera 2.3 is based on Linux kernel 2.2, so you have a few
options available to you.
- You could try to use pcap (man 3 pcap). pcap is a good way to go
if you want your code to remain portable across different platforms.
In my opinion, the Linux support in libpcap (at http://www.tcpdump.org)
is currently in a state of flux, so relying on pcap may not be the way to go.
- Since you are using Linux 2.2, you could try to use raw sockets of type
PF_PACKET. There is a program called iptraf
(http://cebu.mozcom.com/riker/iptraf/) which uses PF_PACKET quite extensively,
so you could grab the source for that and see what they are doing.
You could also read the man page for PF_PACKET (man 4 packet, man 7 packet).
iptraf works fairly well, so I think this is a good way to go.
- For your own personal knowledge, you may wish to read about Netfilter,
which is the new grand architecture for doing packet capture in
the Linux 2.3/2.4 series of kernels. I wrote a paper for it
at: http://www.gis.net/~craigr/netfilter_paper.pdf, and you can see
the Netfilter home page at: http://netfilter.kernelnotes.org
Also, in your application, you did not mention if you want to block
certain UDP packets from traversing the protocol stack, based on
the contents of the packet. This can affect how you do things, since this
is a firewall type of activity. Raw sockets allow you to look at
things before they enter the protocol stack, but they don't let you
block things from entering the protocol stack.
--
Craig Rodrigues
http://www.gis.net/~craigr
rodrigc@xxxxxxxxxxxx
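The PF_PACKET approach suggested above, as an added example that is not code from this thread, from iptraf or from libpcap: open a PF_PACKET/SOCK_RAW socket, read every frame off the wire, walk the Ethernet, IPv4 and UDP headers with bounds checks, and copy the interesting fields into a C struct when the payload contains a given byte string. The parsing is split from the socket I/O so it can be exercised on a constructed frame without root. The socket part assumes Linux (PF_PACKET, ETH_P_ALL) and needs root (CAP_NET_RAW); the `match_udp_frame`, `sniff_udp` and `udp_match` names, and the sample frame, are mine, not the thread's.

```c
/* Added example: sniff UDP packets with a Linux PF_PACKET raw socket and
 * extract matching packets into a C struct. Not from the original thread. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/if_ether.h>   /* ETH_P_ALL: receive every protocol on every interface */
#endif

#define ETH_HDR_LEN 14
#define IP_PROTO_UDP 17

/* What gets handed to the client program for a matching packet. */
struct udp_match {
    char src_ip[INET_ADDRSTRLEN];
    char dst_ip[INET_ADDRSTRLEN];
    uint16_t src_port, dst_port;
    const unsigned char *payload;  /* points into the caller's frame buffer */
    size_t payload_len;
};

/* Portable memmem(): locate needle inside hay[0..hlen). */
static const unsigned char *find_bytes(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Returns 1 and fills *m when frame[0..len) is an unfragmented IPv4/UDP packet
 * whose payload contains needle; 0 otherwise. Every length is checked against
 * the bytes actually received, never trusted from the headers alone. */
int match_udp_frame(const unsigned char *frame, size_t len, const char *needle, struct udp_match *m)
{
    if (len < ETH_HDR_LEN + 20 + 8) return 0;             /* too short for Eth+IP+UDP */
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0; /* EtherType 0x0800 = IPv4 */
    const unsigned char *ip = frame + ETH_HDR_LEN;
    size_t iplen = len - ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;              /* header length incl. options */
    if (ihl < 20 || ihl + 8 > iplen) return 0;
    uint16_t tot = (uint16_t)((ip[2] << 8) | ip[3]);      /* IP total length */
    if (tot < ihl + 8 || tot > iplen) return 0;
    if (ip[9] != IP_PROTO_UDP) return 0;
    uint16_t frag = (uint16_t)(((ip[6] & 0x1f) << 8) | ip[7]);
    if (frag != 0 || (ip[6] & 0x20)) return 0;            /* skip fragments (offset != 0 or MF set) */
    const unsigned char *udp = ip + ihl;
    uint16_t ulen = (uint16_t)((udp[4] << 8) | udp[5]);   /* UDP length incl. 8-byte header */
    if (ulen < 8 || ulen > tot - ihl) return 0;
    const unsigned char *payload = udp + 8;
    size_t plen = ulen - 8;
    if (!find_bytes(payload, plen, needle)) return 0;
    struct in_addr a;
    memcpy(&a, ip + 12, 4); inet_ntop(AF_INET, &a, m->src_ip, sizeof m->src_ip);
    memcpy(&a, ip + 16, 4); inet_ntop(AF_INET, &a, m->dst_ip, sizeof m->dst_ip);
    m->src_port = (uint16_t)((udp[0] << 8) | udp[1]);
    m->dst_port = (uint16_t)((udp[2] << 8) | udp[3]);
    m->payload = payload;
    m->payload_len = plen;
    return 1;
}

/* Constructed sample frame (not a real capture): 192.168.1.10:12345 -> 192.168.1.20:9999,
 * IP total length 39, UDP length 19, payload "hello world". Checksums left zero. */
const unsigned char sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x27, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,            /* IPv4 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0x30,0x39, 0x27,0x0f, 0x00,0x13, 0x00,0x00,                               /* UDP */
    'h','e','l','l','o',' ','w','o','r','l','d'                               /* payload */
};

#ifdef __linux__
/* Capture loop: PF_PACKET/SOCK_RAW delivers whole frames, Ethernet header included,
 * before the protocol stack processes them. Needs CAP_NET_RAW. max_frames == 0 runs forever. */
int sniff_udp(const char *needle, int max_frames)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(PF_PACKET)"); return -1; }
    unsigned char buf[65536];
    int matched = 0;
    while (max_frames == 0 || matched < max_frames) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct udp_match m;
        if (match_udp_frame(buf, (size_t)n, needle, &m)) {
            matched++;
            printf("%s:%u -> %s:%u  %zu payload bytes\n",
                   m.src_ip, m.src_port, m.dst_ip, m.dst_port, m.payload_len);
            /* Hand a copy of m to the client program here (pipe, Unix socket, shared memory). */
        }
    }
    close(fd);
    return matched;
}
#endif

int main(int argc, char **argv)
{
#ifdef __linux__
    return sniff_udp(argc > 1 ? argv[1] : "hello", 0) < 0;
#else
    (void)argc; (void)argv;
    fputs("PF_PACKET capture is Linux-only\n", stderr);
    return 1;
#endif
}
```

Because the socket is not bound to an interface, it sees every frame on the host, and because only the first fragment of a fragmented datagram carries the UDP header, the parser deliberately ignores fragments; a deployment that must match on reassembled datagrams needs a reassembly step in front of it.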