Packet Sniffer Code in C using sockets | Linux

1 de 7

HOME

APPS

CODING

DISTROS

http://www.binarytides.com/packet-sniffer-code-c-linux/

GENERAL

LINUX

REVIEWS

SECURITY

SERVER

SUPER TIPS

PacketSnifferCodeinCusingsockets|Linux
C

By Silver Moon

On Apr 26, 2009

41 Comments

Like

11

Tweet

Packet sniffers
SEARCH

Packet sniffers are programs that intercept the network traffic flowing in and out of a system through network interfaces. So
if you are browsing the internet then traffic is flowing and a packet sniffer would be able to catch it in the form of packets and
display them for whatever reasons required.
Packet sniffers are used for various needs like analysing protocols,
monitoring network, and assessing the security of a network.
Wireshark for example is the most popular packet sniffer out there
and is available for all platforms. Its gui based and very easy to use.
In this post we are going to talk about how to code and make our
own packet sniffer in C and on the linux platform. By Linux it means
that the code sample shown here would work only on linux and not
windows.
Packet sniffers can be coded by either using sockets api provided by
the kernel, or by using some packet capture library like libpcap. In this
tutorial we shall be covering the first method, that is by using sockets.

Basic Sniffer using sockets

Connect with us

To code a very simply sniffer in C the steps would be

1. Create a raw socket.
2. Put it in a recvfrom loop and receive data on it.
A raw socket when put in recvfrom loop receives all incoming packets. This is because it is not bound to a particular address
or port.
1
2
3
4
5

sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);

while(1)
{
data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size);
}

Thats all. The buffer will hold the data sniffed or picked up. The sniffing part is actually complete over here. The next task is
to actually read the captured packet, analyse it and present it to the user in a readable format.

Other interesting stuff

Programming raw udp sockets in C on
Linux

10 examples of Linux ss command to

monitor network connections

The following code shows an example of such a sniffer. Note that it sniffs only incoming packets.
5 commands to check memory usage
on Linux

Code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

#include<stdio.h> //For standard things

#include<stdlib.h>
//malloc
#include<string.h>
//memset
#include<netinet/ip_icmp.h>
//Provides declarations
#include<netinet/udp.h>
//Provides declarations for
#include<netinet/tcp.h>
//Provides declarations for
#include<netinet/ip.h>
//Provides declarations for
#include<sys/socket.h>
#include<arpa/inet.h>
void
void
void
void
void
void

Netcat tutorial command examples

on linux

for icmp header

udp header
tcp header
ip header

ProcessPacket(unsigned char* , int);

print_ip_header(unsigned char* , int);
print_tcp_packet(unsigned char* , int);
print_udp_packet(unsigned char * , int);
print_icmp_packet(unsigned char* , int);
PrintData (unsigned char* , int);

int sock_raw;
FILE *logfile;
int tcp=0,udp=0,icmp=0,others=0,igmp=0,total=0,i,j;
struct sockaddr_in source,dest;

Open http port ( 80 ) in iptables on

CentOS

Code a simple socket client class in

c++

Binarytides
Like

8,766 people like Binarytides.

int main()
{
int saddr_size , data_size;
struct sockaddr saddr;
struct in_addr in;
unsigned char *buffer = (unsigned char *)malloc(65536); //Its Big!
logfile=fopen("log.txt","w");

23/2/2015 17:58

Packet Sniffer Code in C using sockets | Linux

2 de 7

32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

http://www.binarytides.com/packet-sniffer-code-c-linux/

if(logfile==NULL) printf("Unable to create file.");

printf("Starting...\n");
//Create a raw socket that shall sniff
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);
if(sock_raw < 0)
{
printf("Socket Error\n");
return 1;
}
while(1)
{
saddr_size = sizeof saddr;
//Receive a packet
data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size);
if(data_size <0 )
{
printf("Recvfrom error , failed to get packets\n");
return 1;
}
//Now process the packet
ProcessPacket(buffer , data_size);
}
close(sock_raw);
printf("Finished");
return 0;

Aviso de Segurana: A pgina

no pode ser exibida

}
void ProcessPacket(unsigned char* buffer, int size)
{
//Get the IP Header part of this packet
struct iphdr *iph = (struct iphdr*)buffer;
++total;
switch (iph->protocol) //Check the Protocol and do accordingly...
{
case 1: //ICMP Protocol
++icmp;
//PrintIcmpPacket(Buffer,Size);
break;
case 2: //IGMP Protocol
++igmp;
break;
case 6: //TCP Protocol
++tcp;
print_tcp_packet(buffer , size);
break;
case 17: //UDP Protocol
++udp;
print_udp_packet(buffer , size);
break;
default: //Some Other Protocol like ARP etc.
++others;
break;
}
printf("TCP : %d

UDP : %d

ICMP : %d

IGMP : %d

Others : %d

Total : %d\r"

}
void print_ip_header(unsigned char* Buffer, int Size)
{
unsigned short iphdrlen;
struct iphdr *iph = (struct iphdr *)Buffer;
iphdrlen =iph->ihl*4;
memset(&source, 0, sizeof(source));
source.sin_addr.s_addr = iph->saddr;
memset(&dest, 0, sizeof(dest));
dest.sin_addr.s_addr = iph->daddr;
fprintf(logfile,"\n");
fprintf(logfile,"IP Header\n");
|-IP Version
: %d\n",(unsigned int)iph->version);
fprintf(logfile,"
|-IP Header Length : %d DWORDS or %d Bytes\n",(unsigned int
fprintf(logfile,"
|-Type
Of
Service
: %d\n",(unsigned int)iph->tos);
fprintf(logfile,"
|-IP Total Length
: %d Bytes(Size of Packet)\n",ntohs(iph->tot_len));
fprintf(logfile,"
|-Identification
: %d\n",ntohs(iph->id));
fprintf(logfile,"
//fprintf(logfile,"
|-Reserved ZERO Field
: %d\n",(unsigned int)iphdr->ip_reserved_zero);
//fprintf(logfile,"
|-Dont Fragment Field
: %d\n",(unsigned int)iphdr->ip_dont_fragment);
//fprintf(logfile,"
|-More Fragment Field
: %d\n",(unsigned int)iphdr->ip_more_fragment);
|-TTL
: %d\n",(unsigned int)iph->ttl);
fprintf(logfile,"
|-Protocol : %d\n",(unsigned int)iph->protocol);
fprintf(logfile,"
|-Checksum : %d\n",ntohs(iph->check));
fprintf(logfile,"
|-Source IP
: %s\n",inet_ntoa(source.sin_addr));
fprintf(logfile,"
|-Destination IP
: %s\n",inet_ntoa(dest.sin_addr));
fprintf(logfile,"
}
void print_tcp_packet(unsigned char* Buffer, int Size)
{
unsigned short iphdrlen;
struct iphdr *iph = (struct iphdr *)Buffer;
iphdrlen = iph->ihl*4;
struct tcphdr *tcph=(struct tcphdr*)(Buffer + iphdrlen);
fprintf(logfile,"\n\n***********************TCP Packet*************************\n"
print_ip_header(Buffer,Size);
fprintf(logfile,"\n");
fprintf(logfile,"TCP Header\n");
|-Source Port
: %u\n",ntohs(tcph->source));
fprintf(logfile,"
|-Destination Port : %u\n",ntohs(tcph->dest));
fprintf(logfile,"
|-Sequence Number
: %u\n",ntohl(tcph->seq));
fprintf(logfile,"
|-Acknowledge Number : %u\n",ntohl(tcph->ack_seq));
fprintf(logfile,"
|-Header Length
: %d DWORDS or %d BYTES\n" ,(unsigned
fprintf(logfile,"
//fprintf(logfile,"
|-CWR Flag : %d\n",(unsigned int)tcph->cwr);

23/2/2015 17:58

Packet Sniffer Code in C using sockets | Linux

3 de 7

143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

http://www.binarytides.com/packet-sniffer-code-c-linux/

//fprintf(logfile,"
|-ECN Flag : %d\n",(unsigned int)tcph->ece);
|-Urgent Flag
: %d\n",(unsigned int)tcph->urg);
fprintf(logfile,"
|-Acknowledgement Flag : %d\n",(unsigned int)tcph->ack);
fprintf(logfile,"
|-Push Flag
: %d\n",(unsigned int)tcph->psh);
fprintf(logfile,"
|-Reset Flag
: %d\n",(unsigned int)tcph->rst);
fprintf(logfile,"
|-Synchronise Flag
: %d\n",(unsigned int)tcph->syn);
fprintf(logfile,"
|-Finish Flag
: %d\n",(unsigned int)tcph->fin);
fprintf(logfile,"
|-Window
: %d\n",ntohs(tcph->window));
fprintf(logfile,"
|-Checksum
: %d\n",ntohs(tcph->check));
fprintf(logfile,"
|-Urgent Pointer : %d\n",tcph->urg_ptr);
fprintf(logfile,"
fprintf(logfile,"\n");
DATA Dump
");
fprintf(logfile,"
fprintf(logfile,"\n");
fprintf(logfile,"IP Header\n");
PrintData(Buffer,iphdrlen);
fprintf(logfile,"TCP Header\n");
PrintData(Buffer+iphdrlen,tcph->doff*4);
fprintf(logfile,"Data Payload\n");
PrintData(Buffer + iphdrlen + tcph->doff*4 , (Size - tcph->doff*4-iph->ihl*4) );
fprintf(logfile,"\n###########################################################"
}
void print_udp_packet(unsigned char *Buffer , int Size)
{
unsigned short iphdrlen;
struct iphdr *iph = (struct iphdr *)Buffer;
iphdrlen = iph->ihl*4;
struct udphdr *udph = (struct udphdr*)(Buffer + iphdrlen);
fprintf(logfile,"\n\n***********************UDP Packet*************************\n"
print_ip_header(Buffer,Size);
fprintf(logfile,"\nUDP Header\n");
|-Source Port
fprintf(logfile,"
|-Destination Port
fprintf(logfile,"
|-UDP Length
fprintf(logfile,"
|-UDP Checksum
fprintf(logfile,"

:
:
:
:

%d\n"
%d\n"
%d\n"
%d\n"

,
,
,
,

ntohs(udph->source));
ntohs(udph->dest));
ntohs(udph->len));
ntohs(udph->check));

fprintf(logfile,"\n");
fprintf(logfile,"IP Header\n");
PrintData(Buffer , iphdrlen);
fprintf(logfile,"UDP Header\n");
PrintData(Buffer+iphdrlen , sizeof udph);
fprintf(logfile,"Data Payload\n");
PrintData(Buffer + iphdrlen + sizeof udph ,( Size - sizeof udph - iph->ihl * 4 ));
fprintf(logfile,"\n###########################################################"
}
void print_icmp_packet(unsigned char* Buffer , int Size)
{
unsigned short iphdrlen;
struct iphdr *iph = (struct iphdr *)Buffer;
iphdrlen = iph->ihl*4;
struct icmphdr *icmph = (struct icmphdr *)(Buffer + iphdrlen);
fprintf(logfile,"\n\n***********************ICMP Packet*************************\n"
print_ip_header(Buffer , Size);
fprintf(logfile,"\n");
fprintf(logfile,"ICMP Header\n");
|-Type : %d",(unsigned int)(icmph->type));
fprintf(logfile,"
if((unsigned int)(icmph->type) == 11)
fprintf(logfile," (TTL Expired)\n");
else if((unsigned int)(icmph->type) == ICMP_ECHOREPLY)
fprintf(logfile," (ICMP Echo Reply)\n");
|-Code : %d\n",(unsigned int)(icmph->code));
fprintf(logfile,"
|-Checksum : %d\n",ntohs(icmph->checksum));
fprintf(logfile,"
//fprintf(logfile,"
|-ID
: %d\n",ntohs(icmph->id));
//fprintf(logfile,"
|-Sequence : %d\n",ntohs(icmph->sequence));
fprintf(logfile,"\n");
fprintf(logfile,"IP Header\n");
PrintData(Buffer,iphdrlen);
fprintf(logfile,"UDP Header\n");
PrintData(Buffer + iphdrlen , sizeof icmph);
fprintf(logfile,"Data Payload\n");
PrintData(Buffer + iphdrlen + sizeof icmph , (Size - sizeof icmph - iph->ihl * 4));
fprintf(logfile,"\n###########################################################"
}
void PrintData (unsigned char* data , int Size)
{
for(i=0 ; i < Size ; i++)
{
//if one line of hex printing is complete...
if( i!=0 && i%16==0)
{
");
fprintf(logfile,"
for(j=i-16 ; j<i ; j++)
{
if(data[j]>=32 && data[j]<=128)
fprintf(logfile,"%c",(unsigned char)data[j]); //if its a number or alphabet

23/2/2015 17:58

Packet Sniffer Code in C using sockets | Linux

4 de 7

254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277

http://www.binarytides.com/packet-sniffer-code-c-linux/

else fprintf(logfile,"."); //otherwise print a dot

}
fprintf(logfile,"\n");
}
");
if(i%16==0) fprintf(logfile,"
fprintf(logfile," %02X",(unsigned int)data[i]);
if( i==Size-1) //print the last spaces
{
for(j=0;j<15-i%16;j++) fprintf(logfile,"

"); //extra spaces

");

fprintf(logfile,"

for(j=i-i%16 ; j<=i ; j++)

{
if(data[j]>=32 && data[j]<=128) fprintf(logfile,"%c",(unsigned char
else fprintf(logfile,".");
}
fprintf(logfile,"\n");
}
}
}

Compile and Run

$ gcc sniffer.c && sudo ./a.out
The program must be run as root user or superuser privileges. e.g. sudo ./a.out in ubuntu
The program creates raw sockets which require root access.
The output in the log file is something like this :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

***********************TCP Packet*************************
IP Header
|-IP Version
: 4
|-IP Header Length : 5 DWORDS or 20 Bytes
|-Type Of Service
: 32
|-IP Total Length
: 137 Bytes(Size of Packet)
|-Identification
: 35640
|-TTL
: 51
|-Protocol : 6
|-Checksum : 54397
|-Source IP
: 174.143.119.91
|-Destination IP
: 192.168.1.6
TCP Header
|-Source Port
: 6667
|-Destination Port : 38265
|-Sequence Number
: 1237278529
|-Acknowledge Number : 65363511
|-Header Length
: 5 DWORDS or 20 BYTES
|-Urgent Flag
: 0
|-Acknowledgement Flag : 1
|-Push Flag
: 1
|-Reset Flag
: 0
|-Synchronise Flag
: 0
|-Finish Flag
: 0
|-Window
: 9648
|-Checksum
: 46727
|-Urgent Pointer : 0
DATA Dump
IP Header
45 20 00
C0 A8 01
TCP Header
1A 0B 95
B6 87 00
Data Payload
3A 6B 61
66 66 69
2D 30 30
20 23 23
63 74 6C
75 6D 62
0A

89 8B 38 40 00 33 06 D4 7D AE 8F 77 5B
06

E ...8@.3..}..w[
....

79 49 BF 5F 41 03 E5 5E 37 50 18 25 B0
00

...yI._A..^7P.%.
....

74
6C
30
63
79
65

:kate`!~kate@una
ffiliated/kate/x
-0000001 PRIVMSG
##c :i need exa
ctly the right n
umber of socks!.
.

65
69
30
20
20
72

60
61
30
3A
74
20

21
74
30
69
68
6F

7E
65
31
20
65
66

6B
64
20
6E
20
20

61
2F
50
65
72
73

74
6B
52
65
69
6F

65
61
49
64
67
63

40
74
56
20
68
6B

75
65
4D
65
74
73

6E
2F
53
78
20
21

61
78
47
61
6E
0D

###########################################################
***********************TCP Packet*************************
IP Header
|-IP Version
: 4
|-IP Header Length : 5 DWORDS or 20 Bytes
|-Type Of Service
: 32
|-IP Total Length
: 186 Bytes(Size of Packet)
|-Identification
: 56556
|-TTL
: 48
|-Protocol : 6
|-Checksum : 22899
|-Source IP
: 74.125.71.147
|-Destination IP
: 192.168.1.6
TCP Header
|-Source Port
:
|-Destination Port :
|-Sequence Number
|-Acknowledge Number
|-Header Length

80
49374
: 3136045905
: 2488580377
: 5 DWORDS or 20 BYTES

23/2/2015 17:58

Packet Sniffer Code in C using sockets | Linux

5 de 7

69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

|-Urgent Flag
:
|-Acknowledgement Flag :
|-Push Flag
:
|-Reset Flag
:
|-Synchronise Flag
:
|-Finish Flag
:
|-Window
: 44765
|-Checksum
: 15078
|-Urgent Pointer : 0

http://www.binarytides.com/packet-sniffer-code-c-linux/

0
1
1
0
0
0

DATA Dump
IP Header
45 20 00
C0 A8 01
TCP Header
00 50 C0
3A E6 00
Data Payload
48 54 54
20 4D 6F
74 65 6E
73 3A 20
3A 20 54
31 31 20
0A 53 65
2D 58 53
20 31 3B
0D 0A

BA DC EC 00 00 30 06 59 73 4A 7D 47 93
06

E ......0.YsJ}G.
....

DE BA EC 43 51 94 54 B9 19 50 18 AE DD
00

.P....CQ.T..P...
:...

50
64
74
6E
68
31
72
53
20

HTTP/1.1 304 Not

Modified..X-Con
tent-Type-Option
s: nosniff..Date
: Thu, 01 Dec 20
11 13:16:40 GMT.
.Server: sffe..X
-XSS-Protection:
1; mode=block..
..

2F
69
2D
6F
75
33
76
2D
6D

31
66
54
73
2C
3A
65
50
6F

2E
69
79
6E
20
31
72
72
64

31
65
70
69
30
36
3A
6F
65

20
64
65
66
31
3A
20
74
3D

33
0D
2D
66
20
34
73
65
62

30
0A
4F
0D
44
30
66
63
6C

34
58
70
0A
65
20
66
74
6F

20
2D
74
44
63
47
65
69
63

4E
43
69
61
20
4D
0D
6F
6B

6F
6F
6F
74
32
54
0A
6E
0D

74
6E
6E
65
30
0D
58
3A
0A

###########################################################

Note
1. The above sniffer picks up only TCP packets, because of the declaration :
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);
For UDP and ICMP the declaration has to be :
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_ICMP);
You might be tempted to think of doing :
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);
but this will not work , since IPPROTO_IP is a dummy protocol not a real one.
2. This sniffer picks up only incoming packets.
3. It provides the application with IP frames, which means that ethernet headers are not available.
4. It is not very accurate since it misses out some packets even in the incoming ones.
5. libpcap can also be used to write sniffers. Code example here.
In Part 2 we shall see how the above mentioned drawbacks can be overcome.
Updated on 13 Apr 2012

Last Updated On : 20th May 2013

linux

packet sniffer

Subscribe to get updates delivered to your inbox

Subscribe

Related Posts
C Packet Sniffer Code with libpcap and linux sockets
Packet Sniffer Code in C using Linux Sockets (BSD) Part 2
Code a network packet sniffer in python for Linux
Code a packet sniffer in python with pcapy extension
Tcp syn portscan code in C with Linux sockets

About Silver Moon

Php developer, blogger and Linux enthusiast. He can be reached at admin@binarytides.com. Or find him
on Google+

23/2/2015 17:58

Packet Sniffer Code in C using sockets | Linux

6 de 7

http://www.binarytides.com/packet-sniffer-code-c-linux/

41 Comments

Kutlan Turan

how can decode this collected packets? have you got any suggession? mean for example got packets of
sp or text sended how can decode this?

aysh

Hi moon..I used ur coding for my project ...the coding was gud..the nly problem s aftr compiling I got nly
starting..nd nthng was displayed in log.txt..its empty ..wt shld I do to get the right output...pls help me

Sovietmade

Gr8 post,man,thanks a lot!!!

Anand

I tried to use the raw sockets to capture the packets from wlan0 and p2p0 (wireless interfaces) but I faced
following issue:
1) The packet was of following format
<eth>--<llc>--<snap>--<ip>.......
In the capture we used read option to get the packet being sent out and received at the wlan0 interface.
2) The issues happens when sending the packet out, the ethernet frame is not completely shown in the dump
printed by using the read.
The first 8 bytes of the ethernet header (same as LLC+SNAP header size) are missing from the capture.
I also checked same packet at wireshark and it was properly captured.
3) On RX side the packet is properly received as per the dump.
Please let me know in which direction I can proceed to check the same.

Mayank

Please provide a link for wireless sniffer in Linux for capturing 802.11 packets

kostya

great code!
can you explain me some thing? I'm just beginner in socket programming.
You use construction as socket(AF_INET , SOCK_RAW , IPPROTO_TMP). i don't understand it. we get
defferent packets (as UDP, TCP) which is above ip-level. Why you don't use parameter IPPROTO_IP?

Silver Moon

Mod

you have to use either IPPROTO_TCP , IPPROTO_UDP or IPPROTO_ICMP

you cannot use IPPROTO_IP since its a dummy protocol (value is 0)
if you need to capture all types of packets then use the more generic sniffer as explained here :
http://www.binarytides.com/blo...

M.Usman

Hi
I want to make a simple packet analyzer which only display the incoming packet header information but i want
to do this with Linux signals any help will be appreciated.
Thanks

Silver Moon

Mod

what kind of signals. how exactly do you want to do it.

M.USMAN

I'm a linux signals newbie so I apologize for lame questions :-)

I just want to khow is that is there any signals which dispatches when data(network packet)
arrives on raw sockets so i read a packet header information....

Silver Moon

Mod

I don't think there are any such network signals in linux.

M.USMAN

HI,
i did make a sniffer with the help of signals, i am thinking way wrong about signals and

23/2/2015 17:58

Packet Sniffer Code in C using sockets | Linux

7 de 7

http://www.binarytides.com/packet-sniffer-code-c-linux/

About us

Contact us

Faq

Advertise

Privacy Policy

Copyright 2015 BinaryTides

23/2/2015 17:58