
Posted Nov 16, 2006
Authored by Kris Katterjohn

A simple ICMP/TCP/UDP packet sniffer that was written for and tested on Linux.

tags | tool, udp, sniffer, tcp
systems | linux
MD5 | 047cbc79c160dd2b932a853e25639043

/* katsniff.c - simple ICMP|TCP|UDP packet sniffer
*
* By Kris Katterjohn 2006
*
* This is based on some *old* code of mine. I just picked it up to refresh
* myself on pcap.
*
* It was written for and tested on Linux, but it should work on other OSs with
* (or possibly without) a little modification. It also wouldn't be too hard to
* add support for other interface types and protocols.
*
* Some of the code is kinda harsh.
*
* # cc katsniff.c -okatsniff -lpcap
*
*/

#define _BSD_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdarg.h>
#include <signal.h>
#include <setjmp.h>
#include <time.h>
#include <pcap.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/ether.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/* Cleared by the -d option: skip reverse DNS and print numeric addresses. */
static int resolve = 1;
/* Live capture handle opened in main(); also read by the signal handler. */
static pcap_t *handle;
/* Jump target set in main() and taken by caughtsig() to leave pcap_loop(). */
static jmp_buf jump;

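/*
 * Print a printf()-style message to stderr followed by a newline, then
 * exit(1).  Never returns.
 *
 * The format attribute lets the compiler type-check the arguments and warn
 * when a non-literal (for example a libpcap error buffer) is passed as
 * `fmt` -- the classic format-string mistake.  Such text belongs in a
 * "%s" argument instead.
 */
#ifdef __GNUC__
__attribute__((noreturn, format(printf, 1, 2)))
#endif
static void die(const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vfprintf(stderr, fmt, ap);
	va_end(ap);

	fputc('\n', stderr);

	exit(1);
}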

/* Write the command-line synopsis to stdout and exit(1). */
static void printUsage(void)
{
	static const char *const lines[] = {
		"Usage: katsniff [-i <interface>] [-d]\n\n",
		" -d Don't resolve hostnames\n",
		" -i <iface> Listen on <iface> instead of eth0\n\n",
	};
	size_t n;

	for (n = 0; n < sizeof lines / sizeof *lines; n++)
		fputs(lines[n], stdout);

	exit(1);
}

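/*
 * Handler for SIGHUP/SIGINT/SIGQUIT/SIGTERM: report capture statistics,
 * then longjmp() back to main(), which closes the handle and exits.
 *
 * pcap_stats() can fail (it returns -1 and leaves `stats` untouched), so
 * its result is checked before the uninitialised struct is printed.
 * ps_recv and ps_drop are unsigned counters, hence %u rather than %d.
 *
 * NOTE(review): printf() and longjmp() are not async-signal-safe; if the
 * signal lands while callback() is inside stdio the output may interleave.
 * The tidier shape is to call only pcap_breakloop() here and print the
 * statistics in main() once pcap_loop() has returned.
 */
static void caughtsig(int sig)
{
	struct pcap_stat stats;

	(void) sig;

	if (pcap_stats(handle, &stats) == 0) {
		printf("\n%u packets received by filter", stats.ps_recv);
		printf("\n%u packets dropped by kernel\n", stats.ps_drop);
	}

	longjmp(jump, 1);
}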

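/*
 * Return a freshly strdup()'d printable name for `addr`: the reverse-DNS
 * name when resolution is enabled (no -d) and a PTR record exists,
 * otherwise the dotted-quad address.
 *
 * The caller owns the returned string and must free() it.  Returns NULL
 * only if strdup() fails.
 *
 * getnameinfo() replaces the obsolete, non-reentrant gethostbyaddr().
 * NI_NAMEREQD makes it fail instead of silently returning the numeric
 * form, so the numeric fallback below is the single place that happens.
 *
 * The resolved name is untrusted data controlled by whoever administers
 * the reverse zone for the address; callers print it verbatim, so treat
 * it as such if the output feeds a terminal or a parser.
 */
static char *lookuphost(struct in_addr *addr)
{
	char name[NI_MAXHOST];
	struct sockaddr_in sin;

	if (resolve) {
		memset(&sin, 0, sizeof sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = *addr;

		if (getnameinfo((struct sockaddr *) &sin, sizeof sin, name,
		    sizeof name, NULL, 0, NI_NAMEREQD) == 0)
			return strdup(name);
	}

	return strdup(inet_ntoa(*addr));
}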

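/*
 * Print one ICMP message as "src -> dst icmp TYPE chksum N [id N] [seq N]".
 *
 * Header fields are byte-swapped into locals instead of being rewritten in
 * place: `icmp` points into libpcap's capture buffer, which callback()
 * receives as const, so it must not be written to.
 *
 * The two names from lookuphost() are heap strings owned by this function
 * and are freed here (the original leaked one pair per packet).  A NULL
 * name (strdup() failure) prints as "?".
 *
 * `strs` maps the ICMP type to a name; unknown or unnamed types print as
 * the raw number.  `icmp_id`/`icmp_seq` are only meaningful for some
 * types, so they are printed only when non-zero, as before.
 */
static void printIcmp(struct ip *ip, struct icmp *icmp)
{
	static const char *const strs[] = {
		"ECHO REPLY", NULL, NULL, "DESTINATION UNREACHABLE",
		"SOURCE QUENCH", "REDIRECT", NULL, NULL, "ECHO REQUEST",
		NULL, NULL, "TTL EXCEEDED", "PARAMETER PROBLEM",
		"TIMESTAMP REQUEST", "TIMESTAMP REPLY", "INFO REQUEST",
		"INFO REPLY", "ADDRESS MASK REQUEST", "ADDRESS MASK REPLY"
	};
	const size_t nstrs = sizeof strs / sizeof *strs;
	unsigned type = icmp->icmp_type;
	unsigned cksum = ntohs(icmp->icmp_cksum);
	unsigned id = ntohs(icmp->icmp_id);
	unsigned seq = ntohs(icmp->icmp_seq);
	char *src = lookuphost(&ip->ip_src);
	char *dst = lookuphost(&ip->ip_dst);

	printf("%s -> %s icmp ", src ? src : "?", dst ? dst : "?");
	free(src);
	free(dst);

	if (type < nstrs && strs[type])
		printf("%s ", strs[type]);
	else
		printf("%u ", type);

	printf("chksum %u ", cksum);

	if (id)
		printf("id %u ", id);

	if (seq)
		printf("seq %u ", seq);
}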

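/*
 * Print one TCP segment as
 * "src:sport -> dst:dport tcp FLAGS [seq N] [ack N] [win N] chksum N".
 *
 * Fields are byte-swapped into locals rather than in place; `tcp` points
 * into libpcap's capture buffer, which callback() receives as const.
 * Sequence numbers are 32-bit, so they go through unsigned long / %lu.
 *
 * Flag names are written with fputs() rather than passed to printf() as
 * the format string.  The table is constant so the old form was not
 * exploitable, but a data string in the format position is exactly the
 * pattern a reviewer has to stop and reason about.
 *
 * The two names from lookuphost() are freed here (the original leaked
 * them).  A NULL name (strdup() failure) prints as "?".
 */
static void printTcp(struct ip *ip, struct tcphdr *tcp)
{
	/* Bit i of th_flags is tcpflags[i]: FIN=0x01 ... CWR=0x80. */
	static const char *const tcpflags[8] = {
		"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"
	};
	unsigned sport = ntohs(tcp->th_sport);
	unsigned dport = ntohs(tcp->th_dport);
	unsigned long seq = ntohl(tcp->th_seq);
	unsigned long ack = ntohl(tcp->th_ack);
	unsigned win = ntohs(tcp->th_win);
	unsigned sum = ntohs(tcp->th_sum);
	unsigned flags = tcp->th_flags;
	char *src = lookuphost(&ip->ip_src);
	char *dst = lookuphost(&ip->ip_dst);
	int i, usedfl = 0;

	printf("%s:%u -> %s:%u tcp ", src ? src : "?", sport,
	    dst ? dst : "?", dport);
	free(src);
	free(dst);

	for (i = 0; i < 8; i++) {
		if (flags & (1u << i)) {
			if (usedfl++)
				putchar('/');
			fputs(tcpflags[i], stdout);
		}
	}

	putchar(' ');

	/* seq/ack are only interesting on SYN/ACK segments respectively. */
	if (flags & TH_SYN)
		printf("seq %lu ", seq);

	if (flags & TH_ACK)
		printf("ack %lu ", ack);

	if (win)
		printf("win %u ", win);

	printf("chksum %u", sum);
}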

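/*
 * Print one UDP datagram as "src:sport -> dst:dport udp len N chksum N".
 *
 * Fields are byte-swapped into locals rather than in place; `udp` points
 * into libpcap's capture buffer, which callback() receives as const.
 * The two names from lookuphost() are freed here (the original leaked
 * them).  A NULL name (strdup() failure) prints as "?".
 */
static void printUdp(struct ip *ip, struct udphdr *udp)
{
	unsigned sport = ntohs(udp->uh_sport);
	unsigned dport = ntohs(udp->uh_dport);
	unsigned ulen = ntohs(udp->uh_ulen);
	unsigned sum = ntohs(udp->uh_sum);
	char *src = lookuphost(&ip->ip_src);
	char *dst = lookuphost(&ip->ip_dst);

	printf("%s:%u -> %s:%u udp ", src ? src : "?", sport,
	    dst ? dst : "?", dport);
	free(src);
	free(dst);

	printf("len %u chksum %u", ulen, sum);
}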

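/*
 * Print the capture timestamp as "MM/DD/YYYY HH:MM:SS: " in local time.
 *
 * localtime() can return NULL and strftime() returns 0 on truncation,
 * leaving the buffer unspecified; either case falls back to the raw epoch
 * seconds so the line is never garbled.  The buffer is sized with room to
 * spare because %Y is not guaranteed to be four digits.
 */
static void printTime(time_t secs)
{
	char timebuf[32];
	struct tm *tm = localtime(&secs);

	if (tm == NULL ||
	    strftime(timebuf, sizeof timebuf, "%m/%d/%Y %H:%M:%S: ", tm) == 0)
		printf("%ld: ", (long) secs);
	else
		printf("%s", timebuf);
}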

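/*
 * pcap_loop() callback: print one captured frame on a single line.
 *
 * Only Ethernet/IPv4 is handled (main() rejects non-DLT_EN10MB links and
 * installs the "icmp or tcp or udp" filter).  Two things the original did
 * not do:
 *
 *  - the captured length (hdr->caplen) is checked before every header is
 *    read, so a truncated capture or a short snaplen cannot read past the
 *    end of the buffer;
 *  - the IPv4 header length (ip_hl, in 32-bit words) is honoured, so
 *    packets carrying IP options no longer have their transport header
 *    parsed from the wrong offset.
 *
 * Frames that fail a check are reported briefly and skipped.  `args` is
 * the user pointer passed to pcap_loop(), unused here.
 */
static void callback(unsigned char *args, const struct pcap_pkthdr *hdr,
    const unsigned char *pkt)
{
	const size_t ethlen = sizeof(struct ether_header);
	const struct ip *ip;
	const unsigned char *nexthdr;
	size_t iplen, avail;

	(void) args;

	printTime(hdr->ts.tv_sec);

	/* Ethernet header plus at least a minimal (option-less) IPv4 header. */
	if (hdr->caplen < ethlen + sizeof *ip) {
		printf("truncated frame (%lu bytes captured)",
		    (unsigned long) hdr->caplen);
		goto done;
	}

	ip = (const struct ip *) (pkt + ethlen);
	iplen = (size_t) ip->ip_hl * 4;

	if (ip->ip_v != 4 || iplen < sizeof *ip) {
		printf("bad ip header (version %u, hlen %lu)",
		    (unsigned) ip->ip_v, (unsigned long) iplen);
		goto done;
	}

	if (hdr->caplen < ethlen + iplen) {
		printf("truncated ip header");
		goto done;
	}

	nexthdr = (const unsigned char *) ip + iplen;
	avail = hdr->caplen - ethlen - iplen;

	/*
	 * The print helpers take non-const pointers for historical reasons;
	 * the casts below only drop const and the buffer is read-only.
	 */
	switch (ip->ip_p) {
	case IPPROTO_ICMP:
		/* type, code, cksum, id, seq: the 8 bytes printIcmp() reads. */
		if (avail < 8)
			goto short_hdr;
		printIcmp((struct ip *) ip, (struct icmp *) nexthdr);
		break;
	case IPPROTO_TCP:
		if (avail < sizeof(struct tcphdr))
			goto short_hdr;
		printTcp((struct ip *) ip, (struct tcphdr *) nexthdr);
		break;
	case IPPROTO_UDP:
		if (avail < sizeof(struct udphdr))
			goto short_hdr;
		printUdp((struct ip *) ip, (struct udphdr *) nexthdr);
		break;
	default:
		/* Not expected past the BPF filter, but say so rather than print nothing. */
		printf("proto %u", (unsigned) ip->ip_p);
		break;
	}
	goto done;

short_hdr:
	printf("truncated transport header (proto %u)", (unsigned) ip->ip_p);

done:
	putchar('\n');
	fflush(stdout);
}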

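/*
 * Entry point: parse -d / -i, open a promiscuous live capture on the device
 * (default eth0), install the "icmp or tcp or udp" filter and run
 * pcap_loop() until a signal arrives.
 *
 * Changes from the original:
 *  - libpcap error strings are passed to die() as "%s" arguments, never as
 *    the format string.  errbuf and pcap_geterr() embed the user-supplied
 *    interface name, so a '%' in it would have been interpreted by
 *    vfprintf() (reading garbage varargs at best).
 *  - the compiled filter program is released with pcap_freecode() once it
 *    has been installed; pcap_setfilter() copies it.
 *
 * Opening the device needs root (the geteuid() check just gives a clearer
 * message than the pcap_open_live() failure would).  Snaplen is BUFSIZ,
 * promiscuous mode is on, and the read timeout is 0 -- its exact meaning
 * is platform-defined, see pcap_open_live(3PCAP).
 *
 * Returns 0 after caughtsig() longjmp()s back here and the handle has been
 * closed; every error path exits via die()/printUsage() with status 1.
 */
int main(int argc, char **argv)
{
	int c;
	char *dev = "eth0";
	char errbuf[PCAP_ERRBUF_SIZE];
	struct bpf_program filter;
	bpf_u_int32 mask, net;

	printf("katsniff by Kris Katterjohn\n\n");

	if (geteuid())
		die("You need root privileges!");

	while ((c = getopt(argc, argv, "di:")) != -1) {
		switch (c) {
		case 'd':
			resolve = 0;
			break;
		case 'i':
			dev = optarg;
			break;
		default:
			printUsage();
			break;
		}
	}

	/*
	 * pcap_lookupnet() fails on an interface without an IPv4 address;
	 * the netmask is only needed by pcap_compile() for broadcast tests,
	 * which the fixed filter below never uses.
	 */
	if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1)
		die("%s", errbuf);

	if (!(handle = pcap_open_live(dev, BUFSIZ, 1, 0, errbuf)))
		die("%s", errbuf);

	/* callback() assumes an Ethernet header in front of the IP header. */
	if (pcap_datalink(handle) != DLT_EN10MB)
		die("Only supports ethernet");

	if (pcap_compile(handle, &filter, "icmp or tcp or udp", 1, net) == -1)
		die("%s", pcap_geterr(handle));

	if (pcap_setfilter(handle, &filter) == -1)
		die("%s", pcap_geterr(handle));

	pcap_freecode(&filter);

	signal(SIGHUP, caughtsig);
	signal(SIGINT, caughtsig);
	signal(SIGQUIT, caughtsig);
	signal(SIGTERM, caughtsig);

	/* setjmp() returns 0 on the direct call; non-zero when caughtsig() jumps back. */
	if (!setjmp(jump))
		pcap_loop(handle, -1, callback, 0);

	pcap_close(handle);

	return 0;
}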
