Topic : Raw IP Networking FAQ
Author : Thamer Al-Harbash
Page : 1 Next >>
Go to page :

Raw IP Networking FAQ


Version 1.3

  Last Modified on: Thu Nov 11 18:18:19 PST 1999

  The master copy of this FAQ is currently kept at

  The webpage also contains material that supplements this FAQ, along
  with a very spiffy html version.

  If you wish to mirror it officially, please contact me for details.


I, Thamer Al-Herbish reserve a collective copyright on this FAQ.
Individual contributions made to this FAQ are the intellectual
property of the contributor.

I am responsible for the validity of all information found in this

This FAQ may contain errors, or inaccurate material. Use it at your
own risk. Although an effort is made to keep all the material
presented here accurate, the contributors and maintainer of this FAQ
will not be held responsible for any damage -- direct or indirect --
which may result from inaccuracies.

You may redistribute this document as long as you keep it in its
current form, without any modifications. Please keep it updated if
you decide to place it on a publicly accessible server.


The following FAQ attempts to answer questions regarding raw IP or low level IP networking, including raw sockets, and network
monitoring APIs such as BPF and DLPI.

Additions and Contributions

If you find anything you can add, have some corrections for me or
would like a question answered, please send email to:

Thamer Al-Herbish <>

Please remember to include whether or not you want your email address
reproduced on the FAQ (if you're contributing). Also remember that
you may want to post your question to Usenet, instead of sending it to me. If you get a response which is not found on this FAQ, and you feel is relevant, mail me both copies and I'll attempt to include it.

Also a word on raw socket bugs. I get approximately a couple of
emails a month about them, and sometimes I just can't verify if the bug exists on a said system. Before mailing in the report, double check with my example source code. If it looks like it's a definite bug, then mail it in.

Special thanks to John W. Temples <> for his
constant healthy criticism and editing of the FAQ.

Credit is given to the contributor as his/her contribution appears in
the FAQ, along with a list of all contributors at the end of this

A final note, a Raw IP Networking mailing list is up. You can join by
sending an empty message to


This FAQ covers only information relevant to the UNIX environment.

Table of Contents

  1) General Questions:

    1.1) What tools/sniffers can I use to monitor my network?
    1.2) What packet capturing facilities are available?
    1.3) Is there a portable API I can use to capture packets?
    1.4) How does a packet capturing facility work?
    1.5) How do I limit packet loss when sniffing a network?
    1.6) What is packet capturing usually used for?
    1.7) Will I have to replace any packets captured off the network?
    1.8) Is there a portable API to send raw packets into a network?
    1.9) Are there any high level language APIs (Not C) for raw IP

  2) RAW socket questions:

    2.1) What is a RAW socket?
    2.2) How do I use a raw socket?

      2.2.1) How do I send a TCP/IP packet through a raw socket?
      2.2.2) How do I build a TCP/IP packet?
      2.2.3) How can I listen for packets with a raw socket?

    2.3) What bugs should I look out for when using a raw socket?

      2.3.1) IP header length/offset host/network byte order
      2.3.2) Unwanted packet processing on some systems.
    2.4) What are raw sockets commonly used for?

  3) libpcap (A Portable Packet Capturing Library)

    3.1) Why should I use libpcap, instead of using the native API on
    my operating system for packet capturing?
    3.2) Does libpcap have any disadvantages which I should be aware
    3.3) Where can I find example libpcap source code?

  4) List of contributors

    1) General Questions:

        1.1) What tools/sniffers can I use to monitor my network?

        Depending on your operating system, the following is an
        incomplete list of available tools:

        tcpdump:     Found out-of-the-box on most BSD variants, and    
                     also available separately from                    
            along with    
                     libpcap (see below) and various other tools. This
                     tool, in particular, has been ported to multiple  
                     platforms thanks to libpcap.                      

        ipgrab       Compatible with many systems. ipgrab displays    
                     link level, transport level, and network level    
                     information on packets captured verbosely.        

        Ethereal     (GUI) A network packet analyzer (uses GTK+).      
                     Supports many systems. Available at:              

                     Not an actual sniffer, but can read from the logs
                     produced by many other well known sniffers to    
                     produce output in different formats and in        

Page : 1 Next >>