Author : Thamer Al-Herbish
Page : 1 Next >>
Last Modified on: Thu Nov 11 18:18:19 PST 1999
The master copy of this FAQ is currently kept at
http://www.whitefang.com/rin/
The webpage also contains material that supplements this FAQ, along
with a very spiffy html version.
If you wish to mirror it officially, please contact me for details.
Copyright
I, Thamer Al-Herbish, reserve a collective copyright on this FAQ.
Individual contributions made to this FAQ are the intellectual
property of the contributor.
I am responsible for the validity of all information found in this
FAQ.
This FAQ may contain errors, or inaccurate material. Use it at your
own risk. Although an effort is made to keep all the material
presented here accurate, the contributors and maintainer of this FAQ
will not be held responsible for any damage -- direct or indirect --
which may result from inaccuracies.
You may redistribute this document as long as you keep it in its
current form, without any modifications. Please keep it updated if
you decide to place it on a publicly accessible server.
Introduction
The following FAQ attempts to answer questions regarding raw IP (low
level IP) networking: raw sockets, and network monitoring APIs such as
BPF and DLPI.
Additions and Contributions
If you find anything you can add, have some corrections for me or
would like a question answered, please send email to:
Thamer Al-Herbish <shadows@whitefang.com>
Please remember to include whether or not you want your email address
reproduced in the FAQ (if you're contributing). Also remember that
you may want to post your question to Usenet instead of sending it to
me. If you get a response which is not found in this FAQ, and which
you feel is relevant, mail me both copies and I'll attempt to include
it.
Also, a word on raw socket bugs. I get approximately a couple of
emails a month about them, and sometimes I just can't verify whether
the bug exists on the system in question. Before mailing in the
report, double check against my example source code. If it looks like
it's a definite bug, then mail it in.
Special thanks to John W. Temples <john@whitefang.com> for his
constant healthy criticism and editing of the FAQ.
Credit is given to the contributor as his/her contribution appears in
the FAQ, along with a list of all contributors at the end of this
document.
A final note: a Raw IP Networking mailing list is up. You can join by
sending an empty message to rawip-subscribe@whitefang.com
Caveat
This FAQ covers only information relevant to the UNIX environment.
Table of Contents
1) General Questions:
1.1) What tools/sniffers can I use to monitor my network?
1.2) What packet capturing facilities are available?
1.3) Is there a portable API I can use to capture packets?
1.4) How does a packet capturing facility work?
1.5) How do I limit packet loss when sniffing a network?
1.6) What is packet capturing usually used for?
1.7) Will I have to replace any packets captured off the network?
1.8) Is there a portable API to send raw packets into a network?
1.9) Are there any high level language APIs (Not C) for raw IP
access?
2) RAW socket questions:
2.1) What is a RAW socket?
2.2) How do I use a raw socket?
2.2.1) How do I send a TCP/IP packet through a raw socket?
2.2.2) How do I build a TCP/IP packet?
2.2.3) How can I listen for packets with a raw socket?
2.3) What bugs should I look out for when using a raw socket?
2.3.1) IP header length/offset host/network byte order
(feature/bug?)
2.3.2) Unwanted packet processing on some systems.
2.4) What are raw sockets commonly used for?
3) libpcap (A Portable Packet Capturing Library)
3.1) Why should I use libpcap, instead of using the native API on
my operating system for packet capturing?
3.2) Does libpcap have any disadvantages which I should be aware
of?
3.3) Where can I find example libpcap source code?
4) List of contributors
1) General Questions:
1.1) What tools/sniffers can I use to monitor my network?
Depending on your operating system, the following is an
incomplete list of available tools:
tcpdump: Found out-of-the-box on most BSD variants, and
also available separately from
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z along with
libpcap (see below) and various other tools. This
tool, in particular, has been ported to multiple
platforms thanks to libpcap.
ipgrab: Compatible with many systems. ipgrab verbosely displays
link-level, network-level, and transport-level information about
captured packets.
http://www.xnet.com/~cathmike/MSB/Software/
Ethereal (GUI): A network packet analyzer (uses GTK+).
Supports many systems. Available at:
http://ethereal.zing.org/
tcptrace:
http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html
Not an actual sniffer, but can read from the logs
produced by many other well known sniffers to
produce output in different formats and in
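The tools above share one on-disk format: the libpcap savefile that "tcpdump -w" writes and that Ethereal and tcptrace read back. As an added example, not code from the FAQ or from any of those tools, here is a small C decoder for that format. The pcap global header and per-record header layouts, and the Ethernet, IPv4, TCP and UDP header offsets it uses, are the standard ones; the capture bytes it parses are constructed by hand (two packets between 10.0.0.1 and 10.0.0.2), not a real trace, so it runs with no network interface and no root. It verifies the IPv4 header checksum and rejects records and frames whose length fields claim more data than was actually captured, which is the first thing any packet decoder has to get right.

```c
/* Added example, not from the FAQ or any tool it lists: decode a libpcap
 * savefile ("tcpdump -w" output, readable by Ethereal and tcptrace) held in
 * memory.  The capture bytes are constructed by hand, not a real trace. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC_LE 0xa1b2c3d4u   /* magic as stored by a little-endian writer */
#define DLT_EN10MB    1             /* link type: Ethernet */

struct pkt_summary {
    uint32_t ts_sec, src_ip, dst_ip;   /* record time; addresses in host order */
    uint16_t src_port, dst_port;       /* zero unless TCP or UDP */
    uint8_t  proto, tcp_flags;
    int      ip_csum_ok;               /* IPv4 header checksum verified */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16be(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32be(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]; }

/* RFC 1071 one's-complement sum; over an intact IPv4 header it yields 0. */
static uint16_t ip_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += rd16be(p);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode Ethernet/IPv4/{TCP,UDP} headers of one frame.  Returns -1 for non-IPv4
 * frames and for frames shorter than their own length fields claim. */
static int decode_frame(const uint8_t *f, size_t len, struct pkt_summary *s) {
    memset(s, 0, sizeof *s);
    if (len < 14 || rd16be(f + 12) != 0x0800) return -1;        /* not IPv4 */
    const uint8_t *ip = f + 14; size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = rd16be(ip + 2);
    if (ihl < 20 || tot < ihl || tot > iplen) return -1;         /* bogus lengths */
    s->ip_csum_ok = ip_checksum(ip, ihl) == 0;
    s->proto = ip[9]; s->src_ip = rd32be(ip + 12); s->dst_ip = rd32be(ip + 16);
    const uint8_t *l4 = ip + ihl; size_t l4len = tot - ihl;
    if (s->proto == 6 && l4len >= 20) {                          /* TCP */
        s->src_port = rd16be(l4); s->dst_port = rd16be(l4 + 2); s->tcp_flags = l4[13];
    } else if (s->proto == 17 && l4len >= 8) {                   /* UDP */
        s->src_port = rd16be(l4); s->dst_port = rd16be(l4 + 2);
    }
    return 0;
}

/* Walk every record.  Returns the number of IPv4 packets decoded into out[], or
 * -1 if this is not a little-endian Ethernet capture or a record's incl_len
 * runs past the end of the buffer. */
static int parse_savefile(const uint8_t *buf, size_t len, struct pkt_summary *out, int max) {
    if (len < 24 || rd32le(buf) != PCAP_MAGIC_LE || rd16le(buf + 4) != 2) return -1;
    if (rd32le(buf + 20) != DLT_EN10MB) return -1;
    size_t off = 24; int n = 0;
    while (off + 16 <= len && n < max) {
        uint32_t ts_sec = rd32le(buf + off), incl = rd32le(buf + off + 8);
        off += 16;
        if (incl > len - off) return -1;                         /* truncated record */
        if (decode_frame(buf + off, incl, &out[n]) == 0) out[n++].ts_sec = ts_sec;
        off += incl;
    }
    return n;
}

/* Constructed sample: global header, then a UDP packet and a TCP SYN. */
static const uint8_t sample_capture[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00,                    /* magic, version 2.4 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,                    /* thiszone, sigfigs */
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,                    /* snaplen, DLT_EN10MB */
    /* record 1: 10.0.0.1.12345 > 10.0.0.2.53 UDP, 4 payload bytes, 46 bytes total */
    0xb0,0x2e,0x2b,0x38, 0x00,0x00,0x00,0x00, 0x2e,0x00,0x00,0x00, 0x2e,0x00,0x00,0x00,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0x66,0xca,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x0c,0x00,0x00, 'p','i','n','g',
    /* record 2: 10.0.0.1.49152 > 10.0.0.2.80 TCP SYN, 54 bytes total */
    0xb1,0x2e,0x2b,0x38, 0x00,0x00,0x00,0x00, 0x36,0x00,0x00,0x00, 0x36,0x00,0x00,0x00,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x02,0x00,0x00, 0x40,0x06,0x66,0xcc,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00,
};

static void fmt_ip(uint32_t ip, char buf[16]) {
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)(ip >> 16 & 255),
             (unsigned)(ip >> 8 & 255), (unsigned)(ip & 255));
}

int main(void) {
    struct pkt_summary s[8]; char a[16], b[16];
    int n = parse_savefile(sample_capture, sizeof sample_capture, s, 8);
    if (n < 0) { fputs("unsupported or corrupt capture\n", stderr); return 1; }
    for (int i = 0; i < n; i++) {
        fmt_ip(s[i].src_ip, a); fmt_ip(s[i].dst_ip, b);
        printf("%u %s %s.%u > %s.%u%s [ip csum %s]\n", (unsigned)s[i].ts_sec,
               s[i].proto == 6 ? "tcp" : s[i].proto == 17 ? "udp" : "ip", a,
               (unsigned)s[i].src_port, b, (unsigned)s[i].dst_port,
               (s[i].tcp_flags & 0x02) ? " S" : "", s[i].ip_csum_ok ? "ok" : "BAD");
    }
    return 0;
}
```

Compile with cc -o pcapdump pcapdump.c and run it; it prints one tcpdump-style line per constructed record. Two deliberate limits: a savefile written on a big-endian host carries the byte-swapped magic 0xd4c3b2a1 and is rejected here, and the TCP and UDP checksums are not verified, since they cover a pseudo-header as well as the segment. libpcap's pcap_open_offline() handles both byte orders, so use it rather than a hand-rolled reader for anything beyond a demonstration.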