Confused by libpcap (PCAP) and wireless

Background: I am teaching myself packet sniffing. I run a very simple server in one shell, run telnet from another shell, and then try different methods to sniff the traffic. When I use a raw socket (IPPROTO_TCP), I capture what I send. I only capture what I send, not the Internet. The behavior of libpcap confuses me as follows:

(1) First, to check it, I use pcap_findalldevs to list all devices (see (2) below). I find wlan0 is fine. If I connect to “all traffic” (according to the man page)

if (!( pcap_handle = pcap_open_live(NULL, 4096, 1, 0, errbuf)) )

I capture what I send (plus more content, see (3)).
When I try to connect to it using

if (!( pcap_handle = pcap_open_live("wlan0", 4096, 1, 0, errbuf )) )

To me this seems to be the right way, not ‘all’, but I capture a lot of general traffic and nothing that I am sending. Ideas?

(2) I first use pcap_findalldevs to find all devices. Since the pcap_if_t structure may have several address elements, I print out all of them and see the following:

Devices found:

1. eth0-None:
family: 17, address: 2.0.0.0
2. wlan0-None:
family: 17, address: 3.0.0.0
family: AF_INET, address: 192.168.0.159
family: 10, address: 0.0.0.0
3. usbmon1-USB bus number 1:
4. usbmon2-USB bus number 2:
5. usbmon3-USB bus number 3:
6. usbmon4-USB bus number 4:
7. usbmon5-USB bus number 5:
8. any-Pseudo-device that captures on all interfaces:
9. lo-None:
family: 17, address: 1.0.0.0
family: AF_INET, address: 127.0.0.1
family: 10, address: 0.0.0.0

I am very new to this. Some devices provide AF_INET (= IPv4), IPv6 (10) and packet (17) addresses. When I connect to “wlan0”, how can I make sure that I connect to the right “address” of the device? Is this related to the problem?

(3) When using raw sockets, I really only capture what I send to the server. When I use libpcap, I also capture other traffic; judging from the bytes printed, it must be Internet headers and content. I’m very new to this. If someone could elaborate on what I am capturing here that I did not capture on the raw socket, it would be appreciated. Are those UDP or ICMP packets which, by definition, my IPPROTO_TCP socket cannot capture, and is that why I don’t see them using raw sockets?

Thank you very much.

Edit: I use the gcc/gdb combination to work under Ubuntu 10.04 on Toshiba netbooks.

> It’s a bit surprising that you can’t see the packets you sent when capturing on wlan0, if they were actually sent via your Wi-Fi device. Did you send them to another computer on the Wi-Fi network? If, for example, you sent them to another process on your own computer, they will show up on lo instead of wlan0 (and if you sent them to another computer on the Wi-Fi network, not to another process on your machine, they will not show up on lo; no, not all traffic ends up passing through the loopback interface).
> The address list obtained from pcap_findalldevs() is not a list of addresses you can capture on for that interface; it is just a list of the network addresses the system has assigned to that interface. You cannot choose which addresses to capture; the capture sees all of them. You capture on interfaces, not on addresses.
> Libpcap is different from raw sockets; it gives you the low-level headers below the data being sent or received, as well as the data. For Ethernet devices, you will see the Ethernet header; for Wi-Fi devices, what you see depends on the operating system you are using and the header type you choose (on Linux, unless you are capturing in “monitor mode”, you will probably see the Ethernet header; in monitor mode you will see the Wi-Fi header, or some “radio” header such as the radiotap header followed by the Wi-Fi header); for the “any” device, you will see the “Linux cooked header”; etc. After calling pcap_open_live(), you need to call pcap_datalink() to find out the header type for the interface; please refer to the list of link-layer types to compare the values.
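As an added illustration of the last two points (not code from the question or the answer), the functions below first skip the link-layer header that pcap_datalink() reports for the capture, then read the IPv4 protocol field, and finally say whether an IPPROTO_TCP raw socket would have delivered that packet at all. It does not depend on libpcap: the DLT_* values and header sizes are the ones libpcap documents for Ethernet and the “any” (Linux cooked) device, and the two frames are constructed sample data; the radiotap case is deliberately left unhandled because the 802.11 and LLC/SNAP headers behind it would also have to be walked.

```c
#include <stdint.h>
#include <stddef.h>

/* Link-layer type values as libpcap defines them (pcap_datalink() return values). */
#define DLT_EN10MB 1             /* Ethernet: 14-byte header, 18 with an 802.1Q tag */
#define DLT_LINUX_SLL 113        /* "any" pseudo-device: 16-byte Linux cooked header */
#define DLT_IEEE802_11_RADIO 127 /* monitor mode: radiotap header, then 802.11 header */

/* Offset of the network-layer header behind the link-layer header, or -1 when the
 * frame is too short or the link type is one this example does not handle. */
int net_offset(int dlt, const uint8_t *pkt, size_t caplen)
{
    switch (dlt) {
    case DLT_EN10MB:
        if (caplen < 14) return -1;
        /* EtherType 0x8100 means a 4-byte VLAN tag sits before the real EtherType. */
        if (pkt[12] == 0x81 && pkt[13] == 0x00) return caplen >= 18 ? 18 : -1;
        return 14;
    case DLT_LINUX_SLL:
        return caplen >= 16 ? 16 : -1;
    default:
        return -1; /* radiotap/802.11 and others: not walked by this example */
    }
}

/* IPv4 protocol number of the frame (6 = TCP, 17 = UDP, 1 = ICMP), or -1 if the
 * bytes at the computed offset are not a complete IPv4 header. */
int ipv4_protocol(int dlt, const uint8_t *pkt, size_t caplen)
{
    int off = net_offset(dlt, pkt, caplen);
    if (off < 0 || caplen < (size_t)off + 20) return -1;
    if ((pkt[off] >> 4) != 4) return -1; /* version nibble must be 4 */
    return pkt[off + 9];                 /* protocol is byte 9 of the IPv4 header */
}

/* A raw socket opened with IPPROTO_TCP receives protocol 6 only; libpcap hands the
 * callback every frame on the interface, which is why UDP and ICMP appear there. */
int raw_tcp_socket_would_see(int dlt, const uint8_t *pkt, size_t caplen)
{
    return ipv4_protocol(dlt, pkt, caplen) == 6;
}

/* Constructed sample frames: Ethernet + IPv4/UDP, and Linux cooked + IPv4/TCP. */
const uint8_t eth_udp[34] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0x08, 0x00,           /* dst, src, EtherType IPv4 */
    0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 0x40, 17, 0, 0,          /* IPv4 header, proto UDP */
    192, 168, 0, 159, 192, 168, 0, 1 };                          /* src, dst address */
const uint8_t sll_tcp[36] = {
    0, 0, 0, 1, 0, 6, 0, 1, 2, 3, 4, 5, 0, 0, 0x08, 0x00,        /* cooked header, proto IPv4 */
    0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 0x40, 6, 0, 0,           /* IPv4 header, proto TCP */
    127, 0, 0, 1, 127, 0, 0, 1 };
```

In a real program the `dlt` argument comes from `pcap_datalink(pcap_handle)` after `pcap_open_live()`, and `pkt`/`caplen` from the `pcap_pkthdr` and data pointer passed to the `pcap_loop()` callback.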
