how to capture ARP packets (among others) ?

 
 
Siddharth Jain
Guest
Posts: n/a

 
      08-29-2005, 10:56 PM
Hi,

I am writing a simple application using the bsd socket api. I have 2
issues on which I could get no clarity even after obscene amounts of
googling. Here they are:

1. I capture TCP/IP, UDP/IP & ICMP/IP packets by making a RAW socket and
specifying the protocol as IPPROTO_TCP, IPPROTO_UDP & IPPROTO_ICMP
respectively.
In a similar way, how can I capture ARP packets? Do I have to make a
different type of socket for this?
btw...exactly which layer of the OSI model are we working on in case of
the above-mentioned sockets? I did find something to do with specifying
ETH_P_ARP as the protocol and PF_PACKET as the 1st parameter in
socket()...but I could hardly understand it.

2. Is there a cleaner way in which I can make just 1 socket and capture
packets of all types on it and then open up the headers to recognize
what type of a packet it actually was?

Any help will be greatly appreciated.


Thanks in advance,
Siddharth Jain

 
 
 
 
 
Llanzlan Klazmon
Guest
Posts: n/a

 
      08-29-2005, 11:21 PM
"Siddharth Jain" wrote:

> Hi,
>
> I am writing a simple application using the bsd socket api. I have 2
> issues on which I could get no clarity even after obscene amounts of
> googling. Here they are:
>
> 1. I capture TCP/IP, UDP/IP & ICMP/IP packets by making a RAW socket and
> specifying the protocol as IPPROTO_TCP, IPPROTO_UDP & IPPROTO_ICMP
> respectively.
> In a similar way, how can I capture ARP packets? Do I have to make a
> different type of socket for this?
> btw...exactly which layer of the OSI model are we working on in case of
> the above-mentioned sockets? I did find something to do with specifying
> ETH_P_ARP as the protocol and PF_PACKET as the 1st parameter in
> socket()...but I could hardly understand it.
>
> 2. Is there a cleaner way in which I can make just 1 socket and capture
> packets of all types on it and then open up the headers to recognize
> what type of a packet it actually was?
>
> Any help will be greatly appreciated.
>


I don't know the answer to your question but it is obviously possible as
ethereal captures and displays ARP protocol packets.

Klazmon.



>
> Thanks in advance,
> Siddharth Jain
>
>


 
 
Siddharth Jain
Guest
Posts: n/a

 
      08-30-2005, 12:21 AM
Exactly. It should be possible. But I tried to use PF_PACKET as the 1st
argument and htons(ETH_P_ALL) in the 3rd argument of socket().
But it doesn't seem to work.

Also, can someone tell me if putting my network card in promiscuous mode
will give me any extra packets as compared to earlier (I am on a
switched network).
I tried to do this but found that all the TCP/IP, UDP/IP packets I
could capture were all meant for my IP. So, effectively, putting into
promiscuous mode didn't really help. Does this have anything to do with
my network being switched?

 
 
Llanzlan Klazmon
Guest
Posts: n/a

 
      08-30-2005, 01:22 AM
"Siddharth Jain" wrote:

> Exactly. It should be possible. But I tried to use PF_PACKET as the 1st
> argument and htons(ETH_P_ALL) in the 3rd argument of socket().
> But it doesn't seem to work.
>
> Also, can someone tell me if putting my network card in promiscuous mode
> will give me any extra packets as compared to earlier (I am on a
> switched network).
> I tried to do this but found that all the TCP/IP, UDP/IP packets I
> could capture were all meant for my IP. So, effectively, putting into
> promiscuous mode didn't really help. Does this have anything to do with
> my network being switched?
>


You could cheat. Download the ethereal source and have a look to see how
they do it ;-).

Klazmon.
 
 
tony.p.lee@gmail.com
Guest
Posts: n/a

 
      08-30-2005, 02:01 AM
http://people.su.se/~lha/arpping/arpping.c

Have fun!

-Tony
Having fun with FPGA HW + ppc + Linux

 
 
Siddharth Jain
Guest
Posts: n/a

 
      08-30-2005, 02:21 AM
Actually, I want to do this without using the libpcap library, for some
strange reason.

It has to be possible to make a socket just above OSI layer 2 which can
capture ALL packets. After that I want my own program to figure out
what type of a packet this is.
libpcap does make life simple but I really want to get down to the
lowest level and see how things work.

Any idea how to do that?

Thanks in advance
Siddharth Jain

 
 
Siddharth Jain
Guest
Posts: n/a

 
      08-30-2005, 02:24 AM
I could do that. But, AFAIK ethereal uses libpcap to capture packets.
I want to get down to the lowest level and make my own socket to
capture all packets.

how can I do that?

 
 
Llanzlan Klazmon
Guest
Posts: n/a

 
      08-30-2005, 04:21 AM
"Siddharth Jain" wrote:

> Actually, I want to do this without using the libpcap library, for some
> strange reason.
>
> It has to be possible to make a socket just above OSI layer 2 which can
> capture ALL packets. After that I want my own program to figure out
> what type of a packet this is.
> libpcap does make life simple but I really want to get down to the
> lowest level and see how things work.
>
> Any idea how to do that?
>


Again look at the source. The libpcap source is available.

Klazmon.



> Thanks in advance
> Siddharth Jain
>


 
 
James Knott
Guest
Posts: n/a

 
      08-30-2005, 12:59 PM
Siddharth Jain wrote:

> . Is there a cleaner way in which I can make just 1 socket and capture
> packets of all types on it


You could try using an ether net. ;-)

 
 
Allen McIntosh
Guest
Posts: n/a

 
      08-30-2005, 03:09 PM
> I could do that. But, AFAIK ethereal uses libpcap to capture packets.
Last time I looked (admittedly some time ago) it used its own library.
> I want to get down to the lowest level and make my own socket to
> capture all packets.
> how can I do that?

Why don't you want to look at the source?
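
The single-socket approach asked about in this thread (one packet socket opened with `htons(ETH_P_ALL)`, then classifying each frame from its own headers), as an added example that is not part of any post. It assumes Linux and Ethernet framing; `AF_PACKET` is the same value as `PF_PACKET`, the names `classify_frame`, `capture` and `sample_arp` are made up here, and the sample frame is constructed.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed ARP request (who-has 192.0.2.2 tell 192.0.2.1), not captured traffic. */
static const uint8_t sample_arp[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x06, /* Ethernet header */
    0,1, 0x08,0, 6, 4, 0,1,           /* htype, ptype, hlen, plen, oper=request */
    0x02,0,0,0,0,0x01, 192,0,2,1, 0,0,0,0,0,0, 192,0,2,2 }; /* sender, target */

/* Classify one Ethernet frame by EtherType, then by IPv4 protocol number. */
const char *classify_frame(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN) return "malformed";          /* dst MAC, src MAC, type */
    unsigned type = ((unsigned)f[12] << 8) | f[13];
    if (type == ETH_P_ARP) return len >= ETH_HLEN + 28 ? "ARP" : "malformed";
    if (type != ETH_P_IP) return "other";
    if (len < ETH_HLEN + 20 || (f[14] >> 4) != 4) return "malformed";
    switch (f[ETH_HLEN + 9]) {                       /* IPv4 protocol field */
    case 1:  return "ICMP";
    case 6:  return "TCP";
    case 17: return "UDP";
    default: return "IPv4-other";
    }
}

/* Read n frames from one packet socket (root or CAP_NET_RAW); -1 if it cannot open. */
int capture(int n)
{
    static uint8_t buf[65536];
    int got = 0, fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return -1; }
    for (; got < n; got++) {
        ssize_t r = recv(fd, buf, sizeof buf, 0);
        if (r < 0) { perror("recv"); break; }
        printf("%zd bytes: %s\n", r, classify_frame(buf, (size_t)r));
    }
    close(fd);
    return got;
}

int main(void)
{
    printf("sample: %s\n", classify_frame(sample_arp, sizeof sample_arp));
    return capture(20) < 0;
}
```

The protocol argument is compared against the EtherType as it appears on the wire, so it has to be passed in network byte order with `htons()`. A packet socket that is not bound to an interface receives frames from every interface on the host.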
 