thanks a lot for that bit of info, but i have another question in my mind, which is what stevens says:

The following rules apply to the raw socket input, i.e. which packets the kernel passes to the raw socket:

1. received tcp packets and udp packets are never passed to the raw socket. if a process needs to read ip datagrams containing tcp/udp packets then it must read them at the datalink layer, i.e. PF_PACKET/SOCK_PACKET sockets.

so what do you comment on this? please tell me if i am wrong at any place..

thanks
malhacker

casey as i said that

--- Casey Carter <Casey@Carter.net> wrote:
> You want a simple raw socket, with no protocol set, i.e.,
>
> int sock = socket(PF_INET, SOCK_RAW, 0);
>
> This will get all IP packets, after reassembly.
>
> Mal Hacker wrote:
> >
> > hello friends,
> >
> > now as i am mailing u, the basic reason is that i have a problem and
> > maybe anybody of u can suggest me some good solution.... the main
> > motive of mine is to design a network sniffer...currently on a linux
> > platform and complete userlevel implementation....with the basic
> > motive of making it platform independent ... but for now I can go
> > with linux only. now what i have gone thru is tcpdump/libpcap/linux
> > socket filter/ and have also read something about ipchains and some
> > related stuff..so here is my basic problem...
> >
> > a) is there any system call (or a set of them) available which gives
> > me ip packets from the network interface, by that i mean: all ip
> > packets with ethernet header removed but reassembled (i.e. in any
> > case, either for tcp or udp, i should not get fragmented packets).
> >
> > b) secondly, is there a way to do the same thing via libpcap, 'coz
> > libpcap probably doesn't support ip reassembly (as i know), and due
> > to the same reason tcpdump fails for fragmented packets.
> >
> > c) does LSF (linux socket filter) have a similar option?
> >
> > All this with the fact that i don't want to modify the existing
> > kernel code so as to make some modifications on the raw socket BSD
> > interface to provide such an option. Also, you may say that ipchains
> > or some other stuff may support this, then if possible please guide
> > me to it coz i have not read about them. Other than libpcap (user
> > level filtering on linux) and of course LSF, is there any other
> > filtering method which can be employed to do the above task.....
> > Also, the basic reason for this is that i want to do some sort of
> > in-kernel filtering so that all the packets which i am reading thru
> > the interface are somewhat filtered on the basis of some very basic
> > criteria...i.e. up to some ip address and port number filtering..
> >
> > thanks ...i may not be too clear in what i am asking for..but
> > maybe..someone may be able to help...
> >
> > thanks in advance
> > mal
> >
> > PS: I think I had sent this mail to this grp before also, but I
> > think that was lost somewhere on the way as it didn't even get into
> > my mailbox ...sorry if it is a repeat post....
>
> --
> Casey Carter
> Casey@Carter.net
> ccarter@uiuc.edu
> AIM: cartec69

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
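An added example, not part of the original thread: the thread asks for IP address and port filtering together with reassembly, and this sketch shows why the two are linked, since a later fragment carries no TCP/UDP header and a port rule cannot be decided on it. The names classify, struct rule and the verdict values are hypothetical, and the two fragments are constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of filtering one IPv4 packet whose link-layer header is already removed. */
enum verdict { V_MALFORMED = -1, V_DROP = 0, V_MATCH = 1, V_NEED_REASSEMBLY = 2 };

/* Hypothetical rule: match this address (either side) and this port (either side). */
struct rule { uint32_t addr; uint16_t port; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

enum verdict classify(const uint8_t *pkt, size_t len, const struct rule *r)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IP header length in bytes */
    size_t total = be16(pkt + 2);                    /* total length field */
    if (ihl < 20 || total < ihl || total > len) return V_MALFORMED;

    if (be32(pkt + 12) != r->addr && be32(pkt + 16) != r->addr) return V_DROP;
    if (pkt[9] != 6 && pkt[9] != 17) return V_DROP;  /* only TCP (6) and UDP (17) have ports */

    uint16_t frag = be16(pkt + 6);
    unsigned offset = (frag & 0x1fffu) * 8u;         /* fragment offset in bytes */
    int more = (frag & 0x2000) != 0;                 /* MF (more fragments) flag */
    /* A later fragment has no TCP/UDP header, so the port test cannot be answered. */
    if (offset != 0) return V_NEED_REASSEMBLY;
    /* First fragment too short to hold both ports: the rest is needed. */
    if (total - ihl < 4) return more ? V_NEED_REASSEMBLY : V_MALFORMED;

    const uint8_t *l4 = pkt + ihl;                   /* source port, then destination port */
    return (be16(l4) == r->port || be16(l4 + 2) == r->port) ? V_MATCH : V_DROP;
}

/* Constructed sample: one UDP datagram 10.0.0.1:1234 -> 10.0.0.2:53 in two fragments. */
const uint8_t frag_first[28] = { 0x45,0,0,28, 0,1,0x20,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
                                 0x04,0xd2, 0,53, 0,12, 0,0 };
const uint8_t frag_later[24] = { 0x45,0,0,24, 0,1,0,1, 64,17,0,0, 10,0,0,1, 10,0,0,2,
                                 'A','B','C','D' };
const struct rule dns_rule  = { 0x0a000002u, 53 };   /* 10.0.0.2, port 53 */
const struct rule http_rule = { 0x0a000002u, 80 };   /* 10.0.0.2, port 80 */
```

The later fragment gets V_NEED_REASSEMBLY under both rules, so a sniffer that filters on ports before reassembly has to either hold such fragments or pass them up unfiltered.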