Strange RAW Socket on Mac OS X

funnyCoder picture funnyCoder · Jul 29, 2011 · Viewed 7.8k times · Source

When i run a simple packet sniffer coded in C on my Mac OS X, i got no output at all, this is a strange thing! can someone help me to understand what going on.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
   int i, recv_length, sockfd;

   u_char buffer[9000];

   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!!\n");

        return -1;
   }

   for(i=0; i < 3; i++) {
      recv_length = recv(sockfd, buffer, 8000, 0);
      printf("Got some bytes : %d\n", recv_length);
   }

   return 0;
}

I compile it and run it on my box and nothing is going:

MacOsxBox:Desktop evariste$sudo ./simpleSniffer

Thanks for your help.

Answer

mpontillo picture mpontillo · Jul 30, 2011

This will not work on *BSD (including OSX/Darwin). See the investigation here for more details:

b. FreeBSD
**********

FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw
sockets. Such packets need to be read directly at the datalink layer by using
libraries like libpcap or the bpf API. It also *never* passes any fragmented 
datagram. Each datagram has to be completeley reassembled before it is passed
to a raw socket.
FreeBSD passes to a raw socket:
    a) every IP datagram with a protocol field that is not registered in
    the kernel
    b) all IGMP packets after kernel finishes processing them
    c) all ICMP packets (except echo request, timestamp request and address
    mask request) after kernel finishes processes them

Moral of the story: use libpcap for this. It will make your life much easier. (If you use MacPorts, do sudo port install libpcap.)