-
March 11th, 2010, 07:29 AM
#1
Help with sniffer
Hi, this is the code I wrote for a sniffer program that also parses the Ethernet header.
Code:
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h>

/* Print the destination MAC, source MAC and EtherType of one frame. */
void parse_ether(const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    int i;
    const struct ethhdr *ethernet_header;
    const unsigned char *p;

    /* caplen is the number of bytes actually captured; len is the length on the wire */
    if (pkthdr->caplen >= sizeof(struct ethhdr))
    {
        ethernet_header = (const struct ethhdr *)packet;

        p = ethernet_header->h_dest;
        printf("Destination MAC : ");
        for (i = 0; i < 6; i++)
        {
            printf("%.2x ", *p);
            p++;
        }
        printf("\n");

        p = ethernet_header->h_source;
        printf("Source MAC : ");
        for (i = 0; i < 6; i++)
        {
            printf("%.2x ", *p);
            p++;
        }
        printf("\n");

        /* h_proto is in network byte order; print its two bytes as they appear on the wire */
        p = (const unsigned char *)&ethernet_header->h_proto;
        printf("Protocol : ");
        for (i = 0; i < 2; i++)
        {
            printf("%.2x ", *p);
            p++;
        }
        printf("\n");
    }
}

/* Called by pcap_loop() once for every captured packet. */
void my_callback(u_char *useless, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    bpf_u_int32 i;
    const u_char *ptr = packet;

    (void)useless; /* user argument of pcap_loop(), not used here */

    printf("\nThe length of the Packet is %u\n", pkthdr->len);

    /* Display the packet in hex; only caplen bytes are present in the buffer */
    i = pkthdr->caplen;
    while (i--)
    {
        printf("%.2x ", *ptr);
        ptr++;
    }
    printf("\n");

    parse_ether(pkthdr, packet);
    printf("NEXT PACKET \n\n\n");
    printf("-----------------------------------------------------------------------------------------------");
}

int main()
{
    int cnt;                       /* number of packets to capture */
    char errbuf[PCAP_ERRBUF_SIZE]; /* holds libpcap error messages */
    pcap_t *descr;
    char *dev;                     /* name of the capture device */

    printf("Enter the number of packets you wish to capture :\n");
    if (scanf("%d", &cnt) != 1)
    {
        printf("invalid packet count\n");
        exit(1);
    }

    /* get the name of the device (pcap_lookupdev is deprecated in newer libpcap;
       pcap_findalldevs is the replacement) */
    dev = pcap_lookupdev(errbuf);
    if (dev == NULL) /* didn't get any device */
    {
        printf("device error %s\n", errbuf);
        exit(1);
    }

    /* open the device for listening: snaplen BUFSIZ, promiscuous mode on (1),
       1000 ms read timeout (the original -1 is not a valid timeout) */
    descr = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
    if (descr == NULL) /* check for an error */
    {
        printf("pcap_open_live %s\n", errbuf);
        exit(1);
    }

    /* capture until cnt packets have been handled; each one is passed to my_callback */
    pcap_loop(descr, cnt, my_callback, NULL);
    pcap_close(descr);
    printf("Exit Now\n");
    return 0;
}
The problem is that I only seem to capture packets with destination MAC ff ff ff ff ff ff, which is broadcast, or with the destination MAC of my machine. What could be wrong? Is it that I'm sitting behind a firewall, or some other network theory? But before all that, is there something wrong with the code? Thanks.
-
March 11th, 2010, 08:25 AM
#2
Re: Help with sniffer
The indentation on that block of code (or lack thereof) makes it impossible to follow, but I believe the problem is that your Ethernet card needs to be set to promiscuous mode to even act on any packet not destined to its MAC. Either that, or your machine is on a segment of the network isolated from all other machines (say, the only machine on a segment blocked by a smart switch).
It looks like you're using libpcap which I know nothing about, but there should be some API call to set promiscuous mode, otherwise libpcap wouldn't be very useful.
-
March 11th, 2010, 09:05 AM
#3
Re: Help with sniffer
 Originally Posted by hoxsiew
The indentation on that block of code (or lack thereof) makes it impossible to follow, but I believe the problem is that your Ethernet card needs to be set to promiscuous mode to even act on any packet not destined to its MAC. Either that, or your machine is on a segment of the network isolated from all other machines (say, the only machine on a segment blocked by a smart switch).
It looks like you're using libpcap which I know nothing about, but there should be some API call to set promiscuous mode, otherwise libpcap wouldn't be very useful.
Oops, my bad for the indentation, but I put it together quickly. Second thing: I have put my card in promiscuous mode, I'm sure about that. And yeah, it can be possible about my box being isolated, but I don't want to consider that possibility yet; I want to start with whether something is wrong with the code above. Thanks anyway.
-
March 11th, 2010, 09:33 AM
#4
Re: Help with sniffer
You also need to check if you're using an Ethernet switch vs. a hub. An Ethernet switch will direct only your traffic to you; you'll not see traffic destined for other machines.
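Added example, not code from any poster in this thread: a bounds-checked classifier for the destination MAC of a captured frame, which makes the symptom discussed above measurable by counting frames addressed to other hosts. The function names, the enum and the sample frames are constructed for illustration; in a real capture the frame pointer and caplen would come from the pcap callback.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14  /* 6 dst + 6 src + 2 EtherType */
enum dst_class { DST_TRUNCATED, DST_BROADCAST, DST_MULTICAST, DST_LOCAL, DST_OTHER_HOST };

/* Classify one frame by destination MAC; caplen is the captured byte count. */
enum dst_class classify_dst(const uint8_t *frame, size_t caplen,
                            const uint8_t local_mac[6])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (frame == NULL || caplen < ETH_HDR_LEN)
        return DST_TRUNCATED;           /* never read past the capture */
    if (memcmp(frame, bcast, 6) == 0)
        return DST_BROADCAST;
    if (frame[0] & 0x01)                /* I/G bit set: group address */
        return DST_MULTICAST;
    if (memcmp(frame, local_mac, 6) == 0)
        return DST_LOCAL;
    return DST_OTHER_HOST;              /* unicast addressed to another host */
}

/* EtherType is big-endian on the wire; assemble it byte by byte. */
uint16_t ether_type(const uint8_t *frame, size_t caplen)
{
    if (frame == NULL || caplen < ETH_HDR_LEN) return 0;
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* Constructed sample data (not from the thread): local MAC and three frames. */
static const uint8_t SAMPLE_LOCAL[6] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t SAMPLE_FRAMES[3][ETH_HDR_LEN] = {
    {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x02, 0x08,0x06}, /* ARP broadcast */
    {0x02,0,0,0,0,0x01,             0x02,0,0,0,0,0x02, 0x08,0x00}, /* IPv4 to us */
    {0x01,0x00,0x5e,0,0,0xfb,       0x02,0,0,0,0,0x02, 0x08,0x00}, /* IPv4 multicast */
};

/* Count frames addressed to another host; 0 matches the switched-port case from post #4. */
unsigned count_other_host(const uint8_t frames[][ETH_HDR_LEN], size_t n,
                          const uint8_t local_mac[6])
{
    unsigned other = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_dst(frames[i], ETH_HDR_LEN, local_mac) == DST_OTHER_HOST)
            other++;
    return other;
}

int main(void) { printf("other-host frames: %u\n", count_other_host(SAMPLE_FRAMES, 3, SAMPLE_LOCAL)); return 0; }
```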