Network programming in Linux


Getting started with libpcap

Extracting Ethernet information
Internet Protocol (IP)

Filtering captured datagrams
Capturing datagrams offline

Address Resolution Protocol (ARP)
Internet Control Message Protocol (ICMP)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Trivial File Transfer Protocol (TFTP)

Injecting datagrams with libnet
Implementing ping
Implementing traceroute

Download source code

What is it?

Packet capture is the action of collecting data as it travels through a computer network. Sniffing consists of grabbing network datagrams through the Ethernet card of a computer connected to that network. There are multiple reasons why one wants to collect information with tools such as protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic generators and network testers.

Packet injection consists of customizing and transmitting datagrams through the network to specific targets. Again, reasons for such injections include routing analysis, security audits and malicious attacks.

In this tutorial, we use open-source libraries to build packet capture and injection applications in C++ on Linux:

  • libpcap consists of an application programming interface (API) for capturing network traffic. It provides the packet-capture and filtering engines of many open source and commercial network tools, including tcpdump. libpcap also supports saving captured packets to a file, and reading files containing saved packets; applications can be written to capture network traffic and analyze it, or to read a saved capture and analyze it using the same analysis code.
  • libnet is a high-level API for constructing and injecting network traffic. It provides a portable and simplified interface for low-level network packet shaping, handling and injection. libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more.

Who is it for?

This tutorial is intended for experienced C++ programmers who wish to develop packet capture and/or injection applications on Linux. It assumes the reader has a basic understanding of network protocols at the lower TCP/IP layers (Ethernet, ARP, ICMP, IP, TCP, UDP, etc.) as well as a basic understanding of how simple network applications such as ping and traceroute work. Packet header formats and protocols are detailed when appropriate.

What do you need?

To test the presented source code, you should have a functional C++ compiler (for example gcc) as well as the libpcap and libnet libraries installed in a Linux distribution. The libraries are pretty straightforward to install.

All source code presented in this tutorial is fully portable to most Linux distributions.

Some terminology

Throughout this tutorial we designate captured chunks of bytes as datagrams. A sequence of bytes travelling through a network is named differently depending on which TCP/IP layer it travels:

  • A sequence of bytes transiting on the data link layer is usually called a frame (e.g. an Ethernet frame).
  • A sequence of bytes transiting on the network layer is usually called a packet (e.g. an IP packet).
  • A sequence of bytes transiting on the transport layer is usually called a segment (e.g. a TCP segment).

To improve readability, this tutorial commonly uses the term "datagram" to designate frames, packets, segments and other application layer protocol data chunks. The more precise terms (frame, packet or segment) are used when appropriate.
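The following is an added example, not code from the tutorial: a per-datagram handler that walks one captured chunk of bytes through the three layers named above (Ethernet frame, IP packet, UDP or TCP segment), checking every offset against the captured length so a truncated capture is rejected rather than read past its end. It is the kind of analysis function libpcap lets you share between live capture and offline reading, since the same callback handed to pcap_loop receives datagrams whether the handle came from pcap_open_live or pcap_open_offline; the example itself makes no libpcap call and parses a constructed sample frame, so it builds with a plain C compiler.

```c
/* Added example, not from the tutorial: one per-datagram handler that walks
 * a captured chunk of bytes layer by layer (Ethernet frame -> IP packet ->
 * UDP/TCP segment). It makes no libpcap call so it builds with plain gcc. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct layers {                  /* one field per TCP/IP layer */
    uint16_t ethertype;          /* data link: Ethernet frame */
    uint8_t  ip_proto;           /* network:   IP packet */
    uint16_t src_port, dst_port; /* transport: UDP or TCP segment */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the datagram is truncated or not IPv4 UDP/TCP.
 * 'len' is the captured length, so every offset is checked against it. */
int parse_datagram(const uint8_t *buf, size_t len, struct layers *out)
{
    if (len < 14) return -1;                        /* Ethernet header */
    out->ethertype = be16(buf + 12);
    if (out->ethertype != 0x0800) return -1;        /* IPv4 only */
    if (len < 14 + 20) return -1;                   /* minimal IP header */
    const uint8_t *ip = buf + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* IP header length, bytes */
    if (ihl < 20 || len < 14 + ihl + 4) return -1;  /* ports must be captured */
    out->ip_proto = ip[9];
    if (out->ip_proto != 17 && out->ip_proto != 6) return -1;
    out->src_port = be16(ip + ihl);
    out->dst_port = be16(ip + ihl + 2);
    return 0;
}

/* Constructed sample frame: Ethernet(IPv4) / IPv4(UDP, no options) /
 * UDP 12345 -> 53 carrying a 4-byte payload. Checksums are left at zero. */
static const uint8_t sample[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x20, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x01,
    0x30,0x39, 0x00,0x35, 0x00,0x0c, 0x00,0x00,
    0xde,0xad,0xbe,0xef
};

int main(void)
{
    struct layers l;
    if (parse_datagram(sample, sizeof sample, &l) == 0)
        printf("ethertype=0x%04x ip_proto=%u ports %u -> %u\n",
               l.ethertype, (unsigned)l.ip_proto, l.src_port, l.dst_port);
    return 0;
}
```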

Source code availability

All source code presented in this tutorial may be downloaded freely. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.

The source code is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details.

All source code is copyright 2014 Marco Lavoie unless otherwise stated. Please include references to this tutorial if you use any of its source code in your personal or commercial productions.


Copyright © 2014 Marco Lavoie