Hi, I’m c-bata. This is my first story of Medium.

In this story, I describe how to write cross-platform packet capture from scratch. The source code of my packet capture is available on Github. Currently it supports ARP, ICMP, IP, IPv6, TCP and UDP protocols.

How supports the both of Linux and macOS

The packet capture tool receives and analyzes all packets flowing through the network. The way how Promiscuous mode allows a network device to intercept and read each network packets regardless of the target address. Most of NICs (Network Interface Cards) are support it.

There are differences between each systems because it needs to control NIC which is hardware layer. libpcap created by the author of tcpdump absorbs differences in UNIX systems(ex: Linux, BSD and macOS). It has also been ported to Windows, and it called WinPcap. But xpcap supports Linux and macOS without having to depends on libpcap for my study purpose.

RAW Socket

When reading ethernet frames on Linux, we need to use RAW Socket.

After that, you reading ethernet frames via `recv(2)` when socket descriptor is ready.

If using `select(2)` to watch socket descriptor, the source code is below:

struct timeval timeout;

fd_set mask;

int width, len, ready;

while (g_gotsig == 0) {

FD_ZERO(&mask);

FD_SET(soc, &mask);

width = doc + 1; timeout.tv_sec = 8;

timeout.tv_usec = 0;

ready = select(width, &mask, NULL, NULL, &timeout);

if (ready == -1) {

perror("select");

break;

} else if (ready == 0) {

fprintf(stderr, "select timeout");

break;

} if (FD_ISSET(sniffer->fd, &mask)){

if ((len = recv(soc, buffer, >buf_len, 0)) == -1){

perror("recv:");

return -1;

}

}

}

There are many materials and texts which describes how to capture packets in Linux environment using RAW Socket. But BPF(Berkeley Packet Filters) which is the only way to read ethernet frames on BSD environment is not.

Berkeley Packet Filters

We need to use BPF(Berkeley Packet Filter) at BSD systems including macOS.

BPF provides virtual machine to filter packets in kernel space. And BPF devices are used to read data.

BPF devices are exists in `/dev/` directory. You need to find available BPF devices by checking sequentially from bpf0 to bpfxxx.

$ ls /dev/bpf?

/dev/bpf0 /dev/bpf1 /dev/bpf2 /dev/bpf3 /dev/bpf4 /dev/bpf5 /dev/bpf6 /dev/bpf7 /dev/bpf8 /dev/bpf9

Although it exists up to about bpf255 in my macbook, google/gopacke seems to check until bpf99. Maybe it’s enough in almost situations because of the number of NIC (See google/gopacket bsdbpf package).

After found free bpf device, following operations are required to read ethernet frames.

After that you need to use `read(2)` because this is a device file, not a socket descriptor. Returned value of `read(2)` is not Ethernet frame binaries. Ethernet frame is wrapped by a BPF packet.

When parsing the header of BPF, since the data length is on, we will repeat the parsing by finding the position of the next BPF packet by using it.

typedef struct {

int fd;

char device[11];

unsigned int buf_len;

char *buffer;

unsigned int last_read_len;

unsigned int read_bytes_consumed;

} Sniffer; int

parse_bpf_packets(Sniffer *sniffer, CapturedInfo *info)

{

if (sniffer->read_bytes_consumed + sizeof(sniffer->buffer)

>= sniffer->last_read_len) {

return 0;

} info->bpf_hdr = (struct bpf_hdr*)((long)sniffer->buffer +

(long)sniffer->read_bytes_consumed);

info->data = sniffer->buffer + \

(long)sniffer->read_bytes_consumed + \

info->bpf_hdr->bh_hdrlen;

sniffer->read_bytes_consumed += BPF_WORDALIGN(

info->bpf_hdr->bh_hdrlen + info->bpf_hdr->bh_caplen);

return info->bpf_hdr->bh_datalen;

}

After that it’s ok you just parsing ethernet frames and extract `ARP`, `ICMP`, `IP`, `IPv6`, `TCP` and `UDP` protocols.

References

Implementations I referred are below: