Libpcap Library and Programming
James Won-Ki Hong
POSTECH
Department of Computer Science and Engineering
POSTECH, Korea jwkhong@postech.ac.kr
CSED702Y: Software Defined Networking 1/17
Outline
Introduction
Basic Concept of Packet Capturing
Programming with Libpcap
Libpcap based Software
Installation of Libpcap
POSTECH CSED702Y: Software Defined Networking 2/17
Introduction
Libpcap: Portable Packet Capturing Library
Operating system independent
Provide general-purpose APIs
Simple and powerful user-level library
Compatible with Unix like system
Many of commercial IDS systems utilize Libpcap to analyze packet data
Representative Programs Rely on Libpcap
TCPDump, SAINT and etc.
Other Packet Capturing Tools
SOCK_PACKET, LSF, SNOOP, SINT and etc.
Operating system dependent
POSTECH CSED702Y: Software Defined Networking 3/17
Basic Concept of Packet Capturing
Packet Capturing
Packet capturing (sniffing) does not affects to data transfer
The packet captured by libpcap is called raw packet and demultiplexing is required to analyze the packet
POSTECH CSED702Y: Software Defined Networking 4/17
Libpcap File Format
File Extension
Normally has “.pcap” file extension
File Format
General libpcap file format
• Contains some global information followed by zero or more records for each packet
Global
Header
Packet
Header
Packet Data
Packet
Header
Packet Data
Packet
Header
Packet Data
• A captured packet in a capture file does not necessarily contain all the data
• A captured file might contain at most first N bytes of each packet
Global Header
…
POSTECH CSED702Y: Software Defined Networking 5/17
Device & Network Related APIs (1/2)
Device & Network Lookup for Single Device
char *pcap_lookupdev(char *errbuf)
• Return a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet()
• Return NULL indicates an error
• Reference: lookupdev.c
int pcap_lookupnet( const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
• Determine the network number and mask associated with the network device
• Return
-1 indicates an error
• Reference: lookupnet.c
POSTECH CSED702Y: Software Defined Networking 6/17
Device & Network Related APIs (2/2)
Device & Network Lookup for Multiple Devices
int pcap_findalldevs(pcap_if_t **alldevsp, char
*errbuf)
• Constructs a list of network devices that can be opened with pcap_create() and pcap_activate() or with pcap_open_live()
• alldevsp: list of network devides
• Returns
0 on success and -1 on failure.
• The list of devices must be freed with pcap_freealldevs()
Structure of pcap_if_t
• next: if not NULL, a pointer to the next element in the list
• name: a pointer to a string giving a name for the device to pass to pcap_open_live()
• description: if not NULL, a pointer to a string giving a human-read- able description of the device
• addresses: a pointer to the first element of a list of addresses
• flags: interface flags - PCAP_IF_LOOPBACK set if the interface is a loopback interface
POSTECH CSED702Y: Software Defined Networking 7/17
Example of Device Loopup
Output:
DEV: eth0
NET: 192.168.xx.x
MASK:
255.255.xxx.xxx
POSTECH CSED702Y: Software Defined Networking 8/17
Initializing Packet Capturing APIs
Preparation of Packet Capturing
File descriptor == Packet capture descriptor
Packet capture descriptor: pcap_t *
pcap_t *pcap_open_live( const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
• Parameters
• device: the device in which the packets are captured from
• snaplen: maximum number of bytes to capture
• promisc: true, set the interface into promiscuous mode ; false, only bring packets intended for you
• to_ms: read timeout in milliseconds; zero , cause a read to wait forever to allow enough packets to arrive
• Return
• A packet capture descriptor to look at packets on the network
• Return NULL indicates an error
pcap_t *pcap_open_offline(const char *fname, char
*errbuf)
• open a “savefile” for reading
• fname: the name of the file to open
• return a pcap_t * on success and NULL on failure
POSTECH CSED702Y: Software Defined Networking 9/17
TCP, IP, Ethernet Structures (1/4)
The path of TCP, IP and Ethernet Header
Ethernet header: /usr/include/linux/if_ether.h
IP and TCP headers: /usr/include/netinet
Packet Format
Ethernet Frame
Ethernet
Header
14 bytes
46 ~ 1500 bytes
IP Header TCP Header
Application
Data
Ethernet
Trailer
20 bytes 20 bytes
POSTECH
ICMP header : 8 byte
UDP header : 8 byte
ARP header : 28 byte
CSED702Y: Software Defined Networking 10/17
TCP, IP, Ethernet Structures (2/4)
Ethernet Header
Ethernet Header
Preamble
S
F
D
8 bytes
DST.
Address
SRC.
Address
Type
6 bytes 6 bytes 2 bytes
Payload n bytes
Frame
Check (CRC)
4 bytes
POSTECH CSED702Y: Software Defined Networking 11/17
TCP, IP, Ethernet Structures (3/4)
IP Header
32
64
96
128
160
Bit
Offset
0
0 ~ 3 4 ~ 11 8 ~ 15 16 ~ 23 24 ~ 31
Version
Header
Length
Identifier
TOS Total Packet Length
Flags Fragment Offset
Time to Live (TTL)
Protocol
ID
IP Header Options
Header Checksum
Source IP Address
Destination IP Address
Padding
POSTECH CSED702Y: Software Defined Networking 12/17
TCP, IP, Ethernet Structures (4/4)
TCP Header
32 bits source port # dest port # sequence number acknowledgement number head len not used
U A P R S F checksum rcvr window size ptr urgent data
Options (variable length)
POSTECH CSED702Y: Software Defined Networking 13/17
Packet Read Related APIs
Read Packet in Loop Manner
const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
• Read the next packet
• Return
NULL indicates an error
• pcap_next.c
• timestamp.c
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
• Processes packets from a live capture or “savefile‘” until cnt packets are processed
• A value of -1 or 0 for cnt is equivalent to infinity
• callback specifies a routine to be called
POSTECH CSED702Y: Software Defined Networking 14/17
Filtering Related APIs
Filter
int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
• Compile the str into a filter program
• str: filter string
• optimize: 1, optimization on the resulting code is performed
• netmask: specify network on which packets are being captured
• Returns 0 on success and -1 on failure
int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
• Specify a filter program (after compiling filter)
• Return
-1 indicates an error
• pcap_filter.c
Sample Source
http://dpnm.postech.ac.kr/cs702/2015/src/test.c
http://dpnm.postech.ac.kr/cs702/2015/src/readfile.c
POSTECH CSED702Y: Software Defined Networking 15/17
How to Compile Libpcap Program?
Two Parameters
Library path (e.g., -lpcap)
Compilation flags (-I/usr/include.pcap)
Automate the Compilation
Shell Scripting
• Create a compile.sh in executable mode, put follows and execute compile.sh gcc -o test test.c –lpcap -I/usr/include.pcap
Makefile
• Create a Makefile, put follows and run make through CLI
CC=gcc
LIBS=-lpcap
CFLAGS=-I/usr/include.pcap
OBJ=test.o
TARGET = test all: $(TARGET)
$(TARGET): $(TARGET).c
$(CC) -o $(TARGET) $(TARGET).c $(LIBS) $(CFLAGS) clean:
$(RM) $(TARGET)
POSTECH CSED702Y: Software Defined Networking 16/17
Libpcap based Software
Libpcap based Software
ntop - network top
• A network traffic probe that shows the network usage
• Sort network traffic according to many protocols
• http://www.ntop.org/overview.html
snort
• Intrusion prevention and detection system
• Sniff every packet and differentiate general and intrusion by against rules
• http://www.snort.org/
ethereal
• Network protocol analyzer
• http://www.ethereal.com/
Wireshark
• A free and open-source packet analyzer
• Originally named Ethereal, after renamed as wireshark in May 2006, due to trade mark issues
• http://www.wireshark.org/
POSTECH CSED702Y: Software Defined Networking 17/17
Q&A
POSTECH CSED702Y: Software Defined Networking 18/17
