GithubHelp home page GithubHelp logo

packet-sniffer's Introduction

packet-sniffer

A sniffer program written in C, that lets you Capture and Filter packets in promiscuous mode over a specified interface. The program uses libpcap library to provide support to sniff and filter packets using BPF filters. In addition, the program provides support to read a precaptured pcap dump and also filter payloads based on a specified string.

To run:

Ensure you have libpcap library installed
sudo apt-get install libpcap-dev

git clone https://github.com/bhaveshgoyal/packet-sniffer.git
cd packet-sniffer/
make
chmod +x ./sniffer
./sniffer -i [interface] -r [input file] -s [payload search string] [filter expression]

[filter expression] is a BPF filter that specifies which packets will be dumped. If no filter is given, all packets seen on the interface (or contained in the trace) are dumped. For each packet, the program prints a record containing the timestamp, source and destination MAC address, EtherType, packet length, source and destination IP address and port, protocol type and the raw content of the packet payload.

Supported Protocols: Layer 2: ARP

Layer 3: IP, ICMP, IGMP

Layer 4: TCP, UDP

A Brief Note on implementation:

The program makes use of builtin function getopt to parse the optional command line arguments given as input by the user.

The arguments are stored and validated using the return values provided by calls to pcap library. This allows the program to invalidate any objectionable user input.

If the user does not specify any interface, the program opens a session on the default device using pcap_lookupdev. After a couple of checks for the interface to be valid and known to be supported Ethernet headers, the program starts capturing packets indefinitely until interrupted and registers a callback to packet_handler module for every packet received.

The packet handler dissects the packet for its type and uses header offsets defined in lib/defs.h to typecast the IP/ARP packets to be processed further.

For each of the IP packet types (TCP / UDP / ICMP / IGMP), the position of corresponsing protocol header is determined and then the packet is in turn typecasted into its appropriate struct model.

Note: The program makes use of <netinet/icmp.h> header to parse icmp dump. User must have netinet library installed on the host program.

The Program after printing some primitive packet information about source and destination handles control to the payload printing modules, which check if the user has additionally specified -s option to search payload string, and prints the packet information if found. Thanks to tcpdump.org for raw payload formatting snippet!

Sample Program Output:

bagl ❯❯❯ ./sniffer

Sniffing on device: en0 
2017-10-10 17:46:17.347462 [Address Masked] > b8:af:67:63:a3:28 type 0x800 len 64 [IP Masked]:51476 > 172.20.226.141:443 TCP 

2017-10-10 17:46:17.642157 [Address Masked] > b8:af:67:63:a3:28 type 0x800 len 64 [IP Masked]:51479 > 17.248.187.16:443 TCP 

2017-10-10 17:46:17.648809 b8:af:67:63:a3:28 > [Address Masked] type 0x800 len 60 17.248.187.16:443 > [IP Masked]:51479 TCP 

2017-10-10 17:46:17.648892 [Address Masked] > b8:af:67:63:a3:28 type 0x800 len 52 [IP Masked]:51479 > 17.248.187.16:443 TCP 

2017-10-10 17:46:17.649408 [Address Masked] > b8:af:67:63:a3:28 type 0x800 len 569 [IP Masked]:51479 > 17.248.187.16:443 TCP 
00000   16 03 01 02 00 01 00 01  fc 03 03 82 fa 51 d9 e9    .............Q..
00016   da e7 b0 c4 0c 67 2a a9  0d 52 68 fe 7c 0d c7 78    .....g*..Rh.|..x
00032   4d 1b fb 0b d6 2c b1 43  b2 fe a9 20 56 d7 0f 5e    M....,.C... V..^
00048   04 b8 7e a3 22 4a 40 9c  4f 5c 01 ce 94 b3 ec 5a    ..~."[email protected]\.....Z
00064   86 90 4b c0 19 1b 93 5d  41 55 37 89 00 28 c0 2c    ..K....]AU7..(.,
00080   c0 2b c0 24 c0 23 c0 0a  c0 09 cc a9 c0 30 c0 2f    .+.$.#.......0./
00096   c0 28 c0 27 c0 14 c0 13  cc a8 00 9d 00 9c 00 3d    .(.'...........=
00112   00 3c 00 35 00 2f 01 00  01 8b ff 01 00 01 00 00    .<.5./..........
00128   00 00 17 00 15 00 00 12  67 61 74 65 77 61 79 2e    ........gateway.
00144   69 63 6c 6f 75 64 2e 63  6f 6d 00 17 00 00 00 0d    icloud.com......
00160   00 14 00 12 04 03 08 04  04 01 05 03 08 05 05 01    ................
00176   08 06 06 01 02 01 00 05  00 05 01 00 00 00 00 33    ...............3
00192   74 00 00 00 12 00 00 00  10 00 30 00 2e 02 68 32    t.........0...h2
00208   05 68 32 2d 31 36 05 68  32 2d 31 35 05 68 32 2d    .h2-16.h2-15.h2-
00224   31 34 08 73 70 64 79 2f  33 2e 31 06 73 70 64 79    14.spdy/3.1.spdy
00240   2f 33 08 68 74 74 70 2f  31 2e 31 00 0b 00 02 01    /3.http/1.1.....
00256   00 00 0a 00 08 00 06 00  1d 00 17 00 18 00 15 00    ................
00272   f4 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00288   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00304   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00320   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00336   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00352   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00368   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00384   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00400   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00416   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00432   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00448   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00464   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00480   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00496   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00512   00 00 00 00 00                                      .....

2017-10-10 17:46:17.655070 b8:af:67:63:a3:28 > [Address Masked] type 0x800 len 52 17.248.187.16:443 > [IP Masked]:51479 TCP 

2017-10-10 17:46:17.655075 b8:af:67:63:a3:28 > [Address Masked] type 0x800 len 194 17.248.187.16:443 > [IP Masked]:51479 TCP 
00000   16 03 03 00 5e 02 00 00  5a 03 03 6f 22 64 e8 56    ....^...Z..o"d.V
00016   91 49 d0 81 fa a0 09 93  13 66 25 69 0d 5f a4 35    .I.......f%i._.5
00032   1b ce 22 31 05 09 61 43  1c 01 af 20 56 d7 0f 5e    .."1..aC... V..^
00048   04 b8 7e a3 22 4a 40 9c  4f 5c 01 ce 94 b3 ec 5a    ..~."[email protected]\.....Z
00064   86 90 4b c0 19 1b 93 5d  41 55 37 89 cc a8 00 00    ..K....]AU7.....
00080   12 ff 01 00 01 00 00 05  00 00 00 10 00 05 00 03    ................
00096   02 68 32 14 03 03 00 01  01 16 03 03 00 20 fe 77    .h2.......... .w
00112   cd d6 19 c5 6e 4e d2 1e  08 d2 b1 a9 15 ce 79 e7    ....nN........y.
00128   49 2d aa f4 e3 c7 1c b6  d4 31 ec 66 38 a7          I-.......1.f8.

bagl ❯❯❯ ./sniffer -s google

2017-10-10 17:59:43.151581 [Address Masked] > b8:af:67:63:a3:28 type 0x800 len 54 [IP Masked]:59507 > 130.245.255.4:53 UDP
00000   59 e3 01 00 00 01 00 00  00 00 00 00 02 31 33 0e    Y............13.
00016   63 6c 69 65 6e 74 2d 63  68 61 6e 6e 65 6c 06 67    client-channel.g
00032   6f 6f 67 6c 65 03 63 6f  6d 00 00 01 00 01          oogle.com.....

2017-10-10 17:59:43.177442 b8:af:67:63:a3:28 > [Address Masked] type 0x800 len 70 130.245.255.4:53 > [IP Masked]:59507 UDP
00000   59 e3 81 80 00 01 00 01  00 00 00 00 02 31 33 0e    Y............13.
00016   63 6c 69 65 6e 74 2d 63  68 61 6e 6e 65 6c 06 67    client-channel.g
00032   6f 6f 67 6c 65 03 63 6f  6d 00 00 01 00 01 c0 0c    oogle.com.......
00048   00 01 00 01 00 00 01 2c  00 04 d1 55 e8 bd          .......,...U..

2017-10-10 17:59:43.201263 [Address Masked] > b8:af:67:63:a3:28 type 0x800 len 299 [IP Masked]:51619 > 209.85.232.189:443 TCP
00000   16 03 01 00 f2 01 00 00  ee 03 03 43 6f 4e 05 81    ...........CoN..
00016   3a 8e f2 de 75 f1 3d fc  41 6d 04 92 d6 f9 11 be    :...u.=.Am......
00032   c0 c1 29 af 06 aa b2 94  ab 64 d9 00 00 28 c0 2c    ..)......d...(.,
00048   c0 2b c0 24 c0 23 c0 0a  c0 09 cc a9 c0 30 c0 2f    .+.$.#.......0./
00064   c0 28 c0 27 c0 14 c0 13  cc a8 00 9d 00 9c 00 3d    .(.'...........=
00080   00 3c 00 35 00 2f 01 00  00 9d ff 01 00 01 00 00    .<.5./..........
00096   00 00 21 00 1f 00 00 1c  31 33 2e 63 6c 69 65 6e    ..!.....13.clien
00112   74 2d 63 68 61 6e 6e 65  6c 2e 67 6f 6f 67 6c 65    t-channel.google
00128   2e 63 6f 6d 00 17 00 00  00 0d 00 14 00 12 04 03    .com............
00144   08 04 04 01 05 03 08 05  05 01 08 06 06 01 02 01    ................
00160   00 05 00 05 01 00 00 00  00 33 74 00 00 00 12 00    .........3t.....
00176   00 00 10 00 30 00 2e 02  68 32 05 68 32 2d 31 36    ....0...h2.h2-16
00192   05 68 32 2d 31 35 05 68  32 2d 31 34 08 73 70 64    .h2-15.h2-14.spd
00208   79 2f 33 2e 31 06 73 70  64 79 2f 33 08 68 74 74    y/3.1.spdy/3.htt
00224   70 2f 31 2e 31 00 0b 00  02 01 00 00 0a 00 08 00    p/1.1...........
00240   06 00 1d 00 17 00 18                                .......

bagl ❯❯❯ ./sniffer "dst google.com && icmp"

Sniffing on device: en0
2017-10-10 18:02:04.239115 IP [IP Masked] > 172.217.6.206: ICMP echo request ,id 7013, seq 0
00000   59 dd 43 5c 00 03 a5 da  08 09 0a 0b 0c 0d 0e 0f    Y.C\............
00016   10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f    ................
00032   20 21 22 23 24 25 26 27  28 29 2a 2b 2c 2d 2e 2f     !"#$%&'()*+,-./
00048   30 31 32 33 34 35 36 37                             01234567

2017-10-10 18:02:05.243102 IP [IP Masked] > 172.217.6.206: ICMP echo request ,id 7013, seq 1
00000   59 dd 43 5d 00 03 b5 41  08 09 0a 0b 0c 0d 0e 0f    Y.C]...A........
00016   10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f    ................
00032   20 21 22 23 24 25 26 27  28 29 2a 2b 2c 2d 2e 2f     !"#$%&'()*+,-./
00048   30 31 32 33 34 35 36 37                             01234567

2017-10-10 18:02:06.243557 IP [IP Masked] > 172.217.6.206: ICMP echo request ,id 7013, seq 2
00000   59 dd 43 5e 00 03 b7 0d  08 09 0a 0b 0c 0d 0e 0f    Y.C^............
00016   10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f    ................
00032   20 21 22 23 24 25 26 27  28 29 2a 2b 2c 2d 2e 2f     !"#$%&'()*+,-./
00048   30 31 32 33 34 35 36 37                             01234567

packet-sniffer's People

Contributors

bhaveshgoyal avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.