Sniffer with libpcap on Mac OS X in C

StackOverflow https://stackoverflow.com/questions/15039551

  •  11-03-2022
  •  | 
  •  

Question

I was trying to create my own sniffer (ONLY FOR FUN), and I work on a Mac. I'm using libpcap, which is a very good library for sniffing. So, I used this simple sniffer, which sniffs 5 packets: (It is written in C)

#include <pcap.h>
#include "hacking.h"

void pcap_fatal(const char *failed_in, const char *errbuf) {
     printf("Fatal Error in %s: %s\n", failed_in, errbuf);
     exit(1);
}

int main() {
    struct pcap_pkthdr header;
    const u_char *packet;
    char errbuf[PCAP_ERRBUF_SIZE];
    char *device;
    pcap_t *pcap_handle;
    int i;

device = pcap_lookupdev(errbuf);
if(device == NULL)
    pcap_fatal("pcap_lookupdev", errbuf);

printf("Sniffing on device %s\n", device);

pcap_handle = pcap_open_live(device, 4096, 1, 0, errbuf);
if(pcap_handle == NULL)
    pcap_fatal("pcap_open_live", errbuf);

for(i=0; i < 5; i++) {
    packet = pcap_next(pcap_handle, &header);
    printf("Got a %d byte packet\n", header.len);
    dump(packet, header.len);
}

pcap_close(pcap_handle);

}

If you're wondering, yes I took it from a book (Hacking: The Art of Exploitation) and modified a little bit. The problem is, if I run this on Linux, it works perfectly, no problems. But if I run this on a Mac, it doesn't work and it doesn't capture any packet.

Can someone of you help? Thanks in advance!

Was it helpful?

Solution

If you're getting a "Fatal Error in pcap_lookupdev" error message, then the problem is what Sascha said it was - you don't have permission to capture packets. If you're getting that message, try running the program with sudo, or try, for example, changing the ownership of the /dev/bpf* devices to you (which you will need to do with sudo). However, you're saying that "It sniffs on 'en0'", so presumably you're saying that because it's printing "Sniffing on device en0", in which case pcap_lookupdev() isn't failing.

If you're getting a "Fatal Error in pcap_open_live", that might also be a problem with permissions, but you almost certainly wouldn't get an error due to permissions there, as pcap_lookupdev() would already have failed.

If you're not getting a "Fatal Error in" error message, the problem is probably, as Petesh noted, that you specified 0 as the timeout. If 0 is specified as the timeout, pcap_loop(), pcap_dispatch(), pcap_next(), and pcap_next_ex() can wait indefinitely before providing packets to the application; on some platforms, such as Linux and Solaris, it won't wait indefinitely, but on other platforms, such as *BSD and OS X, it could wait indefinitely. Try a timeout of 1000, which is one second; that's what tcpdump does, for example.

OTHER TIPS

In addition to Petesh: For details, please check the manpage ("man pcap" in Terminal).

It states:

Under BSD (this includes Mac OS X):

          You must have read access to /dev/bpf* on systems that don't have a cloning
          BPF device, or to /dev/bpf on systems that do.  On BSDs with a devfs  (this
          includes  Mac OS X), this might involve more than just having somebody with
          super-user access setting the ownership or permissions on the BPF devices -
          it  might  involve  configuring  devfs  to set the ownership or permissions
          every time the system is booted, if the system even supports  that;  if  it
          doesn't  support  that,  you might have to find some other way to make that
          happen at boot time.

I tested code at 10.8.4 and worked with changing param to_ms (read timeout) to some non-zero value then started receiving packet.

Thanks for basic code. It saved my time.

Regards, Anand Choubey

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top