Raw Socket SOCK_RAW

Source: Internet
Author: User

Most everyday network programming sends and receives messages at the application layer, using the stream sockets (SOCK_STREAM) and datagram sockets (SOCK_DGRAM) that most programmers are familiar with. These sockets are implemented by the system's protocol stack: the user only fills in the application payload, and the system fills in the lower-layer headers and sends the packet. In some cases, however, lower-level operations are needed, such as modifying headers or bypassing the system protocol stack. That requires a different mechanism.

I. Raw sockets

The raw socket (SOCK_RAW) is a socket type distinct from SOCK_STREAM and SOCK_DGRAM, and it is implemented in the kernel. What can a raw socket do? First, ordinary sockets cannot handle ICMP, IGMP and similar network packets, but SOCK_RAW can. Second, SOCK_RAW can also handle special IPv4 packets. In addition, with the IP_HDRINCL socket option the user can construct the IP header. In general, SOCK_RAW can handle ordinary network packets, can process packets of some special protocols, and can operate on data at the IP layer and above.

Because SOCK_RAW has these extra capabilities, its processing differs from that of ordinary sockets in several ways.

· If the IP_HDRINCL option is set, a SOCK_RAW socket can manipulate the IP header (that is, the user must fill in the IP header and the payload above it); otherwise it cannot manipulate the IP header.

· Ports have no meaning for SOCK_RAW.

· If bind() is used to bind an IP address, the source IP address is filled in with that address when IP_HDRINCL is not set; if bind() is not called, the source IP address is set to the primary IP address of the outgoing interface.

· If connect() is used to set the destination IP, packets can be sent with send() or write() instead of sendto().

· Kernel processing:

    · Received TCP and UDP packets are not passed to any SOCK_RAW socket.

    · ICMP and IGMP packets are passed to SOCK_RAW sockets.

    · IP packets that the kernel does not recognize are passed to SOCK_RAW sockets.

· Whether a SOCK_RAW socket receives a packet:

    · If a protocol is specified, the packet's protocol type must match it; otherwise the packet is not passed to the socket.

    · If a source IP was bound with bind(), the packet's destination IP must match the bound IP; otherwise the packet is not passed to the socket.

    · If a destination IP was set with connect(), the packet's source IP must match the specified IP; otherwise the packet is not passed to the socket.
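The send and receive rules listed above, shown for the ping case as an added example that is not part of the original article: without IP_HDRINCL the program supplies only the ICMP message, while data read from the socket begins with the IP header. The target 127.0.0.1, the id and sequence values and the function names are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 1071 Internet checksum over big-endian 16-bit words. */
static uint16_t inet_cksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an 8-byte echo request. No IP_HDRINCL: the kernel adds the IP header. */
static size_t build_echo(uint8_t *b, uint16_t id, uint16_t seq) {
    b[0] = 8; b[1] = b[2] = b[3] = 0;              /* type 8, code 0, cksum 0 */
    b[4] = (uint8_t)(id >> 8); b[5] = (uint8_t)id;
    b[6] = (uint8_t)(seq >> 8); b[7] = (uint8_t)seq;
    uint16_t ck = inet_cksum(b, 8);
    b[2] = (uint8_t)(ck >> 8); b[3] = (uint8_t)ck;
    return 8;
}

/* Received data starts with the IP header, so skip IHL*4 bytes before ICMP.
   Returns 1 for a valid echo reply (type 0) matching id and seq, else 0. */
static int is_echo_reply(const uint8_t *buf, size_t len, uint16_t id, uint16_t seq) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || buf[9] != IPPROTO_ICMP) return 0;
    buf += ihl;
    if (buf[0] != 0 || inet_cksum(buf, len - ihl) != 0) return 0;
    return (buf[4] << 8 | buf[5]) == id && (buf[6] << 8 | buf[7]) == seq;
}

int main(void) {                                   /* needs CAP_NET_RAW */
    uint8_t pkt[8], in[1500];
    struct sockaddr_in dst = { .sin_family = AF_INET };
    ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) { perror("socket"); return 1; }
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr); /* assumed target */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0 ||  /* allows send() */
        send(fd, pkt, build_echo(pkt, 0x1234, 1), 0) < 0) { perror("send"); return 1; }
    while ((n = recv(fd, in, sizeof in, 0)) > 0)    /* skip non-matching packets */
        if (is_echo_reply(in, (size_t)n, 0x1234, 1)) { puts("echo reply"); break; }
    close(fd);
    return 0;
}
```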


In summary, raw sockets handle only data at the IP layer and above, for example implementing a SYN flood attack or processing ping packets. Manipulating lower-level data requires other methods.

II. Link-layer packet processing

To process packets at the link layer, a lower-level socket is needed. First, look at the prototype of the socket function:

#include <sys/socket.h>

int socket (int domain, int type, int protocol);

In this function, domain is the protocol family, type is the socket type, and protocol is the protocol being processed. Linux provides several kinds of low-level sockets. Each is introduced briefly below.

1. PF_INET protocol family

A raw socket can be created with PF_INET, as follows:

int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);

As mentioned earlier, it works on protocols at the IP layer and above (and, with the IP_HDRINCL option, IP-layer data can be manipulated as well), but this socket cannot receive packets sent by the local host. With a SOCK_PACKET socket, link-layer data can be manipulated:

/* for packet sockets the protocol argument is an EtherType in network byte order */
int fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_IP));

However, this approach is said to have some flaws, and there is no guarantee that later versions of the system will support it, so it is not recommended.

2. PF_PACKET protocol family

The PF_PACKET protocol family is the programming interface that replaces SOCK_PACKET. As a protocol family, it supports two socket types: SOCK_RAW and SOCK_DGRAM. With SOCK_RAW the user handles the link-layer data; with SOCK_DGRAM the system processes the link-layer protocol header. This socket supports four protocols (ETH_P_IP, ETH_P_ARP, ETH_P_RARP, ETH_P_ALL) (unverified).

/* protocol argument: an EtherType in network byte order */
int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP));

int fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));

3. Netlink protocol family

This is the recommended interface between user space and the kernel for IP network configuration.


In summary, only three approaches actually give access to link-layer data:

/* protocol argument: an EtherType in network byte order */
int fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_IP));

int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP));

int fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
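An added example (not from the original article) of the difference between the two PF_PACKET socket types: with SOCK_RAW the buffer starts with the Ethernet header, while with SOCK_DGRAM it starts at the network layer and the EtherType comes from sockaddr_ll.sll_protocol. The helper ipv4_proto and the ETH_P_IP filter are assumptions of this example; opening the socket requires CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns the IPv4 protocol number carried in buf, or -1 if it is not IPv4.
   has_l2 = 1: SOCK_RAW layout, buf starts with the 14-byte Ethernet header.
   has_l2 = 0: SOCK_DGRAM layout, the kernel removed that header; proto_be is
   then sockaddr_ll.sll_protocol (network byte order) from recvfrom(). */
static int ipv4_proto(const uint8_t *buf, size_t len, int has_l2, uint16_t proto_be) {
    uint16_t ethertype = ntohs(proto_be);
    if (has_l2) {
        if (len < ETH_HLEN) return -1;
        ethertype = (uint16_t)(buf[12] << 8 | buf[13]);  /* bytes 12-13 */
        buf += ETH_HLEN;
        len -= ETH_HLEN;
    }
    if (ethertype != ETH_P_IP || len < 20 || (buf[0] >> 4) != 4) return -1;
    return buf[9];                                       /* IPv4 protocol field */
}

int main(void) {
    uint8_t buf[2048];
    struct sockaddr_ll from;
    socklen_t flen = sizeof from;
    /* Example filter: IPv4 frames only; ETH_P_ALL would deliver every frame. */
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP));
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
    if (n > 0)
        printf("ifindex=%d pkttype=%u ip_proto=%d\n", from.sll_ifindex,
               (unsigned)from.sll_pkttype, ipv4_proto(buf, (size_t)n, 1, 0));
    close(fd);
    return 0;
}
```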
