I have been using raw sockets recently and wrote a few small demo programs in Python; they are recorded here.
First, let's look at a simple sniffer program:
#!/usr/bin/python
# code for Linux (Python 2)
import socket

# A raw socket bound to IPPROTO_TCP receives every incoming TCP packet, IP header included.
# Use IPPROTO_UDP instead to capture UDP packets.
#s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_UDP)
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
while True:
    # recvfrom returns (data, (source_ip, 0)); print both
    print s.recvfrom(65535)
The data is read straight from the raw socket and printed as-is. It is only a few lines, so there is not much to explain; if something is unclear, Google it.
After getting an IP packet, the next task is to parse the IP header. Before we begin, let's look at how the RFC defines it (RFC 791: http://www.ietf.org/rfc/rfc791.txt).
(The RFC's header layout diagram appeared here.)
From the RFC we can see the width in bits of each field in the IP header, so we can parse the header according to these definitions and then process the data according to the corresponding policy.
Here is a Python implementation of the IP header parsing code (this is just the demo code, and it only parses the first 20 bytes, i.e. the fixed header without options):
def decodeIPHeader(packet):
    # bytearray gives integer indexing on both Python 2 (str) and Python 3 (bytes)
    p = bytearray(packet)
    mapRet = {}
    mapRet["version"] = (p[0] & 0xF0) >> 4           # high 4 bits of byte 0
    mapRet["headerLen"] = (p[0] & 0x0F) << 2         # IHL counts 32-bit words; << 2 gives bytes
    mapRet["serviceType"] = hex(p[1])
    mapRet["totalLen"] = (p[2] << 8) + p[3]
    mapRet["identification"] = (p[4] << 8) + p[5]    # was ">> 8" in the original, a bug
    mapRet["flags"] = (p[6] & 0xE0) >> 5             # 3 flag bits: reserved, DF, MF
    mapRet["fragOff"] = ((p[6] & 0x1F) << 8) + p[7]  # parenthesised: "+" binds tighter than "<<"
    mapRet["ttl"] = p[8]
    mapRet["protocol"] = p[9]
    mapRet["checkSum"] = (p[10] << 8) + p[11]
    mapRet["srcAddr"] = "%d.%d.%d.%d" % (p[12], p[13], p[14], p[15])
    mapRet["dstAddr"] = "%d.%d.%d.%d" % (p[16], p[17], p[18], p[19])
    return mapRet
Calling code:
import socket

proto = socket.getprotobyname('tcp')   # only TCP
sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
while True:
    packet = sock.recvfrom(65535)[0]
    if len(packet) == 0:
        sock.close()   # the original had a typo here (sck.close())
        break          # stop reading once the socket is closed
    else:
        #print str(packet)
        mapIPTmp = decodeIPHeader(packet)
        for k, v in mapIPTmp.items():
            print k, "\t:\t", v
        print ""
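The parser and the calling loop above trust whatever arrives on the wire: they assume at least 20 bytes, never check IHL against the packet length, ignore options, and never verify the header checksum. The following is an added Python 3 example (not code from the original post) that does the same parsing with struct, adds those checks, and decodes the flag bits; it is run here against a constructed 20-byte TCP header whose checksum 0x52d3 was computed by hand for these exact field values. The main guard at the bottom reuses the page's raw-socket approach, which on Linux needs root or CAP_NET_RAW and delivers the IP header with every packet.

```python
import socket
import struct

# Constructed sample (not captured traffic): IPv4 header for a TCP packet
# 192.168.1.10 -> 10.0.0.5, DF set, TTL 64, total length 40, followed by
# 20 zero bytes standing in for the TCP segment.
SAMPLE_PACKET = bytes.fromhex(
    "45000028"  # version 4, IHL 5 (20 bytes), TOS 0, total length 40
    "1c464000"  # identification 0x1c46, flags DF, fragment offset 0
    "400652d3"  # TTL 64, protocol 6 (TCP), header checksum 0x52d3
    "c0a8010a"  # source 192.168.1.10
    "0a000005"  # destination 10.0.0.5
) + b"\x00" * 20

# Fixed 20-byte part of the IPv4 header (RFC 791), network byte order.
IP_HEADER = struct.Struct("!BBHHHBBH4s4s")


def ip_checksum(data):
    """RFC 1071 checksum: ones' complement of the ones'-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ip_header(packet):
    """Parse the IPv4 header at the start of packet. Returns (fields, payload).
    Raises ValueError for truncated or inconsistent headers instead of mis-parsing them."""
    if len(packet) < IP_HEADER.size:
        raise ValueError("truncated: %d bytes, need at least %d" % (len(packet), IP_HEADER.size))
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = IP_HEADER.unpack_from(packet)
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4        # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if header_len < IP_HEADER.size or header_len > len(packet):
        raise ValueError("bad header length %d for %d-byte packet" % (header_len, len(packet)))
    if total_len < header_len:
        raise ValueError("total length %d smaller than header length %d" % (total_len, header_len))
    header_bytes = packet[:header_len]
    fields = {
        "version": version,
        "header_len": header_len,
        "service_type": tos,
        "total_len": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,           # 3 bits: reserved, DF, MF
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units; report bytes
        "ttl": ttl,
        "protocol": proto,
        "checksum": checksum,
        "checksum_ok": ip_checksum(header_bytes) == 0,
        "src_addr": socket.inet_ntoa(src),
        "dst_addr": socket.inet_ntoa(dst),
        "options": header_bytes[IP_HEADER.size:],   # empty unless IHL > 5
    }
    return fields, packet[header_len:total_len]


if __name__ == "__main__":
    # Same raw socket as the post's sniffer; needs root or CAP_NET_RAW on Linux.
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    while True:
        pkt = s.recvfrom(65535)[0]
        try:
            fields, payload = decode_ip_header(pkt)
        except ValueError as e:
            print("skipping malformed packet: %s" % e)
            continue
        print("%(src_addr)s -> %(dst_addr)s proto=%(protocol)d ttl=%(ttl)d "
              "df=%(dont_fragment)s checksum_ok=%(checksum_ok)s" % fields)
```

Checking the checksum and the IHL against the real packet length is what keeps a parser like this from reading past the buffer or reporting fields from a corrupted header as if they were valid; a packet that fails those checks is skipped rather than decoded.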