libpcap doc


1. libpcap

Packet Sniffing for Security
Alisa Neeman

2. Introduction

• libpcap is an open source C library for putting your NIC in promiscuous mode. Today I’ll go over a few C gotchas and how to use the libpcap API
• Any C programmers?
• Planning to go to grad school?

3. Agenda

• Installing libpcap
• C stuff
• Basic libpcap program
    – Grab a device to sniff
    – Filters/Event Loops
    – Packet structure

4. Getting the library

Linux: http://sourceforge.net/projects/libpcap/
VC++: Winpcap http://winpcap.polito.it/install/default.htm
Cygwin: Wpcap (haven’t tried this) http://www.rootlabs.com/windump/

5. Install on Linux

    gunzip libpcap-0.7.1.tar.gz
    tar -xvf libpcap-0.7.1.tar
    cd libpcap-0.7.1
    ./configure
    make

6. Install for Windows VC++

• Get both the Developer's pack download and the Windows 95/98/ME/NT/2000/XP install package.
• Run install and reboot (this installs the .dll and inserts a link in your registry).
• You need to insert a copy of pcap.h into C:\Program Files\Microsoft Visual Studio\VC98\Include (there is a copy of pcap.h in the Winpcap developer's pack in wpdpack/Include; in fact you can copy over all the .h files).

7. VC++, cont’d

• You also need to add the lib files.
• Copy everything from wpdpack/Lib to C:\Program Files\Microsoft Visual Studio\VC98\Lib
• Go to Project -> Settings -> click on the Link tab, and type in wpcap.lib and wsock32.lib in addition to the lib files that are already there.

8. Avoiding C Gotchas

• Always declare variables at the beginning of a block (no Java/C++ messiness!!)
• Nothing ‘new’: always free what you malloc

    malloc( sizeof ( thingYouWantToAllocate ));

• Always check the return value (no Exceptions!)

    if (thing_didnt_work()) {
        fprintf(stderr, "ERROR: thing didn't work\n");
        exit(-1);
    } /* if (thing_didnt_work) */

9. C cont’d

• Output is formatted.

    char person[ ] = "baby";
    printf("give me %d, %s\n", 5, person);

    %d: int
    %x: hex
    %s: string
    %f: double

10. Get to the point!

• Pass by reference explicitly
    – Pass-by-reference prototype

    int doSomething( Thing *);

    Choice 1:
    Thing * t;          /* t must point to a valid Thing before the call */
    doSomething( t );

    Choice 2:
    Thing t;
    doSomething( &t );

• Arrays are always in reference mode: char * is like char[0]

[...]...

Under the covers this is an array of contiguous bytes

    struct pcap_pkthdr {
        struct timeval ts;    // time stamp
        bpf_u_int32 caplen;   // length of portion present
        bpf_u_int32 len;      // packet length
    };

11. Overview of libpcap

• What to include and how to compile
• Going Live
• Main Event Loop
• Reading from a packet
• Filters

[Diagram labels: Open live, ether, ARP, TCP, UDP, IP, ICMP]

12. What to include and how to compile

    gcc sniff.c -lpcap
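The caplen and len fields of struct pcap_pkthdr matter as soon as a handler reads headers out of the packet bytes: every read has to be bounded by caplen, not len. The following is an added example, not code from the original slides; struct cap_hdr (a local stand-in for the two length fields so it builds without pcap.h), ip_protocol and the sample frame are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two length fields of struct pcap_pkthdr (assumption:
   defined locally so the example builds without pcap.h). */
struct cap_hdr {
    uint32_t caplen; /* bytes actually present in the buffer */
    uint32_t len;    /* length of the packet on the wire */
};

#define ETH_HLEN 14u
#define IP_MIN_HLEN 20u
#define ETHERTYPE_IPV4 0x0800

/* Returns the IPv4 protocol number (1 = ICMP, 6 = TCP, 17 = UDP),
   -1 if the capture is too short or malformed, -2 if the frame is not IPv4.
   Every read is bounded by caplen, never by len. */
int ip_protocol(const struct cap_hdr *h, const uint8_t *pkt)
{
    uint16_t ethertype;
    uint32_t ihl;

    if (h == NULL || pkt == NULL || h->caplen > h->len)
        return -1;
    if (h->caplen < ETH_HLEN)
        return -1;
    ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return -2;
    if (h->caplen < ETH_HLEN + IP_MIN_HLEN)
        return -1;
    if ((pkt[ETH_HLEN] >> 4) != 4)          /* IP version nibble */
        return -1;
    ihl = (uint32_t)(pkt[ETH_HLEN] & 0x0f) * 4u;
    if (ihl < IP_MIN_HLEN || h->caplen < ETH_HLEN + ihl)
        return -1;
    return pkt[ETH_HLEN + 9u];              /* protocol field */
}

/* Constructed sample frame: Ethernet header + 20-byte IPv4 header, protocol 6. */
static const uint8_t sample[34] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 192,0,2,1, 192,0,2,2
};

int main(void)
{
    struct cap_hdr full = { 34, 54 }, cut = { 20, 54 };
    printf("full=%d truncated=%d\n", ip_protocol(&full, sample),
           ip_protocol(&cut, sample));
    return 0;
}
```

In a real handler the same checks would take the const struct pcap_pkthdr * and const u_char * that libpcap passes to the callback.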

Date posted: 23/03/2014, 00:20

Table of contents

    Install for Windows VC++

    Get to the point!

    What to include and how to compile

    Getting onto the NIC

    What is an ethernet header?

    Filter – we don’t need to see every packet!
