Packet sniffer gone wrong

Posted on 2007-04-09
Medium Priority
Last Modified: 2012-05-05
Im having some problems with this packet sniffer i wrote. It
will capture all packets fine but i also need it to send these
captured packets forwarded on to a client machine. this part of the
program is not working so well. Any help appreciated as i am at my
wits end.
Here is the code:

#include <stdio.h>
#include <sys/socket.h>
#include <resolv.h>
#include <arpa/inet.h>
#include <errno.h>
#include <sys/types.h>
#include <linux/if_ether.h>
#include < string.h>

int go = -1;
int x; /*global var for passing no of bytes recieved by sniffer*/

struct ipheader { /*Ip header structure*/

unsigned char headl:4, version:4;
unsigned char tos;
unsigned short int len;
unsigned short int id_seq;
unsigned short int offset;
unsigned char ttl;
unsigned char proto;
unsigned short int chksum;
unsigned int source;
unsigned int dest;


struct tcpheader {

unsigned short int srcport;
unsigned short int destport;
unsigned int seqnum;
unsigned int acknum;
unsigned char x2:4, offset:4;
unsigned char flags;
unsigned short int windowsize;
unsigned short int chksum;
unsigned short int urgentptr;


struct udpheader {
unsigned short int srcport;
unsigned short int destport;
unsigned short int len;
unsigned short int chksum;


int udpForward(char *buffer)
    int t;

    char data2[(x+1064)];

    struct ipheader *ip=(void*)buffer;
    int store = ip->id_seq;

    printf("\n%i\n", store);

    if (store!= go){    /*this guy checks to see if this packet was
forwarded already*/
    go = store;

    strcpy(data2, buffer); /*copies whole packet into data2*/
    printf("copy successful \n");
    /*Client initiated*/

    int ipsoc = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);

    /*Now for the standard stuff*/
    struct sockaddr_in raddrin;
    raddrin.sin_family = AF_INET;
    raddrin.sin_port = htons(3333);
    raddrin.sin_addr.s_addr = inet_addr("");/*Ip address
of data analysis client*/

/* ssize_t sendto(int socket, const void *message, size_t length,
       int flags, const struct sockaddr *dest_addr, socklen_t

    t = sendto(ipsoc, data2, sizeof(data2), 0, (struct sockaddr
*)&raddrin, x);
    printf("t= %i\n", t);
    if (t > -1)
        printf("great success\n"); /*new packet sent*/


        perror( "t" );
    printf("already sent\n");
    go = -1;}


void sniffnetwork()
int n, bytes_read,i;
char data[1024];
n = socket(AF_INET, SOCK_PACKET, htons(ETH_P_IP));

if ( n < 0 )
printf("Snooper socket error");

    bytes_read = recvfrom(n, data, sizeof(data), 0, 0, 0);
    if ( bytes_read > 0 ){
        x = bytes_read;
        printf("captured data:\n");
        /*for (i=0; i<=bytes_read; i++){
            printf("%X", data[i]);



while ( bytes_read > 0 );


int main()

return 0;


I think UDP is appropriate for forwarding on the packets as every
single one is not essential nor is the order.
Question by:howardshamsham
1 Comment
LVL 46

Accepted Solution

Kent Olsen earned 1500 total points
ID: 18877723
Hi Howard,

Looking at the code it's hard to tell exactly where/how you intend to implement this so I'll make a couple of broad statements.  That might help to clear things up.  :)

-  A packet sniffer does not normally work at the application level.  Too many issues to name.
-  The sniffer is connectionless.  It needs to see all of the packets/
-  The sniffer doesn't care about protocol.  It should see the TCP and UDP packets.
-  UDP packets are usually "local".  The are not forwarded by the router.
-  Once the sniffer has examined a packet, it must be forwarded.  If the sniffer is working near the lower levels of the IP stack it simply places it on a queue for proper disposition.  If the sniffer is working near the higher (application) level it must pass the packet to be forwarded OR to the desired service on the local machine.  This is something that you should avoid.


Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
There's never been a better time to become a computer scientist. Employment growth in the field is expected to reach 22% overall by 2020, and if you want to get in on the action, it’s a good idea to think about at least minoring in computer science …
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question