
Getting wrong ip and port number from libpcap captured packet

My Ubuntu virtual machine's IP address is 192.168.1.110. Everything else looks fine. I don't know what is wrong with the code. Maybe I'm using the wrong packet header structure? Below is my code and output. Again, my host IP should be 192.168.1.110, and the port is definitely wrong for now.

sudo ./sniffall 0
84.72.137.105:38055  192.168.1.105:56652
192.168.1.105:56652  174.141.213.124:28073
84.72.137.105:38055  192.168.1.105:56652
192.168.1.105:56652  174.141.213.124:28073
84.72.137.105:38055  192.168.1.105:56652


#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netinet/ether.h>
#include <sys/socket.h>
#include <netinet/tcp.h>

/* pcap_loop() callback: assumes every frame is Ethernet + 20-byte IPv4 header + TCP */
void getPacket(u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet){
    struct ip *ip;
    struct tcphdr *tcp;
    ip = (struct ip*)(packet+sizeof(struct ether_header));
    tcp = (struct tcphdr*)(packet+sizeof(struct ether_header)+sizeof(struct ip));

    /* inet_ntoa() returns a static buffer, so each address is printed before the next call */
    char* src = inet_ntoa(ip->ip_src);
    printf("%s:%d ",src,tcp->source);
    char* dst = inet_ntoa(ip->ip_dst);
    printf(" %s:%d\n", dst, tcp->dest);
}

int main(int argc, char *argv[]){
    char errbuf[PCAP_ERRBUF_SIZE], *device;
    pcap_t *handle;
    if(argc < 2){
        fprintf(stderr, "usage: %s <device>\n", argv[0]);
        return 1;
    }
    device = argv[1];
    /* promiscuous mode on, 1 second read timeout */
    handle = pcap_open_live(device, BUFSIZ, 1, 1000, errbuf);
    if(!handle){
        /* fall back to the default capture device */
        device = pcap_lookupdev(errbuf);
        if(device)
            handle = pcap_open_live(device, BUFSIZ, 1, 1000, errbuf);
        if(!handle){
            printf("Couldn't open device %s: %s\n", device ? device : "(none)", errbuf);
            return 1;
        }
    }

    /* capture five packets, then stop */
    pcap_loop(handle, 5, getPacket, NULL);
    pcap_close(handle);
    return 0;
}

Pcap is going to show some other traffic other than your system's if you're in promiscuous mode. Why you're seeing specific packets that aren't being sent or received from your system is going to be dependent a bit on your network configuration. Some ethernet switches will occasionally leak packets destined to other systems if they're unsure where they should go, etc.

You also need to convert between byte orders. In most common cases now, "network byte order" is not the same as your machine's byte order. To print out the port number, you need to do something like:

printf("%s:%d ",src,ntohs(tcp->source));

Also, you may want to try struct iphdr instead of struct ip. I've seen instances before where there were multiple definitions of a struct named ip in headers, but iphdr was always right for me.

Remember that you can always run tcpdump in another window to see what packets are actually coming in, it's possible that you're receiving more traffic than you are expecting.

First, after calling pcap_open_live(), call pcap_datalink() on handle and, if it doesn't return DLT_EN10MB, either exit or rewrite your program so that it can handle the value it returns. See the tcpdump.org link-layer header types page for a description of the supported values from pcap_datalink().

Second, do NOT assume that the packet is an IPv4 packet unless you have either installed a filter of "ip" or have checked the packet type (e.g., the type field in an Ethernet header) to make sure the packet is an IPv4 packet.

Third, do NOT assume that the header of an IPv4 packet is exactly sizeof(struct ip) bytes long. I assume sizeof(struct ip) will be 20, which is the minimum length of an IPv4 header, but the header may include options - check the "header length" field of the IPv4 header (which is in units of 4-byte words, so a value of 5 means "20 bytes") and use that as the length of the header (make sure it's at least 5 - if it's less than 5, the packet is not valid - and then multiply by 4 to get the length of the header).

Fourth, do NOT assume that the packet is a TCP packet unless you have either installed a filter of "ip and tcp" or just "tcp" (with the latter, you'll still have to check yourself to see whether it's an IPv4 packet) or have checked the "protocol" field of the IPv4 header to make sure it has a value of 6 (for TCP).
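The byte-order fix from the first answer and the four checks from the second answer, combined into one bounds-checked decoder, as an added example that is not code from either answer or from the original post. It parses the Ethernet EtherType, the IPv4 version and IHL fields, the IPv4 protocol field and the TCP ports from a raw frame, refusing anything that is not IPv4/TCP or that is shorter than the headers it claims to carry; the original getPacket() would read past the end of a short or non-IP capture. The input is a constructed SYN frame with a 24-byte IPv4 header (three NOP options plus EOL), so a fixed sizeof(struct ip) offset would land four bytes inside the TCP header, plus a constructed ARP frame that must be rejected; the MAC and IP addresses in it are made up. libpcap is deliberately left out so the file compiles with only the C library; in a real program the pcap_datalink(handle) == DLT_EN10MB check goes in main() before pcap_loop(), and the callback passes pkthdr->caplen as len.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>  /* AF_INET */
#include <netinet/in.h>  /* struct in_addr, INET_ADDRSTRLEN */
#include <arpa/inet.h>   /* ntohs(), inet_ntop() */

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_TCP   6
#define TCP_MIN_HDR    20

struct flow {
    char     src[INET_ADDRSTRLEN];
    char     dst[INET_ADDRSTRLEN];
    uint16_t sport, dport;
};

/*
 * Decode addresses and ports from one captured Ethernet frame.
 * `len` must be the captured length (pkthdr->caplen in a pcap callback);
 * every field is bounds-checked against it before being read.
 * Returns 0 on success, -1 if too short for Ethernet, -2 if not IPv4,
 * -3 if the IP or TCP header is truncated or malformed, -4 if not TCP.
 * The caller is assumed to have checked pcap_datalink(handle) == DLT_EN10MB.
 */
int parse_tcp_ipv4(const uint8_t *pkt, size_t len, struct flow *out)
{
    if (len < ETH_HDR_LEN)
        return -1;
    /* EtherType is big-endian at offset 12 of the Ethernet header */
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return -2;

    const uint8_t *ip = pkt + ETH_HDR_LEN;
    size_t remaining = len - ETH_HDR_LEN;
    if (remaining < 20)                        /* minimum IPv4 header */
        return -3;
    if ((ip[0] >> 4) != 4)                     /* version nibble */
        return -2;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IHL is in 4-byte words */
    if (ihl < 20 || ihl > remaining)
        return -3;
    if (ip[9] != IP_PROTO_TCP)                 /* protocol field */
        return -4;

    const uint8_t *tcp = ip + ihl;             /* skip IP options, if any */
    if (remaining - ihl < TCP_MIN_HDR)
        return -3;

    struct in_addr a;
    memcpy(&a, ip + 12, sizeof a);
    inet_ntop(AF_INET, &a, out->src, sizeof out->src);
    memcpy(&a, ip + 16, sizeof a);
    inet_ntop(AF_INET, &a, out->dst, sizeof out->dst);

    /* ports are network byte order; memcpy avoids an unaligned 16-bit load */
    uint16_t port;
    memcpy(&port, tcp, sizeof port);     out->sport = ntohs(port);
    memcpy(&port, tcp + 2, sizeof port); out->dport = ntohs(port);
    return 0;
}

/* Constructed frame (not a real capture): Ethernet + IPv4 with IHL=6 (24-byte
 * header: NOP NOP NOP EOL options) + TCP SYN 192.168.1.110:50000 -> 93.184.216.34:443 */
static const uint8_t sample_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x46,0x00, 0x00,0x2c, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x01,0x6e, 0x5d,0xb8,0xd8,0x22, 0x01,0x01,0x01,0x00,
    0xc3,0x50, 0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,
};

/* Constructed ARP request frame: same Ethernet header, EtherType 0x0806 */
static const uint8_t sample_arp[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0xc0,0xa8,0x01,0x6e,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01,
};

int main(void)
{
    struct flow f;
    const uint8_t *frames[] = { sample_syn, sample_arp };
    size_t lens[] = { sizeof sample_syn, sizeof sample_arp };
    for (size_t i = 0; i < 2; i++) {
        int rc = parse_tcp_ipv4(frames[i], lens[i], &f);
        if (rc == 0)
            printf("%s:%u  %s:%u\n", f.src, f.sport, f.dst, f.dport);
        else
            printf("frame %zu skipped (rc=%d)\n", i, rc);
    }
    return 0;
}
```

Dropping the ntohs() calls would print 20675 and 48129 for the two ports on a little-endian machine, which is the kind of value the question's output shows; dropping the IHL check would read the ports from the option bytes instead. In a pcap callback, return codes other than 0 are simply skipped rather than treated as errors, since a promiscuous capture will legitimately contain ARP, IPv6 and UDP frames.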

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM