Mac OS X上的奇怪RAW套接字

Question

當我在Mac OS X上運行一個用C編碼的簡單數據包嗅探器時，我根本沒有輸出，這是一個奇怪的事情！ 有人可以幫我理解發生了什么。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
   int i, recv_length, sockfd;

   u_char buffer[9000];

   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!!\n");

        return -1;
   }

   for(i=0; i < 3; i++) {
      recv_length = recv(sockfd, buffer, 8000, 0);
      printf("Got some bytes : %d\n", recv_length);
   }

   return 0;
}

我編譯它並在我的盒子上運行它沒有任何進展：

MacOsxBox:Desktop evariste$sudo ./simpleSniffer

謝謝你的幫助。

Answer 1

這不適用於* BSD（包括OSX / Darwin）。 有關詳細信息，請參閱此處的調查：

b. FreeBSD
**********

FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw
sockets. Such packets need to be read directly at the datalink layer by using
libraries like libpcap or the bpf API. It also *never* passes any fragmented 
datagram. Each datagram has to be completeley reassembled before it is passed
to a raw socket.
FreeBSD passes to a raw socket:
    a) every IP datagram with a protocol field that is not registered in
    the kernel
    b) all IGMP packets after kernel finishes processing them
    c) all ICMP packets (except echo request, timestamp request and address
    mask request) after kernel finishes processes them

故事的道德：使用libpcap為此。 它會讓你的生活更輕松。 （如果您使用MacPorts，請執行sudo port install libpcap 。）

Answer 2

我跑了然后得到：

# ./a.out
Got some bytes : 176
Got some bytes : 168
Got some bytes : 168
# 

我猜它會變得非常奇怪，就像你沒有權限打開套接字而stderr被奇怪地重定向。

我建議好老式的狼陷阱調試：

   printf("I got ti 1\n");
   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!!\n");

        return -1;
   }
   printf("I got to 2\n");
   for(i=0; i < 3; i++) {
      printf("About to read socket.\n");
      recv_length = recv(sockfd, buffer, 8000, 0);
      printf("Got some bytes : %d\n", recv_length);
   }
   printf("Past the for loop.\n");

......看看它說的是什么。