Obviously we can easily sniff a network with a socket like:

import socket

s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
s.recv(65535)

I would like to identify the link layer address type while importing only socket and struct, but link layer doesn't show up in the sockets, for obvious reasons. Do I need to write a shared library that addresses lower layer?

RFC 1122/1123 address link layer type and link layer address.

Update:

I know I can read it as a pcap and get the link layer information (i.e. dpkt has a function called pcap.datalink() which will return a link layer type, not the link layer address) but I am still uncertain how to go about reading it from a raw port (i.e. eth0), in Python, for Windows and/or Linux.

NationWidePants

1 Answer

I think you can't do that with a library that only works in network/transport layers. I would do it using scapy, it should work in all systems Python does.

from scapy.all import sniff, Ether

# Capture one frame from the interface
pkts = sniff(count=1, iface="eth1")
pkt = pkts[0]
# Map scapy's outermost layer class to a description
layers = {
    Ether: "Link layer is Ethernet",
    # put other layers here, I can't test it in my PC
}
if type(pkt) == Ether:
    print("Link layer of eth1 is Ethernet")

Cristiano Araujo
  • Would this also do the other link layer types and tell me which it is without looking in the ethernet header, as the link layer would. (i.e. identify token ring or loopback instead of ethernet) in cases where the underlying structure is different than the link layer. (if the ethertype is ip but the link layer describes token ring) Most cases this shouldn't matter due to the hardware ordering, but I'm looking into cases where it might. – NationWidePants Sep 04 '15 at 12:24
  • This will work in all protocols scapy supports, but I think in some cases there is a limitation, since scapy cannot "see" L1, just L2. For L1 I think you need to ask for the os. – Cristiano Araujo Sep 08 '15 at 20:49
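
An added example, not part of the question or the answer above: on Linux, `recvfrom()` on an `AF_PACKET` socket returns, next to the frame, an address tuple `(ifname, proto, pkttype, hatype, addr)` whose `hatype` is the kernel's ARPHRD_* hardware type, so the link type and the sender's link-layer address can be read with only `socket` and `struct`. The helper names and the sample frame are constructed for illustration; `AF_PACKET` does not exist on Windows, and `sniff_one()` needs CAP_NET_RAW.

```python
import socket
import struct

ETH_P_ALL = 0x0003  # same protocol value as in the question
# ARPHRD_* hardware types from <linux/if_arp.h>
ARPHRD = {1: "Ethernet", 6: "IEEE 802", 512: "PPP", 772: "Loopback",
          800: "Token Ring", 801: "IEEE 802.11", 803: "802.11 + radiotap"}
# PACKET_* packet types from <linux/if_packet.h>
PKTTYPE = {0: "host", 1: "broadcast", 2: "multicast", 3: "otherhost", 4: "outgoing"}

# Constructed sample: broadcast Ethernet frame and the tuple recvfrom() would return
SAMPLE_FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"\x45" + b"\x00" * 19
SAMPLE_ADDR = ("eth0", 0x0800, 1, 1, b"\x02\x00\x00\x00\x00\x01")


def mac(raw):
    return ":".join("%02x" % b for b in bytearray(raw))


def describe(frame, sockaddr):
    """Decode one (frame, address) pair returned by recvfrom() on AF_PACKET."""
    ifname, proto, pkttype, hatype, hwaddr = sockaddr
    info = {
        "iface": ifname,
        "link_type": ARPHRD.get(hatype, "ARPHRD %d" % hatype),
        "pkttype": PKTTYPE.get(pkttype, str(pkttype)),
        "ll_addr": mac(hwaddr),  # source link-layer address as reported by the kernel
        "proto": proto,
    }
    # Parse an Ethernet header only when the kernel says the device is Ethernet,
    # instead of guessing the link type from the frame bytes.
    if hatype == 1 and len(frame) >= 14:
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        info.update(dst=mac(dst), src=mac(src), ethertype=ethertype)
    return info


def sniff_one(iface="eth0"):
    """Capture one frame on iface and describe it (Linux only)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    try:
        s.bind((iface, 0))
        frame, sockaddr = s.recvfrom(65535)
    finally:
        s.close()
    return describe(frame, sockaddr)


if __name__ == "__main__":
    print(describe(SAMPLE_FRAME, SAMPLE_ADDR))  # offline; use sniff_one() for live capture
```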