
So I'm trying to build a packet sniffer in Python to deepen my understanding of networking. Thing is, it has turned out to be a tad bit more confusing than I initially anticipated. The problem is that all resources with thorough explanations cover the scenario of creating sockets for client/server data sending/receiving purposes.

At this point, I've successfully created some classes that handle packet header decoding for IPv4 and ICMP. Now, since my socket code only seemed to capture ICMP packets, I've been trying to configure it so that I can catch all traffic reaching my wifi interface, but I still almost exclusively see ICMP packets (with localhost as both source and destination).

So, I have some questions which I'd like to get answered. But first, my code:

import socket
import sys
from protocols.ipv4 import IPv4

PACKET_SIZE = 65535

sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)

sock.bind(("0.0.0.0", 0))

try:
    while True:
        # read in a packet
        raw_buffer = sock.recvfrom(PACKET_SIZE)[0]
        # create an IP packet object
        ip_header = IPv4(raw_buffer)
        # print the packet
        print(ip_header)
except KeyboardInterrupt:
    print("\nExiting...")
    sock.close()
    sys.exit(0)

This is how I've understood it:

  • First I'm creating a socket with socket.socket, where I specify address family, socket type and protocol. In my case, I'm selecting the AF_INET family which I don't really understand very well, but it seems to yield packets from the network layer. The socket type is set to SOCK_RAW meaning that I want the raw sockets as opposed to using SOCK_STREAM for TCP connections and SOCK_DGRAM for UDP. The last argument IPPROTO_IP just indicates that I want IP packets only.

  • Then, I'm binding the socket to 0.0.0.0 which supposedly means "any address" as described here.

What I don't understand:

  • Initially, I saw some examples of creating a sniffer socket which used the AF_PACKET address family. I soon found out that this address family is not available on macOS (which I'm using). Why is that? What is an address family and how does it relate to sockets? Is there an alternative way to catch packets from lower levels? In Wireshark I can see Ethernet datagrams, so it seems possible.

  • As I've stated, I want to sniff all the traffic reaching my wifi interface. How does the socket know which interface I want it to operate on? Also, I've learned that network interfaces can be put into different modes like monitor or promiscuous; how does that relate to sockets and my goal of catching packets?

  • Why am I almost only catching ICMP packets? What is the purpose of these packets with localhost both as destination and source?

I know there are lots of gaps in my current understanding of this. I'm not sure if I'll be able to get this to work, but I'm curious and I'd be grateful for any kind of answer or even just some good resources to check out.

Edit: My main question is where can I find out more about sockets in the context of packet sniffing?

shhmon
  • You're asking multiple questions here, which is currently a reason on Stack Overflow to close questions. The reason is that it is easier to answer one question, and it is likely that any answer we give will not actually give the information you want. Can you edit (button at the bottom) this question to be more focused? – Ross Jacobs Mar 10 '20 at 00:04
  • Also, is there a reason you're not using [scapy](https://scapy.net/)? It's designed for packet sniffing and crafting. – Ross Jacobs Mar 10 '20 at 00:10
  • I get that, just kind of hoped for some pentest guru to stumble upon this question and be my saviour. I've added one main question to the post. The reason I'm not using scapy is that it's beside the point, as I'm only doing this to deepen my knowledge of networking – shhmon Mar 10 '20 at 07:01
  • Python’s socket library is a wrapper around C’s socket library. I would look at that library’s documentation for more information about the syntax and what it actually does. You’ll learn more anyway if you can understand networking at a lower level. – Ross Jacobs Mar 10 '20 at 07:41
  • Thanks for the tip, I'll definitely check that out – shhmon Mar 10 '20 at 09:51
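As an added illustration (not code from the question, and not its `protocols.ipv4` module, which the post does not show): a minimal IPv4 header decoder of the kind that class presumably implements, run on a constructed loopback ICMP echo request so it needs no raw-socket privileges. It verifies the RFC 791 header checksum and maps the protocol field, which is the field that tells a sniffer whether a captured datagram is ICMP, TCP or UDP; the function names and the BSD byte-order caveat in the comments are my assumptions.

```python
import socket
import struct
from dataclasses import dataclass

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # values of the IPv4 protocol field


@dataclass
class IPv4Header:
    ihl: int            # header length in 32-bit words (5 = no options)
    ttl: int
    protocol: int
    src: str
    dst: str
    checksum_ok: bool
    payload: bytes


def internet_checksum(data: bytes) -> int:
    """RFC 791 checksum: ones' complement of the ones' complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(raw: bytes) -> IPv4Header:
    """Decode the header at the start of a raw-socket buffer; an intact header sums to 0."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    hlen = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hlen < 20 or len(raw) < hlen:
        raise ValueError("not a complete IPv4 header")
    # Caveat (assumption about BSD-derived stacks such as macOS): a raw socket may deliver the
    # total length in host byte order, so fall back to "everything after the header" if implausible.
    end = total_len if hlen <= total_len <= len(raw) else len(raw)
    return IPv4Header(hlen // 4, ttl, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      internet_checksum(raw[:hlen]) == 0, raw[hlen:end])


def build_sample_icmp_echo() -> bytes:
    """Constructed sample: loopback ICMP echo request (type 8) with valid IP and ICMP checksums."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"hello"
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    fields = [0x45, 0, 20 + len(icmp), 0xABCD, 0x4000, 64, 1, 0,
              socket.inet_aton("127.0.0.1"), socket.inet_aton("127.0.0.1")]
    fields[7] = internet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))  # over zeroed field
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp
```

To use it against the loop in the question, call `parse_ipv4(raw_buffer)` on each buffer returned by `recvfrom` and look at `.protocol` to see which transport protocols are actually arriving.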
