Mac OS X上的奇怪RAW套接字

当我在Mac OS X上运行一个用C编码的简单数据包嗅探器时,我根本没有输出,这是一个奇怪的事情! 有人可以帮我理解发生了什么。

#include  #include  #include  #include  #include  #include  int main(void) { int i, recv_length, sockfd; u_char buffer[9000]; if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) { printf("Socket failed!!\n"); return -1; } for(i=0; i < 3; i++) { recv_length = recv(sockfd, buffer, 8000, 0); printf("Got some bytes : %d\n", recv_length); } return 0; } 

我编译它并在我的盒子上运行它没有任何进展:

 MacOsxBox:Desktop evariste$sudo ./simpleSniffer 

谢谢你的帮助。

这不适用于* BSD(包括OSX / Darwin)。 有关详细信息,请参阅此处的调查:

 b. FreeBSD ********** FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw sockets. Such packets need to be read directly at the datalink layer by using libraries like libpcap or the bpf API. It also *never* passes any fragmented datagram. Each datagram has to be completeley reassembled before it is passed to a raw socket. FreeBSD passes to a raw socket: a) every IP datagram with a protocol field that is not registered in the kernel b) all IGMP packets after kernel finishes processing them c) all ICMP packets (except echo request, timestamp request and address mask request) after kernel finishes processes them 

故事的道德:为此使用libpcap 。 它会让你的生活更轻松。 (如果您使用MacPorts,请执行sudo port install libpcap 。)

我跑了然后得到:

 # ./a.out Got some bytes : 176 Got some bytes : 168 Got some bytes : 168 # 

我猜它会变成奇怪的东西,比如你没有打开套接字的权限,stderr被奇怪地重定向。

我建议好老式的狼陷阱调试:

  printf("I got ti 1\n"); if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) { printf("Socket failed!!\n"); return -1; } printf("I got to 2\n"); for(i=0; i < 3; i++) { printf("About to read socket.\n"); recv_length = recv(sockfd, buffer, 8000, 0); printf("Got some bytes : %d\n", recv_length); } printf("Past the for loop.\n"); 

......看看它说的是什么。