Introduction

IP is the network layer protocol on which the current internet runs. Each computer which connects to the internet uses a globally unique address called an IP address. This address is actually a 32-bit number, but is most commonly represented as four numbers separated by dots (e.g. 127.0.0.1). This protocol was developed at the start of the internet and has been in use, unchanged, since the early 1980's. At the time of design, it was thought that 32 bits, which give a maximum of 2^32 addresses (about 4000 million), would be sufficient. But with the boom of the internet in the past few years, this has been proven wrong, and the world is now being starved of new IP addresses. It is estimated that by the end of about 2005, the world will run out of IP addresses in their current form (sounds so much like the millennium bug, doesn't it?). This version of IP is version 4, hence the name IPv4. The internet task force has recognized this problem and has come up with a proposal for a new version of the IP protocol: IP version 6, or IPv6. This protocol, apart from other advantages, uses 128 bits to represent an address, which gives a maximum of 2^128 addresses. This should hopefully last a lot longer than the current version. Major vendors of computer equipment and software already have experimental support for IPv6; such vendors include Sun Microsystems, Cisco Systems, Redhat Software, etc. Modern operating systems like Linux and Solaris (and in fact most major UNIX versions) have support for IPv6. It will probably take some time for Microsoft to catch up with Windows IPv6 support, so Windows users, don't get too excited.

A packet sniffer is a program which monitors the network traffic which passes through your computer. A packet sniffer which runs on your PC, connected to the internet using a modem, can tell you your current IP address as well as the IP addresses of the web servers whose sites you are visiting. Also, if you want, you can watch all the unencrypted data that travels from your computer onto the internet. This includes passwords and other sensitive data that is not secured by encryption. Put a packet sniffer on a router on the internet, and you can watch all the network traffic that passes through that router. This includes absolutely anyone whose data happens to pass through that router.

The program which I have posted is not meant to be used with any malicious intent, but to show the internet community how easy, and how small, such a program can be. It took me a very short time to gather the necessary information to write the program. Another purpose of the program is to introduce the sockets API for developing IPv4 and IPv6 applications and the use of the PF_PACKET type of socket, for which there is very little documentation on the internet.

The Program...

This program has been written on a Redhat Linux 6.0 system running on an AMD K6-2. It does not use the SOCK_PACKET method, which is restricted to Linux, but uses the PF_PACKET method, which is the newer way to get direct access to the datalink layer. This feature is new to the Linux 2.2 kernel and (as far as I know) is not available in Linux 2.0 (sorry, Redhat 5.x users). I have only been able to test this on my computer, which runs kernel 2.2.5 built to include IPv6 support, so if you want to run this, you must compile your kernel to include IPv6. I have not had the luxury of testing this on any other OS like Solaris (even though I have the software, I can't seem to get it to recognize my serial mouse). So if someone out there can test it on any other OS like Solaris or HP-UX etc. and give me some feedback, I would be grateful.

Release 0.3 (Released 25/10/99)

The latest release of the software has been re-written in C++, utilizing the object oriented features of the language. In terms of functionality, this release shows less information than the previous one, as it only shows the packet version and the packet size. This is only a minor technicality, as more information can easily be shown with minimal modification. The advantage of the new release is that the whole program has been re-designed to be much more modular than before. Therefore more features can be incorporated without breaking the program structure. It also facilitates component re-use.

I'm also working on documentation for the program which would let other developers get a feel for the design strategy. This is more important now, as the program is object oriented and could be more difficult to understand by looking at the code. If someone could let me know of any good UML tools for Linux, I would be very grateful.

Building the software...

First change to the directory where you want it installed. Then type

tar xvzf sniffer.tar.gz

Change to the directory called sniff using

cd sniff

Then type

make

This will compile the source code and create a program called sniff. This is the executable, and you can run it by typing its name.

To test the program you can ping yourself (ping 127.0.0.1) to see if the program picks it up. If it works, you can connect to the internet, surf the web, and watch the program pick up all the packets which pass through.

Also, to run this program you must have an effective UID of 0 (root). This is to stop normal users from looking at other people's private packets. This is not a restriction which I introduced, but comes from the fact that only such a user can create PF_PACKET sockets.
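As an added example (not the page's sniff program, and not the author's code), here is a minimal C sketch of the PF_PACKET approach described above: it checks for an effective UID of 0 as the page requires, opens a PF_PACKET socket, and reports the IP version and size of each packet, which is what release 0.3 displays. The packet parser is kept separate from the socket code and exercised on two hand-constructed sample headers, so that part runs without root or a live interface. The names parse_packet, demo_offline and sniff_loop are my own, and the choice of SOCK_DGRAM (so the kernel strips the link-layer header and the data starts at the IP header on Ethernet and PPP links alike) is a design decision of this example, not something the page states.

```c
/* Added example (not the page's sniff program): a minimal PF_PACKET sniffer
 * that, like release 0.3, reports each packet's IP version and size. Sample
 * packets are constructed by hand so parsing runs without root or a network. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/socket.h>
#include <arpa/inet.h>       /* htons, ntohs */
#include <linux/if_ether.h>  /* ETH_P_ALL */
#include <linux/if_packet.h> /* struct sockaddr_ll */
#endif

#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD

struct ip_summary {
    int version;     /* 4 or 6; 0 when the packet is not IP */
    unsigned length; /* total IP packet length in bytes */
};

/* Summarize one packet: 'ethertype' is the link-layer protocol id (what a
 * PF_PACKET socket reports in sll_protocol) and 'pkt' starts at the IP
 * header. Every field read is bounds-checked against 'len', so a truncated
 * or malformed packet off the wire cannot read past the buffer. */
int parse_packet(unsigned ethertype, const uint8_t *pkt, size_t len,
                 struct ip_summary *out)
{
    out->version = 0;
    out->length = 0;
    if (ethertype == ETHERTYPE_IPV4 && len >= 20 && (pkt[0] >> 4) == 4) {
        out->version = 4;
        out->length = (pkt[2] << 8) | pkt[3];          /* Total Length */
        return 0;
    }
    if (ethertype == ETHERTYPE_IPV6 && len >= 40 && (pkt[0] >> 4) == 6) {
        out->version = 6;
        out->length = ((pkt[4] << 8) | pkt[5]) + 40;   /* Payload Length + header */
        return 0;
    }
    return -1; /* short, malformed, or not IP at all (ARP etc.) */
}

/* Constructed samples (not captured traffic): an IPv4 header with Total
 * Length 84, as a ping carries, and an IPv6 header with Payload Length 64. */
static const uint8_t sample_v4[20] = {
    0x45, 0, 0, 0x54, 0, 1, 0, 0, 0x40, 1, 0, 0, 127, 0, 0, 1, 127, 0, 0, 1 };
static const uint8_t sample_v6[40] = {
    0x60, 0, 0, 0, 0, 0x40, 0x3a, 0x40, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

/* Runs the parser over both samples; returns how many parsed as IP. */
int demo_offline(void)
{
    struct ip_summary s;
    int ok = 0;
    ok += parse_packet(ETHERTYPE_IPV4, sample_v4, sizeof sample_v4, &s) == 0;
    ok += parse_packet(ETHERTYPE_IPV6, sample_v6, sizeof sample_v6, &s) == 0;
    return ok;
}

#ifdef __linux__
/* Live capture. SOCK_DGRAM makes the kernel strip the link-layer header, so
 * data starts at the IP header on Ethernet and PPP (modem) links alike and
 * sll_protocol carries the ethertype; ETH_P_ALL asks for every protocol. */
int sniff_loop(unsigned max_packets)
{
    /* The page's rule: only an effective UID of 0 may create PF_PACKET sockets. */
    if (geteuid() != 0) {
        fprintf(stderr, "need effective UID 0 (root) to open a PF_PACKET socket\n");
        return 1;
    }
    int fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    uint8_t buf[65536];
    for (unsigned n = 0; n < max_packets; n++) {
        struct sockaddr_ll from;
        socklen_t fromlen = sizeof from;
        ssize_t got = recvfrom(fd, buf, sizeof buf, 0,
                               (struct sockaddr *)&from, &fromlen);
        if (got < 0) { perror("recvfrom"); break; }
        struct ip_summary s;
        if (parse_packet(ntohs(from.sll_protocol), buf, (size_t)got, &s) == 0)
            printf("IPv%d packet, %u bytes\n", s.version, s.length);
    }
    close(fd);
    return 0;
}
#endif

int main(void)
{
    printf("%d sample packets parsed\n", demo_offline());
#ifdef __linux__
    return sniff_loop(20); /* run as root; ping 127.0.0.1 in another shell */
#else
    return 0;
#endif
}
```

Run it as root and ping 127.0.0.1 from another shell, as the page suggests, and the loopback echo requests and replies show up as IPv4 packets of 84 bytes. Without root the program stops at the UID check with an explanation, rather than a bare permission error from socket(), which is the behaviour a user of the page's program would otherwise see.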

Future releases will include detection at a higher level (transport layer or application layer), and will also have a graphical user interface. This is some way down the line, but I will post the newer versions when they are available.

Get it!

You can download the source code file from here

You can contact me at yohanfer@hotmail.com

Please feel free to let me know how I can improve my site.

Other related sites

Official IPv6 Web Site

Linux Kernel Site