
Same IP Addresses while capturing Packets under Linux (C Program)


I am receiving network packets by writing a program in C. So far I am receiving packets correctly, but the only problem I'm facing is that I'm getting the same IP addresses for Ethernet, TCP and UDP. I'm not having any trouble when receiving via tcpdump.

Ethernet source of my system is: b0:10:41:fc:d7:2f
And IP address of my interface is: 192.168.10.145

These are received packets:

162 >>> Received packet with 66 bytes: Ethernet src: b0:10:41:fc:d7:2f dst: b0:10:41:fc:d7:2f type: 0x800 IP version: 4 ihl: 5 ttl: 64 protocol: 6 src: 192.168.10.145 dst 192.168.10.145 TCP src: 46888 dst: 80 seq: 3048209837 win: 4508 ACK 000000: b728 0050 b5af fdad 0e1d 21a1 8010 119c .(.P......!..... 0x0010: e258 0000 0101 080a 5a05 1f81 0595 4669

163 >>> Received packet with 66 bytes: Ethernet src: b0:10:41:fc:d7:2f dst: b0:10:41:fc:d7:2f type: 0x800 IP version: 4 ihl: 5 ttl: 64 protocol: 6 src: 192.168.10.145 dst 192.168.10.145 TCP src: 38836 dst: 443 seq: 1969857171 win: 341 ACK 000000: 97b4 01bb 7569 a293 0473 15bc 8010 0155 ....ui...s.....U 0x0010: 11f1 0000 0101 080a 4011 29b5 45f5 c4da

164 >>> Received packet with 1024 bytes: Ethernet src: 0:1a:a0:3f:d6:fc dst: 0:1a:a0:3f:d6:fc type: 0x800 IP version: 4 ihl: 5 ttl: 64 protocol: 6 src: 110.93.233.24 dst 110.93.233.24 TCP src: 80 dst: 46888 seq: 236790177 win: 595 ACK 000000: 0050 b728 0e1d 21a1 b5af fdad 8010 0253 .P.(..!........S 0x0010: 6e5f 0000 0101 080a 0595 46a1 5a05 199a n_........F.Z... 0x0020: f107 eb73 1b82 1492 c88f e84c 101a 9416 ...s.......L.... 0x0030: 9a27 900f 2020 1985 836f 79d5 8a26 15fa .'.. ...oy..&..

And this is my code:

layer2: {
    struct ethhdr *eth = (struct ethhdr*) data;
    printf("\tEthernet src: %s dst: %s type: %#04x\n",
        ether_ntoa((const struct ether_addr*) eth->h_source),
        ether_ntoa((const struct ether_addr*) eth->h_dest),
        ntohs(eth->h_proto)
    );
    protocol = ntohs(eth->h_proto);
    next_hdr = (char *) (eth + 1);
}

layer3: switch (protocol) {
    case ETH_P_IP: {
        /* Parse IP protocol */
        struct iphdr *ip = (struct iphdr*) next_hdr;
        char buf[32];
        printf("\tIP version: %u ihl: %u ttl: %u protocol: %u src: %s dst %s\n",
            ip->version,
            ip->ihl,
            ip->ttl,
            ip->protocol,
            inet_ntop(AF_INET, &ip->saddr, buf, sizeof(buf)),
            inet_ntop(AF_INET, &ip->daddr, buf, sizeof(buf))
        );

What am I doing wrong?


Solution

  • You're using the same buf to hold both IP addresses:

    inet_ntop(AF_INET, &ip->saddr, buf, sizeof(buf)),
    inet_ntop(AF_INET, &ip->daddr, buf, sizeof(buf))
    

    Because you're using the same buffer, and both calls to inet_ntop() are done before the call to printf(), the last call to inet_ntop() will overwrite the results from the first call.
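Added example (not the poster's or the answerer's code): the same decoding done with one caller-owned buffer per address. The Ethernet addresses in the output collapse for the same reason as the IP addresses, because ether_ntoa() returns a pointer to a single static buffer, so the reentrant ether_ntoa_r() (available in glibc and musl) is used instead. The frame bytes are constructed from the addresses quoted in the question, and the headers are copied into aligned locals rather than cast in place.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ether.h>      /* ether_ntoa_r() */
#include <netinet/if_ether.h>   /* struct ethhdr, struct ether_addr */
#include <netinet/ip.h>         /* struct iphdr */

struct addr_strings {
    char eth_src[18], eth_dst[18];                      /* "xx:xx:xx:xx:xx:xx" + NUL */
    char ip_src[INET_ADDRSTRLEN], ip_dst[INET_ADDRSTRLEN];
    uint16_t eth_type;
};
/* Decode the Ethernet and IPv4 headers of one frame into the caller's struct.
 * Returns 0 on success, -1 if the frame is too short to hold both headers. */
static int decode_frame(const unsigned char *data, size_t len, struct addr_strings *out)
{
    struct ethhdr eth;
    struct iphdr ip;
    if (len < sizeof eth + sizeof ip)
        return -1;
    /* Copy into aligned locals instead of casting struct pointers into the raw frame. */
    memcpy(&eth, data, sizeof eth);
    memcpy(&ip, data + sizeof eth, sizeof ip);
    /* ether_ntoa() hands back the same static buffer on every call; the reentrant
     * variant writes into the buffer we pass, so src and dst stay distinct. */
    ether_ntoa_r((const struct ether_addr *) eth.h_source, out->eth_src);
    ether_ntoa_r((const struct ether_addr *) eth.h_dest, out->eth_dst);
    out->eth_type = ntohs(eth.h_proto);
    /* One buffer per address: the second inet_ntop() no longer overwrites the first. */
    inet_ntop(AF_INET, &ip.saddr, out->ip_src, sizeof out->ip_src);
    inet_ntop(AF_INET, &ip.daddr, out->ip_dst, sizeof out->ip_dst);
    return 0;
}

/* Constructed sample frame using the addresses from the question (headers only). */
static const unsigned char sample_frame[] = {
    0x00,0x1a,0xa0,0x3f,0xd6,0xfc, 0xb0,0x10,0x41,0xfc,0xd7,0x2f, 0x08,0x00, /* dst, src, IPv4 */
    0x45,0x00, 0x00,0x34, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,       /* v4 ihl 5, ttl 64, TCP */
    192,168,10,145, 110,93,233,24,                                           /* src IP, dst IP */
};
int main(void)
{
    struct addr_strings a;
    if (decode_frame(sample_frame, sizeof sample_frame, &a) != 0) return 1;
    printf("Ethernet src: %s dst: %s type: %#06x\n", a.eth_src, a.eth_dst, a.eth_type);
    printf("IP src: %s dst: %s\n", a.ip_src, a.ip_dst);
    return 0;
}
```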