c - Mac OS X 上奇怪的 RAW 套接字

Question

当我在我的 Mac OS X 上运行一个用 C 编码的简单数据包嗅探器时，我根本没有输出，这是一件奇怪的事情！有人可以帮助我了解发生了什么。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
   int i, recv_length, sockfd;

   u_char buffer[9000];

   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!!\n");

        return -1;
   }

   for(i=0; i < 3; i++) {
      recv_length = recv(sockfd, buffer, 8000, 0);
      printf("Got some bytes : %d\n", recv_length);
   }

   return 0;
}

我编译它并在我的盒子上运行它，但什么也没发生：

MacOsxBox:Desktop evariste$sudo ./simpleSniffer

谢谢你的帮助。

Answer 1

这不适用于 *BSD（包括 OSX/Darwin）。有关详细信息，请参阅此处的调查：

b. FreeBSD
**********

FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw
sockets. Such packets need to be read directly at the datalink layer by using
libraries like libpcap or the bpf API. It also *never* passes any fragmented 
datagram. Each datagram has to be completeley reassembled before it is passed
to a raw socket.
FreeBSD passes to a raw socket:
    a) every IP datagram with a protocol field that is not registered in
    the kernel
    b) all IGMP packets after kernel finishes processing them
    c) all ICMP packets (except echo request, timestamp request and address
    mask request) after kernel finishes processes them

故事的寓意：libpcap用于此。它会让你的生活更轻松。（如果您使用 MacPorts，请执行此操作sudo port install libpcap。）

Answer 2

我运行它并得到：

# ./a.out
Got some bytes : 176
Got some bytes : 168
Got some bytes : 168
# 

我猜这将是一件非常奇怪的事情，就像您无权打开套接字并且 stderr 被奇怪地重定向。

我建议使用老式的狼陷阱调试：

   printf("I got ti 1\n");
   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!!\n");

        return -1;
   }
   printf("I got to 2\n");
   for(i=0; i < 3; i++) {
      printf("About to read socket.\n");
      recv_length = recv(sockfd, buffer, 8000, 0);
      printf("Got some bytes : %d\n", recv_length);
   }
   printf("Past the for loop.\n");

...看看它说了什么。