                 Raw IP Networking FAQ 
                 --------------------- 

 Version 1.3

  Last updated: 1999-11-11 18:18:19

   This FAQ is maintained at http://www.whitefang.com/rin/.

   An HTML version of this FAQ is available there as well.

   If you would like to mirror it, please get in touch first.

  Translator: kinux (kinux@kldp.org, http://kinux.sarang.net)
 (Note: the first Korean translation, of version 0.6, was made by kabin (http://kldp.org/~kabin);
  the copyright of that first translation belongs to kabin.)

Copyright 
--------- 

This FAQ and its contents are copyright Thamer Al-Herbish, who holds all
rights to them.

No guarantee is made that the contents of this FAQ are accurate, and no
responsibility is accepted for any damage resulting from its use. Every
effort has been made to keep it accurate, but neither the author nor the
contributors are liable for problems arising from use of the FAQ or from
inaccuracies in it.

Any products or trademarks mentioned are the property of their respective
owners.

Introduction 
------------ 

The following FAQ answers questions about raw IP networking: raw sockets,
and packet filtering APIs such as BPF and DLPI.

Additions and corrections 
--------------------------- 

If you have corrections, additions, or answers to questions in this FAQ,
please send them to:

Thamer Al-Herbish <shadows@whitefang.com> 

If you contribute and would rather not have your email address appear in
the FAQ, just say so. If a question or answer posted on Usenet ought to be
in the FAQ, point it out to me and I will see that it gets added.

I get email about raw socket bugs about once a month. If something does not
work on your system, please check the relevant source code first, and let
me know once you have confirmed the bug.

Thanks also go to John W. Temples <john@whitefang.com>.

People who have contributed to this FAQ are listed in the contributors
section at the end.

Finally, there is a Raw IP Networking mailing list. Send a message to
rawip-subscribe@whitefang.com to subscribe.


Note 
------ 

This FAQ deals only with Unix environments.


Table of Contents 
----------------- 

  1) General: 

    1.1) Are there any network monitoring tools or sniffers available? 
    1.2) What packet capture facilities are available? 
    1.3) Is there a portable API for packet capture? 
    1.4) How do packet capture programs work? 
    1.5) How do I minimize packet loss while sniffing a network? 
    1.6) What is packet capture used for? 
    1.7) Can captured packets be altered and put back onto the network?
    1.8) Is there a portable API for writing raw packets to the network?
    1.9) Are there APIs for raw IP access in languages other than C?

  2) Raw sockets: 

    2.1) What is a raw socket? 
    2.2) How do I use raw sockets? 

      2.2.1) How do I send a TCP/IP packet with a raw socket? 
      2.2.2) How do I build a TCP/IP packet? 
      2.2.3) How do I listen for packets with a raw socket? 

    2.3) Are there gotchas I should know about when using raw sockets? 

      2.3.1) IP header length/offset host/network byte order 
      (feature/bug?) 
      2.3.2) Solaris 2.4/2.5 checksum weirdness. 
      2.3.3) Additional IP packet processing on Solaris 2.x and Irix 6.x 
    2.4) What are raw sockets generally used for? 

  3) libpcap (Portable Packet Capturing Library) 

    3.1) Why use libpcap rather than the OS's own packet capture API?
    3.2) Is there anything about libpcap I should know?
    3.3) Where can I find the libpcap source code? 

  4) Contributors 




    1) General: 
    --------------------- 

        1.1) Are there any network monitoring tools or sniffers available? 

        There are several, depending on the operating system:

        tcpdump:     Available on most BSD-compatible systems, from
                     ftp://ftp.ee.lbl.gov/tcpdump.tar.Z. It is built on
                     libpcap (see below), which is why it comes up again in
                     the libpcap section.

        ipgrab:      Portable across systems. Shows the link, transport and
                     network layer headers of captured packets.
                     http://www.xnet.com/~cathmike/MSB/Software/

        Ethereal:    A GTK+ based graphical network packet analyzer. It runs
                     on many systems and can be obtained from
                     http://ethereal.zing.org

        tcptrace:    http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html
                     Not a sniffer itself; it reads the log files produced by
                     the well-known sniffers and produces general statistics
                     about the connections seen in them.

        tcpflow:     http://www.circlemud.org/~jelson/software/tcpflow/
                     tcpflow captures the data carried by TCP connections
                     (flows) and stores it in a form convenient for protocol
                     analysis or debugging.

        snoop:       Solaris, IRIX. 

        etherfind:   SunOS. 

        Packetman:   SunOS, DEC-MIPS, SGI, DEC-Alpha, and Solaris. 
                     Available at ftp://ftp.cs.curtin.edu.au:/pub/netman/ 

        SniffIt:     Linux, SunOS, Solaris, FreeBSD, and IRIX. 
                     Available at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html 

        nettl/ntfmt: HP/UX 



        1.2) What packet capture facilities are available? 

        This depends on the operating system; there are several: 

        BPF:                Berkeley Packet Filter. Found on most BSD systems.

        DLPI:               Data Link Provider Interface. Solaris, HP-UX, SCO 
                            Openserver.                                       

        NIT:                Network Interface Tap. SunOS.                     

        SNOOP:              (???). IRIX.                                      

        SNIT:               STREAMS Network Interface Tap. (??)               

        SOCK_PACKET:        Linux.           

        LSF:                Linux Socket Filter. Available on Linux 2.1.75 and later.

        drain:              Sockets used to snoop packets discarded by the OS. IRIX.


        1.3) Is there a portable API for packet capture? 

        Yes. ftp://ftp.ee.lbl.gov/libpcap.tar.Z provides a single API on top
        of the OS-specific packet capture APIs. Be aware, though, that the
        underlying facility the library relies on may itself be buggy on some
        systems. Note also that libpcap has at times broken backward
        compatibility.

        1.4) How do packet capture programs work?

        The exact details differ from one operating system to another, but
        here is a general description of how these programs work.

        The process makes a system call that opens a device or descriptor
        through which it can receive packets from the network, whether or not
        they are addressed to the local host. The kernel then copies packets
        to the process.

        This does not work well on a heavily loaded system or a busy network:
        the process has to read packets as fast as the network delivers them,
        and on a busy network it cannot keep up. That is where buffering and
        packet filtering come in.

        The kernel buffers up to X bytes of packet data and hands the whole
        buffer to the process in response to a single read request. Once the
        buffer limit is exceeded, packets are dropped (and a counter of dropped
        packets is kept).

        Packet filters let the process specify which packets it wants. A
        filter is generally a small program made up of opcodes; the kernel
        reads it and runs it against each packet as it arrives. The opcodes are
        very simple operations that examine the packet data.

        BPF filters before buffering, so only the packets the process wants
        are copied into the buffer; this conserves buffer space and avoids
        copying packets the process would discard anyway.

        NIT does not do this; it buffers first, and filtering happens as the
        process reads from the buffer.

        Other packet capture facilities vary in how efficiently they do this.
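        As an added illustration of the filtering mechanism just described,
        here is a small interpreter in the style of the BPF virtual machine.
        It is example code written for this page, not part of the original FAQ
        or of any kernel: the instruction set (absolute LDH/LDB loads, JEQ,
        RET) is a hand-picked subset of BPF's, the program for "TCP destination
        port 80" is hand-assembled, and both frames are constructed, not
        captured. Running it shows why a filter that rejects a frame early
        saves the kernel from copying that frame into the buffer at all.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One filter instruction, shaped like the kernel's struct bpf_insn:
 * opcode, jump-if-true offset, jump-if-false offset, constant operand.
 * Jump offsets are relative to the following instruction, as in BPF. */
enum { OP_LDH_ABS, OP_LDB_ABS, OP_JEQ, OP_RET };
struct insn { uint8_t code, jt, jf; uint32_t k; };

/* Interpret a filter program over one frame. Returns the number of bytes
 * the caller should keep (0 = drop). A load that runs past the end of the
 * frame rejects the packet, which is what the BPF machine does too. */
uint32_t run_filter(const struct insn *prog, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;                       /* the accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LDH_ABS:                    /* acc = big-endian 16-bit word at pkt[k] */
            if ((size_t)i->k + 2 > len) return 0;
            acc = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case OP_LDB_ABS:                    /* acc = byte at pkt[k] */
            if ((size_t)i->k + 1 > len) return 0;
            acc = pkt[i->k];
            break;
        case OP_JEQ:                        /* pc = pc + 1 + (acc == k ? jt : jf) */
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case OP_RET:
            return i->k;
        }
    }
    return 0;                               /* fell off the end: drop */
}

/* Hand-assembled program: accept Ethernet/IPv4/TCP frames whose TCP
 * destination port is 80. For brevity it assumes a 20-byte IP header;
 * real compiled filters also read the IHL field and reject fragments. */
static const struct insn TCP_DPORT_80[] = {
    { OP_LDH_ABS, 0, 0, 12     },   /* acc = EtherType                 */
    { OP_JEQ,     0, 5, 0x0800 },   /* IPv4? otherwise jump to reject  */
    { OP_LDB_ABS, 0, 0, 23     },   /* acc = IP protocol               */
    { OP_JEQ,     0, 3, 6      },   /* TCP? otherwise reject           */
    { OP_LDH_ABS, 0, 0, 36     },   /* acc = TCP destination port      */
    { OP_JEQ,     0, 1, 80     },   /* port 80? otherwise reject       */
    { OP_RET,     0, 0, 0xffff },   /* accept: keep up to 65535 bytes  */
    { OP_RET,     0, 0, 0      },   /* reject                          */
};
#define TCP_DPORT_80_LEN (sizeof TCP_DPORT_80 / sizeof TCP_DPORT_80[0])

uint32_t filter_frame(const uint8_t *pkt, size_t len)
{
    return run_filter(TCP_DPORT_80, TCP_DPORT_80_LEN, pkt, len);
}

/* Two constructed frames (not real captures), 10.0.0.1 -> 10.0.0.2:
 * a TCP SYN to port 80 and a UDP datagram to port 53. */
static const uint8_t FRAME_TCP80[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2,
    0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0,
};
static const uint8_t FRAME_UDP53[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x40,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2,
    0xc0,0x01, 0x00,0x35, 0x00,0x08, 0x00,0x00,
};

int main(void)
{
    printf("tcp/80 frame    -> keep %" PRIu32 " bytes\n", filter_frame(FRAME_TCP80, sizeof FRAME_TCP80));
    printf("udp/53 frame    -> keep %" PRIu32 " bytes\n", filter_frame(FRAME_UDP53, sizeof FRAME_UDP53));
    printf("truncated frame -> keep %" PRIu32 " bytes\n", filter_frame(FRAME_TCP80, 20));
    return 0;
}
```

        The bounds check on every load matters: a filter runs in the kernel
        on untrusted input, so an out-of-range offset must reject the frame
        rather than read past the end of the buffer.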

        1.5) How do I minimize packet loss while sniffing a network? 

        If the system's packet capture facility supports buffering, have it
        buffer so that many packets are read per system call. This works best
        when filtering happens before buffering. With a facility whose
        filtering is broken in this respect, like NIT, the process ends up
        reading many packets it then has to filter itself; in that case try
        adding buffering in user space as well.

        Another technique is to increase the buffer size. The Irix man page for
        SNOOP recommends SO_RCVBUF. With BPF on BSD systems the buffer size can
        be raised with the BIOCSBLEN ioctl. On Solaris the bufmod and pfmod
        modules buffer and filter with a configurable size.

        When the process cannot keep up with the incoming packets on a loaded
        system, the kernel will drop packets.

        1.6) What is packet capture used for? 
        ---------------------------------------------- 

        (Question suggested by Michael T. Stolarchuk <mts@rare.net> 
        along with some suggestions for the answer.) 

            Verifying a network's setup and debugging at the network level;
            for example, an ARP watcher that monitors the ARP messages coming
            from hosts.

            Examining end-to-end connections. tcpshow does this. Less
            legitimately, it is also the mechanism used to tap a network
            connection.

            Monitoring network load. This is probably the most common use;
            many commercial products and dedicated hardware do it.

        1.7) Can captured packets be altered and put back onto the network?

             No. Packet capture gives you a copy of the packet; the system's
             TCP/IP stack still processes the original. To act on packets at
             the TCP/IP level you must firewall them (which can also be done
             with a packet filter). Do not confuse firewall packet filtering
             with packet capture filtering; they are different things.
	     
        1.8) Is there a portable API for writing raw packets to the network?

	     Yes. route <route@infonexus.com> has written Libnet, which
	     provides a portable API for constructing, handling and writing
	     packets. It can be thought of as the counterpart of libpcap for
	     the sending side; the site is:

             http://www.packetfactory.net/libnet/ 

        1.9) Are there APIs for raw IP access in languages other than C?

 	     Raw socket access is available for PERL:
	     http://quake.skif.net/RawIP/

             There is also a Python library, "py-libpcap":
	     ftp://ftp.python.org/pub/python/contrib/Network/ 


    2) Raw sockets: 
    ------------------------ 

        2.1) What is a raw socket? 

        In the BSD socket API, what we call a raw socket gives direct access
        to the IP layer of the TCP/IP stack, below the transport layer. Not
        every OS follows the BSD semantics exactly, so this is only a general
        description; the differences that matter are pointed out below. Note
        also that on most systems only the root user can open a raw socket.

        2.2) How do I use raw sockets? 

            2.2.1) How do I send a TCP/IP packet with a raw socket? 

            As with any other socket, first create the socket with the
            appropriate type:

            sockd = socket(AF_INET,SOCK_RAW,<protocol>); 

            Here you may give IPPROTO_RAW, or the protocol number of the IP
            protocol you intend to handle. If IPPROTO_RAW is used, the IP
            protocol field will be 0.

            Most systems have a socket option called IP_HDRINCL that lets you
            include your own IP header with the packet. If your system does not
            support this option, you probably cannot write your own IP header.
            Otherwise, set the option as follows (the option value must be an
            int: a one-byte char happens to work on Linux but is rejected with
            EINVAL on the BSDs):

            int on = 1; 
            setsockopt(sockd,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)); 

            Also, if you do not want to write the IP header yourself, you can
            always hand the socket a buffer containing just the transport header
            and data, and the kernel will prepend the IP header.

            Then send the packet with an ordinary sendto() call.

            2.2.2) How do I build a TCP/IP packet? 

            Example code is available at http://www.whitefang.com/rin/. Read
            the relevant RFCs carefully as well. The examples there also deal
            with the gotchas described below.

            In short, you lay the packet out in memory, headers and data, and
            hand it to the kernel. The kernel then either transmits it as given
            or drops it.
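            The steps of 2.2.1 and 2.2.2 carried through, as an added example
            that is not code from the FAQ or from the samples at
            http://www.whitefang.com/rin/: an IPv4 header and a TCP SYN are
            laid out in a buffer, both checksums are computed as RFC 1071
            requires, and main() sends the result through a SOCK_RAW socket
            with IP_HDRINCL set. RAW_LEN_OFF_HOST_ORDER is this example's own
            name for the byte-order gotcha in 2.3.1 below; the addresses, port
            numbers, sequence number and IP identification are constructed
            values, and the 20-byte sample header used for the self-check is
            constructed too.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

enum { IP_HLEN = 20, TCP_HLEN = 20 };

/* Gotcha 2.3.1: 4.4BSD-derived stacks want ip_len and ip_off in host byte
 * order when IP_HDRINCL is used. Define this to 1 when building for such a
 * system; the default (0) writes them in network byte order. */
#ifndef RAW_LEN_OFF_HOST_ORDER
#define RAW_LEN_OFF_HOST_ORDER 0
#endif

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static void put_len_off(uint8_t *p, uint16_t v)
{
    if (RAW_LEN_OFF_HOST_ORDER) memcpy(p, &v, sizeof v); else put16(p, v);
}

/* RFC 1071 Internet checksum: one's-complement sum of big-endian 16-bit
 * words, an odd trailing byte padded with zero, the result complemented. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; data += 2, len -= 2) sum += (uint32_t)data[0] << 8 | data[1];
    if (len) sum += (uint32_t)data[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

/* TCP checksum: covers the 12-byte pseudo-header (src, dst, zero, protocol,
 * TCP length) followed by the whole TCP segment. */
uint16_t tcp_cksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t seglen)
{
    uint8_t buf[12 + 1500];
    if (seglen > 1500) return 0;
    memcpy(buf, src, 4); memcpy(buf + 4, dst, 4);
    buf[8] = 0; buf[9] = IPPROTO_TCP; put16(buf + 10, (uint16_t)seglen);
    memcpy(buf + 12, seg, seglen);
    return in_cksum(buf, 12 + seglen);
}

/* Lay out an IPv4 header followed by a TCP SYN in pkt (at least 40 bytes).
 * Returns the total length, or 0 if an address does not parse. */
size_t build_tcp_syn(uint8_t *pkt, const char *src, const char *dst,
                     uint16_t sport, uint16_t dport, uint32_t seq)
{
    uint8_t s[4], d[4];
    if (inet_pton(AF_INET, src, s) != 1 || inet_pton(AF_INET, dst, d) != 1) return 0;
    memset(pkt, 0, IP_HLEN + TCP_HLEN);
    pkt[0] = 0x45;                               /* version 4, IHL 5 */
    put_len_off(pkt + 2, IP_HLEN + TCP_HLEN);    /* total length */
    put16(pkt + 4, 0x1234);                      /* identification (constructed value) */
    put_len_off(pkt + 6, 0x4000);                /* DF set, fragment offset 0 */
    pkt[8] = 64;                                 /* TTL */
    pkt[9] = IPPROTO_TCP;
    memcpy(pkt + 12, s, 4); memcpy(pkt + 16, d, 4);
    put16(pkt + 10, in_cksum(pkt, IP_HLEN));     /* header checksum (field was zero) */

    uint8_t *t = pkt + IP_HLEN;
    put16(t, sport); put16(t + 2, dport); put32(t + 4, seq);
    t[12] = 0x50;                                /* data offset 5 words, no options */
    t[13] = 0x02;                                /* SYN */
    put16(t + 14, 65535);                        /* window */
    put16(t + 16, tcp_cksum(s, d, t, TCP_HLEN)); /* checksum field was zero while summing */
    return IP_HLEN + TCP_HLEN;
}

/* Self-check: both checksums verify to zero when recomputed over the
 * finished headers, which is how a receiver validates them. */
int tcp_syn_checksums_verify(void)
{
    uint8_t pkt[IP_HLEN + TCP_HLEN];
    if (build_tcp_syn(pkt, "10.0.0.1", "10.0.0.2", 40000, 80, 1) != sizeof pkt) return 0;
    return in_cksum(pkt, IP_HLEN) == 0 && tcp_cksum(pkt + 12, pkt + 16, pkt + IP_HLEN, TCP_HLEN) == 0;
}

/* Constructed 20-byte header with its checksum field zeroed; its correct
 * header checksum is 0xb861. */
static const uint8_t SAMPLE_IP_HDR[IP_HLEN] = {
    0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <src-ip> <dst-ip>\n", argv[0]); return 2; }
    uint8_t pkt[IP_HLEN + TCP_HLEN];
    size_t len = build_tcp_syn(pkt, argv[1], argv[2], 40000, 80, 1);
    if (!len) { fputs("bad address\n", stderr); return 2; }

    int sockd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);    /* needs root */
    if (sockd < 0) { perror("socket"); return 1; }
    int on = 1;                                             /* we supply the IP header */
    if (setsockopt(sockd, IPPROTO_IP, IP_HDRINCL, &on, sizeof on) < 0) { perror("IP_HDRINCL"); return 1; }
    struct sockaddr_in to = { .sin_family = AF_INET };
    memcpy(&to.sin_addr, pkt + 16, 4);                      /* destination from the header */
    if (sendto(sockd, pkt, len, 0, (struct sockaddr *)&to, sizeof to) < 0) perror("sendto");
    close(sockd);
    return 0;
}
```

            The IP header checksum is computed here for completeness; with
            IP_HDRINCL the kernels discussed in this FAQ recompute it before
            transmission, which is also why the 2.3.2 and 2.3.3 reports about
            kernels rewriting transport checksums and other fields matter.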

            2.2.3) How do I listen for packets with a raw socket? 

            The BSD socket API was never designed to let you listen for
            arbitrary packets on a raw socket. Linux (2.0.30 and its more
            recent versions) allows it, but that is specific to Linux's own
            TCP/IP implementation. Under BSD semantics only packets that fall
            into certain categories (listed below) are delivered to a raw
            socket.

            This causes problems. TCP packets, for instance, are always
            handled by the kernel first: when the network answers with a
            SYN-ACK, the kernel either processes it itself or replies with an
            RST on your behalf. Likewise, other ICMP messages (see the list
            below) are handled by the kernel. An ICMP echo reply is delivered
            to a matching raw socket because a program (ping) is expected to
            handle it.

            The solution is to firewall the particular port in the UDP or TCP
            case, and to sniff the packets with a packet capture API (the ones
            described above). This keeps the TCP/IP stack from handling the
            packets, so that your own program can handle them.

            If you do not firewall, the kernel replies on its own behalf and
            you will get extra responses from the stack.

            Here is what Richard Stevens had to say about BSD raw socket
            semantics.

            From <rstevens@kohala.com> (Sun Jul 6 12:07:07 1997) : 

            "BSD raw socket semantics: 

            -  TCP and UDP: only the kernel receives these.            

            -  ICMP: the kernel passes to a matching raw socket all ICMP
               messages except those it answers itself (ICMP echo request,
               timestamp request, mask request, and so on).

            -  IGMP: all of these are passed to a matching raw socket.

            -  Other protocols the kernel does not handle (OSPF, etc.): passed
               to a matching raw socket.

            Looking at the icmp_input() routine in the 4.4BSD TCP/IP code, the
            following ICMP types are passed to a matching raw socket:

                Echo Reply: (0) 

                Router Advertisement (9) 

                Time Stamp Reply (13) 

                Mask Reply (18) 


          2.3) Are there gotchas I should know about when using raw sockets?

              2.3.1) IP header length/offset host/network byte order 
              (feature/bug?) 

              Systems derived from 4.4BSD expect the ip_len and ip_off fields
              of the IP header to be in host byte order rather than network
              byte order, which makes for a number of bugs. Not all systems
              behave this way. The only system confirmed to have changed this
              is OpenBSD 2.1.

              2.3.2) Solaris 2.4/2.5 checksum weirdness. 

              For a long time no workaround for this bug had been confirmed.
              Michael Masino <mmasino@mitre.org> then provided a workaround he
              had verified; what follows is his description (Thu, 19 Feb 1998): 

              "I found that when sending TCP or UDP over a raw socket on
              Solaris 2.5, the kernel attempts to compute the TCP or UDP
              checksum itself. If I put the correct checksum into the checksum
              field, the outgoing packet carried a checksum computed over the
              checksum plus the checksum [...] and the checksum came out as 1.
              If instead I set the checksum field to 0, the outgoing packet
              carried a TCP checksum corresponding to [...] the correct
              checksum [...].

              To obtain a correct checksum I fill in the checksum field as
              follows. [...] As mentioned in the FAQ, it uses
              sizeof(struct tcphdr), so [...] the data within the packet
              [...]. Only the TCP header (not the data) needs to be filled in
              this way."

              SUN has acknowledged this as a known bug, but I have not been
              able to find out whether an official fix was ever released.

              It is known that this does not happen on Solaris 2.6.

              2.3.3) Additional IP packet processing on Solaris 2.x and Irix 6.x 
              ----------------------------------------------------------------


              (Bug report from Lamont Granquist 
              <lamontg@hitl.washington.edu> ) 

              "Irix 6.x and Solaris 2.x (2.5.1 and 2.6) perform unexpected
              processing on IP packets sent through SOCK_RAW before they are
              transmitted. In particular, they set the IP_DF (don't fragment)
              flag, assign a different IP id number and different TCP seq and
              ack numbers, and recompute the checksums. I tried to keep it
              from setting the IP_DF flag, but it still assigns the IP id, seq
              and ack numbers and computes the checksums."

            2.4) What are raw sockets generally used for? 
            -------------------------------------------- 

            Many Unix utilities use raw sockets, among them traceroute, ping
            and arp, and some other Internet tools use raw sockets as well.
            Raw sockets have however been criticized for being buggy, not
            portable, and of limited use.

          3) libpcap (Portable Packet Capturing Library) 
          ------------------------------------------------ 

              3.1) Why use libpcap rather than the OS's own packet capture API?

              libpcap exists to make packet capture applications portable. It
              hides the system-specific differences between the various
              operating systems' capture facilities, so a capture application
              written against libpcap runs on many systems.

              3.2) Is there anything about libpcap I should know?

              Yes. libpcap uses the BPF kernel packet filter when it runs on a
              BSD-derived system that has it. On other operating systems
              without BPF, or whose packet filters are less capable, filtering
              is done in user space instead, which slows things down. This is
              one reason packets get lost when sniffing a loaded network: the
              filtering is not done in the kernel.

              DEC OSF/1 has its own API for BPF-style filtering, which libpcap
              uses.

              Ideally libpcap would translate BPF-style filters into the other
              packet capture facilities' filters, but this had not been done as
              of version 0.3.

              See 1.4 for why a filter that runs in the kernel filters network
              traffic more reliably.

              3.3) Where can I find the libpcap source code? 

              LBNL's ftp site has the latest source code. Look for libpcap
              under ftp://ftp.ee.lbl.gov/. For more detail, get
              ftp://ftp.ee.lbl.gov/tcpdump.tar.Z, probably the largest and
              best known application built on libpcap.

          4) Contributors
          ------------------------ 

            Thamer Al-Herbish <shadows@whitefang.com> 
            W. Richard Stevens <rstevens@kohala.com> 
            John W. Temples (III) <john@whitefang.com> 
            Michael Masino <mmasino@mitre.org> 
            Lamont Granquist <lamontg@hitl.washington.edu> 
            Michael T. Stolarchuk <mts@rare.net> 
            Mike Borella <Mike_Borella@mw.3com.com> 
            route <route@infonexus.com> 
            Derrick J Brashear <shadow@dementia.org> 
                  
