1

Recently I developed a packet sniffer in python using socket module. In order to do that, I created a socket of type raw. Then I started receiving and parsing packets.

My assumption was, by default, there is a raw socket on the operating system, which takes a packet and gives it to other modules to parse the packet. When I create a raw socket, it will be the second raw socket in the operating system.

My question is, are packets broadcasted to all of the raw sockets available in OS?? Because while using my packet sniffer I can see packets that are related to other applications (e.g browser). That means those packets are going through at least two sockets. One of them is my packet sniffer, and the other is the real application. Is that right?

Improve this question

1 Answer 1

Reset to default
2

RAW sockets are bound to interfaces. When a message arrives on the interface, the kernel will find all raw sockets that are bound to the protocol number seen in the packet or have issued "connect" to the sending IP.

Any and all raw sockets that match these will receive the packets.

For more precise rules, this text is taken from Microsoft's TCP/IP Raw Sockets:

Received datagrams are copied into all SOCK_RAW sockets that satisfy the following conditions:

  • The protocol number specified in the protocol parameter when the socket was created should match the protocol number in the IP header of the received datagram.
  • If a local IP address is defined for the socket, it should correspond to the destination address as specified in the IP header of the received datagram. An application may specify the local IP address by calling the bind function. If no local IP address is specified for the socket, the datagrams are copied into the socket regardless of the destination IP address in the IP header of the received datagram.
  • If a foreign address is defined for the socket, it should correspond to the source address as specified in the IP header of the received datagram. An application may specify the foreign IP address by calling the connect or WSAConnect function. If no foreign IP address is specified for the socket, the datagrams are copied into the socket regardless of the source IP address in the IP header of the received datagram.

For Linux, there is a less-detailed description in raw(7) - Linux manual page:

All packets or errors matching the protocol number specified for the raw socket are passed to this socket.

Improve this answer
0

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .