Storing network data packets - Linux

How to store all messages flowing through the network card (or only those with a given IP address) in the Linux operating system and save them to a file?

You should have a look at tcpdump / libpcap. Of course there are many great packet sniffers based on these libraries that you can use to retrieve and store any traffic going through your network card.
http://www.tcpdump.org/

Related

Internet socket behavior when communicating within the same host

I have recently been writing a tool for testing some network processes that run across different hosts.
I am tempted by the idea that, when testing, instead of running the client and server on different hosts, I can run them on one host.
Since the client and server use TCP to communicate, I think this should be fine, except for one point:
Is TCP socket behavior the same when communicating within the same host as when communicating across hosts?
Will the data be physically presented to the NIC interface and then routed to the target socket? Or will the kernel bypass the NIC interface in such scenarios? (Let's limit the discussion to Linux only.)
There seems to be little specification regarding this case.
==== EDIT ====
I actually noticed some differences between intra-host and inter-host communication.
When doing inter-host communication, my program can successfully get hardware timestamps. But with the exact same code running within the same host, the hardware timestamp disappears. When supported and enabled, the hardware timestamp of a TCP packet is available and is returned as ancillary data of recvmsg along with the received TCP data. The Linux kernel timestamping doc has all the related info.
I checked the source code; the only difference is whether the sender is on the same host as the receiver, nothing else.
So I am wondering whether the Linux kernel bypasses the NIC and presents the data directly to the receiver when doing intra-host communication, thus causing the issue.
Will the data be physically presented to the NIC interface and then routed to the target socket?
No. There is typically no device that provides this capability, nor is there any need for one.
Or will the kernel bypass the NIC interface in such scenarios?
The kernel will not use the NIC unless it needs to send or receive a packet on a network. Typically, NICs can only return local packets if put in a test or loopback mode, which would require them to stop listening to the network.

When using a socket locally, where does the data go?

Say the system is Linux and I use the TCP/IP protocol. When I send data to 127.0.0.1:1024 from process A, process B gets all the data.
How does the system handle this local data traffic?
Does the data go through the network interface card from A to B?
Or is it only manipulated in memory (much faster than the network interface card)?
It will not be processed by your network card, as the 127.0.0.1 address is not set on any of them (it's on the loopback device), but it will go through the whole IP stack. The benefit is that you can manipulate this traffic with iptables or iproute tools, and whatever you build that way will be ready to work between remote hosts.
If you care more about performance and use only local communication, consider an AF_UNIX socket. You can find more in man socket and man unix.
Check man ipc as well.

Logging data passing through network

Problem
I have just started to scratch the surface of this topic, so excuse me if I'm formulating the question a bit strangely and like a novice. Let's say I'm on a wireless network, which I am right now, and I want to see all the data that is flowing in and out of this network from other clients connected to it. I remember reading a book about someone doing this while connected to the Tor network, and it got me thinking about how this is done.
Questions
A: What is this process called?
B: How is it done?
Wireshark can do this:
http://www.wireshark.org/
It sniffs packets in "promiscuous mode":
http://en.wikipedia.org/wiki/Promiscuous_mode
That lets you see all the packets routed through a specified network interface, not just the packets targeted to a particular client.
A: It's called packet analyzing / packet sniffing.
B: In an unswitched network (e.g. a wifi network or hub), all you need is a network card that supports promiscuous mode and some software, as mentioned by sdanzig.
In a switched environment (e.g. most modern wired networks), you need to use a Layer 3 switch and set it up to mirror the traffic you're interested in to the port to which you are connected. (Otherwise your network adapter won't 'see' the other traffic.)
Some tools:
http://www.dmoz.org/Computers/Software/Networking/Network_Performance/Protocol_Analyzers/
Related topics on SO:
https://stackoverflow.com/questions/tagged/packet-sniffers
https://stackoverflow.com/questions/tagged/packet-capture

How to use tcpdump to get the device info in the network?

I am able to get the packets on the network with tcpdump. I want to get device info like the computer name, its model name, the OS running on it, etc.
Is it possible using tcpdump packets?
I got the MAC address (by ARP) and the IP, but which layer's protocol gives the above information that I want?
Can you tell me how to use this dumped data to get the data I need?
Thanks
but which layer's protocol gives the above information that I want
The details you mention aren't present in network data; for example, there's no point in a TCP segment advertising "Windows XP emitted this." At most you can use tools like nmap that try to guess the OS based on subtle network engine implementation differences.

Is it possible to mimic the source/destination IP of UDP packets?

I capture network packets of a specific protocol (over UDP, if this matters) and I need to replay them to a different destination. Just sending the captured packets will lose the original source/destination IPs, but I need to preserve them.
That new destination is a 3rd-party tool, so I cannot supply the original source/destination IPs in a custom format. It's connected directly to my Ethernet card, so I'm thinking about using raw sockets.
I have IP packets. Can I send them over raw sockets directly to one of my Ethernet cards so that the device connected to this Ethernet card will receive them exactly in their original form (at least at the IP level)? Any other solution?
P.S.
It's intended for completely legal usage, if you are worried about this, for remote monitoring/recording purposes.
If you have the packets captured in pcap format (tcpdump, wireshark, ...), you can use tcpreplay to replay them.
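The pcap file format that tcpdump writes with -w (the first question above) and that tcpreplay reads back, as an added Python example that is not from any of these posts: it builds a few constructed IPv4/UDP packets, stores them with a host filter the way a tcpdump 'host X' expression would, and parses the file back, rejecting files with a different link type. It assumes the DLT_RAW link type (records start at the IP header, no Ethernet frame) and uses constructed RFC 5737 documentation addresses.

```python
import struct
import ipaddress
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_RAW = 101        # DLT_RAW: each record starts at the IPv4 header, no Ethernet frame

def ipv4_checksum(hdr):  # RFC 1071 one's-complement checksum over a 20-byte IPv4 header
    s = sum(struct.unpack('!10H', hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4_udp(src, dst, sport, dport, payload):  # constructed datagram; UDP checksum 0 is legal over IPv4
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:] + udp

def ipv4_endpoints(pkt):  # source and destination of a raw IPv4 packet, as strings
    return {str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))}

def encode_pcap(packets, host=None):
    """Serialise (timestamp, raw_ipv4_packet) pairs as pcap bytes. If host is given,
    keep only packets with that address as source or destination, like 'tcpdump host X'."""
    out = [struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for ts, pkt in packets:
        if host is None or host in ipv4_endpoints(pkt):
            sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
            out.append(struct.pack('<IIII', sec, usec, len(pkt), len(pkt)) + pkt)
    return b''.join(out)

def decode_pcap(data):  # parse pcap bytes back into (timestamp, packet) pairs
    magic, _, _, _, _, _, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RAW:
        raise ValueError('not a little-endian DLT_RAW pcap file')
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from('<IIII', data, off)
        if off + 16 + incl > len(data):
            raise ValueError('truncated record at offset %d' % off)
        records.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records
# Constructed sample traffic: one exchange between two hosts plus an unrelated flow.
SAMPLE = [(1700000000.000100, build_ipv4_udp('192.0.2.10', '192.0.2.20', 40000, 53, b'query')),
          (1700000000.000350, build_ipv4_udp('192.0.2.20', '192.0.2.10', 53, 40000, b'answer')),
          (1700000000.001000, build_ipv4_udp('198.51.100.7', '192.0.2.99', 5000, 6000, b'other'))]
if __name__ == '__main__':  # the resulting file opens in tcpdump -r, Wireshark or tcpreplay
    with open('capture.pcap', 'wb') as f:
        f.write(encode_pcap(SAMPLE, host='192.0.2.10'))
```

Running it writes capture.pcap containing only the two packets that involve 192.0.2.10; the third flow is dropped, which is exactly what a host filter on a live capture does.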