Cloud Ruan

Reputation: 11

How can I capture raw IP packets under Ubuntu?

I want to use Python to capture all the IP packets on an Ubuntu machine's network. Using the code below, I get all the packets with the Ethernet header. How can I get rid of the Ethernet header and directly get only the IP packets?

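import socket

# AF_PACKET + SOCK_RAW with protocol 0x0003 (ETH_P_ALL): every frame, Ethernet header included
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
while True:
    packet = s.recvfrom(65565)  # tuple: (frame bytes, address info)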

Upvotes: 0

Views: 1335

Answers (2)

kardaj

Reputation: 1935

I would suggest you have a look at scapy, a tool that enables the user to send, sniff, dissect and forge network packets. The sniffing paragraph is probably what you're looking for. Here's an example where I capture 10 IP packets, show a summary of their information, then store them to a pcap file:

$ scapy
Welcome to Scapy (2.3.2)
>>> pkts = sniff(filter='ip', count=10)
>>> print len(pkts)
10
>>> pkts.nsummary()
0000 Ether / IP / TCP 31.13.90.2:https > 192.168.1.14:63748 PA / Raw
0001 Ether / IP / TCP 192.168.1.14:63748 > 31.13.90.2:https A
0002 Ether / IP / TCP 192.168.1.14:63748 > 31.13.90.2:https PA / Raw
0003 Ether / IP / TCP 31.13.90.2:https > 192.168.1.14:63748 PA / Raw
0004 Ether / IP / TCP 192.168.1.14:63748 > 31.13.90.2:https A
0005 Ether / IP / UDP 192.168.1.21:48007 > 192.168.1.255:32412 / Raw
0006 Ether / IP / UDP 192.168.1.21:49808 > 192.168.1.255:32414 / Raw
0007 Ether / IP / UDP 192.168.1.11:64817 > 192.168.1.255:32412 / Raw
0008 Ether / IP / UDP 192.168.1.11:64819 > 192.168.1.255:32414 / Raw
0009 Ether / IP / UDP 192.168.1.11:49670 > 239.255.255.250:ssdp / Raw
>>> wrpcap("temp.cap",pkts)
>>> 

Upvotes: 3

Malt

Reputation: 30335

socket (AF_INET, SOCK_RAW, IPPROTO_RAW) will get you an IP Layer raw socket

socket (PF_PACKET, SOCK_RAW, htons (ETH_P_ALL)) will get you a layer 2 raw socket

There are examples (in C) here.

Upvotes: 0
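
An added example, not part of the question or of either answer: one way to keep the question's layer 2 socket and strip the Ethernet header in Python 3. The function names are illustrative, the link type is assumed to be Ethernet, and the sample frame is constructed so the parsing can be checked without root.

```python
import socket
import struct

ETH_P_ALL = 0x0003     # every protocol, as in the question's socket() call
ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # EtherType of an 802.1Q VLAN tag
ETH_HLEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)

def trim_ipv4(data):
    """Validate the IPv4 header and cut off trailing link-layer padding."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(data):
        return None
    return data[:total_len]

def strip_ethernet(frame):
    """Return the IPv4 packet inside an Ethernet frame, or None."""
    offset = ETH_HLEN
    if len(frame) < offset:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    while ethertype == ETH_P_8021Q:   # VLAN tag left in the frame: skip 4 bytes
        if len(frame) < offset + 4:
            return None
        ethertype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4
    return trim_ipv4(frame[offset:]) if ethertype == ETH_P_IP else None

def sample_frame():
    """Constructed frame: 20-byte IPv4 header + 4 payload bytes, padded to 60."""
    eth = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2"))
    return (eth + ip + b"test").ljust(60, b"\x00")

def capture(count=5):
    """Live capture with the question's socket; Linux, needs root or CAP_NET_RAW."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        packets = []
        while len(packets) < count:
            pkt = strip_ethernet(s.recvfrom(65535)[0])
            if pkt is not None:
                packets.append(pkt)
        return packets

if __name__ == "__main__":
    print(len(strip_ethernet(sample_frame())), "byte IPv4 packet from sample frame")
```

On Linux, opening the AF_PACKET socket with SOCK_DGRAM instead of SOCK_RAW makes the kernel deliver packets with the link-level header already removed (see packet(7)).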
