Derek Edwards

Reputation: 11

Packet Sniffing with pcap Segmentation Fault

I am trying to write a packet sniffing program in C and I am experiencing a segmentation fault when I try running the program after successful compilation. I have tried to identify the exact line of code that causes the program to segfault by commenting out some of the code and recompiling the program and then rerunning the smaller version of my program. Here is my code.

#include <pcap.h>
#include <stdio.h>

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
   printf("Got a packet\n");
}

int main()
{
  pcap_t *handle;
  char errbuf[PCAP_ERRBUF_SIZE];
  struct bpf_program fp;
  char filter_exp[] = "ip proto icmp";
  bpf_u_int32 net;

  // Step 1: Open live pcap session on NIC with name eth3
  handle = pcap_open_live("eth3", BUFSIZ, 1, 1000, errbuf);

  // Step 2: Compile filter_exp into BPF pseudo-code
  pcap_compile(handle, &fp, filter_exp, 0, net);
  pcap_setfilter(handle, &fp);

  // Step 3: Capture packets
  pcap_loop(handle, -1, got_packet, NULL);

  pcap_close(handle);   // Close the handle
  return 0;
}

After commenting out the code and recompiling the program and rerunning the program, I have found that the segfault occurs at the pcap_compile line:

pcap_compile(handle, &fp, filter_exp, 0, net);

When I compile and run a program with everything after the handle (Step 1) line commented out, the program runs without segfaulting and nothing happens. As soon as I include the pcap_compile statement by making it active in the program, the program segfaults. Does anyone know what could be the problem, whether it's with the pcap_compile call or something else?

Upvotes: 1

Views: 2213

Answers (3)

Sushant

Reputation: 133

I was also getting a segmentation fault when I tried to run Wenliang Du's SEED lab code on sniffing and spoofing. But it ran fine when run with sudo. It is mentioned in the comments here that it won't run without sudo since it won't have rights to the interface. Maybe you have the same issue.

Upvotes: 0

Timax Thu

Reputation: 1

I want to remind you that the first param of the pcap_open_live function you called is your Linux network interface. So you must make sure that your Linux system has a network interface named eth3. You can check your Linux network interfaces with the ifconfig -a command, and if you find that no interface named eth3 exists, then this may be where the problem comes from.

Upvotes: 0

user12812443

Reputation: 21

Steffen Ullrich is 100% correct here.

If you're going to call any routine that returns a pcap_t *, such as pcap_open_live(), you must check to make sure it succeeds, by checking whether it returns a null pointer or not:

handle = pcap_open_live("eth3", BUFSIZ, 1, 1000, errbuf); 
if (handle == NULL) {
    fprintf(stderr, "Can't open eth3: %s\n", errbuf);
    exit(1);
}

If it fails and returns a null pointer, then pcap_compile() - and other libpcap routines - will crash if you pass that null pointer to it as the first argument.

If you comment out the call to pcap_open_live(), then handle isn't set to anything, so it contains an unknown value. If that value happens to point to a location in memory such that pcap_compile(), pcap_setfilter(), and pcap_loop() don't happen to crash, then it will appear as if the program is working - but it's not.

So you should check whether pcap_open_live() succeeds, as in the example above - and you should check whether pcap_compile(), pcap_setfilter(), and pcap_loop() succeed as well.

Upvotes: 2
