From: grahn+nntp@snipabacken.se   
      
   On Fri, 06 Feb 2009 05:55:41 +0100, Ralf wrote:   
   > David Schwartz wrote:   
   > > On Feb 5, 8:26 pm, Ralf wrote:   
   > >>   
   > >> I need to capture TCP connect packets (ie. SYN-Packets)   
   > >> sent to a given local port, for example to port 1234.   
   > >>   
   > >> That small code needs to run on a normal host.   
   > >> It should not disturb the normal traffic flow,   
   > >> ie. without setting the interface(s) into promiscuous mode or so.   
   > >> Is this possible?   
   > >   
   > > Yes. Simply open a socket, bind it to that port, then call 'listen'.   
   > > If you want to capture the SYN for special processing, you can use any   
   > > of the various packet capture techniques.   
   >   
   > Sorry, I'm new to packet capturing.   
   > Can you please tell me which packet capture techniques there are?   
      
   The most common by far is libpcap, which is used by well-known tools   
   like tcpdump and Wireshark. It abstracts away the differences between   
   how different OSes solve the problem, for different networking   
   interfaces -- otherwise you'd have to write code for Linux, OpenBSD,   
   *BSD, Solaris, Windows ...   
      
   > What would I need to do between the 'listen' and 'accept'   
   > to capture the initial SYN packet?   
   > Do you maybe have some code handy?   
      
   The simplest way is probably to get tcpdump, read the man page which   
   shows how to filter out TCP SYNs for a certain port, then popen()   
   tcpdump from your application.   
      
   Then you can rewrite it using libpcap directly.   
      
   > >> Can I then, when such a packet gets captured, use normal   
   > >> socket functions to accept the connection as usual?   
   > >   
   > > Yep. Just call 'accept'.   
   > >   
   > >> Or will the packet be removed from the device buffer when I capture it?   
   > >> It should not remove it if possible.   
   > >   
   > > Some of the packet capture interfaces give you the opportunity to   
   > > remove or not remove the packet. Some don't let you remove it. Use the   
   > > same mechanism 'tcpdump -p' uses.   
   > >   
   > >> I would prefer a solution without any external library if possible.   
   > >   
   > > Then you can implement the code yourself, but that makes life harder.   
   >   
   > How would you do it?   
   > Which library would you use?   
      
   "None of course" or "libpcap", depending on what you are referring to.   
      
   > >> BTW, is it possible to send a payload within a SYN packet?   
   > >   
   > > Not easily.   
   >   
   > :-) But your answer indicates that it somehow still is possible.   
   > I would like to learn how to do it.   
   > A 6-byte payload in the 1st SYN packet would be sufficient for me,   
   > it can also be placed in some unused header fields if there are any such.   
      
   I assume David meant that the RFC kind of allows it, but that you   
   cannot make the BSD sockets API send it, and circumventing the TCP   
   part of the stack is painful/unfeasible.   
      
   Also, I think an earlier discussion here (where I asked the question)   
   showed that no modern TCP implementation at the other end would accept   
   it. I guess it would refuse the connection altogether, not just   
   discard that segment.   
      
   /Jorgen   
      
   --   
    // Jorgen Grahn R'lyeh wgah'nagl fhtagn!   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
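A per-packet test for the libpcap route described above, added here as an example and not code from the thread: it is what the callback handed to pcap_loop() would apply to each captured frame after opening the device with the promisc argument of pcap_open_live() set to 0 (the interface stays out of promiscuous mode, as with tcpdump -p) and installing the tcpdump-style filter for SYNs to the port. It assumes an Ethernet link layer (DLT_EN10MB); is_syn_to_port and make_tcp_frame are names chosen here, and make_tcp_frame only builds constructed test frames.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define TCP_SYN 0x02
#define TCP_ACK 0x10

/* Return 1 if `pkt` (an Ethernet frame as libpcap hands it to the callback) is
 * an IPv4/TCP segment with SYN set and ACK clear, addressed to destination port
 * `port`; 0 for anything else, including frames too short to hold the headers,
 * non-IPv4 EtherTypes, non-TCP payloads and non-first IP fragments. It is the
 * test "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port N" performs. */
int is_syn_to_port(const uint8_t *pkt, size_t len, uint16_t port)
{
    if (len < ETH_HDR_LEN + 20) return 0;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return 0;    /* EtherType 0x0800 = IPv4 */
    const uint8_t *ip = pkt + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;             /* IP header length incl. options */
    if (ihl < 20 || len < ETH_HDR_LEN + ihl + 20) return 0;
    if (ip[9] != 6) return 0;                            /* IP protocol 6 = TCP */
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0) return 0;  /* fragment offset must be 0 */
    const uint8_t *tcp = ip + ihl;
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return dport == port && (tcp[13] & (TCP_SYN | TCP_ACK)) == TCP_SYN;
}

/* Build a minimal 54-byte Ethernet/IPv4/TCP frame (no options, checksums left
 * zero) with the given destination port and TCP flags. Constructed test input
 * only; in a real program the frames come from the NIC via pcap_loop().
 * Returns the frame length. */
size_t make_tcp_frame(uint8_t *buf, uint16_t dport, uint8_t flags)
{
    static const uint8_t eth[ETH_HDR_LEN] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };
    static const uint8_t ip[20] = {
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
        10,0,0,1, 10,0,0,2 };                            /* 10.0.0.1 -> 10.0.0.2 */
    uint8_t tcp[20] = {
        0xc0,0x00, 0,0, 0,0,0,1, 0,0,0,0, 0x50,0x00, 0xff,0xff, 0,0, 0,0 };
    tcp[2] = (uint8_t)(dport >> 8);
    tcp[3] = (uint8_t)(dport & 0xff);
    tcp[13] = flags;
    memcpy(buf, eth, ETH_HDR_LEN);
    memcpy(buf + ETH_HDR_LEN, ip, sizeof ip);
    memcpy(buf + ETH_HDR_LEN + sizeof ip, tcp, sizeof tcp);
    return ETH_HDR_LEN + sizeof ip + sizeof tcp;
}
```

libpcap delivers a copy of each frame; the kernel's TCP stack still receives the SYN, so the ordinary listen()/accept() path is unaffected by the capture.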