From: grahn+nntp@snipabacken.se   
      
   On Fri, 06 Feb 2009 12:50:37 +0100, Ralf wrote:   
   > Jorgen Grahn wrote:   
   >>   
   >> And the mandatory question: what are you really trying to do, what   
   >> problem are you trying to solve? There are probably easier, more   
   >> normal ways.   
   >   
   > I just need to record *all* IPs who send a connect packet   
   > (ie. the 1st SYN packet) to that TCP port, including failed   
   > connect attempts from spoofed IPs etc.   
   > It is my app which exclusively listens and serves on that port,   
   > ie. there is no other app which listens/serves on that port.   
   >   
   > I cannot use any external utility like tcpdump etc.   
      
   I only suggested that for early experimentation.   
      
   > I guess I would need to use raw sockets.   
      
   No, you can use libpcap, like I and other people here have suggested.   
   It's a library, so I assume it doesn't break the "no external   
   utilities" rule.   
      
   Other options include Linux packet sockets (which I think is what   
   libpcap uses on Linux). Maybe it's even enough for you to set up Linux   
   iptables to log packets which match a certain firewall rule (incoming   
   SYNs to port X).   
      
   > I'm already experimenting with raw sockets but   
   > I don't know how to receive the SYN packets with raw sockets.   
   > The examples I found on the net so far are just sending out, but not   
   > receiving.   
   >   
   > Does anybody know how to solve this problem?   
      
   W. R. Stevens' books deal with raw sockets. I vaguely recall a long   
   list of limitations, caused by (a) lack of standardization and (b)   
   they did not want conflict with the TCP part of the stack.   
      
   There is documentation for Linux in the raw(7) man page.   
      
   /Jorgen   
      
   --   
    // Jorgen Grahn R'lyeh wgah'nagl fhtagn!   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
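An added illustration of the libpcap approach suggested above (example code, not from the thread or from libpcap itself): the per-packet check a pcap_loop callback would run to record every initial SYN aimed at one port, the same test the capture filter `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 8080` expresses. It assumes the capture hands over IPv4 packets with the link-layer header already stripped; port 8080 and the addresses are constructed sample values.

```c
/* Added example, not code from the thread: the per-packet test that a
 * libpcap callback (or a Linux packet-socket reader) would apply to record
 * every initial SYN aimed at one port.  Input is a raw IPv4 packet without
 * link-layer header.  Checksums are not verified: the point is to log every
 * attempt, spoofed or malformed ones included, not to validate them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_SYN 0x02
#define TCP_ACK 0x10

/* Returns the source address if the packet is an initial SYN (SYN set, ACK
 * clear) to `port`, else NULL.  Uses a static buffer: fine for a
 * single-threaded pcap_loop callback, not for concurrent callers. */
const char *syn_source(const uint8_t *p, size_t len, uint16_t port)
{
    static char src[16];
    if (len < 20 || (p[0] >> 4) != 4) return NULL;             /* not IPv4 */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;                     /* header length incl. options */
    if (ihl < 20 || len < ihl + 20 || p[9] != 6) return NULL;   /* truncated, or not TCP */
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0) return NULL;        /* non-first fragment: no TCP header */
    const uint8_t *t = p + ihl;
    if ((uint16_t)((t[2] << 8) | t[3]) != port) return NULL;    /* destination port */
    if ((t[13] & (TCP_SYN | TCP_ACK)) != TCP_SYN) return NULL;  /* SYN+ACK, ACK, RST: not a connect */
    snprintf(src, sizeof src, "%u.%u.%u.%u", p[12], p[13], p[14], p[15]);
    return src;
}

/* Constructed samples (checksums zeroed): 192.0.2.10 -> 198.51.100.5:8080 */
static const uint8_t syn_pkt[40] = {
    0x45,0,0,40, 0,1,0,0, 64,6,0,0, 192,0,2,10, 198,51,100,5,   /* IPv4 header */
    0xd4,0x31, 0x1f,0x90, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 }; /* TCP, flags=SYN */
static const uint8_t synack_pkt[40] = {
    0x45,0,0,40, 0,2,0,0, 64,6,0,0, 192,0,2,10, 198,51,100,5,
    0xd4,0x31, 0x1f,0x90, 0,0,0,1, 0,0,0,2, 0x50,0x12, 0xff,0xff, 0,0, 0,0 }; /* flags=SYN|ACK */

int main(void)
{
    const uint8_t *pkts[] = { syn_pkt, synack_pkt };
    for (size_t i = 0; i < 2; i++) {
        const char *s = syn_source(pkts[i], 40, 8080);
        printf("packet %zu: %s\n", i, s ? s : "ignored");   /* prints 192.0.2.10, then ignored */
    }
    return 0;
}
```

In a real capture the link-layer header (14 bytes on Ethernet) must be skipped before calling `syn_source`, and with the pcap filter above already in place the flag and port checks are merely a second line of defence.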