Tags: sockets, winapi, network-programming, packets, sniffer

What is the goal of using GGP(0x0003) as a protocol parameter in socket()


I started programming a packet sniffer, and I have searched for the correct parameters to pass to the socket() function in order to capture packets with their Ethernet header.

I noticed that in this tutorial, in order to receive the Ethernet header, they changed this line:

s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)

To this line:

s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))

And my questions are:

  1. I understood from this link that AF_INET with a raw socket won't give me the Ethernet header. My question is: why?

  2. Why did he also change IPPROTO_TCP to ntohs(0x0003), which I know is the GGP protocol? As far as I understood, the third parameter states the protocol which the socket will receive. If the protocol parameter is GGP, then the socket will look for packets that have GGP as their internet layer protocol, doesn't it? Then why do they pass GGP and not TCP or IP? After all, almost every PDU has IP and/or TCP/UDP as its data protocols. Does it matter what the third parameter is for my packet sniffer?

  3. In addition to the second question, I think I didn't understand the objective of the third parameter. If it is IPPROTO_TCP, will the socket capture packets with TCP in the network layer (and not UDP, for example)? And if I pass IPPROTO_IP, will the socket capture packets with IP as their internet layer protocol, without checking the other layers' protocols (it doesn't matter to the socket what protocol is used for the network layer; it only cares that IP exists as the internet layer protocol)?

Thanks, and sorry for the grammar mistakes (English isn't my first language).


Solution

    1. The raw socket feature can be set up at different layers of the network stack, in order to allow the kernel to perform some of the work for you at lower levels (e.g. Ethernet crafting).

    2. The change to the GGP protocol might make sense on the website where you found the example, but it is ugly to do so, and getprotoent() should be used rather than magic numbers.

    3. Yes you can tweak (filter) how the packet capture will happen. If you want to capture all packets then use ETH_P_ALL:

    When protocol is set to htons(ETH_P_ALL) then all protocols are received.
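The following is an added example, not code from the question, the answer or the tutorial the question links to. It models the two points above with constructed frames: an AF_PACKET socket delivers the whole frame starting at the 14-byte Ethernet header and its third argument filters on the EtherType (with htons(ETH_P_ALL), i.e. 0x0003, every protocol is received), while an AF_INET raw socket delivers data starting at the IP header and its third argument filters on the IP protocol number. The parsers, the `packet_socket_delivers()` and `inet_raw_delivers()` filter models, the sample frames (checksums left at zero) and `open_sniffer()` are all mine; only `open_sniffer()` touches a real socket, needs Linux and CAP_NET_RAW, and is not called by `demo()`.

```python
"""Added example: what AF_PACKET and AF_INET raw sockets hand you, and what
the third socket() argument filters on. Linux semantics are assumed; the
sample frames are constructed by hand (checksums left as zero)."""
import socket
import struct

ETH_P_ALL = 0x0003   # <linux/if_ether.h>: receive every protocol; the 0x0003 from the question
ETH_P_IP = 0x0800    # EtherType of IPv4
ETH_P_ARP = 0x0806   # EtherType of ARP
ETH_HDR_LEN = 14


def parse_ethernet(frame):
    """Split the 14-byte Ethernet header that an AF_PACKET/SOCK_RAW socket delivers."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[ETH_HDR_LEN:]}


def parse_ipv4(packet):
    """Parse the IPv4 header; an AF_INET/SOCK_RAW socket's data starts here, not at Ethernet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ttl": ttl, "protocol": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": packet[ihl:total_len]}


def packet_socket_delivers(frame, proto_arg):
    """Model of the AF_PACKET filter: proto_arg is an EtherType (host order here)."""
    return proto_arg == ETH_P_ALL or parse_ethernet(frame)["ethertype"] == proto_arg


def inet_raw_delivers(ip_packet, proto_arg):
    """Model of the AF_INET raw-socket filter: proto_arg is an IP protocol number."""
    return parse_ipv4(ip_packet)["protocol"] == proto_arg


def build_ipv4_tcp_frame():
    """Constructed sample: Ethernet/IPv4/TCP SYN to port 22 (hypothetical addresses)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETH_P_IP)
    return eth + ip + tcp


def build_arp_frame():
    """Constructed sample: a broadcast ARP request; only its EtherType matters here."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, bytes.fromhex("66778899aabb"), ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + bytes(20)
    return eth + arp


def open_sniffer(all_protocols=True):
    """Open the Linux AF_PACKET socket from the question (needs CAP_NET_RAW; not run by demo()).
    htons() and ntohs() give the same value for a 16-bit number, which is why the
    tutorial's ntohs(0x0003) works; htons(ETH_P_ALL) is the form packet(7) documents."""
    proto = ETH_P_ALL if all_protocols else ETH_P_IP
    return socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(proto))


def demo():
    """Return what each socket family would deliver for the two sample frames."""
    ip_tcp, arp = build_ipv4_tcp_frame(), build_arp_frame()
    eth = parse_ethernet(ip_tcp)
    ip = parse_ipv4(eth["payload"])
    return {
        "eth_src": eth["src"], "ethertype": eth["ethertype"],
        "ip_src": ip["src"], "ip_protocol": ip["protocol"],
        # AF_PACKET with ETH_P_ALL: every frame, ARP included, Ethernet header attached
        "eth_p_all_gets_arp": packet_socket_delivers(arp, ETH_P_ALL),
        # AF_PACKET with ETH_P_IP: IPv4 frames only
        "eth_p_ip_gets_arp": packet_socket_delivers(arp, ETH_P_IP),
        # AF_INET raw with IPPROTO_TCP: TCP only, and the data begins at the IP header
        "inet_tcp_gets_tcp": inet_raw_delivers(eth["payload"], socket.IPPROTO_TCP),
        "inet_udp_gets_tcp": inet_raw_delivers(eth["payload"], socket.IPPROTO_UDP),
        "byte_order_equal": socket.htons(ETH_P_ALL) == socket.ntohs(ETH_P_ALL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user and `demo()` needs no network access at all; the filter models show why IPPROTO_TCP on an AF_INET raw socket never yields an ARP frame or an Ethernet header, while ETH_P_ALL on AF_PACKET yields both. The sniffer itself is `open_sniffer()`, which mirrors the tutorial's socket() call with the named constant instead of a magic number.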