c++ linux tcp libpcap

Get uid of packet with libpcap


Is it possible to get the effective uid of a captured TCP packet with libpcap? In other words, can I use libpcap to get the user ID of whoever created said packet?


Solution

  • If the packet was sent from another computer, there is no guarantee that whoever sent the packet has a user ID - it might have, for example, been sent by a small embedded operating system that has no notion of user IDs.

    If the packet was sent from your computer, libpcap can't, by itself, tell you the user ID of who sent it. However, if you parse the TCP packet, you can get the source IP address and port number of the packet and, depending on the operating system on which you're running, you might be able to get a table of all active TCP connections on your machine, perhaps with a process ID or user ID associated with it. (Note, however, that, for example, on a UN*X system, a given file descriptor for a given TCP connection can be shared by multiple processes running with different effective or real user IDs, in which case if all you have is the transmitted packet as captured using libpcap, you wouldn't have enough information to determine the user ID, effective or real, of the process that sent the packet, as you wouldn't know the process that sent the packet.)
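On Linux, the table of active TCP connections mentioned above is exposed as `/proc/net/tcp`, and each row carries a `uid` column. The following C++ code is an added example, not part of the original answer: it matches the addresses and ports parsed from a captured outgoing IPv4 packet against that table. The function names and sample rows are constructed for illustration, and the uid returned is the one the kernel lists for the socket, so the caveat about descriptors shared between processes still applies.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Constructed sample rows in /proc/net/tcp layout, as a little-endian host prints them.
static const char kSampleTable[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001\n"
    "   1: 0A00A8C0:D431 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20002\n"
    "   2: 0A00A8C0:D432 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 20003\n";

// Split "HEXADDR:HEXPORT" into its two numbers; false on a malformed field.
static bool parse_endpoint(const std::string& s, uint32_t& addr, uint16_t& port) {
    const std::string::size_type colon = s.find(':');
    if (colon == std::string::npos) return false;
    try {
        addr = static_cast<uint32_t>(std::stoul(s.substr(0, colon), nullptr, 16));
        port = static_cast<uint16_t>(std::stoul(s.substr(colon + 1), nullptr, 16));
    } catch (const std::exception&) { return false; }
    return true;
}

// Return the uid listed for the socket whose 4-tuple matches an outgoing packet, or -1.
// saddr_raw/daddr_raw: the IPv4 header's address fields read as native 32-bit integers
//   (i.e. in_addr.s_addr, no ntohl); the kernel prints that same value with %08X.
// sport/dport: TCP ports after ntohs().
long long uid_for_connection(std::istream& table, uint32_t saddr_raw, uint16_t sport,
                             uint32_t daddr_raw, uint16_t dport) {
    std::string line;
    std::getline(table, line);  // skip the column header
    while (std::getline(table, line)) {
        std::istringstream in(line);
        std::string sl, local, remote, st, queues, timer, retrans;
        unsigned long uid = 0;
        if (!(in >> sl >> local >> remote >> st >> queues >> timer >> retrans >> uid)) continue;
        uint32_t la = 0, ra = 0; uint16_t lp = 0, rp = 0;
        if (!parse_endpoint(local, la, lp) || !parse_endpoint(remote, ra, rp)) continue;
        if (la == saddr_raw && lp == sport && ra == daddr_raw && rp == dport)
            return static_cast<long long>(uid);
    }
    return -1;  // not a local connection, or the socket is already gone
}

int main() {
    std::istringstream table(kSampleTable);  // on a live host: std::ifstream("/proc/net/tcp")
    std::cout << uid_for_connection(table, 0x0A00A8C0u, 54321, 0x0A0200C0u, 443) << "\n";
}
```

A connection that closes between capture and lookup no longer appears in the table, so a result of -1 does not by itself mean the packet came from another machine.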