Mac OS X上奇怪的RAW插槽

Question

当我在我的Mac OS X上运行一个简单的数据包嗅探器在C编码，我根本没有输出，这是一件奇怪的事情！有人可以帮助我理解正在发生的事情吗？

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 

int main(void) { 
    int i, recv_length, sockfd; 

    u_char buffer[9000]; 

    if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) { 
     printf("Socket failed!!\n"); 

     return -1; 
    } 

    for(i=0; i < 3; i++) { 
     recv_length = recv(sockfd, buffer, 8000, 0); 
     printf("Got some bytes : %d\n", recv_length); 
    } 

    return 0; 
} 

我编译它在我的箱子运行它，没有任何事情：

MacOsxBox:Desktop evariste$sudo ./simpleSniffer 

感谢您的帮助。

Answer 1

这不适用于* BSD（包括OSX/Darwin）。见调查here了解更多详情：

b. FreeBSD 
********** 

FreeBSD takes another approach. It *never* passes TCP or UDP packets to raw 
sockets. Such packets need to be read directly at the datalink layer by using 
libraries like libpcap or the bpf API. It also *never* passes any fragmented 
datagram. Each datagram has to be completeley reassembled before it is passed 
to a raw socket. 
FreeBSD passes to a raw socket: 
    a) every IP datagram with a protocol field that is not registered in 
    the kernel 
    b) all IGMP packets after kernel finishes processing them 
    c) all ICMP packets (except echo request, timestamp request and address 
    mask request) after kernel finishes processes them 

这个故事的寓意：使用libpcap这一点。它会让你的生活更轻松。 （如果您使用MacPorts，请执行sudo port install libpcap。）

Answer 2

我运行，并得到：

# ./a.out 
Got some bytes : 176 
Got some bytes : 168 
Got some bytes : 168 
# 

我猜这将是一些非常奇怪的，像你没有权限打开一个套接字和标准错误重定向奇怪。

我建议的老式狼陷阱调试：

printf("I got ti 1\n"); 
    if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) { 
     printf("Socket failed!!\n"); 

     return -1; 
    } 
    printf("I got to 2\n"); 
    for(i=0; i < 3; i++) { 
     printf("About to read socket.\n"); 
     recv_length = recv(sockfd, buffer, 8000, 0); 
     printf("Got some bytes : %d\n", recv_length); 
    } 
    printf("Past the for loop.\n"); 

...，看看它说。