Raw socket grabs packets, and packets on some ports cannot be caught

background

TCP Packet filter items , After deploying the execution program to the real disk , Found some port( Or connecting ) The message of can be captured , But some connected messages cannot be captured , And according to Murphy's law , The target message is not captured （dog head）;

location

1、 Recall the whole execution process , No problem found , And also added printing , It is found that the target is indeed not captured port The connection of , Instead of being captured and filtered to because of other conditions ;
2、 This problem can only be reproduced in the real offer environment , And locally docker The problem cannot be reproduced under , But the real offer debugging should be completed by Party B , Very trouble , So Wen long suggested that tcpreplay To reproduce ; Tossed about for a moment , Find out tcpreplay You can only specify the sending condition of the local specific network card （ In fact, these packages cannot reach the application level of the destination , Even if the destination plane can arrive ）, What I need is to monitor the reception of the network card ！ Later, teacher Shen said that you can set , To make 2 Servers , An analog transmitter （ adopt tcpreplay）, An analog receiver （ Be careful ： This reception is only at the network card level , Can't reach the upper floor , But for my program , It should be ok ？– Later I thought about , Maybe not , You need to determine raw socket What level is monitored ）, It's a toss in the back tcpreplay Of tcpprep and tcprewrite, Object files are also generated , But it failed in the end ;
3、 Look back and continue to look at the code , Although I feel impossible , But a dead horse should be a living horse doctor , Try to release raw socket, From the original only monitor TCP My bag , Change to monitor all network packets , Find a solution to ;

solve

Specific code changes ：
The original raw socket Initialize settings ：

AF_INET, SOCK_RAW, IPPROTO_TCP

Revised raw socket Initialize settings ：

PF_PACKET, SOCK_RAW, htons(ETH_P_IP)

In addition, we need to pay attention to ：
Revised raw socket The intercepted message content , It contains etheric head （ether_header） Of , So it's parsing buf When , You need to pay attention to crossing this many etheric head , Then it is captured in the original setting ip_header, Then proceed to the original parsing process ;

summary

1、 Before the cause is found , Don't give up any possible way because of your existing knowledge ;
2、 Try not to build your own wheels , Try to search existing tools ;