how to handle raw ip packets?
Hi! I've got several questions about raw ip sockets...
1. Imagine we have several apps which use raw ip sockets running on the same system and some packet reaches the destination (the machine we're on). What happens next? Does the kernel pass the packet to one of the applications, or to all of them?
2. How can I handle raw ip packets without touching packets which do not belong to my application, but are to be processed by the other applications running on the system? And, on the other side, how do I receive all incoming IP packets and not allow them to pass to 'their' applications?
3. How does the kernel distinguish the IP and upper protocols (UDP, TCP, etc..)? For example, what if I had two apps running: one with raw ip socket and one with a tcp socket? Now let's imagine that there's an incoming tcp packet. What application will receive it? That one with a tcp socket, or the other one with the raw ip socket?
Thanks in advance...
RobSeace
04-10-2003, 01:50 PM
FYI, there is a separate raw sockets FAQ page (http://www.whitefang.com/rin/), which
might be of more help with such matters than here... (Though, it's a
bit out of date itself, now... Eg: it still points to ee.lbl.gov for libpcap,
when that's now at tcpdump.org (http://www.tcpdump.org/)....
But, to make some attempts at a reply:
1. I believe all processes with appropriate raw sockets for the protocol
of the packet received would see the packet...
2. You would have to come up with your own protocol, of some sort, and
only receive those packets for the protocol you wish to handle... Or, use
a BPF style packet filter to limit the packets your socket receives... As for
not allowing the packets to pass to others, well that's more difficult... In
general, I think the only way to do that is to hack your kernel... (Or,
perhaps using some kind of firewalling features might work, too...)
3. It depends on the nature of the raw socket... If it's configured to
receive all packets, regardless of protocol, and with no filtering restrictions,
then it will see the packet, AND it'll also still be processed by the TCP/IP
stack, and passed onto the normal TCP app... But, the raw socket could
just be a specific type, which only receives a certain protocol; or, it could
have packet filters attached to it... Eg: ping and traceroute use a raw
socket, but it typically is only set to receive ICMP packets...
Ok, thanks, Rob!
Everything is now absolutely clear, except the 3rd question...
According to the Raw IP Networking FAQ you pointed me to, the TCP and UDP packets are recognized by the kernel, and the kernel is responsible for delivering the upper-protocol packets to the proper applications (sockets running up in the system). The kernel only retransmits the tcp and udp packets to the appropriate applications. So there's no way to receive tcp packets with a raw ip socket, right? Now.. what do I do to receive packets of all kinds? Do I have to go to a lower level according to the OSI model and use SOCK_PACKET? Or maybe you have other/better ideas? I think that specifying protocol number '6' as the 3rd parameter to the socket() function can make it work for tcp packets (17 for udp), but I don't yet have the possibility to test it... what do you think about it?
RobSeace
04-10-2003, 11:16 PM
Well, I've honestly never tested it, but I would be surprised if you
couldn't use a standard raw socket to receive TCP/UDP... (But,
given that the quote in the raw sockets FAQ seems to come from
The Master himself, Richard Stevens, I certainly could be and
probably am quite wrong... ;-)) But, you most certainly CAN do so
via raw sockets in domains other than AF_INET, at least (eg: AF_PACKET,
AF_RAW, etc.)... (Or, via alternatives to SOCK_RAW, such as
SOCK_PACKET...) Otherwise, packet sniffers wouldn't be able to work,
since that's certainly one of the things they do: intercept normal TCP/UDP
packets... But, the exact method of doing so is not very standard, and
tends to vary on different systems... That's why libpcap exists: to try
to hide the back-end implementation, and present a single standard
interface, regardless of how your system really does things...
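An added example (not posted by anyone in this thread) that covers the two points discussed above: the "protocol 6 as the 3rd argument to socket()" idea from the previous post and the observation that the raw socket sees the packet while the normal TCP stack still processes it. It assumes Linux, where raw(7) documents that every packet matching the protocol number of a raw IPv4 socket is passed to that socket before it is passed to the protocol handler, and that recv() on such a socket returns the full IP header followed by the TCP header. BSD-derived stacks behave differently for TCP and UDP, as the FAQ quote in the thread says, so on FreeBSD the socket would open but stay silent. The parse function, struct names and the sample packet are all my own constructions, not an API of any library; the sample bytes are a hand-built TCP SYN, not a capture.

```c
/* Added example: read and validate packets from a raw IPv4 socket bound to
 * IP protocol 6 (TCP). Assumes Linux raw(7) semantics. Names below are this
 * example's own; nothing here comes from a library or from the thread. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct pkt_summary {
    uint8_t  proto;              /* IP protocol number: 6 = TCP, 17 = UDP, ... */
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port; /* 0 for protocols without ports */
    size_t   payload_len;        /* bytes after the transport header */
};

/* RFC 1071 one's-complement sum over the IP header; yields 0 when the
 * header already carries a valid checksum. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate one packet as delivered by the raw socket and summarise it.
 * Returns 0 on success, a negative code on reject. Every length is checked
 * against the buffer first: a raw socket hands you whatever arrived, including
 * truncated, fragmented and deliberately malformed packets. */
int parse_ipv4_packet(const uint8_t *buf, size_t len, struct pkt_summary *out)
{
    if (len < 20) return -1;                        /* shorter than a minimal IP header */
    if ((buf[0] >> 4) != 4) return -2;              /* not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -3;           /* bad header length */
    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (total < ihl || total > len) return -4;      /* total length disagrees with buffer */
    if (ip_checksum(buf, ihl) != 0) return -5;      /* corrupt header */
    uint16_t frag = ((uint16_t)buf[6] << 8) | buf[7];
    if (frag & 0x3fff) return -6;                   /* MF set or nonzero offset: no L4 header here */

    memset(out, 0, sizeof *out);
    out->proto  = buf[9];
    out->src_ip = ((uint32_t)buf[12] << 24) | ((uint32_t)buf[13] << 16) | ((uint32_t)buf[14] << 8) | buf[15];
    out->dst_ip = ((uint32_t)buf[16] << 24) | ((uint32_t)buf[17] << 16) | ((uint32_t)buf[18] << 8) | buf[19];

    const uint8_t *l4 = buf + ihl;
    size_t l4len = total - ihl, hdrlen;
    switch (out->proto) {
    case IPPROTO_TCP:
        if (l4len < 20) return -7;
        hdrlen = (size_t)(l4[12] >> 4) * 4;         /* TCP data offset, in 32-bit words */
        if (hdrlen < 20 || hdrlen > l4len) return -8;
        break;
    case IPPROTO_UDP:
        if (l4len < 8) return -9;
        hdrlen = 8;
        break;
    default:                                        /* ICMP, GRE, ...: no ports to extract */
        out->payload_len = l4len;
        return 0;
    }
    out->src_port    = ((uint16_t)l4[0] << 8) | l4[1];
    out->dst_port    = ((uint16_t)l4[2] << 8) | l4[3];
    out->payload_len = l4len - hdrlen;
    return 0;
}

/* Constructed sample, not a capture: IPv4 header (DF set, TTL 64, proto 6,
 * valid checksum 0xb6cb) carrying a TCP SYN 192.0.2.1:12345 -> 192.0.2.2:80
 * with no payload. The TCP checksum is left zero; this parser does not verify it. */
const uint8_t sample_tcp_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0xb6, 0xcb,
    0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02,
    0x30, 0x39, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};

/* Receive loop; needs root or CAP_NET_RAW. Only packets whose IP protocol
 * field is 6 reach this socket (the "receive just the protocol you want"
 * approach), and each one is still delivered to the kernel TCP stack as well. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0) { perror("socket(AF_INET, SOCK_RAW, IPPROTO_TCP)"); return 1; }
    uint8_t buf[65535];
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { if (errno == EINTR) continue; perror("recv"); break; }
        struct pkt_summary s;
        int rc = parse_ipv4_packet(buf, (size_t)n, &s);
        if (rc != 0) { fprintf(stderr, "dropped malformed packet (%d)\n", rc); continue; }
        struct in_addr a = { .s_addr = htonl(s.src_ip) }, b = { .s_addr = htonl(s.dst_ip) };
        inet_ntop(AF_INET, &a, src, sizeof src);
        inet_ntop(AF_INET, &b, dst, sizeof dst);
        printf("proto %u %s:%u -> %s:%u payload %zu\n",
               s.proto, src, s.src_port, dst, s.dst_port, s.payload_len);
    }
    close(fd);
    return 0;
}
```

Swapping IPPROTO_TCP for IPPROTO_UDP (17) gives the same program for UDP; passing IPPROTO_RAW instead is send-only on Linux, so "everything regardless of protocol" is not available from an AF_INET raw socket and needs AF_PACKET (or libpcap) as the post above says. Note that the raw socket cannot stop the packet from reaching the TCP listener; that is the kernel-patching or firewalling problem from the first reply, not something the socket API offers.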
Hmm... I was looking for some info on how to implement an application which would be able to deal with data on all OSI levels (under FreeBSD) and found nothing useful on the topic. FreeBSD man pages are extremely poor =(... And I don't want to use any 3rd-party software. I want to make it by myself. Could you please give some links to additional info about coding such applications?
RobSeace
04-12-2003, 07:55 PM
Sorry, I don't know much about *BSD... I don't really use it very much...
But, even if you don't want to actually USE libpcap, I still think you might
want to get it to look at the source, for ideas on how to do such things...
(And, in addition to libpcap (http://www.tcpdump.org/), you also might want to look at libnet (http://www.packetfactory.net/libnet/),
libnids (http://www.packetfactory.net/projects/libnids/), and lcrzo (http://www.laurentconstantin.com/en/lcrzo/)...)