Posted 05-01-2005, 05:14 PM by RobSeace (Administrator)

Quote:
And can you please tell me what the differences are between AF_INET, PF_PACKET, AF_PACKET .. I understand what the second and third arguments mean in socket(.. but I don't understand the first one!!
Well, let me start off by saying that AF_* is exactly the same as PF_*... Ie: AF_INET
is the same as PF_INET, AF_PACKET == PF_PACKET, etc... The AF/PF dichotomy
came about due to some misguided attempt early in the formation of the sockets
API to allow for a protocol to host multiple different address types... But, such a
thing never came about, and in practice there's absolutely no difference between
AF_* and PF_*, and people use them interchangeably... (Though, technically, as I'm
sure Michael will mention, you're supposed to use PF_* as socket()'s first arg, and
AF_* as the *_family value in sockaddr_* structs... But, I say screw that, and just use
AF_* everywhere... ;-) Here is an old message on Richard Stevens' old home page,
which goes into more detail on the original reason for the split, and why AF_* is
the only logical choice to use these days... *ducks Michael's wrath* ;-))

Now, as for AF_INET vs. AF_PACKET, well the former is the normal IP family, in
which you can have TCP, UDP, or raw sockets, while the latter is the Linux-specific
packet family, specifically designed for sniffing link-level packets off the wire... Ie:
with an AF_PACKET socket, you can sniff not only IP traffic, but anything else as
well... And, you can get at the link-level (eg: Ethernet) headers, as well... See
"man 7 packet" and "man 7 raw" for the difference between AF_INET/SOCK_RAW
and AF_PACKET/SOCK_{RAW,DGRAM}...

Oh, and your IPs are probably wrong, because you failed to skip past the
Ethernet headers that are now in your sniffed packets, which aren't there if using
standard raw IP sockets...
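The point in the last paragraph, shown in code as an added example that is not part of the original post or its author's code: on an AF_PACKET/SOCK_RAW socket every received buffer starts with the 14-byte Ethernet header, so the IPv4 header has to be read 14 bytes in, whereas an AF_INET/SOCK_RAW socket hands you the IP header at offset 0 (and AF_PACKET/SOCK_DGRAM also strips the link header). The function names ip_header_offset and parse_ipv4, the sample frame and the address values are my own constructions; the code is Linux-specific, and main() needs CAP_NET_RAW (root) to open the socket, while the parsing functions work on any buffer.

```c
// Added example (not from the forum post): locate and parse the IPv4 header in
// a buffer received from an AF_PACKET/SOCK_RAW socket (link header included)
// versus an AF_INET/SOCK_RAW socket (IP header first).  Linux only.
#include <arpa/inet.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <net/ethernet.h>     /* struct ether_header, ETHERTYPE_IP */
#include <netinet/ip.h>       /* struct iphdr */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Offset of the IP header within a buffer received from a given socket kind.
 * AF_PACKET/SOCK_RAW delivers the Ethernet header too, so the IP header
 * starts sizeof(struct ether_header) == 14 bytes in.  AF_INET/SOCK_RAW and
 * AF_PACKET/SOCK_DGRAM strip it, so the IP header is at offset 0. */
size_t ip_header_offset(int family, int type)
{
    if (family == AF_PACKET && type == SOCK_RAW)
        return sizeof(struct ether_header);
    return 0;
}

/* Parse the IPv4 source/destination addresses out of buf (len bytes received
 * from a socket of the given family/type).  Writes dotted-quad strings into
 * src/dst, each at least INET_ADDRSTRLEN bytes.  Returns 0 on success, -1 if
 * the buffer is too short or is not an IPv4 packet (on AF_PACKET only frames
 * with ethertype 0x0800 are accepted; ARP, IPv6 etc. are rejected). */
int parse_ipv4(const uint8_t *buf, size_t len, int family, int type,
               char *src, char *dst)
{
    size_t off = ip_header_offset(family, type);
    if (len < off + sizeof(struct iphdr))
        return -1;
    if (off) {
        struct ether_header eh;
        memcpy(&eh, buf, sizeof eh);          /* copy: avoid unaligned access */
        if (ntohs(eh.ether_type) != ETHERTYPE_IP)
            return -1;
    }
    struct iphdr ip;
    memcpy(&ip, buf + off, sizeof ip);
    if (ip.version != 4)                      /* e.g. a MAC byte read as IP */
        return -1;
    if (!inet_ntop(AF_INET, &ip.saddr, src, INET_ADDRSTRLEN) ||
        !inet_ntop(AF_INET, &ip.daddr, dst, INET_ADDRSTRLEN))
        return -1;
    return 0;
}

/* Constructed sample (not captured traffic): 14-byte Ethernet header followed
 * by a minimal 20-byte IPv4 header, 192.168.1.10 -> 10.0.0.1, protocol TCP,
 * laid out exactly as AF_PACKET/SOCK_RAW would deliver it. */
static const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,       /* dst MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,       /* src MAC */
    0x08, 0x00,                               /* ethertype IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,                   /* ttl 64, proto 6, checksum 0 */
    0xc0, 0xa8, 0x01, 0x0a,                   /* 192.168.1.10 */
    0x0a, 0x00, 0x00, 0x01                    /* 10.0.0.1 */
};

/* Sniff a few frames with an AF_PACKET/SOCK_RAW socket (needs CAP_NET_RAW). */
int main(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        perror("socket(AF_PACKET) (needs CAP_NET_RAW)");
        return 1;
    }
    uint8_t buf[65536];
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    for (int n = 0; n < 10; n++) {
        ssize_t got = recv(fd, buf, sizeof buf, 0);
        if (got < 0) {
            perror("recv");
            break;
        }
        /* The Ethernet header is skipped inside parse_ipv4 via ip_header_offset. */
        if (parse_ipv4(buf, (size_t)got, AF_PACKET, SOCK_RAW, src, dst) == 0)
            printf("%s -> %s\n", src, dst);
    }
    close(fd);
    return 0;
}
```

Feeding the same AF_PACKET frame to the parser as if it came from an AF_INET/SOCK_RAW socket reads the destination MAC as the IP version/IHL byte; the version check rejects it here, but a parser without that check would print the garbage addresses the poster saw.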