I'm developing a program for packet sniffing in Python, but I am not getting what the (0x0003) parameter means in the 'ntohs' function in Python.
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
In Linux, socket.ntohs(0x0003) tells it to capture everything, including Ethernet frames.
To capture TCP, UDP, or ICMP only, instead of socket.ntohs(0x0003) you will write socket.IPPROTO_TCP, socket.IPPROTO_UDP and socket.IPPROTO_ICMP respectively.
In Windows, the socket can only capture IP and above and cannot capture Ethernet. To do that you can use the pypcap library in Windows.
socket.ntohs(0x0003) to capture UDP. socket.IPPROTO_UDP isn't working for me. Linux. Python 3.6.8 – Linnell
It is the protocol to use. From the documentation:
socket.socket([family[, type[, proto]]])
Create a new socket using the given address family, socket type and protocol number. The address family should be AF_INET (the default), AF_INET6 or AF_UNIX. The socket type should be SOCK_STREAM (the default), SOCK_DGRAM or perhaps one of the other SOCK_ constants. The protocol number is usually zero and may be omitted in that case.
If protocol is omitted it defaults to 0, which causes the protocol to be taken based on the family (first argument).
For Linux, you can find the list of protocol numbers in /etc/protocols. I believe when you give the protocol as 0x0003 it is using GGP (Gateway-Gateway Protocol).
The last parameter is the protocol and is normally left as 0, which is documented here.
IANA lists the Assigned Internet Protocol Numbers; 0x0003 is defined as:
3 GGP Gateway-to-Gateway
The ntohs() function though is used to do an endian swap on the number if required (based on the architecture you are running on). For your example this could be 0x0300 or 768, which does not make sense to me. Perhaps someone else knows of a special use case of which I am not aware.
If you check linux/if_ether.h you will see
#define ETH_P_ALL 0x0003 /* Every packet (be careful!!!) */
so 0x0003 means capture all packets.
From the official Python socket doc: socket.ntohs(0x0003) captures all the send & receive traffic from the network interface.
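An added example (not from any of the answers above) that ties the pieces together: the ETH_P_ALL constant from linux/if_ether.h, why the AF_PACKET protocol argument goes through htons/ntohs, and a minimal Ethernet header parser exercised on a constructed frame so it runs without root. The names protocol_arg, open_sniffer, parse_ethernet and SAMPLE_FRAME are my own; only open_sniffer needs Linux and CAP_NET_RAW.

```python
import socket
import struct

# EtherType constants from linux/if_ether.h.  AF_PACKET wants this filter in
# network byte order, which is why the question's code wraps it in ntohs().
ETH_P_ALL = 0x0003   # every frame on every interface ("be careful!!!")
ETH_P_IP = 0x0800    # IPv4 only
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD
ETHERTYPE_NAMES = {ETH_P_IP: "IPv4", ETH_P_ARP: "ARP", ETH_P_IPV6: "IPv6"}

def protocol_arg(ethertype=ETH_P_ALL):
    """AF_PACKET protocol argument. ntohs() and htons() are the same 16-bit
    swap, so socket.ntohs(0x0003) is 768 (0x0300) on little-endian hosts, 3 on big-endian."""
    return socket.htons(ethertype)

def open_sniffer(ethertype=ETH_P_ALL, iface=None):
    """Linux raw packet socket; needs CAP_NET_RAW/root, so not used in tests."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, protocol_arg(ethertype))
    if iface:
        s.bind((iface, 0))  # one interface instead of all of them
    return s

def parse_ethernet(frame):
    """Split a raw frame into dst MAC, src MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype,
            "proto": ETHERTYPE_NAMES.get(ethertype, f"0x{ethertype:04x}"),
            "payload": frame[14:]}

# Constructed sample frame (not a real capture): broadcast dst, arbitrary src,
# EtherType IPv4, then a dummy 20-byte IPv4 header as payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!H", ETH_P_IP)
                + bytes.fromhex("45000014000040004011000ac0a80001c0a800ff"))

if __name__ == "__main__":
    hdr = parse_ethernet(SAMPLE_FRAME)
    print(hdr["src"], "->", hdr["dst"], hdr["proto"], len(hdr["payload"]), "bytes")
    with open_sniffer() as s:                      # live capture: Linux + root
        while True:
            frame, (ifname, *_rest) = s.recvfrom(65535)
            hdr = parse_ethernet(frame)
            print(ifname, hdr["src"], "->", hdr["dst"], hdr["proto"])
```

Passing ETH_P_IP instead of ETH_P_ALL to open_sniffer makes the kernel hand you only IPv4 frames, which is the usual way to narrow a capture without dropping the Ethernet header.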