From: <don...@is...> - 2009-12-03 19:50:43
Fred Cohen writes:
> Also - in trying your test script, even after recompiling clisp with
> rawsock built in, it failed...

BTW I should report success on my machine with this:
$ clisp -K full /tmp/sniffer.lisp inet 10

> >sudo clisp -K full /u/fc/lisp/sniffer.lsp inet 100
> *** - UNIX error 43 (EPROTONOSUPPORT): Protocol not supported
>
> >sudo clisp -K full /u/fc/lisp/sniffer.lsp packet 100
> *** - RAWSOCK:SOCKET: Lisp value :PACKET is not found in table
> "check_socket_domain":
> ((0 :UNSPEC) (1 :UNIX) (1 :LOCAL) (2 :INET) (3 :IMPLINK)
> (4 :PUP) (5 :CHAOS) (9 :DATAKIT) (10 :CCITT) (23 :IPX) (6 :NS) (7 :ISO)
> (7 :OSI) (8 :ECMA) (16 :APPLETALK) (30 :INET6) (12 :DECNET)
> (13 :DLI) (14 :LAT) (15 :HYLINK) (17 :ROUTE) (11 :SNA) (33 :NETBIOS))

Wow, that's quite a bit different from what I see:
"check_socket_domain":
((0 :UNSPEC) (1 :UNIX) (1 :LOCAL) (2 :INET) (3 :AX25) (4 :IPX)
 (5 :APPLETALK) (6 :NETROM) (7 :BRIDGE) (8 :ATMPVC) (9 :X25) (10 :INET6)
 (11 :ROSE) (12 :DECNET) (13 :NETBEUI) (14 :SECURITY) (15 :KEY)
 (16 :NETLINK) (16 :ROUTE) (17 :PACKET) (18 :ASH) (19 :ECONET)
 (20 :ATMSVC) (22 :SNA) (23 :IRDA) (24 :PPPOX) (25 :WANPIPE)
 (31 :BLUETOOTH))
Let me guess - you're using a mac?

> Somehow, a demo should work across all such situations...

Clearly not this sort of demo.

> (rawsock:socket :inet :dgram 0 #+ignore #x300))

My man ip(7) says
    An IP socket is created by calling the socket(2) function as
    socket(AF_INET, socket_type, protocol). Valid socket types are
    SOCK_STREAM to open a tcp(7) socket, SOCK_DGRAM to open a udp(7)
    socket, or SOCK_RAW to open a raw(7) socket to access the IP
    protocol directly. protocol is the IP protocol in the IP header to
    be received or sent. The only valid values for protocol are 0 and
    IPPROTO_TCP for TCP sockets, and 0 and IPPROTO_UDP for UDP sockets.
    For SOCK_RAW you may specify a valid IANA IP protocol defined in
    RFC 1700 assigned numbers.
Maybe it's different on your machine.

This seems to mean that your line above should be watching for udp.
When I try that I get nothing - no udp, no icmp.
When I try (rawsock:socket :inet :raw 0) I get protocol not supported
which is strange since
(rawsock:socket :inet :raw t)
*** - RAWSOCK:SOCKET: Lisp value T is not found in table
"check_socket_protocol":
((0 :IPPROTO-IP) (41 :IPPROTO-IPV6) (1 :IPPROTO-ICMP) (255 :IPPROTO-RAW)
 (6 :IPPROTO-TCP) (17 :IPPROTO-UDP) (2 :IPPROTO-IGMP) (4 :IPPROTO-IPIP)

On the other hand rfc 1700 (which I think is now obsolete) does say
    Decimal    Keyword    Protocol                     References
    -------    -------    --------                     ----------
         0                Reserved                     [JBP]
         1     ICMP       Internet Control Message     [RFC792,JBP]
         2     IGMP       Internet Group Management    [RFC1112,JBP]
         3     GGP        Gateway-to-Gateway           [RFC823,MB]
         4     IP         IP in IP (encasulation)      [JBP]
    ...
So I think the problem is in the (0 :IPPROTO-IP) above.
When I use (rawsock:socket :inet :raw 1) I do indeed see icmp and 17
shows udp.
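
The behaviour discussed in this message, as an added example that is not part of the original post and uses Python's socket module rather than CLISP's rawsock: it tries socket(AF_INET, SOCK_RAW, protocol) for the three protocol values mentioned (0, 1, 17) and decodes the protocol field of the IPv4 header a raw socket delivers. The function names (`try_raw_socket`, `parse_ipv4_header`, `build_sample`) are hypothetical and the sample packets are constructed.

```python
import errno
import socket
import struct

# Protocol numbers quoted in the thread (RFC 1700 table / check_socket_protocol).
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 4: "IPIP", 6: "TCP", 17: "UDP"}


def try_raw_socket(protocol):
    """Call socket(AF_INET, SOCK_RAW, protocol) and report the outcome."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, protocol)
    except OSError as exc:  # e.g. EPERM without privileges, EPROTONOSUPPORT
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return True, "opened"


def parse_ipv4_header(packet):
    """Decode the fields a sniffer needs from the fixed 20-byte IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "protocol": proto,
        "name": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "ttl": ttl,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": packet[header_len:],
    }


def build_sample(protocol, payload):
    """Constructed test packet (checksum left at 0, addresses made up)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                         protocol, 0, socket.inet_aton("10.0.0.1"),
                         socket.inet_aton("10.0.0.2"))
    return header + payload


if __name__ == "__main__":
    for proto in (0, 1, 17):  # the three values tried in the thread
        print(proto, try_raw_socket(proto))
    for proto in (1, 17):
        print(parse_ipv4_header(build_sample(proto, b"\x00" * 8)))
```

The result of `try_raw_socket` depends on the operating system and on privileges, which is the difference between the two machines in this thread.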