Java version of tcpdump

Discussion in 'Java' started by James Kimble, Feb 3, 2006.

  1. James Kimble

    James Kimble Guest

    I'm trying to sniff for local port traffic on a Linux machine. I have
    an application that uses UDP to communicate with its various
    distributed parts and I want to view the packets in order to replace a
    part of this thing with something of my own. (No, nothing sinister;
    boring, but not sinister.)

    I can use tcpdump to view traffic by port number on the local host. I
    need to be able to capture the packet data and manipulate it and for
    that I need something better. I wrote a simple java program (below)
    that creates a socket and a datagram and tries to start receiving on a
    port. However I always get a "BindException: Address already in use
    occurred" error. Isn't there some way to just listen to traffic without
    actually binding to the port and interfering with traffic (like
    tcpdump)? Any help would be much appreciated....

    My current program is simply:

    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
    import java.io.IOException;
    import java.net.DatagramPacket;
    import java.net.DatagramSocket;
    import java.net.InetAddress;
    import java.net.SocketException;

    public class PortListener
    {
        public static void main ( String args[] )
        {
            if ( args.length != 1 )
            {
                System.out.println ("\nUsage: java PortListener <port number>\n");
                System.exit(1);
            }

            int data_port = Integer.parseInt(args[0]);

            DatagramSocket socket = null;
            try
            {
                // Binding fails with "Address already in use" when another
                // process already owns the port, which is the error seen here.
                socket = new DatagramSocket(data_port);
                System.out.println ("\nListening to " + data_port + "\n");

                // 65535 is the largest possible UDP datagram; a 256-byte
                // buffer would silently truncate anything bigger.
                byte[] buf = new byte[65535];

                while (true)
                {
                    // Receive one datagram (a fresh packet each time, because
                    // receive() shrinks the packet's length to what arrived)
                    DatagramPacket packet = new DatagramPacket(buf, buf.length);
                    socket.receive(packet);

                    // Get the client at "address" and "port"
                    InetAddress address = packet.getAddress();
                    int port = packet.getPort();

                    System.out.println ( "\nWe received a packet of " + packet.getLength()
                        + " bytes from address " + address + " on port " + port + "\n" );
                }
            }
            catch (SocketException se)
            {
                System.out.println ("Socket exception: " + se + " occurred\n" );
            }
            catch (IOException ioe)
            {
                System.out.println ("IO exception: " + ioe + " occurred\n" );
            }
            finally
            {
                // Only reached on error; the loop above never exits normally.
                if (socket != null) socket.close();
            }
        }
    }
     
    James Kimble, Feb 3, 2006
    #1

  2. On 3 Feb 2006 06:23:44 -0800, James Kimble wrote:
    > I can use tcpdump to view traffic by port number on the local host. I
    > need to be able to capture the packet data and manipulate it and for
    > that I need something better. I wrote a simple java program (below)
    > that creates a socket and a datagram and tries to start receiving on a
    > port. However I always get a "BindException: Address already in use
    > occurred" error. Isn't there some way to just listen to traffic without
    > actually binding to the port and interfering with traffic (like
    > tcpdump)?


    What makes you think tcpdump interferes with the traffic?

    Creating a socket and binding it to a port will only let you see
    traffic specifically sent to that port, to that socket. And if the
    port is already in use, then you will fail.

    To capture packets, get jpcap or libpcap and do it the way tcpdump
    does.

    http://jpcap.sourceforge.net/
    http://www.tcpdump.org/

    If you're just trying to reverse engineer a protocol, then ethereal is
    probably better suited than tcpdump, and certainly easier than writing
    your own.

    http://www.ethereal.com/

    /gordon

    --
    [ do not email me copies of your followups ]
    g o r d o n + n e w s @ b a l d e r 1 3 . s e
     
    Gordon Beaton, Feb 3, 2006
    #2
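Added example, not code from the thread or from the jpcap/libpcap projects: once a pcap-based library hands you a raw frame as a byte[], turning it back into the address/port/payload view that a bound DatagramSocket would have given is plain byte-slicing. The class below assumes Ethernet/IPv4/UDP framing (the common case on the poster's Linux host) and decodes a constructed sample frame; it verifies the IPv4 header checksum, tolerates trailing Ethernet padding, rejects inconsistent length fields, filters on the destination port and prints a "tcpdump -X" style hex dump of the payload. The class and method names (UdpFrameDecoder, decode, hexDump) are the example's own.

```java
import java.util.Arrays;

public class UdpFrameDecoder
{
    /** What a bound DatagramSocket would have told you, recovered from the raw frame. */
    public static final class UdpDatagram
    {
        public final String srcAddr, dstAddr;
        public final int srcPort, dstPort;
        public final byte[] payload;
        public final boolean ipChecksumOk;

        UdpDatagram(String sa, String da, int sp, int dp, byte[] pl, boolean ok)
        {
            srcAddr = sa; dstAddr = da; srcPort = sp; dstPort = dp; payload = pl; ipChecksumOk = ok;
        }
    }

    private static int u8(byte[] b, int i)  { return b[i] & 0xff; }
    private static int u16(byte[] b, int i) { return (u8(b, i) << 8) | u8(b, i + 1); }
    private static String ipv4(byte[] b, int i)
    {
        return u8(b, i) + "." + u8(b, i + 1) + "." + u8(b, i + 2) + "." + u8(b, i + 3);
    }

    /** RFC 1071 one's-complement sum over the IPv4 header; 0 means the header is intact. */
    static int ipHeaderChecksum(byte[] b, int off, int len)
    {
        long sum = 0;
        for (int i = 0; i + 1 < len; i += 2) sum += u16(b, off + i);
        while ((sum >> 16) != 0) sum = (sum & 0xffff) + (sum >> 16);
        return (int) (~sum & 0xffff);
    }

    /** Returns null for frames that are not IPv4/UDP; throws if the length fields are inconsistent. */
    public static UdpDatagram decode(byte[] f)
    {
        if (f.length < 14 || u16(f, 12) != 0x0800) return null;   // no Ethernet header, or not IPv4
        int ip = 14;                                               // IPv4 header follows the 14-byte Ethernet header
        if (f.length < ip + 20) throw new IllegalArgumentException("truncated IPv4 header");
        int ihl = (u8(f, ip) & 0x0f) * 4;                          // header length including options
        int totalLen = u16(f, ip + 2);
        if (u8(f, ip + 9) != 17) return null;                      // protocol 17 = UDP
        // Short frames carry trailing Ethernet padding, so only insist that totalLen fits.
        if (ihl < 20 || totalLen < ihl + 8 || f.length < ip + totalLen)
            throw new IllegalArgumentException("IPv4 length fields inconsistent with frame");
        boolean csumOk = ipHeaderChecksum(f, ip, ihl) == 0;
        int udp = ip + ihl;
        int udpLen = u16(f, udp + 4);                               // UDP length covers header + payload
        if (udpLen < 8 || udp + udpLen > ip + totalLen)
            throw new IllegalArgumentException("UDP length inconsistent with IPv4 total length");
        byte[] payload = Arrays.copyOfRange(f, udp + 8, udp + udpLen);
        return new UdpDatagram(ipv4(f, ip + 12), ipv4(f, ip + 16),
                               u16(f, udp), u16(f, udp + 2), payload, csumOk);
    }

    /** Hex plus printable-ASCII dump, 16 bytes per line, in the style of "tcpdump -X". */
    public static String hexDump(byte[] d)
    {
        StringBuilder out = new StringBuilder();
        for (int off = 0; off < d.length; off += 16)
        {
            StringBuilder hex = new StringBuilder(), asc = new StringBuilder();
            for (int i = off; i < Math.min(off + 16, d.length); i++)
            {
                hex.append(String.format("%02x ", d[i] & 0xff));
                asc.append(d[i] >= 0x20 && d[i] < 0x7f ? (char) d[i] : '.');
            }
            out.append(String.format("%04x  %-48s %s%n", off, hex, asc));
        }
        return out.toString();
    }

    /** Helper for the constructed sample below: "45 00 ..." -> bytes. */
    static byte[] hex(String s)
    {
        s = s.replaceAll("\\s", "");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args)
    {
        // Constructed sample frame (not a real capture): 127.0.0.1:49152 -> 127.0.0.1:8080, payload "hello",
        // IPv4 header checksum 0x2a96 precomputed for these fields, plus four bytes of Ethernet padding.
        byte[] frame = hex("00 11 22 33 44 55  66 77 88 99 aa bb  08 00"
                         + "45 00 00 21 12 34 40 00 40 11 2a 96 7f 00 00 01 7f 00 00 01"
                         + "c0 00 1f 90 00 0d 00 00"
                         + "68 65 6c 6c 6f"
                         + "00 00 00 00");
        int wantedPort = 8080;                                      // the port filter the poster asked for
        UdpDatagram dg = decode(frame);
        if (dg == null || dg.dstPort != wantedPort) { System.out.println("not UDP to port " + wantedPort); return; }
        System.out.println(dg.srcAddr + ":" + dg.srcPort + " -> " + dg.dstAddr + ":" + dg.dstPort
                           + "  " + dg.payload.length + " bytes, IP checksum " + (dg.ipChecksumOk ? "ok" : "BAD"));
        System.out.print(hexDump(dg.payload));
    }
}
```

A capture library delivers frames for every host on the segment, not just this one, so the decoder deliberately reads the IPv4 addresses rather than assuming localhost; a bad IP header checksum or an inconsistent length field is worth surfacing rather than silently parsing, since a protocol analyser that trusts malformed length fields is how buffer over-reads happen.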

  3. James Kimble wrote:
    > I'm trying to sniff for local port traffic on a Linux machine. I have
    > an application that uses UDP to communicate with its various
    > distributed parts and I want to view the packets in order to replace a
    > part of this thing with something of my own.


    You probably don't want a sniffer, but a transparent proxy on transport
    layer. It is one thing to sniff some packet data, it is a completely
    different animal to replace data in a packet. If you just sniff, the
    packet is already off and away on the network when you see it. You have
    to intercept the traffic, not just sniff it.

    > Isn't there some way to just listen to traffic without
    > actually binding to the port and interfering with traffic (like
    > tcpdump)?


    Not in pure Java, at least not last time I looked, and I would be
    surprised if it has changed.

    For such things you need to have the cooperation of the specific IP
    stack and network card in your system. tcpdump or Ethereal for example
    enlists the help of the pcap library. That C library is different for
    different operating systems, e.g. WinPcap or libpcap, and knows how to
    talk shop with a particular OS.

    Standard Java has no binding to that library, or a similar service, but
    there exists at least one 3pp:
    http://netresearch.ics.uci.edu/kfujii/jpcap/doc/

    But I doubt this will help you to implement a transparent UDP proxy.

    /Thomas
    --
    The comp.lang.java.gui FAQ:
    ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/computer-lang/java/gui/faq
    http://www.uni-giessen.de/faq/archiv/computer-lang.java.gui.faq/
     
    Thomas Weidenfeller, Feb 3, 2006
    #3
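Added example, not code from the thread: the transport-layer "transparent proxy" the post describes, in pure Java. Instead of sniffing, a relay binds its own port, forwards each datagram to the real server and passes the replies back, so every datagram can be logged (or rewritten) in inspect() before it leaves. This only helps when the client component can be reconfigured to send to the relay's port instead of the server's, which is exactly what binding the server's own port cannot give you while the old program is still running. The demo in main() is self-contained: a loopback echo server stands in for the program being observed. Class and method names (UdpRelay, pump, inspect) are the example's own, and the relay remembers a single lastClient, so it is a single-client relay; a multi-client version would keep a table keyed by client address.

```java
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class UdpRelay
{
    private final DatagramSocket clientSide;     // the port you point the client component at
    private final DatagramSocket serverSide;     // ephemeral port the relay uses towards the real server
    private final SocketAddress upstream;        // where the real server actually listens
    private volatile SocketAddress lastClient;   // single-client relay: remember whom to reply to
    private volatile boolean running = true;

    public UdpRelay(int listenPort, SocketAddress upstream) throws IOException
    {
        // Loopback only for this demo; bind to the interface your client really uses.
        clientSide = new DatagramSocket(listenPort, InetAddress.getLoopbackAddress());
        serverSide = new DatagramSocket(0, InetAddress.getLoopbackAddress());
        clientSide.setSoTimeout(250);            // so the pump loops notice stop()
        serverSide.setSoTimeout(250);
        this.upstream = upstream;
    }

    public int listenPort() { return clientSide.getLocalPort(); }

    /** Called for every datagram in either direction; returns the bytes to forward (unchanged here). */
    protected byte[] inspect(String dir, DatagramPacket p)
    {
        byte[] data = Arrays.copyOfRange(p.getData(), p.getOffset(), p.getOffset() + p.getLength());
        String printable = new String(data, StandardCharsets.ISO_8859_1).replaceAll("[^\\x20-\\x7e]", ".");
        System.out.printf("%s %d bytes from %s: %s%n", dir, data.length, p.getSocketAddress(), printable);
        return data;
    }

    /** One direction of the relay: receive on 'from', hand to inspect(), send out of 'to'. */
    private void pump(DatagramSocket from, DatagramSocket to, boolean toUpstream, String dir)
    {
        byte[] buf = new byte[65535];            // largest UDP datagram, so nothing is truncated
        try
        {
            while (running)
            {
                DatagramPacket p = new DatagramPacket(buf, buf.length);
                try { from.receive(p); } catch (SocketTimeoutException e) { continue; }
                if (toUpstream) lastClient = p.getSocketAddress();
                SocketAddress dest = toUpstream ? upstream : lastClient;
                byte[] data = inspect(dir, p);
                if (dest != null) to.send(new DatagramPacket(data, data.length, dest));
            }
        }
        catch (IOException e) { if (running) e.printStackTrace(); }   // silent after stop() closed the sockets
    }

    public void start()
    {
        Thread c2s = new Thread(() -> pump(clientSide, serverSide, true, "client->server"));
        Thread s2c = new Thread(() -> pump(serverSide, clientSide, false, "server->client"));
        c2s.setDaemon(true); s2c.setDaemon(true);
        c2s.start(); s2c.start();
    }

    public void stop() { running = false; clientSide.close(); serverSide.close(); }

    public static void main(String[] args) throws Exception
    {
        // Constructed demo: a loopback echo server stands in for the program being observed.
        DatagramSocket echo = new DatagramSocket(0, InetAddress.getLoopbackAddress());
        Thread echoThread = new Thread(() -> {
            byte[] buf = new byte[65535];
            try
            {
                while (true)
                {
                    DatagramPacket p = new DatagramPacket(buf, buf.length);
                    echo.receive(p);
                    echo.send(new DatagramPacket(p.getData(), p.getLength(), p.getSocketAddress()));
                }
            }
            catch (IOException e) { /* socket closed: done */ }
        });
        echoThread.setDaemon(true);
        echoThread.start();

        UdpRelay relay = new UdpRelay(0, echo.getLocalSocketAddress());
        relay.start();

        // The client is pointed at the relay's port instead of the real server's.
        DatagramSocket client = new DatagramSocket(0, InetAddress.getLoopbackAddress());
        client.setSoTimeout(2000);
        byte[] msg = "hello via relay".getBytes(StandardCharsets.US_ASCII);
        client.send(new DatagramPacket(msg, msg.length,
                    new InetSocketAddress(InetAddress.getLoopbackAddress(), relay.listenPort())));
        DatagramPacket reply = new DatagramPacket(new byte[65535], 65535);
        client.receive(reply);
        System.out.println("client got back: "
                           + new String(reply.getData(), 0, reply.getLength(), StandardCharsets.US_ASCII));
        client.close(); relay.stop(); echo.close();
    }
}
```

Run it with `java UdpRelay`: the two inspect() lines show the datagram passing through in each direction, followed by the client's echoed reply. Because the relay, not the observer, is the endpoint the client talks to, the original program keeps its port and is never disturbed, and the relay sees only the traffic that was deliberately routed through it.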
  4. James Kimble

    James Kimble Guest

    No no, what I meant was not interfere with traffic in the way that
    tcpdump "doesn't" interfere with traffic. What I want to do is listen
    to the traffic going to a particular port without binding to the port.
    Like listening in a promiscuous mode or something. I'm hoping there is
    some simple way to modify what I've got to do that. The tcpdump utility
    has a ton of options and filtering capabilities that are tremendous
    overkill. I simply want to look at the packets going to a particular
    port and manipulate the data to make it human readable. Eventually this
    code will become part of a communications class in a larger program
    that will be using this data. It will be OK to bind to the port then
    because the program that currently uses the port will be displaced by a
    new Java program. For now I just want to watch the comm flow while the
    old program is up and running so I can see what its data requirements
    are. This is a little bit of reverse engineering. No specs on the
    original program are available. We just have to observe it and copy it.
     
    James Kimble, Feb 3, 2006
    #4
  5. James Kimble

    James Kimble Guest

    Thanks for the explanation. I didn't get it until now. I guess I'll
    just have to use tcpdump until I'm ready to replace the existing
    program with the Java. It just makes things a little more complicated.

    Thanks again...
     
    James Kimble, Feb 3, 2006
    #5
  6. Rogan Dawes

    Rogan Dawes Guest

    James Kimble wrote:
    > I'm trying to sniff for local port traffic on a Linux machine. I have
    > an application that uses UDP to communicate with its various
    > distributed parts and I want to view the packets in order to replace a
    > part of this thing with something of my own. (No, nothing sinister;
    > boring, but not sinister.)
    >
    > I can use tcpdump to view traffic by port number on the local host. I
    > need to be able to capture the packet data and manipulate it and for
    > that I need something better. I wrote a simple java program (below)
    > that creates a socket and a datagram and tries to start receiving on a
    > port. However I always get a "BindException: Address already in use
    > occurred" error. Isn't there some way to just listen to traffic without
    > actually binding to the port and interfering with traffic (like
    > tcpdump)? Any help would be much appreciated....
    >


    Look for "jpcap"

    Rogan
     
    Rogan Dawes, Feb 3, 2006
    #6
  7. Nigel Wade

    Nigel Wade Guest

    James Kimble wrote:

    >
    >
    > Thanks for the explanation. I didn't get it until now. I guess I'll
    > just have to use tcpdump until I'm ready to replace the existing
    > program with the Java. It just makes things a little more complicated.
    >
    > Thanks again...


    Do like Gordon suggested, and get Ethereal. Think of it as tcpdump for capturing
    packets, with a GUI for inspecting individual packets in detail when the capture
    is complete. It understands most of the common UDP/TCP protocols and will
    interpret the contents of the traffic. For a custom protocol it's not as
    useful, but it's still a whole lot easier to use than tcpdump.

    It's available for both Linux and Windows. It should be a part of any network
    diagnostic toolbox.

    --
    Nigel Wade, System Administrator, Space Plasma Physics Group,
    University of Leicester, Leicester, LE1 7RH, UK
    E-mail :
    Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
     
    Nigel Wade, Feb 6, 2006
    #7
