Java version of tcpdump

[James Kimble]

I'm trying to sniff for local port traffic on a Linux machine. I have
an application that uses UDP to communicate with it's various
distributed parts and I want to view the packets in order to replace a
part of this thing with something of my own. (no nothing sinister,
boring, but not sinister).

I can use tcpdump to view traffic by port number on the local host. I
need to be able to capture the packet data and manipulate it and for
that I need something better. I wrote a simple java program (below)
that creates a socket and a datagram and tries to start receiving on a
port. However I always get a "BindException: Address already in use
occured" error. Isn't there some way to just listen to traffic without
actually binding to the port and interfering with traffic (like
tcpdump)? Any help would be much appreciated....

My current program is simply:

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
import java.io.*;
import java.net.*;
import java.util.*;

public class PortListener
{
protected static DatagramSocket socket = null;

public static void main ( String args[] )
{
if ( args.length != 1 )
{
System.out.println ("\nUsage: java PortListener <port
number>\n");
System.exit(1);
}

int data_port = new Integer(args[0]).intValue();

try
{
socket = new DatagramSocket(data_port);
}
catch (SocketException se)
{
System.out.println ("Socket exception: " + se + "
occured\n" );
}
catch (IOException ioe)
{
System.out.println ("IO exception: " + ioe + " occured\n"
);
}

while (true)
{
System.out.println ("\nListening to " + data_port + "\n");

try
{
byte[] buf = new byte[256];

// Receive request
DatagramPacket packet = new DatagramPacket(buf,
buf.length);
socket.receive(packet);

// Get the client at "address" and "port"
InetAddress address = packet.getAddress();
int port = packet.getPort();

System.out.println ( "\nWe recieved packet from address
" +
address + " on port " + port +
"\n" );
}
catch (IOException e)
{
e.printStackTrace();
}
}
socket.close();
}
}

 

[Gordon Beaton]

I can use tcpdump to view traffic by port number on the local host. I
need to be able to capture the packet data and manipulate it and for
that I need something better. I wrote a simple java program (below)
that creates a socket and a datagram and tries to start receiving on a
port. However I always get a "BindException: Address already in use
occured" error. Isn't there some way to just listen to traffic without
actually binding to the port and interfering with traffic (like
tcpdump)?

What makes you think tcpdump interferes with the traffic?

Creating a socket and binding it to a port will only let you see
traffic specifically sent to that port, to that socket. And if the
port is already in use, then you will fail.

To capture packets, get jpcap or libpcap and do it the way tcpdump
does.

http://jpcap.sourceforge.net/
http://www.tcpdump.org/

If you're just trying to reverse engineer a protocol, then ethereal is
probably better suited than tcpdump, and certainly easier than writing
your own.

http://www.ethereal.com/

/gordon

 

[Thomas Weidenfeller]

I'm trying to sniff for local port traffic on a Linux machine. I have
an application that uses UDP to communicate with it's various
distributed parts and I want to view the packets in order to replace a
part of this thing with something of my own.

You probably don't want a sniffer, but a transparent proxy on transport
layer. It is one thing to sniff some packet data, it is a completely
different animal to replace data in a packet. If you just sniff, the
packet is already off and away on the network when you see it. You have
to intercept the traffic, not just sniff it.

Isn't there some way to just listen to traffic without
actually binding to the port and interfering with traffic (like
tcpdump)?

Not in pure Java, at least not last time I looked, and I would be
surprised if it has changed.

For such things you need to have the cooperation of the specific IP
stack and network card in your system. tcpdump or Ethereal for example
enlists the help of the pcap library. That C library is different for
different operating systems, e.g. WinPcap or libpcap, and knows how to
talk shop with a particular OS.

Standard Java has no binding to that library, or a similar service, but
there exists at least on 3pp:
http://netresearch.ics.uci.edu/kfujii/jpcap/doc/

But I doubt this will help you to implement a transparent UDP proxy.

/Thomas

 

[James Kimble]

No no, what I meant was not interfere with traffic in the way that
tcpdump "doesn't" interfere with traffic. What I want to do is listen
to the traffic going to a particular port without binding to the port.
Like listening in a permiscuous mode or something. I'm hoping there is
some simple way to modify what I've got to do that. The tcpdump utility
has a ton of options and filtering capabilities that are tremendous
overkill. I simply want to look at the packets going to a particular
port and manipulate the data to make it human readable. Eventually this
code will become part of a communications class in a larger program
that will be using this data. It will be OK to bind to the port then
because the program that currently uses the port will be displaced by a
new Java program. For now I just want to watch the comm flow while the
old program is up and running so I can see what it's data requirements
are. This is a little bit of reverse engineering. No specs on the
original program are available. We just have to observe it and copy it.

 

[James Kimble]

Thanks for the explanation. I didn't get it until now. I guess I'll
just have to use tcpdump until I'm ready to replace the existing
program with the Java. It just makes things a little more complicated.

Thanks again...

 

[Rogan Dawes]

I'm trying to sniff for local port traffic on a Linux machine. I have
an application that uses UDP to communicate with it's various
distributed parts and I want to view the packets in order to replace a
part of this thing with something of my own. (no nothing sinister,
boring, but not sinister).

I can use tcpdump to view traffic by port number on the local host. I
need to be able to capture the packet data and manipulate it and for
that I need something better. I wrote a simple java program (below)
that creates a socket and a datagram and tries to start receiving on a
port. However I always get a "BindException: Address already in use
occured" error. Isn't there some way to just listen to traffic without
actually binding to the port and interfering with traffic (like
tcpdump)? Any help would be much appreciated....

Look for "jpcap"

Rogan

 

[Nigel Wade]

Thanks for the explanation. I didn't get it until now. I guess I'll
just have to use tcpdump until I'm ready to replace the existing
program with the Java. It just makes things a little more complicated.

Thanks again...

Do like Gordon suggested, and get Ethereal. Think of tcpdump for capturing
packets with a GUI for inspecting individual packets in detail when the capture
is complete. It understands most of the common UDP/TCP protocols and will
interpret the contents of the traffic. For a custom protocol it's not as
useful, but it's still a whole lot easier to use the tcpdump.

It's available for both Linux and Windows. It should be a part of any network
diagnostic toolbox.