Charles Engelke's Blog

February 25, 2004

Programming with libnet

Filed under: RSA 2004 — Charles Engelke @ 8:18 pm

Yesterday I took no notes, but today I think I’m prepared for that.
This is the first session with live notes.

This morning’s first session is about libnet, a network programming
library. This is apparently not Perl’s libnet, but a library
related to libpcap and other low level network tools.

The speaker is Mike Schiffman from Cisco (and he’s a Mac OS X user
so his presentation slides aren’t quite right due to exporting to
PowerPoint for the conference; he’s a defector from OpenBSD).
He’s on several technical advisory
boards (Qualys, Vigilant, Sensory Networks) and is a Wiley technical
editor. Author of “Building Open Source Security Tools”.
He’s also the primary author and maintainer of libnet, an
open source library. The talk will be centered on using it with C.

libnet is a C library for packet construction and injection (while
libpcap is for packet capturing). It’s good for building tools
that require meticulous control over every field of every header
of every packet. It’s not for applications that care about the
data flowing over a network (the OS does that for you). libnet
is portable to Windows, OS X, BSD, Linux, Solaris, HPUX.

libnet 1.1.x is easy to use (which earlier versions apparently
weren’t). The old libnet way:

  • libnet_init_packet(…);
  • libnet_open_link_interface(…);
  • libnet_build_ip(…);
  • libnet_build_ethernet(…);
  • libnet_build_tcp(…);
  • libnet_do_checksum(…);
  • libnet_do_checksum(…);
  • libnet_write_link_layer(…);
  • libnet_destroy_packet_memory(…);
  • libnet_close_link_interface(…);

Now, in libnet 1.1.2:

  • libnet_init(…);
  • libnet_build_tcp(…);
  • libnet_build_ipv4(…);
  • libnet_build_ethernet(…);
  • libnet_write(…);

Packets are built in pieces. Each protocol layer is usually a
separate function call. Packet builders take arguments specifying
the header values as they appear on the wire. The packet construction
process approximates an IP stack: the builders must be called in order
from the highest OSI layer to the lowest (the opposite of the libnet 1.0.x approach).
Successful build calls return a

I’m not going to take notes with actual code or arguments; there’s
too much detail. I’ll find the library on-line and point to its

His first detailed example is building our own ping with
the library. It uses libnet to build and inject the packets,
and libpcap to capture the return packets.
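
An added illustration, not code from the talk or from libnet: a small C model of the highest-to-lowest build order, applied to the ICMP echo request a ping tool sends. The `pkt_t` type and the `build_*` helpers are hypothetical names; the packet is only assembled in memory, and the addresses are constructed samples.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not libnet's API: each build call prepends its header in
 * front of what is already built, so calls run from highest layer to lowest. */
typedef struct { uint8_t buf[128]; size_t off; } pkt_t;  /* packet = buf[off..128) */

static void pkt_init(pkt_t *p) { memset(p->buf, 0, sizeof p->buf); p->off = sizeof p->buf; }
static size_t pkt_len(const pkt_t *p) { return sizeof p->buf - p->off; }
static uint8_t *pkt_data(pkt_t *p) { return p->buf + p->off; }
static void put16(uint8_t *d, uint16_t v) { d[0] = (uint8_t)(v >> 8); d[1] = (uint8_t)v; }

/* RFC 1071 Internet checksum; returns 0 when run over data holding a valid checksum. */
static uint16_t inet_cksum(const uint8_t *d, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)d[i] << 8 | d[i + 1];
    if (len & 1) sum += (uint32_t)d[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Highest layer first: ICMP echo request; its checksum covers header plus payload. */
static int build_icmp_echo(pkt_t *p, uint16_t id, uint16_t seq, const void *pl, size_t n) {
    if (n > p->off || p->off - n < 8) return -1;          /* no room left */
    p->off -= 8 + n;
    uint8_t *h = pkt_data(p);
    h[0] = 8; h[1] = 0; put16(h + 2, 0); put16(h + 4, id); put16(h + 6, seq);
    memcpy(h + 8, pl, n);
    put16(h + 2, inet_cksum(h, 8 + n));
    return 0;
}

/* Next layer down: IPv4 header; total length comes from what is already built. */
static int build_ipv4(pkt_t *p, uint8_t proto, const uint8_t src[4], const uint8_t dst[4]) {
    if (p->off < 20) return -1;
    size_t inner = pkt_len(p);
    p->off -= 20;
    uint8_t *h = pkt_data(p);
    memset(h, 0, 20);
    h[0] = 0x45; put16(h + 2, (uint16_t)(20 + inner)); h[8] = 64; h[9] = proto;
    memcpy(h + 12, src, 4); memcpy(h + 16, dst, 4);
    put16(h + 10, inet_cksum(h, 20));
    return 0;
}

int main(void) {   /* constructed sample: RFC 5737 documentation addresses */
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    pkt_t p; pkt_init(&p);
    return build_icmp_echo(&p, 0x1234, 1, "ping", 4) || build_ipv4(&p, 1, src, dst);
}
```

Because the upper layer already exists when the IPv4 header is built, the total-length field and both checksums can be filled in without a separate checksum pass.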

The second example is building traceroute. This adds use
of a net library: libipg, an IP geotargeting library
(which uses a database to figure out where a host is physically located
based on the IP address). The database isn’t part of the library;
you have to get it separately.

It’s an interesting talk, but not what I was looking for from the
RSA Conference.

