S3Stellar/udp-packet-inspector

GitHub: S3Stellar/udp-packet-inspector


# udp-packet-inspector

A small, single-file UDP traffic inspector for Linux. Opens an `AF_PACKET` raw socket, walks **Ethernet → IPv4 → UDP**, and prints a tcpdump-flavored line per packet. Built for learning the stack from the wire up, not as a tcpdump replacement.

```
21:14:08.402117 UDP 192.168.1.42:51322 -> 1.1.1.1:53 len=44 ttl=64
21:14:08.418664 UDP 1.1.1.1:53 -> 192.168.1.42:51322 len=68 ttl=57
21:14:09.001003 UDP 192.168.1.42:5353 -> 224.0.0.251:5353 len=187 ttl=255
```

## Build

```sh
make
```

## Run

```sh
# everything
sudo ./udp-inspector

# only DNS traffic, stop after 20 matches
sudo ./udp-inspector --port 53 --count 20

# also dump the first 64 payload bytes as hex
sudo ./udp-inspector --port 53 --hex
```

Needs `CAP_NET_RAW`. Easiest path is `sudo`. To run without `sudo`:

```sh
sudo setcap cap_net_raw=ep ./udp-inspector
./udp-inspector
```

## Why it exists

Practice project. The parsing path is annotated with the bytes each header contributes so the protocol layout is obvious from the code:

| Layer | Header | Size | Key field used here |
|------:|:-------|:----:|:--------------------|
| L2 | Ethernet II (RFC 894) | 14 B | `ethertype == 0x0800` → IPv4 |
| L3 | IPv4 (RFC 791) | `ihl * 4` B | `protocol == 17` → UDP |
| L4 | UDP (RFC 768) | 8 B | `src_port`, `dst_port`, `len` |

The whole thing is one `udp-inspector.c` plus a Makefile, so the read-path is short: `main → recv → parse_and_print → printers`.

## Limitations (on purpose)

- **IPv4 only.** No IPv6 path; adding one means handling `0x86DD` and walking the IPv6 next-header chain. Out of scope for a study aid.
- **No BPF.** Filtering happens in user space (cheap for a learning tool, expensive at line rate). A real inspector would push the port filter into the kernel via `SO_ATTACH_FILTER`.
- **No interface selection.** Captures on every interface. Bind one with `SO_BINDTODEVICE` if you need it.
- **No IPv4 fragments.** The first fragment is shown; following ones are ignored.

## License

MIT. See [LICENSE](./LICENSE).
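The Ethernet → IPv4 → UDP walk from the header table above, with every length field checked against the captured byte count before it is used as an offset. This is an added example, not the project's `udp-inspector.c`; `parse_udp_frame`, `struct udp_info`, the negative reason codes and the `SAMPLE` frame are assumptions made for illustration, and it parses a constructed buffer so it runs without `CAP_NET_RAW`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct udp_info { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port, udp_len; uint8_t ttl; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Returns 0 and fills *out for an IPv4/UDP frame, or a negative reason code. */
int parse_udp_frame(const uint8_t *f, size_t n, struct udp_info *out)
{
    if (n < 14 + 20) return -1;                   /* Ethernet II + minimal IPv4 */
    if (rd16(f + 12) != 0x0800) return -2;        /* ethertype: IPv4 only */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* IPv4 header bytes (ihl * 4) */
    if ((ip[0] >> 4) != 4 || ihl < 20) return -3; /* bad version or IHL */
    if (ip[9] != 17) return -4;                   /* protocol: UDP only */
    if (rd16(ip + 6) & 0x1fff) return -5;         /* later fragment: no UDP header */
    size_t tot = rd16(ip + 2);                    /* IPv4 total length */
    if (tot < ihl + 8 || tot > n - 14) return -6; /* length field exceeds capture */
    const uint8_t *udp = ip + ihl;
    uint16_t ulen = rd16(udp + 4);                /* UDP header + payload */
    if (ulen < 8 || ulen > tot - ihl) return -7;  /* UDP length exceeds IP payload */
    out->src_ip = rd32(ip + 12); out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(udp);   out->dst_port = rd16(udp + 2);
    out->udp_len = ulen;         out->ttl = ip[8];
    return 0;
}

/* Constructed sample frame (not captured traffic): 14 B Ethernet, 20 B IPv4, 12 B UDP. */
static const uint8_t SAMPLE[46] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,           /* dst, src, ethertype */
    0x45,0x00,0x00,0x20, 0x00,0x00,0x40,0x00, 0x40,0x11,0,0,   /* ver/ihl .. checksum */
    192,168,1,42, 1,1,1,1,                                     /* src, dst address */
    0xc8,0x7a, 0x00,0x35, 0x00,0x0c, 0x00,0x00,                /* 51322 -> 53, len 12 */
    0xde,0xad,0xbe,0xef                                        /* payload */
};

int main(void)
{
    struct udp_info u;
    int rc = parse_udp_frame(SAMPLE, sizeof SAMPLE, &u);
    if (rc) { printf("rejected: %d\n", rc); return 1; }
    printf("UDP %08x:%u -> %08x:%u len=%u ttl=%u\n", (unsigned)u.src_ip, u.src_port,
           (unsigned)u.dst_ip, u.dst_port, u.udp_len, u.ttl);
    return 0;
}
```

The total-length check uses `tot > n - 14` rather than equality because short Ethernet frames are padded on the wire, so the capture can be longer than the IPv4 datagram it carries.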
Tags: client-side encryption