urlsnarf uses obsolete PF_INET

Just before going to sleep, I spotted this in my kernel log:

    urlsnarf uses obsolete (PF_INET,SOCK_PACKET)

As someone else a few years back already explained:

It means that it should be opening a PF_PACKET socket (see packet(7))
instead of a PF_INET, SOCK_PACKET (see COMPATIBILITY ip(7)):

    "For compatibility with Linux 2.0, the obsolete socket(PF_INET,
     SOCK_RAW, protocol) syntax is still supported to open a
     packet(7) socket.  This is deprecated and should be replaced by
     socket(PF_PACKET, SOCK_RAW, protocol) instead.  The main
     difference is the new sockaddr_ll address structure for generic
     link layer information instead of sockaddr_pkt." - ip(7)

This made me curious: where exactly does urlsnarf use PF_INET or SOCK_PACKET? Turns out - it doesn't. But the Debian package introduces a patch trying to fix #420129:

$ cat 15_checksum_libnids.dpatch
+       *ifaces = malloc(ifaces_size);
+       sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
+       if (sock <= 0)
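
Review bot: the error test `if (sock <= 0)` rejects descriptor 0, which socket() can legitimately return when stdin has been closed; socket() reports failure with -1, so the check should be `if (sock < 0)`. In the lines shown, the result of `malloc(ifaces_size)` is also stored in `*ifaces` with no NULL check visible before use. Note that this call opens `(PF_INET, SOCK_DGRAM)`, which is not the `(PF_INET,SOCK_PACKET)` pair the kernel message names.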

Well, turns out that even with the patch applied (i.e. a stock Debian/dsniff-2.4b1+debian-18 installed) dsniff is not working. However, urlsnarf is working, regardless of whether the patch is applied or not :-)
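
The replacement form that the quoted ip(7) text describes, as an added example that is not part of the original post, dsniff, or the Debian patch: a PF_PACKET socket bound through sockaddr_ll. The helper names `fill_ll` and `open_packet_socket`, the interface `lo` and the use of ETH_P_ALL are assumptions chosen for illustration; opening the socket needs CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* sockaddr_ll names the interface by index; resolve it from the name first. */
int fill_ll(struct sockaddr_ll *ll, const char *ifname, unsigned short proto)
{
    unsigned int idx = if_nametoindex(ifname);
    if (idx == 0)
        return errno ? -errno : -ENODEV;   /* no such interface */
    memset(ll, 0, sizeof(*ll));
    ll->sll_family = AF_PACKET;
    ll->sll_protocol = htons(proto);       /* network byte order, per packet(7) */
    ll->sll_ifindex = (int)idx;
    return 0;
}

/* Returns a bound descriptor (>= 0, and 0 is a valid value) or -errno. */
int open_packet_socket(const char *ifname, unsigned short proto)
{
    struct sockaddr_ll ll;
    int fd, rc = fill_ll(&ll, ifname, proto);
    if (rc < 0)
        return rc;
    fd = socket(PF_PACKET, SOCK_RAW, htons(proto));
    if (fd < 0)
        return -errno;                     /* EPERM without CAP_NET_RAW */
    if (bind(fd, (struct sockaddr *)&ll, sizeof(ll)) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }
    return fd;
}

int main(void)
{
    int fd = open_packet_socket("lo", ETH_P_ALL);   /* "lo" is an assumed interface */
    printf("open_packet_socket: %s\n", fd < 0 ? strerror(-fd) : "bound to lo");
    if (fd >= 0)
        close(fd);
    return fd < 0;
}
```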