1 / 17

Raw Socket e LIBPCAP

Raw Socket e LIBPCAP. “vanilla” socket. int socket(int domain, int type, int protocol) domain PF_INET type SOCK_STREAM  TCP SOCK_DGRAM  UDP protocol 0 getprotobyname()  /etc/protocols  TCP (6) – UDP (17). raw socket. int socket(int domain, int type, int protocol) domain

rasha
Télécharger la présentation

Raw Socket e LIBPCAP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Raw SocketeLIBPCAP

  2. “vanilla” socket int socket(int domain, int type, int protocol) • domain • PF_INET • type • SOCK_STREAM  TCP • SOCK_DGRAM  UDP • protocol • 0 • getprotobyname()  /etc/protocols  TCP (6) – UDP (17)

  3. raw socket int socket(int domain, int type, int protocol) • domain • PF_INET • type • SOCK_RAW • protocol • IPPROTO_TCP / IPPROTO_UDP / IPPROTO_ICMP / IPPROTO_RAW (send only – implica IP_HDRINCL) [/usr/include/netinet/in.h] • TCP (0,6) / UDP (17) / ICMP (1)

  4. Strutture /usr/include/netinet/ip.h struct ipheader { uchar ip_hl:4; // ip_hl: # of 32bit words (4bytes) uchar ip_v:4; uchar ip_tos; ushort ip_len; ushort ip_id; ushort ip_off; uchar ip_ttl; uchar ip_p; ushort ip_sum; uint ip_src; uint ip_dst; }; // total iphdr len 20 bytes

  5. Strutture /usr/include/netinet/ip_icmp.h struct icmpheader { uchar icmp_type; uchar icmp_code; ushort icmp_cksum; ushort icmp_id; ushort icmp_seq; }; // icmp hdr len 8 bytes

  6. Strutture /usr/include/netinet/udp.h struct udpheader { ushort uh_sport; ushort uh_dport; ushort uh_len; ushort uh_check; }; // udp hdr len 8 bytes

  7. Strutture /usr/include/netinet/tcp.h struct tcpheader { ushort th_sport; ushort th_dport; uint th_seq; uint th_ack; // prev seq num ACK’d uchar th_x2:4, th_off:4; // x2 unused (zeroes) uchar th_flags; // URG | ACK | PSH | RST | … uint th_win; ushort th_sum; // on pseudohdr+tcphdr+payload ushort th_urp; }; // tcp hdr len 20 bytes

  8. Lettura pacchetti • sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP) • read(sd, buffer, 8192) • ip = (struct iphdr *) buffer lettura campi ip (ipip_v / ipip_ttl / …) • tcp = (struct tcphdr *) (buffer+ipip_hl*4) lettura campi tcp (tcphdrth_flags / …) • data = buffer+(ipip_hl*4)+(tcpth_doff*4)

  9. Scrittura pacchetti • sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP) • riempimento struct ipheader (NO checksum!!) • riempimento struct tcpheader (checksum = 0 – ci pensa il SO) • ORA devo calcolare ip checksum • int uno = 1; const int *val = &uno setsockopt (sd, IPPROTO_IP, IP_HDRINCL, val, sizeof (uno)

  10. Riferimenti per raw socket • MAN Pages [http://www.die.net/doc/linux/man/] • ip(7) • raw(7) • setsockopt(2) • (socket(7)) • Includes in /usr/include/netinet • in.h / ip.h / tcp.h / udp.h / ip_icmp.h • http://unsecure.altervista.org/rawsocket/rawsocket.htm

  11. LIBPCAP

  12. Inizializzare una sessione (1) • Scelta dell’interfaccia dev = pcap_lookupdev(errbuf) • Ottenimento configurazione di rete result = pcap_lookupnet(dev, &net, &mask, errbuf) • Apertura della sessione handle = pcap_open_live(dev, snaplen, promisc, timeout, errbuf)

  13. Inizializzare una sessione (2) • Compilazione del filtro… result = pcap_compile(handle, &filter, filter_exp, optimize, net) • …e applicazione del filtro stesso result = pcap_setfilter(handle, &filter) • Predisposizione del file di cattura dumper = pcap_dump_open(handle, filename)

  14. Cattura • result = pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) result -2: Interrotto da pcap_breakloop() -1: Errore! 0: Interrotto perché “sniffati” cnt pacchetti • In alternativa: pcap_next(): “sniffa” un solo pacchetto pcap_dispatch(): “sniffa” un solo ‘burst’ di pacchetti

  15. pcap_handler Callback • void packet_handler( u_char *user, const struct pcap_pkthdr *header, const u_char *packet ) Scrittura pacchetto: void pcap_dump(u_char *user, struct pcap_pkthdr *header, u_char *packet) Interruzione del loop di cattura: void pcap_breakloop(pcap_t *)

  16. Chiusura sessione • Ottenimento statistiche sulla sessione pcap_stats(handle, *stats) • Chiusura della sessione di cattura pcap_close(handle) • Flushing dei dati e chiusura del file di dump pcap_dump_flush(dumper) pcap_dump_close(dumper)

  17. Riferimenti per LIBPCAP • MAN Pages • pcap(3) • http://www.tcpdump.org/pcap.htm

More Related