I've got one question. Is it possible to create wireshark/tcpdump from netcat? I mean,if you can use, for example, flags or series of commands combined with netcat to get the same / similar monitoring results as tcpdump / wireshark?
It is not possible because netcat cannot eavesdrop on existing connections.
tcpdump and wireshark get access to all packets that go through a network device. netcat cannot possibly do that.
Related
I'm doing this project, where I have to send a bunch of packets (using rte_eth_tx_burst) ,from one network card, to another network card. these 2 network cards are linked(by Fiber I guess? it was not me who linked them.), so if I just use tcpdump to listen to the other network card, I can capture the whole thing, and store them into a pcap file.
My test environment:
1.a Linux machine, with 2 pairs of linked network cards: eth1 and eth2 are linked, eth3 and eth4 are linked also.
2.my program, listens to eth1.
3.I send a pcap file using eth2 (cmd: tcpreplay -i eth2 test.pcap)
4.my program gets the packet stream, frame by frame, for every frame it recieves, it sends it out, from eth3, using rte_eth_tx_burst() provided by dpdk.
5.I run tcpdump to listen to eth4(cmd:tcpdump -i eth4 -w recieve.pcap -B 1000)
My current problem is:
1. the frames are not in their original orders. (but the contents are the same.)
2. the time gap between frames are not the original gaps.(but I guess this is inevitable).
question:
1.does dpdk guarantees the send order for packets you put in the send queue.
2.perhaps it's because that tcpdump doesn't guarantee the order?
3.or is this problem unsolvable?
Yes, the order of packets send by tx_burst should be guaranteed, provided you're just using one queue.
The out of place packet you are seeing is a reply from eth4, as tcpdump also records outgoing traffic. Remember that the TCP stack is still working as usual on eth4.
Why not use DPDK to capture the packets too? It'd be more reliable and you'd only see incoming packets. Theres an utility for that: pdump. Or you can choose only incoming direction in tcpdump using -Q in.
Also, maybe you already know this, but there's an example app bundled with DPDK that does exactly what you're trying to do: L2FWD.
I'm working on Linux 4.13.x. And I'm considering to send a packet response in the kernel.
Consider an echo TCP or UDP server running in the userland and there is also another node running a TCP or UDP client. Clients are sending requests to the server. I want to send the packet response back to the client without any involvement of server application running at userspace.
Here is my thoughts about this problem:
I started thinking how it is possible and I come across to a solution like netfilter. If I can capture the packets in NF_INET_PRE_ROUTING and then try to swap the source and destination IP addresses of IP header and also swapping the ports in the TCP header, then according to this answers and this presumably modified packet should be forwarded to the originator throughout the routing system.
Actually, I tried this scenario and it seems it is not possible to do so from netfilter hooks, however, I'm not sure of it. I thought that it is not working since it has problem with checksums because I'm manipulating packets so I did another experiment to figure this issue out. I just change the packet data and everything worked well. I think checksums don't have any problem since they will be check at NIC while receiving and also same situation while sending so manipulation in between doesn't make anything wrong. I also activate the IPv4 forwarding at the server host(sysctl.config) still nothing changes.
I don't want to create new packet, I only want to alter this packet and send it back. There is another similar question which is creating another packet. Moreover, I'm just thinking why this scenario is not working? But based on the netfilter's architecture it should work.
Thank you
I am also working on this, actually kernel validate the source ip address after ip_rcv function in NF_HOOK which check the source ip address. So just try below command:-
sudo sysctl -w "net.ipv4.conf.all.rp_filter=0"
after doing this also disable your interface from which you send and receive packet just like below:-
sudo sysctl -w "net.ipv4.conf.enp2s0.rp_filter=0"
I want to test how the netfilter/ip6tables firewall handles some IPv6-related stuff like tiny/overlapped fragments, type 0 routing headers, excessive HPH options etc. For this I wanted to use Scapy to craft my own packets, but apparently Scapy using raw sockets means bypassing iptables. Is there another way of achieving my goal and how would I go about it? Some library I could use to make my own packets, which iptables can act on?
Run your packet injection program from a VM, and inspect the network connected to that VM.
Scapy is useful for such odd tasks. Sometimes what you want to do is just as easily done by writing small programs using the normal C APIs (including raw sockets in some cases, or TCP connections with odd options set). In many cases, a trivial TCP or UDP client in any high level language such as Python will do.
I would like to create a demo with the following topology:
... --->[switch] <---> [Host]
DEMO: A switch sends a packet to a monitoring Host (The packets original destination is not this Host, yet switch will send to it via a mirror port). The monitor-Host is to capture that packet, do something with it (e.g., just dump the L2-L4 header fields into some log file), and then send the original packet back towards the switch.
Host Environment: Ubuntu 12.04 Linux.
Dilemma: What's the simplest way I can capture the packet in Host and send back the original packet to the switch?
Possibilities to Explore:
Create a packet sniffer program in C (looks complex ... libpcap, AF_Packet sockets etc.).
Try to use python scapy (don't know how complex this will be).
Try to install some open source proxy server of some kind to which I can write a plugin that will examine the captured packets.
Question: Any better recommendations (if I can avoid going the programming route, it would be preferred. Is there any simple scripting method to do this?). Looking for a quick-and-dirty method here. Thanks.
well, you can use packets sniffers available such as wireshark, ettercap which will capture all network packets (using promisc mode) and dump them in readable format.
Or, you can preety much easily code sniffer for yourself in python, linux which is not so much complex to understand..
I am trying to verify a new functionality added to the router kernel. So lets assume I added a filter,iptable and such. I have live traffic. I tried to use tcp dump and look into the packet header and see if the new values in the header are there but I am getting random traffic passing through.
I wonder if it is possible to have tcpdump send traffic and dump it so I have specific packets I sent ? or any other linux commands I can use to do the process. I have a destination port that has no traffic but I don't know how I can send to it and capture those packets. I did some reading on sendip and tcpdump and couldnt help myself.
Send packets, tcpdump it or something like that, verify the packet header has what I want and move on with my life.
I hope I was clear enough.