What is the use of ping -m option? I read the ping man page but I am unable to understand. After googling, I saw that if -m option is used, then SO_MARK option is added to the socket. So, what is the use of this option and when should we use it?
Thanks in advance.
On Linux, the SO_MARK is used to mark outgoing packets:
SO_MARK (since Linux 2.6.25)
Set the mark for each packet sent through this socket (similar
to the netfilter MARK target but socket-based). Changing the
mark can be used for mark-based routing without netfilter or
for packet filtering. Setting this option requires the
CAP_NET_ADMIN capability.
So if you ping with that option :
$ping -m 10 <host>
It can then be filtered with iptables on <host>:
$iptables -A INPUT -m mark --mark 0xa -j ACCEPT
or directly in code with getsockopt().
It can be used for a variety of reasons, for example for routing decisions or network debug.
Option -m exists only on OSX machines.
It allows you to set the IP Time To Live for outgoing packets. If not specified, the kernel uses the value of the net.inet.ip.ttl MIB variable.
TTL value defines how many hops between routers can packet do.
Related
This is my first time using raw sockets (yes, I need to use them as I must modify a field inside a network header) and all the documentation or tutorials I read describe a solution to sniff packets but that is not exactly what I need. I need to create a script which intercepts the packet, process it and sends it further to the destination, i.e. the packets should not reach the destination unless my script decides to.
In order to learn, I created a small prototype which detects pings and just prints "PING". I would expect ping not to work as I intercept the packets and I don't include the logic to send them to its destination. However ping is working (again, it seems as it is just sniffing/mirroring packets). My goal is that the ping packets are "trapped" in my script and I don't know how to do that. This is what I do in my current python script (I avoid writing how I do the decode for simplicity)
sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
sock.bind((eth0, 0))
packet = sock.recvfrom(65565)
decode_eth(packet)
decode_ip(packet)
if (ipheader.ip_proto == 1):
print("\nPING")
Can somebody explain how can I achieve my goal or point me to the right documentation?
Your description seems to be different from what your title suggest. My understanding is that you want to receive, modify and possibly drop incoming network packets. And this is to be done on Linux. In that case I suggest you use a netfilter prerouting hook, which will make things a lot simpler (and likely more stable). Netfilter is well documented, a nice overview including information related to your requirements can be seen here. The important function to use is nf_register_hook(), read the answer to this question to get an idea of how to set things up.
I suppose that your Linux box is configured as a router (not a bridge). The packet will pass through your Linux because you have enabled IP Forwarding. So there are two solution:
Solution 1:
Disable IP Forwarding and then receive the packet from one interface and do the appropriate task (forwarding to another interface or dropping it).
Solution 2:
Use NetFilterQueue.
Install it on your Linux box (Debian/Ubuntu in my example):
apt-get install build-essential python-dev libnetfilter-queue-dev
Use iptables to send packets coming from input interface (eth0 in my example):
iptables -I INPUT -i eth0 -j NFQUEUE --queue-num 1
Run this script to handle packets forwarded to the Queue No.1 :
from netfilterqueue import NetfilterQueue
def print_and_accept(pkt):
print pkt
pkt.accept()
nfqueue = NetfilterQueue()
nfqueue.bind(1, print_and_accept)
try:
nfqueue.run()
except KeyboardInterrupt:
print
Note that pkt.drop() cause dropping the packet. Also you should accept/drop every packet.
Shell Scripting: How to calculate the number of bytes uploaded to a remote node?
1) I have used IPTRAF command it can capture all the data but when I try to run the script from a local system using vxargs(python), it doesn't work.
2) I have also tried to use IFTOP command but it doesn't save the output to a file.
3) Also /proc/net/dev doesn't work because its captures some extra packets.
Does tcpdump command capture only the number of bytes/packets of the data load transmitted or does the data transmitted will have some headers attached to it?
I would like to capture only data packets from my running network intensive application.
I don't think this can be done trivially. See http://mutrics.iitis.pl/tracedump for a program that seems to accomplish this. However it has not been updated since 2012 and only works on 32 bit arch.
A crude solution could be to run the application through strace and then summarize the return values of the relevant syscalls like write and sendto.
Maybe not what you want, but if you run the process with specified user, let's say appuser, you can add a firewall rule which will count the traffic for you.
example:
iptables -I OUTPUT -m owner --uid-owner appuser -j ACCEPT
check how much packet and bytes sent out by the user:
iptables -vL OUTPUT |sed -n '2p;/appuser/p'
I have a general question regarding software-based firewalls.
Specifically, I would like to know whether there are other firewalls than iptables
which allow the specification of jumps inside of the rule set.
In iptables, users have the possibility to specify "jumps" inside of the rule set by targeting specific chains when a rule matches on a packet.
For example, in the following rule set
(1) iptables -A INPUT --src 1.2.3.4 -j ACCEPT
(2) iptables -A INPUT --src 1.2.3.5 -j ACCEPT
(3) iptables -A INPUT --src 1.2.3.6 -j ACCEPT
(4) iptables -A INPUT --src 8.8.8.8 -j NEXT_CHAIN
(5) iptables -A INPUT --src 2.2.2.2 -j ACCEPT
(6) iptables -A INPUT --src 2.2.2.3 -j ACCEPT
<NEXT_CHAIN starts here ...>
rule (4) redirects packet processing to another rule set named "NEXT_CHAIN".
In other words, rules (5) and (6) are skipped (in some sense, if there is a match in NEXT_CHAIN).
I think this is also possible in iptables' predecessor ipchains.
Do you know whether there are any other firewalls that provide a similar feature?
The other main competitor to iptables is pf, which has similar capabilities to iptables.
Linux firewalls are built around Netfilter; the kernel's network packet processing framework which is made of several kernel modules performing specific tasks like:
The FILTER module (always loaded by default) mainly allows us to ACCEPT or DROP IP packets based on a certain matching criteria.
The NAT module set allows us to perform Network Address Translations (SNAT, DNAT, MASQUERADE).
The MANGLE module allows us to alter certain IP packet fields (TOS, TTL)
Users configure the Netfilter framework ("kernel mode") to suit their firewall needs using iptables which is an "userland" application run from the command line. With iptables we define rules that instruct the Linux kernel what to do with IP packets when they arrive into, pass through, or leave our Linux box.
All the Linux based firewalls are based in Netfilter and most of them use iptables as a way to control Netfilter.
Different technologies use a similar strategy; i.e. in BSD (OpenBSD) the kernel module is called PF (Packet Filter) an the "userland" application for controlling PF is called pfctl
Depending what technology you use you have one or the other; both systems do basically the same and of course they both can perform the jumps you mention. Remember a firewall in Linux or BSD is just a set of rules loaded by the corresponding userland application which set the behavior of the corresponding net traffic control kernel engine.
also consider when you jump into a user defined chain you can also "return"
I did some research on other packet filtering systems, and I found out the following:
OpenBSD's pf can implement some sort of control using conditional anchors:
EXAMPLE: anchor udp-only in on fxp0 inet proto udp
The OpenFlow switch provides direct jumps by using GOTO targets
NetBSD's ipfw provides the skipto action
Each of these features allows to modify the control flow during packet classification and can be used to implement JUMP semantics.
i'm trying to get the TX re-transmission amount for a specific network interface on a Linux 2.6.33.3 kernel.
is there any Linux raw data i can use in order to get/calculate this kind of information?
i've tried netstat, but i couldn't find a way to get the retransmissions value for a specific interface.
with no other "quick" choice, what would it require from me in order to build a small app especially for that? listen to all outgoing packets using any capturing library and count.. what? duplicate packets? by some kind of a packet id?
i'm not a network pro.. am i suppose to find troubles in this kind of mission? (btw, i'll probably try to do it with python. any reason why not to?)
You can check how your interface is configured with the following commands:
mii-tool eth0
ethtool eth0
mii-diag eth0
Not all of them are installed by default in any Linux system, but they are definitely in the distributive and installable.
When you want to measure, how fast is your interface really, you can use dd + netcat:
host1$ cat /dev/zero | nc -l -p 3000
host2$ nc host1 3000 | dd of=/dev/null
^C
dd will write you with which speed was the retransmission between host1 and host2.
If you want per interface, try ifconfig eth0, you probably have what you want there. Just parse it through python.
I want to capture all tcp packets on port 80 that are going to a forward address and pass them into a user-space program for mangling. I know how to do this with an IPtables rule such as
iptables -A FORWARD ... -j NFQUEUE --queue-num 10
but i can't seem to find any examples, and there is a time restriction, so I can't just sift through wireshark code. I'm looking for examples, or even a place to start. Can I use sockets? or is there a kernel data structure that I can use to pop packets off of the stack, and once I'm done, how can I pass the packets back to netfilter?
You can write a kernel module that registers for queued packets for a certain protocol.
You can read the netfilter-hacking-HOWTO, page 25 has a section "Processing Queued Packets". This section discusses at a higher level but answers everything you asked.
Download it from:
http://www.netfilter.org/documentation/index.html#documentation-howto
you can use nf_reinject() to let the packet get processed further.
I don't want to repeat whatever is in this guide but this should be enough to start with.