I would like to create a demo with the following topology:
... --->[switch] <---> [Host]
DEMO: A switch sends a packet to a monitoring Host (The packets original destination is not this Host, yet switch will send to it via a mirror port). The monitor-Host is to capture that packet, do something with it (e.g., just dump the L2-L4 header fields into some log file), and then send the original packet back towards the switch.
Host Environment: Ubuntu 12.04 Linux.
Dilemma: What's the simplest way I can capture the packet in Host and send back the original packet to the switch?
Possibilities to Explore:
Create a packet sniffer program in C (looks complex ... libpcap, AF_Packet sockets etc.).
Try to use python scapy (don't know how complex this will be).
Try to install some open source proxy server of some kind to which I can write a plugin that will examine the captured packets.
Question: Any better recommendations (if I can avoid going the programming route, it would be preferred. Is there any simple scripting method to do this?). Looking for a quick-and-dirty method here. Thanks.
well, you can use packets sniffers available such as wireshark, ettercap which will capture all network packets (using promisc mode) and dump them in readable format.
Or, you can preety much easily code sniffer for yourself in python, linux which is not so much complex to understand..
Related
I've written my own packet sniffer in Linux.
I open a socket with socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) and then process the Ethernet packets - unpacking ARP packets, IP packets (and ICMP / TCP / UDP packets inside those).
This is all working fine so far.
Now I can read packets like this - and I can also inject packets by wrapping up a suitable Ethernet packet and sending it.
But what I'd like is a means to block packets - to consume them, as it were, so that they don't get further delivered into the system.
That is, if a TCP packet is being sent to port 80, then I can see the packet with my packet sniffer and it'll get delivered to the web server in the usual fashion.
But, basically, I'd like it that if I spot something wrong with the packet - not coming from the right MAC address, malformed in some way, or just breaking security policy - that I can just "consume" the packet, and it won't get further delivered onto the web server.
Because I can read packets and write packets - if I can also just block packets as well, then I'll have all I need.
Basically, I don't just want to monitor network traffic, but sometimes have control over it. E.g. "re-route" a packet by consuming the original incoming packet and then writing out a new slightly-altered packet to a different address. Or just plain block packets that shouldn't be being delivered at all.
My application is to be a general "network traffic management" program. Monitors and logs traffic. But also controls it too - blocking packets as a firewall, re-routing packets as a load balancer.
In other words, I've got a packet sniffer - but if it sniffs something that smells bad, then I'd like it to be able to stop that packet. Discard it early, so it's not further delivered anywhere.
(Being able to alter packets on the way through might be handy too - but if I can block, then there's always the possibility to just block the original packet completely, but then write out a new altered packet in its place.)
What you are looking for is libnetfilter_queue. The documentation is still incredibly bad, but the code in this example should get you started.
I used this library to develop a project that queued network packets and replayed them at a later time.
A bit of a tangent, but it was relevant when I was resolving my problem. Blocking raw packets is relatively complicated, so it might make sense to consider doing that at a different layer. In other words, does your cloud provider let you set up firewall rules to drop specific kind of traffic?
In my case it was easier to do, which is why I'm suggesting such a lateral solution.
I'm working on Linux 4.13.x. And I'm considering to send a packet response in the kernel.
Consider an echo TCP or UDP server running in the userland and there is also another node running a TCP or UDP client. Clients are sending requests to the server. I want to send the packet response back to the client without any involvement of server application running at userspace.
Here is my thoughts about this problem:
I started thinking how it is possible and I come across to a solution like netfilter. If I can capture the packets in NF_INET_PRE_ROUTING and then try to swap the source and destination IP addresses of IP header and also swapping the ports in the TCP header, then according to this answers and this presumably modified packet should be forwarded to the originator throughout the routing system.
Actually, I tried this scenario and it seems it is not possible to do so from netfilter hooks, however, I'm not sure of it. I thought that it is not working since it has problem with checksums because I'm manipulating packets so I did another experiment to figure this issue out. I just change the packet data and everything worked well. I think checksums don't have any problem since they will be check at NIC while receiving and also same situation while sending so manipulation in between doesn't make anything wrong. I also activate the IPv4 forwarding at the server host(sysctl.config) still nothing changes.
I don't want to create new packet, I only want to alter this packet and send it back. There is another similar question which is creating another packet. Moreover, I'm just thinking why this scenario is not working? But based on the netfilter's architecture it should work.
Thank you
I am also working on this, actually kernel validate the source ip address after ip_rcv function in NF_HOOK which check the source ip address. So just try below command:-
sudo sysctl -w "net.ipv4.conf.all.rp_filter=0"
after doing this also disable your interface from which you send and receive packet just like below:-
sudo sysctl -w "net.ipv4.conf.enp2s0.rp_filter=0"
I want to test how the netfilter/ip6tables firewall handles some IPv6-related stuff like tiny/overlapped fragments, type 0 routing headers, excessive HPH options etc. For this I wanted to use Scapy to craft my own packets, but apparently Scapy using raw sockets means bypassing iptables. Is there another way of achieving my goal and how would I go about it? Some library I could use to make my own packets, which iptables can act on?
Run your packet injection program from a VM, and inspect the network connected to that VM.
Scapy is useful for such odd tasks. Sometimes what you want to do is just as easily done by writing small programs using the normal C APIs (including raw sockets in some cases, or TCP connections with odd options set). In many cases, a trivial TCP or UDP client in any high level language such as Python will do.
I have a setup having Ipsec Tunnel between two end systems. When I capture packets on outgoing interface e.g eth0 I can only see encrypted ESP packets going out of my system. I have to go and look at the receiving end to see what was actually transmitted i.e on the receiving end I can see packets after decryption. similarly for the ack sent by receiver. How it works actually in the linux kernel ? Is there a way to see the packets on sender side in tcpdump before they get encrypted ?
You have three questions in your question :
How to see outgoing ESP packets in tcpdump before they get encrypted ?
How it works actually in the linux kernel ?
Is there a way to see the packets on sender side in tcpdump before they get encrypted ?
The answer to the third question is
It depends on your kernel and which implementation you are using.
If you are using KLIPS in 2.4 Kernel as part of any of the *swan solutions, then Yes.
Otherwise if you are using the 2.6 kernel which uses the KAME / *BSD model then
No, unless you change your Ipssec or iptables configuration so that you send the packets to another interface unencrypted and then forward the unencrypted packets to an interface which they will be encrypted on.
The answer to the first question is change your iptables configuration and IPSec configuration.
To send the data from one interface to another interface on the same host.
To setup forwarding of data from that second interface to your destination
configure the ip address of the second interface in the security policy to create the tunnel on the second interface.
This way could can tcpdump on the encrypted interface without changing anything and before the data is encrypted.
For the KLIPS and 2.4 kernel it is just as simple as specific the interface in tcpdump as ipsec0 using the -i switch.
Other options to see the data unencrypted involve using tcpdump with -E flag and relevant parameters (see man page) which decrypts the data after it is encrypted or to use tcpdump to capture the encrypted data and then decrypt it in Wireshark (more information regarding ESP decryption of IPSec in Wireshark is located here).
Alternatively you can place instrumentation using printk or printk_times in the source code to xfrm or esp_input.
Regarding the second question, there are several pictures which explain how it works at a high level including the ones explaining the Solaris Implementation as part of Oracle's System Administration Guide: IP Services and Linux's Foundation Network Flow through the kernel diagram.
Also see the following reference. Basically either manual configuration using setkey or automatic configuration using an IKE daemon in userspace passes the information to the XFRM which then transforms the packet before it reaches netfilter prerouting.
See here for more information on the history of KLIPS and KAME.
Assuming you are on Linux:
My approach is to place iptables rule with NFQUEUE target on the correct place in the processing pipeline. Then use tshark with -i nfqueue to capture packets.
I need to write a packet sniffer in Linux that detects HTTPS packet that are sent and save the url from the request. I found code for this in security-freak and ran it. This code runs and only sniffs the received packet but I need to get the sent packet in the sniffer.
How do I get the sent packet in this code?
I can't use any library like libcap (forbidden).
The code is :sniffer.c
You should be using ETH_P_ALL instead of ETH_P_IP as the protocol. ETH_P_IP only listens for incoming IP packets.
Why can't you use any library? Homework?
It's hard to answer without having examples from your code, for example how you set sll_pkttype.
The urlsnarf tool in the dnsiff suite could be worth a look.
With appropriate libpcap or DNET usage You should be able to get all network
traffic on the desired layer (protocol - 5) (also this outgoing).
But You should know that already.
You need to go through the above libraries manuals and find the appropriate filtering.