How to debug the network stack in linux - linux

I am trying to inject a packet into the network using raw sockets, but somehow can't seem to get a receiver to capture this packet. How do I check whether the packet is being dropped by the Linux network stack? Could someone point out some tools for doing this?

I don't know about accessing the network stack directly (not saying it's impossible, just that I don't know how to do it if you can), but you could probably use Wireshark or something similar to see if the NIC on the receiving end is receiving the packets. You could also use it on the sending end to check if the packets are being sent out properly (or are actually being sent out in the first place, if that's the issue), as it allows you to examine the fields/etc. of individual packets. Quite a useful tool, really.
http://www.wireshark.org/
Note that the website doesn't have direct downloads for Linux builds, but does list third-party packages for various Linux distros.

Options include wireshark and tcpdump, or tcpdumping into a pcap file and then analyzing that using wireshark. One option probably is also to use strace or a similar tool to trace the system calls that do the sending.

Another option is to use BPF to instrument the TCP stack in the kernel. You can take a look at some of the already existing scripts for TCP, e.g. tcplife:
https://github.com/iovisor/bcc/blob/master/tools/tcplife.py
http://manpages.ubuntu.com/manpages/bionic/man8/tcplife-bpfcc.8.html
http://www.brendangregg.com/blog/2016-11-30/linux-bcc-tcplife.html
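Before reaching for a capture tool, the kernel's own counters can tell you whether the stack rejected a packet on the sending or receiving host. The script below is an added example, not from any answer above: it parses /proc/net/snmp (paired "Proto: names" / "Proto: values" lines), diffs two snapshots taken around a send, and picks out the counters whose growth means a drop. The two snapshots embedded here are constructed sample text with a subset of the real fields; the live file has more columns but the same layout.

```python
"""Diff /proc/net/snmp counters around a send to spot stack-level drops."""

# Counters whose increase means the stack dropped or rejected something.
DROP_COUNTERS = {
    "Ip": ("InHdrErrors", "InAddrErrors", "InDiscards", "OutDiscards", "OutNoRoutes"),
    "Udp": ("NoPorts", "InErrors", "RcvbufErrors", "SndbufErrors"),
}

def parse_snmp(text):
    """Parse /proc/net/snmp text into {proto: {counter: int}}."""
    lines = [ln.split() for ln in text.strip().splitlines() if ln.strip()]
    out = {}
    for i in range(0, len(lines) - 1, 2):        # header line, then value line
        names, values = lines[i], lines[i + 1]
        if names[0] != values[0]:
            raise ValueError("header/value mismatch at %r" % names[0])
        out[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return out

def counter_delta(before, after):
    """Return {proto: {counter: delta}} for every counter that changed."""
    delta = {}
    for proto, counters in after.items():
        prev = before.get(proto, {})
        changed = {k: v - prev.get(k, 0) for k, v in counters.items() if v != prev.get(k, 0)}
        if changed:
            delta[proto] = changed
    return delta

def explain_drops(delta):
    """Keep only deltas that indicate a drop, keyed as 'Proto.Counter'."""
    return {"%s.%s" % (p, c): delta[p][c]
            for p, names in DROP_COUNTERS.items() for c in names if c in delta.get(p, {})}

def snapshot():
    """Read the live file (Linux only); call once before and once after sending."""
    with open("/proc/net/snmp") as f:
        return parse_snmp(f.read())

# Constructed sample snapshots (subset of the real columns): after one raw send,
# OutRequests rose by one but so did OutNoRoutes, and a probe hit a closed UDP port.
SAMPLE_BEFORE = """Ip: Forwarding DefaultTTL InReceives InHdrErrors InDiscards OutRequests OutDiscards OutNoRoutes
Ip: 1 64 1000 0 0 800 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 500 2 0 400"""
SAMPLE_AFTER = """Ip: Forwarding DefaultTTL InReceives InHdrErrors InDiscards OutRequests OutDiscards OutNoRoutes
Ip: 1 64 1000 0 0 801 0 1
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 500 3 0 400"""

if __name__ == "__main__":
    print(explain_drops(counter_delta(parse_snmp(SAMPLE_BEFORE), parse_snmp(SAMPLE_AFTER))))
```

On the receiving host the same diff is worth taking, since a packet that arrives but matches no listener shows up as Udp.NoPorts rather than in a capture of the application's socket.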

Related

Packet injection, filtering and mangling WITHOUT GPL?

I'll have to do packet inspection, mangling, dropping and injection of packets on a Linux system. Ideally, this would be in user space and on IP packets and Ethernet frames, too.
Unfortunately, I cannot go OpenSource for this which basically rules out any approach based on NFQUEUE and libnetfilter_queue, since all of netfilter (and their dog) is GPL only.
I thought about using TAP/TUN devices in parallel to controlling netfilter by simply calling iptables, but this seems to be messy at best...
So, are there any alternatives to netfilter?
I believe your issue is that libnetfilter is subject to the GPLv2 licence (not LGPL) and any project building on these would thus be subject to the GPLv2 licence too; this is what you want to avoid (I think).
An alternative would be to use a language binding which is not subject to the GPLv2 licence. One candidate would appear to be the Go bindings - see here for example, which appears to be under the Apache licence. I have obviously not checked the provenance of every file therein. Another way would be to divide your application into two - a small layer that communicates with Netfilter, communicating via (e.g.) an RPC interface with the rest of your application.
However, the last time I faced this, I used libpcap instead, which is BSD licensed. It's a little known fact that libpcap can send raw packets as well as receive them. However, it is much lower level than netfilter - you get raw packets and that's about it.
The license does not apply to your userspace application.

Best way to inject packets into linux kernel to emulate ethernet packet arrival

I am writing a Linux kernel module for some tunnelling activity. The module will get packets from the networking stack and perform some operations on it. What is the best possible way to inject packets into the stack from the bottom (emulate Ethernet packet arrival on wire) so that the packet traverses the entire receive path and is delivered to my module?
My module uses the kernel br_handle_frame_hook hook to get the packet which means that it cannot co-reside with the linux native bridge module. Any ideas will be appreciated.
Consider using NetFilter
http://www.phrack.org/issues.html?issue=61&id=13
TAP would be great, if you're working in user space, which you're not
I believe that TAP device is what you are looking for - a nice way to send/receive Ethernet packets from user-space
I recommend tap like #raber before me. I also recommend reading this excellent tutorial: http://backreference.org/2010/03/26/tuntap-interface-tutorial/ .
You asked whether you can make the tap non-programmatically and then replay traffic into it. The answer is yes. Look for the 'persistency' options (which b.t.w. can also be done programmatically with a short tool you can write yourself if you prefer not to download tools that can already do it). You may also want/need to define the user that may use the tap (or otherwise just sudo your operations).

Tool to monitor and log a single HTTP connection on Linux?

We're trying to debug an issue with a server that must receive and respond to a large number of persistent HTTP connections.
Ideally we'd like a tool that could pick (at random) a single HTTP connection and log all traffic to and from it, such that we can see what is going on.
Unfortunately we don't have the ability to limit the number of persistent connections we must respond to (typically it is thousands of them), so we really need the tool to narrow down its monitoring to just a single connection.
Can anyone recommend such a tool, and give guidance on how to persuade it to do what we need?
Wireshark is a great open source tool for this purpose.
If using wireshark directly doesn't work out, you could fiddle with the routing on a firewall/router type box and have the monitored connection go out over a different interface (where you can tap into it using wireshark or whatever) than all the rest of the connections to the server.
The actual capturing of packets is usually done by libpcap.
There are different tools building on top of it:
First there is good old tcpdump. It is a text tool, which allows you to specify what packets you are interested in and prints (per default) a line for each matching packet. Actually you have lots of options for what shall be done. You can also dump all traffic in a capture file.
Then there is wireshark (formerly known as ethereal). This is a GUI allowing you to capture packets as in tcpdump, and has lots of ways to analyze such data. It can also read and analyze capture files created by tcpdump.
Along with wireshark comes tshark (formerly known as tethereal), which is pretty much the console version of wireshark.
If you are only interested in the data sent in the packets have a look at tcpflow.
There are also some more advanced tools which can also be used to attack other hosts.
For example, ettercap will list all current connections and among others can show you the data sent on that connection.
It is not completely clear from your question what exactly you are trying to find out, but it sounds like something like tcpflow might be what you want.

Hijacking communication between application and network in Linux

I have an embedded system that can be treated as an Access Point. There's a program that runs in that system and performs some network communication with devices connected to that Access Point. It is sending UDP packets containing some diagnostic information (a data structure) and receiving commands. The problem is that sometimes some fields of that outgoing data structure are not filled with data (eg. there are zeroes or some garbage). I need those fields to be correctly filled every time and I know what values should be put there.
Another task that I need to accomplish is to filter incoming packets that come to this program (I know what ports it listens on) - usually I need to simply pass them, but occasionally (eg. when I get some information from sensors) it is necessary to completely replace them with new packets that I would generate.
I have several ideas varying from some smart usage of iptables and pcap to writing my own kernel module. I do not own sources of that embedded application so I cannot embed this functionality in its code. Performance is a crucial thing here, and I'd like to hear your suggestions: what should I go for? Writing my own kernel modules seems to be the best solution to me, but I have no experience in network hacking so maybe there are some other ways that are better suited for this problem. Any opinion will be highly appreciated!
One standard approach is to use libnetfilter_queue to intercept and modify packets directly. You should at least try this before attempting to write your own kernel modules.
You could do it in userspace. Just write a server that receives the packets, changes them and sends them out again. You have to configure the application just to use your localhost as destination IP (or configure your system so that it has the target address). It's a typical "man-in-the-middle" setup.

intercept data received and sent from my computer?

I want to test a new protocol of communication, and for this I need to intercept every single package entering and leaving the network layer of the OSI model.
Any idea how to intercept those packages and perform the tasks I want to perform on them before letting them go?
http://www.charlesproxy.com/ is a great tool for intercepting, inspecting, modifying, and resending network requests. Its main mode is for http however it has an option to catch and forward any port and a socks proxy option. It understands quite a few payload formats natively and is very useful with minimum effort.
Wireshark is a useful program for letting you sniff network traffic (i.e. passively observe). And on *nix systems, raw sockets give you the ability to bypass most of the network stack and craft custom packets.
Use "Microsoft Network Monitor" if you want to check those Microsoft protocols. Well, though it's much slower than Wireshark.