I need to write a packet sniffer in Linux that detects HTTPS packet that are sent and save the url from the request. I found code for this in security-freak and ran it. This code runs and only sniffs the received packet but I need to get the sent packet in the sniffer.
How do I get the sent packet in this code?
I can't use any library like libcap (forbidden).
The code is :sniffer.c
You should be using ETH_P_ALL instead of ETH_P_IP as the protocol. ETH_P_IP only listens for incoming IP packets.
Why can't you use any library? Homework?
It's hard to answer without having examples from your code, for example how you set sll_pkttype.
The urlsnarf tool in the dnsiff suite could be worth a look.
With appropriate libpcap or DNET usage You should be able to get all network
traffic on the desired layer (protocol - 5) (also this outgoing).
But You should know that already.
You need to go through the above libraries manuals and find the appropriate filtering.
Related
I'm working on Linux 4.13.x. And I'm considering to send a packet response in the kernel.
Consider an echo TCP or UDP server running in the userland and there is also another node running a TCP or UDP client. Clients are sending requests to the server. I want to send the packet response back to the client without any involvement of server application running at userspace.
Here is my thoughts about this problem:
I started thinking how it is possible and I come across to a solution like netfilter. If I can capture the packets in NF_INET_PRE_ROUTING and then try to swap the source and destination IP addresses of IP header and also swapping the ports in the TCP header, then according to this answers and this presumably modified packet should be forwarded to the originator throughout the routing system.
Actually, I tried this scenario and it seems it is not possible to do so from netfilter hooks, however, I'm not sure of it. I thought that it is not working since it has problem with checksums because I'm manipulating packets so I did another experiment to figure this issue out. I just change the packet data and everything worked well. I think checksums don't have any problem since they will be check at NIC while receiving and also same situation while sending so manipulation in between doesn't make anything wrong. I also activate the IPv4 forwarding at the server host(sysctl.config) still nothing changes.
I don't want to create new packet, I only want to alter this packet and send it back. There is another similar question which is creating another packet. Moreover, I'm just thinking why this scenario is not working? But based on the netfilter's architecture it should work.
Thank you
I am also working on this, actually kernel validate the source ip address after ip_rcv function in NF_HOOK which check the source ip address. So just try below command:-
sudo sysctl -w "net.ipv4.conf.all.rp_filter=0"
after doing this also disable your interface from which you send and receive packet just like below:-
sudo sysctl -w "net.ipv4.conf.enp2s0.rp_filter=0"
For learning purposes I'm implementing TCP (for now just RFC 793) but I have no
idea how to test it. Most TUN/TAP stuff on the internet are out of date (e.g.
Linux API calls no longer work) and just doesn't explain enough. In addition, I
feel like a creating a device and forwarding packages etc. are not the best way
for learning purposes. For example, I'd rather only override socket(),
listen(), connect(), accept(), send(), recv() etc. in a program rather
than forwarding all ethernet traffic to a device/program that does the
bookeeping for the whole system rather than for a single program.
I'm wondering if this is possible. If not, I'd like to know the simplest way to
test a TCP implementation on Linux.
Because I'm following RFC 793, it'd be great if I could have an IP (Internet
Protocol as mentioned in the RFC) API in my application. Is this possible or do
I have to mess with TUN/TAP stuff?
Thanks..
If we talk about research I strongly recommend you read Engineering with Logic: Rigorous Test-Oracle Specification and
Validation for TCP/IP and the Sockets API
It contains section about testing TCP/IP implementation:
"EXPERIMENTAL VALIDATION: TESTING INFRASTRUCTURE"
You could try setting up two peers, one using a RAW socket and the other a TCP socket.
If they can communicate and packets are really delivered/recovered the same way TCP does, you know that your custom implementation is successful.
C sockets
C RAW sockets
C TCP implementation
All you need is to intercept all tcp packets with bits (syn, ack, fin, etc.) your application has sent and to see if it works properly:
It could simply be done with wireshark or other sniffer. When testing you will see all tcp packets with bits you've sent.
In order you want to see linux system calls which your application are calling, you can use GDB or any other debugger.
I would like to create a demo with the following topology:
... --->[switch] <---> [Host]
DEMO: A switch sends a packet to a monitoring Host (The packets original destination is not this Host, yet switch will send to it via a mirror port). The monitor-Host is to capture that packet, do something with it (e.g., just dump the L2-L4 header fields into some log file), and then send the original packet back towards the switch.
Host Environment: Ubuntu 12.04 Linux.
Dilemma: What's the simplest way I can capture the packet in Host and send back the original packet to the switch?
Possibilities to Explore:
Create a packet sniffer program in C (looks complex ... libpcap, AF_Packet sockets etc.).
Try to use python scapy (don't know how complex this will be).
Try to install some open source proxy server of some kind to which I can write a plugin that will examine the captured packets.
Question: Any better recommendations (if I can avoid going the programming route, it would be preferred. Is there any simple scripting method to do this?). Looking for a quick-and-dirty method here. Thanks.
well, you can use packets sniffers available such as wireshark, ettercap which will capture all network packets (using promisc mode) and dump them in readable format.
Or, you can preety much easily code sniffer for yourself in python, linux which is not so much complex to understand..
I'm an Automation Developer and lately I've taken it upon myself to control an IP Phone on my desk (Cisco 7940).
I have a third party application that can control the IP phone with SCCP (Skinny) packets. Through Wireshark, I see that the application will send 4 unique SCCP packets and then receives a TCP ACK message.
SCCP is not very well known, but it looks like this:
Ethernet( IP( TCP( SCCP( ))))
Using a Python packet builder: Scapy, I've been able to send the same 4 packets to the IP Phone, however I never get the ACK. In my packets, I have correctly set the sequence, port and acknowledge values in the TCP header. The ID field in the IP header is also correct.
The only thing I can imagine wrong is that it takes Python a little more than a full second to send the four packets. Whereas the application takes significantly less time. I've tried raising the priority for the Python shell with no luck.
Does anyone have an idea why I may not be receiving the ACK back?
This website may be helpful in debugging why on your machine you aren't seeing the traffic you expect, and taking steps to modify your environment to produce the desired output.
Normally, the Linux kernel takes care of setting up and sending and
receiving network traffic. It automatically sets appropriate header
values and even knows how to complete a TCP 3 way handshake. Uising
the kernel services in this way is using a "cooked" socket.
Scapy does not use these kernel services. It creates a "raw" socket. The
entire TCP/IP stack of the OS is circumvented. Because of this, Scapy
give us compete control over the traffic. Traffic to and from Scapy
will not be filtered by iptables. Also, we will have to take care of
the TCP 3 way handshake ourselves.
http://www.packetlevel.ch/html/scapy/scapy3way.html
I am trying to verify a new functionality added to the router kernel. So lets assume I added a filter,iptable and such. I have live traffic. I tried to use tcp dump and look into the packet header and see if the new values in the header are there but I am getting random traffic passing through.
I wonder if it is possible to have tcpdump send traffic and dump it so I have specific packets I sent ? or any other linux commands I can use to do the process. I have a destination port that has no traffic but I don't know how I can send to it and capture those packets. I did some reading on sendip and tcpdump and couldnt help myself.
Send packets, tcpdump it or something like that, verify the packet header has what I want and move on with my life.
I hope I was clear enough.