Transcript Use raw socket to r/w the header of a IPv4 packet

王子健
[email protected]
Summary
 目的
 啟用網路卡之 promiscuous mode (混雜模式)
 從網路卡抓取封包
 分析封包
 顯示分析結果
 Hint
 Raw socket
 Data link layer socket programming
 Network packet capture
Example of screen shot
(after # sudo ./a.out)
What’s Raw Socket
 Simply put raw sockets provide a way to bypass the
whole network stack traversal of a packet and deliver it
directly to an application.
 Raw socket r/w packets from Data Link Layer
 利用 Raw socket 可以讀寫 IPv4 packet 的 header
 Read/write 那些 kernel 不處理的 protocol 的 IP packet
 ARP (Address Resolution Protocol)
 RARP (Reverse ARP)
Why Raw Socket
 TCP/UDP packets received
from a socket
 contains only payload
part of a IP packet
 ETH/IP/ARP hdrs are
removed by kernel
 Use raw socket to r/w the
header of a IPv4 packet
only the data is shipped to the application layer
How to Use Raw Socket
// 宣告一個socket，第二個參數指出這是raw socket，第三個參數指出這是ARP封包
sd = socket(PF_PACKET , SOCK_RAW , htons(ETH_P_ALL));
// 第一個參數
PF_PACKET
// It is a software interface to send/receive packets at layer 2 of the OSI
// All packets received will be complete with all headers and data.
// Supports filtering using Berkley Packet Filters.
// 第二個參數
PF_PACKET 支援兩個 socket type：
SOCK_DGRAM
// return packets with the link-layer header removed
SOCK_RAW
// return complete link-layer packet
// 最後一個參數
ETH_P_ALL
ETH_P_IP
ETH_P_ARP
ETH_P_IPV6
// return frames for all protocols that the data link receives
// return IPv4 frames
// return ARP Protocol frames
// return IPv6 frames
How to Use Raw Socket
addr.sll_family = PF_PACKET;
addr.sll_protocol = htons(ETH_P_ARP);
recvfrom(sd, rcvbuffer, sizeof(rcvbuffer), 0, (struct sockaddr*)&addr, &len)
/*
第一個參數為 socket descriptor
第二個參數為接收內容的 buffer，
第三個參數為此內容的長度，
第四個參數不會用到設為 0，
第五個參數設定 address 的封包種類、接收的 protocol 等等
第六個參數為 addr 的長度 */
Example
int main(int argc, char *argv[])
{
// 省略變數宣告
// create raw socket for sniffing
sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if(sd == -1){
perror("socket error\n");
return;
}
// set address
addr.sll_family = PF_PACKET;
addr.sll_protocol = htons(ETH_P_ALL);
Example
for(;;)
{
len = sizeof(addr);
// receive packets
ret = recvfrom(sd, rcvbuffer, sizeof(rcvbuffer), 0, (struct sockaddr*)&addr, &len);
if (ret == -1)
continue;
/* 於此處按照 IP protocol的格式 parse rcvbuffer
先判斷 Ethernet 是否是 IP 的封包，若是的話就parse
並印出封包的內容 */
}
}
// end of main
Promiscuous Mode
 We can only receive frames destined to us (Unicast) , to
everyone (Broadcast) and to some selected addresses we
subscribe to (Multicast).
 If we could receive the frames for all computers
connected to our broadcast domain – Promiscuous mode
Promiscuous Mode
 It is the “See All, Hear All” Wizard mode 
 Tells the network driver to accept all packets irrespective
of whom the packets are addressed to.
 Used for Network Monitoring – both legal and illegal
monitoring 
 We can do this by programmatically setting the
IFF_PROMISC flag or by using the ifconfig utility (ifconfig
#include <sys/ioctl.h>
eth0 promisc)
#include <net/if.h>
struct ifreq ifrq;
strncpy(ethreq.ifr_name,"eth0",IFNAMSIZ);
ioctl(sock,SIOCGIFFLAGS,&ifrq);
ifrq.ifr_flags|=IFF_PROMISC;
ioctl(sock,SIOCSIFFLAGS,&ifrq);
The making of a Sniffer
 Create Raw socket – socket()
 Set interface you want to sniff on in promiscuous mode.
 Bind Raw socket to this interface – bind()
 optional
 Receive packets on the socket – recvfrom()
 Process received packets
 Close the raw socket().
Internet Address Manipulation
 in_addr_t inet_addr(const char *cp)
 convert the Internet host address cp from numbers-anddots notation into binary data in network byte order
 char *inet_ntoa(struct in_addr in)
 convert the Internet host address in given in network byte
order to a string in standard numbers-and-dots notation
(a.b.c.d)
 The string is returned in a statically allocated buffer, which
subsequent calls will overwrite.
Internet Address Manipulation
Network Byte Ordering
 Network is big-endian, host may be big- or little-endian
 Functions work on 16-bit (short) and 32-bit (long) values
 htons() / htonl()
 convert host byte order to network byte order
 ntohs() / ntohl()
 convert network byte order to host byte order
 Use these to convert network addresses, ports, …
Ethernet Header Format
 Destination
 目的地的 MAC address
 Source
 傳送方的 MAC address
 Message Type (#define ETH_P_ARP 0x0806)
 封包種類，如果該值是0x0806，則表示為ARP封包
 Data
 封包內容
IP Header Format
 Protocol
 IPPROTO_ICMP 1
 IPPROTO_IGMP 2
 IPPROTO_TCP 6
 IPPROTO_UDP 17
Requirements
 packet number
 time elapsed since capture was initiated (with
microsecond resolution)
 packet size
 packet type (protocol)
 ETHERNET packet: ARP
 IP packet: TCP/UDP/ICMP/IGMP
 source and destination IP addresses
 summary information about the IP packet
Bonus
 GUI
 Filter
 IP address
 Protocol
 Additional IP protocols
 etc
Debugging
Grading
 Correctness (60%)
 Report (30%)
 How to run your program.
 What you’ve learned?
 What are you suffer from this HW?
 Any feedback?
 Coding Style (10%)
Hand in your program
 Deadline: 2009/5/6 PM 23:59:59
 Write a simple report in text file.
 Please tar/zip/rar your files (including code and
report) named as 學號.tar (ex: 9762560.tar) and login
to
 ftp:// 140.114.71.48:4231, cs4231/cs4231s09
Change directory to Project1_upload and create a directory
named your 學號, then upload your file in this directory.
Appendix
 Raw socket 收封包:
 http://blog.roodo.com/thinkingmore/archives/554037.html
 Ethernet 封包格式:
 http://en.wikipedia.org/wiki/EtherType
 IP 封包格式:
 http://www.networksorcery.com/enp/protocol/ip.htm
 Study-Area
 http://www.study-rea.org/network/network_ip_arp.htm
 鳥哥的Linux
 http://linux.vbird.org/linux_server/0110network_basic/0110network_b
asic.php
Demo