CS4231 Local Area Networks HW1 – IP Packet Sniffer


Transcript of CS4231 Local Area Networks HW1 – IP Packet Sniffer

Page 1: CS4231 Local Area Networks HW1 – IP Packet Sniffer

王子健 [email protected]

Page 2: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Summary

Goals:
Enable the network card's promiscuous mode
Capture packets from the network card
Analyse the packets
Display the analysis results

Hints:
Raw socket
Data link layer socket programming
Network packet capture

Page 3: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Example of screen shot (after # sudo ./a.out)

Page 4: CS4231 Local Area Networks HW1 – IP Packet Sniffer

What's a Raw Socket

Simply put, raw sockets provide a way to bypass the whole network stack traversal of a packet and deliver it directly to an application.

A raw socket reads and writes packets at the data link layer. With a raw socket you can read and write the header of an IPv4 packet, and read/write packets of protocols the kernel does not process itself, such as ARP (Address Resolution Protocol) and RARP (Reverse ARP).

Page 5: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Why Raw Socket

TCP/UDP packets received from an ordinary socket contain only the payload part of an IP packet: the ETH/IP/ARP headers are removed by the kernel, and only the data is shipped to the application layer. Use a raw socket to read/write the header of an IPv4 packet.

Page 6: CS4231 Local Area Networks HW1 – IP Packet Sniffer

How to Use Raw Socket

    // Create a socket: the second argument says it is a raw socket, the third
    // selects which protocol's frames to receive (here ETH_P_ALL, every frame)
    sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

First argument, PF_PACKET:
    a software interface to send/receive packets at layer 2 of the OSI model;
    all packets received are complete with all headers and data;
    supports filtering using Berkeley Packet Filters.

Second argument: PF_PACKET supports two socket types:
    SOCK_DGRAM  // return packets with the link-layer header removed
    SOCK_RAW    // return the complete link-layer packet

Last argument (the protocol, passed through htons()):
    ETH_P_ALL   // return frames for all protocols the data link receives
    ETH_P_IP    // return IPv4 frames
    ETH_P_ARP   // return ARP frames
    ETH_P_IPV6  // return IPv6 frames

Page 7: CS4231 Local Area Networks HW1 – IP Packet Sniffer

How to Use Raw Socket

    addr.sll_family = PF_PACKET;
    addr.sll_protocol = htons(ETH_P_ARP);

    recvfrom(sd, rcvbuffer, sizeof(rcvbuffer), 0, (struct sockaddr*)&addr, &len);
    /* first argument: the socket descriptor
       second argument: the buffer that receives the data
       third argument: the length of that buffer
       fourth argument: flags, not used here, set to 0
       fifth argument: the address structure (struct sockaddr_ll); on return it
                       describes the packet type, the protocol received, and so on
       sixth argument: the length of addr, passed by pointer and updated on return */

Page 8: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Example

    #include <stdio.h>
    #include <arpa/inet.h>          /* htons */
    #include <sys/socket.h>
    #include <linux/if_packet.h>    /* struct sockaddr_ll */
    #include <netinet/if_ether.h>   /* ETH_P_ALL, ETH_FRAME_LEN */

    int main(int argc, char *argv[]){
        int sd, ret;
        struct sockaddr_ll addr;
        socklen_t len;
        unsigned char rcvbuffer[ETH_FRAME_LEN];   /* room for one full Ethernet frame */

        // create raw socket for sniffing (needs root, hence sudo ./a.out)
        sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
        if(sd == -1){ perror("socket error"); return 1; }

        // set address
        addr.sll_family = PF_PACKET;
        addr.sll_protocol = htons(ETH_P_ALL);

Page 9: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Example (continued)

        for(;;){
            len = sizeof(addr);
            // receive packets
            ret = recvfrom(sd, rcvbuffer, sizeof(rcvbuffer), 0, (struct sockaddr*)&addr, &len);
            if (ret == -1)
                continue;
            /* Parse rcvbuffer here according to the IP protocol format: first
               check whether the Ethernet frame carries an IP packet; if it does,
               parse it and print the packet contents */
        }
    } // end of main

Page 10: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Promiscuous Mode

Normally we can only receive frames destined to us (unicast), to everyone (broadcast) and to some selected addresses we subscribe to (multicast). Being able to receive the frames for all computers connected to our broadcast domain is promiscuous mode.

Page 11: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Promiscuous Mode

It is the "See All, Hear All" wizard mode: it tells the network driver to accept all packets irrespective of whom the packets are addressed to. Used for network monitoring, both legal and illegal monitoring.

We can do this programmatically by setting the IFF_PROMISC flag, or by using the ifconfig utility (ifconfig eth0 promisc).

    #include <sys/ioctl.h>
    #include <net/if.h>

    struct ifreq ifrq;
    strncpy(ifrq.ifr_name, "eth0", IFNAMSIZ);   /* the interface to put in promiscuous mode */
    ioctl(sock, SIOCGIFFLAGS, &ifrq);           /* read the current interface flags */
    ifrq.ifr_flags |= IFF_PROMISC;              /* add the promiscuous bit, keep the others */
    ioctl(sock, SIOCSIFFLAGS, &ifrq);           /* write the flags back */

Page 12: CS4231 Local Area Networks HW1 – IP Packet Sniffer

The making of a Sniffer

1. Create a raw socket: socket()
2. Set the interface you want to sniff on in promiscuous mode
3. Bind the raw socket to this interface: bind() (optional)
4. Receive packets on the socket: recvfrom()
5. Process the received packets
6. Close the raw socket: close()

Page 13: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Internet Address Manipulation

in_addr_t inet_addr(const char *cp)
    converts the Internet host address cp from numbers-and-dots notation into binary data in network byte order

char *inet_ntoa(struct in_addr in)
    converts the Internet host address in, given in network byte order, to a string in standard numbers-and-dots notation (a.b.c.d)
    The string is returned in a statically allocated buffer, which subsequent calls will overwrite.

Page 14: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Internet Address Manipulation

Page 15: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Network Byte Ordering

The network is big-endian; the host may be big- or little-endian. The functions work on 16-bit (short) and 32-bit (long) values.

htons() / htonl()   convert host byte order to network byte order
ntohs() / ntohl()   convert network byte order to host byte order

Use these to convert network addresses, ports, ...

Page 16: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Ethernet Header Format

Destination: the destination MAC address
Source: the sender's MAC address
Message Type (#define ETH_P_ARP 0x0806): the packet type; if the value is 0x0806 the frame is an ARP packet
Data: the packet payload

Page 17: CS4231 Local Area Networks HW1 – IP Packet Sniffer

IP Header Format

Protocol field values:
IPPROTO_ICMP   1
IPPROTO_IGMP   2
IPPROTO_TCP    6
IPPROTO_UDP   17

Page 18: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Requirements

For each captured packet, print:
packet number
time elapsed since capture was initiated (with microsecond resolution)
packet size
packet type (protocol)
    ETHERNET packet: ARP
    IP packet: TCP/UDP/ICMP/IGMP
source and destination IP addresses
summary information about the IP packet

Page 19: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Bonus

GUI
Filter by IP address or protocol
Additional IP protocols
etc.

Page 20: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Debugging

Page 21: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Grading

Correctness (60%)
Report (30%)
    How to run your program.
    What have you learned?
    What did you suffer from in this HW?
    Any feedback?
Coding Style (10%)

Page 22: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Hand in your program

Deadline: 2009/5/6 PM 23:59:59
Write a simple report in a text file.
Please tar/zip/rar your files (including code and report), named as <student ID>.tar (ex: 9762560.tar), and log in to ftp://140.114.71.48:4231, cs4231/cs4231s09. Change directory to Project1_upload, create a directory named with your student ID, then upload your file in this directory.

Page 23: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Appendix

Receiving packets with a raw socket:
http://blog.roodo.com/thinkingmore/archives/554037.html
Ethernet frame format:
http://en.wikipedia.org/wiki/EtherType
IP packet format:
http://www.networksorcery.com/enp/protocol/ip.htm
Study-Area:
http://www.study-rea.org/network/network_ip_arp.htm
VBird's Linux (鳥哥的 Linux):
http://linux.vbird.org/linux_server/0110network_basic/0110network_basic.php

Page 24: CS4231 Local Area Networks HW1 – IP Packet Sniffer

Demo