張詠承 [email protected]. Summary: purpose: enable the network card's promiscuous mode (混雜模式)...
TRANSCRIPT
![Page 2: 張詠承 passtaiker@gmail.com. Summary 目的 啟用網路卡之 promiscuous mode ( 混雜模式 ) 從網路卡抓取封包 分析封包 顯示分析結果 Hint Raw socket/libpcap/winpcap](https://reader031.vdocuments.site/reader031/viewer/2022012318/56649e1b5503460f94b09b74/html5/thumbnails/2.jpg)
Summary

Purpose:
- Enable promiscuous mode on the network card
- Capture packets from the network card
- Analyze the packets
- Display the analysis results

Hint:
- Raw socket / libpcap / WinPcap
- Data link layer socket programming / packet capture library
- Network packet capture
Example screenshot (after running "sudo ./a.out"; root is needed because opening a PF_PACKET socket requires the CAP_NET_RAW capability)
What's a Raw Socket

Simply put, raw sockets provide a way to bypass the normal network-stack traversal of a packet and deliver it directly to an application.
- A raw socket reads and writes packets at the data link layer
- With a raw socket you can read and write the header of an IPv4 packet
- You can read and write frames of protocols that the kernel does not hand to ordinary sockets, such as ARP (Address Resolution Protocol) and RARP (Reverse ARP); these travel directly inside Ethernet frames, not inside IP
Why Raw Socket

- TCP/UDP data read from an ordinary socket contains only the payload part of the IP packet
- The Ethernet, IP and ARP headers are removed by the kernel; only the data is shipped to the application layer
- Use a raw socket to read and write the header of an IPv4 packet (and everything in front of it)
How to Use Raw Socket

```c
// Create a socket. The second argument says it is a raw socket; the third selects
// which link-layer protocol (EtherType) to receive, here ETH_P_ALL: every frame.
sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
```

First argument, PF_PACKET: a software interface for sending and receiving packets at layer 2 of the OSI model. Every packet received is complete, with all headers and data. Filtering with Berkeley Packet Filters is supported (a filter is attached with setsockopt(SO_ATTACH_FILTER)).

Second argument: PF_PACKET supports two socket types. SOCK_DGRAM returns packets with the link-layer header removed (the addresses arrive in the struct sockaddr_ll instead); SOCK_RAW returns the complete link-layer frame.

Last argument, always wrapped in htons(): ETH_P_ALL returns frames of all protocols the data link receives (including the host's own outgoing frames); ETH_P_IP returns only IPv4 frames; ETH_P_ARP only ARP frames; ETH_P_IPV6 only IPv6 frames. The constants are in <linux/if_ether.h>; struct sockaddr_ll is in <netpacket/packet.h>.
How to Use Raw Socket

```c
addr.sll_family = PF_PACKET;
addr.sll_protocol = htons(ETH_P_ARP);
len = sizeof(addr);
recvfrom(sd, rcvbuffer, sizeof(rcvbuffer), 0, (struct sockaddr *)&addr, &len);
```

The first argument is the socket descriptor; the second is the buffer that receives the frame; the third is the size of that buffer; the fourth (flags) is not used here and is set to 0; the fifth is a struct sockaddr_ll that the kernel fills in on return with where the frame came from: the interface index (sll_ifindex), the protocol (sll_protocol), the packet type (sll_pkttype: PACKET_HOST, PACKET_BROADCAST, PACKET_MULTICAST, PACKET_OUTGOING, ...) and the hardware address; the sixth is the length of addr, which must be set to sizeof(addr) before every call because recvfrom() updates it.

Note that the two assignments above do not filter anything: recvfrom() only writes to addr. To receive from one interface or one protocol only, fill in sll_family, sll_protocol and sll_ifindex and pass the struct to bind() before reading.
Example

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
    unsigned char rcvbuffer[65536];   // large enough for any Ethernet frame
    struct sockaddr_ll addr;
    socklen_t len;
    int sd, ret;

    // create raw socket for sniffing (needs CAP_NET_RAW, hence sudo)
    sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (sd == -1) { perror("socket"); return 1; }

    for (;;) {
        len = sizeof(addr);
        // receive one frame; the kernel fills addr with interface, protocol and packet type
        ret = recvfrom(sd, rcvbuffer, sizeof(rcvbuffer), 0, (struct sockaddr *)&addr, &len);
        if (ret == -1) { perror("recvfrom"); continue; }
        /* Parse rcvbuffer here following the protocol formats: first check whether the
           Ethernet type says IP; if so, parse the packet and print its contents.
           ret is the number of bytes received, so never read past rcvbuffer[ret - 1]. */
    }
} // end of main
```
Network API - libpcap

libpcap (Packet CAPture) provides a portable framework for low-level network monitoring. Applications include network statistics collection, security monitoring, network debugging, etc.

libpcap is the library we are going to use to grab packets right as they come off the network card.

Tutorial: http://yuba.stanford.edu/~casado/pcap/section1.html
Libpcap - Functions

```c
pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf);
int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user);
```

snaplen is the number of bytes kept from each packet (65535 keeps whole frames); promisc != 0 makes libpcap put the interface into promiscuous mode for you; to_ms is the read timeout in milliseconds; errbuf must be at least PCAP_ERRBUF_SIZE bytes. The callback has the type void (*pcap_handler)(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes).
libpcap - Open up NIC for PCAP

```c
char errbuf[PCAP_ERRBUF_SIZE];
char *dev;
pcap_t *descr;

dev = pcap_lookupdev(errbuf);   // or simply dev = "eth0"
if (dev == NULL) {
    fprintf(stderr, "%s\n", errbuf);
    return -1;
}
// promisc != 0 asks libpcap to put the interface into promiscuous mode;
// pcap_time_out is the read timeout in milliseconds
descr = pcap_open_live(dev, BUFSIZ, promisc, pcap_time_out, errbuf);
if (descr == NULL) {
    fprintf(stderr, "pcap_open_live(): %s\n", errbuf);
    return -1;
}
```

pcap_lookupdev() is deprecated in current libpcap (it only returns the first non-loopback interface); pcap_findalldevs() is the replacement. BUFSIZ as the snaplen (8192 on glibc) is enough for ordinary Ethernet frames; use 65535 if jumbo frames matter.
libpcap - Capture a Packet

```c
int ret;
ret = pcap_dispatch(pt_a, -1, dev_a_handle, NULL);   // -1: process one buffer of packets
if (ret == -1) {
    pcap_perror(pt_a, "pcap_dispatch err:");
}

// called once per captured packet
void dev_a_handle(u_char *user, const struct pcap_pkthdr *hdr, const u_char *packet)
{
    // hdr->ts: capture timestamp (struct timeval); hdr->caplen: bytes available in packet;
    // hdr->len: original length on the wire. Read at most hdr->caplen bytes of packet.
}
```

A cnt of 0 was undefined in older libpcap versions, so pass -1, or use pcap_loop(pt_a, -1, dev_a_handle, NULL) to keep capturing until pcap_breakloop() is called or an error occurs. The handler's first argument receives the user pointer given to pcap_dispatch()/pcap_loop().
Network API - libnet

Designed by Mike Schiffman, libnet is a portable, open source, C-language library for creating and injecting network packets.

libnet supports packet creation at every layer of the TCP/IP network model.
libnet - Functions

```c
libnet_t *libnet_init(int injection_type, const char *device, char *err_buf);
int libnet_write_link(struct libnet_link_int *l, const u_char *device, u_char *packet, int packet_size);
```

The second prototype is the libnet 1.0 form. In libnet 1.1 (the libnet1-dev package installed below, whose libnet_init() is the one shown) the call is int libnet_write_link(libnet_t *l, const uint8_t *packet, uint32_t size), which is the form used on the "Send a Packet" slide.
libnet - Initialization

```c
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *net_b;

// LIBNET_LINK: inject complete frames at the link layer (needs root)
net_b = libnet_init(LIBNET_LINK, "eth0", errbuf);
if (net_b == NULL) {
    fprintf(stderr, "libnet_init fail: %s\n", errbuf);
    return;
}
```
libnet - Send a Packet

```c
// packet and hdr come from the pcap callback: re-inject the captured frame unchanged
c = libnet_write_link(net_b, (u_char *)packet, hdr->caplen);
if (c == -1)
    fprintf(stderr, "libnet_write_link: %s\n", libnet_geterror(net_b));
```

Call libnet_destroy(net_b) when you are done with the handle.
pthread

```c
int pthread_create(pthread_t *thread, const pthread_attr_t *attr,
                   void *(*start_routine)(void *), void *arg);
```

- thread: returns the thread id (unsigned long int, defined in bits/pthreadtypes.h)
- attr: set to NULL if the default thread attributes are used
- start_routine: pointer to the function to be threaded; the function has a single argument, a pointer to void
- arg: pointer to the argument of the function; to pass multiple arguments, send a pointer to a structure
pthread

```c
int pthread_join(pthread_t thread, void **value_ptr);
```

The pthread_join() function suspends execution of the calling thread until the target thread terminates; the value the thread returned from its start routine is stored through value_ptr. (The thread is passed by value, not as a pointer.)
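The pattern the two pthread slides describe, as an added example that is not part of the original slides: several worker threads analyze slices of one capture, each receiving its arguments through a single struct pointer, updating shared counters under a mutex, and handing a per-thread result back through pthread_join(). The list of frames is a constructed sample standing in for whatever a frame parser would produce; the struct and function names are this example's own.

```c
// Added example (not from the slides): worker threads sharing sniffer statistics.
#include <stdio.h>
#include <stdint.h>
#include <pthread.h>

struct frame { uint16_t ethertype; size_t len; };   // what a frame parser would hand over

struct totals {
    pthread_mutex_t lock;                 // guards the three counters below
    unsigned long arp_frames, ip_frames, bytes;
};

struct job {                              // "multiple arguments" passed as one pointer
    const struct frame *frames;
    size_t count;
    struct totals *shared;
    unsigned long local_bytes;            // per-thread result, read back after pthread_join()
};

static void *worker(void *arg)
{
    struct job *j = arg;
    for (size_t i = 0; i < j->count; i++) {
        j->local_bytes += j->frames[i].len;            // private: no lock needed
        pthread_mutex_lock(&j->shared->lock);          // shared: lock around every update
        if (j->frames[i].ethertype == 0x0806) j->shared->arp_frames++;
        else if (j->frames[i].ethertype == 0x0800) j->shared->ip_frames++;
        j->shared->bytes += j->frames[i].len;
        pthread_mutex_unlock(&j->shared->lock);
    }
    return j;                                          // pthread_join() hands this back
}

// Split n frames across nthreads workers (1..16); returns 0 on success, -1 on error.
int count_frames(const struct frame *frames, size_t n, int nthreads, struct totals *out)
{
    pthread_t tid[16];
    struct job jobs[16];
    if (nthreads < 1 || nthreads > 16) return -1;
    pthread_mutex_init(&out->lock, NULL);
    out->arp_frames = out->ip_frames = out->bytes = 0;
    size_t per = n / nthreads, start = 0;
    for (int t = 0; t < nthreads; t++) {
        size_t cnt = (t == nthreads - 1) ? n - start : per;   // last thread takes the remainder
        jobs[t] = (struct job){ frames + start, cnt, out, 0 };
        if (pthread_create(&tid[t], NULL, worker, &jobs[t]) != 0) return -1;
        start += cnt;
    }
    unsigned long sum = 0;
    for (int t = 0; t < nthreads; t++) {
        void *ret;
        pthread_join(tid[t], &ret);                    // wait, then collect the thread's result
        sum += ((struct job *)ret)->local_bytes;
    }
    pthread_mutex_destroy(&out->lock);
    return sum == out->bytes ? 0 : -1;                 // the two tallies must agree
}

// Constructed sample capture: 3 ARP frames, 4 IPv4 frames, 1 IPv6 frame, 1938 bytes in total.
const struct frame SAMPLE_FRAMES[8] = {
    {0x0806, 42}, {0x0800, 74}, {0x0800, 1514}, {0x0806, 60},
    {0x0800, 66}, {0x86dd, 86}, {0x0800, 54},   {0x0806, 42},
};

int main(void)
{
    struct totals t;
    if (count_frames(SAMPLE_FRAMES, 8, 4, &t) != 0) return 1;
    printf("ARP %lu, IPv4 %lu, other %lu, %lu bytes\n",
           t.arp_frames, t.ip_frames, 8 - t.arp_frames - t.ip_frames, t.bytes);
    return 0;
}
```

Compile with gcc -Wall threads.c -lpthread. The private local_bytes counter shows the usual way to avoid contention: accumulate per thread, take the lock only for the shared totals, and reconcile after the joins.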
libpcap, libnet Installation

libpcap: sudo apt-get install libpcap0.8-dev
libnet: sudo apt-get install libnet1-dev

Remember to install these two libraries first, and link against them when compiling: gcc sniffer.c -lpcap -lnet -lpthread
Programming Environment

You have to write your program on a Linux platform. You can install VMware and run Linux in a virtual machine; if you do, check that the VM's virtual network allows promiscuous mode, otherwise the guest sees only its own traffic.
Promiscuous Mode

Normally we only receive frames destined to us (unicast), to everyone (broadcast) and to the selected group addresses we subscribe to (multicast).

Receiving the frames of all computers connected to our broadcast domain is promiscuous mode.

Promiscuous mode only switches off the NIC's own address filter. On a switched network the switch still forwards only broadcast, multicast, flooded unknown-unicast and our own traffic to our port, so to see other hosts' conversations you need a hub, a mirror (SPAN) port, or a VM whose virtual switch permits promiscuous mode.
Promiscuous Mode

It is the "see all, hear all" wizard mode: it tells the network driver to accept all packets irrespective of whom they are addressed to. Used for network monitoring, both legal and illegal.

We can do this programmatically by setting the IFF_PROMISC flag, or with the ifconfig utility (ifconfig eth0 promisc; on current systems ip link set eth0 promisc on):

```c
#include <sys/ioctl.h>
#include <net/if.h>
#include <string.h>

struct ifreq ifrq;
memset(&ifrq, 0, sizeof(ifrq));
strncpy(ifrq.ifr_name, "eth0", IFNAMSIZ - 1);  // keep the name NUL-terminated
ioctl(sock, SIOCGIFFLAGS, &ifrq);              // read the current interface flags...
ifrq.ifr_flags |= IFF_PROMISC;                 // ...set the promiscuous bit...
ioctl(sock, SIOCSIFFLAGS, &ifrq);              // ...and write them back (needs CAP_NET_ADMIN)
```

Two things to remember: the SIOCSIFFLAGS ioctl needs root (CAP_NET_ADMIN), and a flag set this way stays on after the program exits, so clear it on the way out (ifrq.ifr_flags &= ~IFF_PROMISC; ioctl(sock, SIOCSIFFLAGS, &ifrq);). The alternative is setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with mr_type = PACKET_MR_PROMISC, which the kernel reference-counts and reverts when the socket is closed. ip link show eth0 lists PROMISC while the mode is active.
The making of a Sniffer

1. Create a raw socket: socket()
2. Set the interface you want to sniff on into promiscuous mode
3. Bind the raw socket to this interface: bind() (optional; an unbound PF_PACKET socket receives from every interface)
4. Receive packets on the socket: recvfrom()
5. Process the received packets
6. Close the raw socket: close()
Internet Address Manipulation

in_addr_t inet_addr(const char *cp)
- converts the Internet host address cp from numbers-and-dots notation into binary data in network byte order
- on error it returns INADDR_NONE (0xffffffff), which is also the valid address 255.255.255.255; inet_pton() avoids this ambiguity

char *inet_ntoa(struct in_addr in)
- converts the Internet host address in, given in network byte order, to a string in standard numbers-and-dots notation (a.b.c.d)
- the string is returned in a statically allocated buffer, which subsequent calls will overwrite; inet_ntop() writes into a buffer you supply instead
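The static-buffer pitfall just described bites in the exact place a sniffer uses it: printing source and destination in one printf(). The following is an added example, not code from the original slides, contrasting the inet_ntoa() version with the inet_ntop()/inet_pton() replacements; the function names and the sample addresses are this example's own.

```c
// Added example (not from the slides): inet_ntoa()'s shared buffer versus inet_ntop().
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

// Buggy: both inet_ntoa() calls return the SAME static buffer. snprintf() reads it
// only after both calls have run, so the line shows whichever address was converted
// last, twice.
int format_pair_ntoa(struct in_addr src, struct in_addr dst, char *out, size_t n)
{
    return snprintf(out, n, "%s -> %s", inet_ntoa(src), inet_ntoa(dst));
}

// Correct: inet_ntop() writes into a caller-supplied buffer, so each address has its
// own storage; it is also thread-safe and handles IPv6 with AF_INET6.
int format_pair_ntop(struct in_addr src, struct in_addr dst, char *out, size_t n)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &src, s, sizeof(s));
    inet_ntop(AF_INET, &dst, d, sizeof(d));
    return snprintf(out, n, "%s -> %s", s, d);
}

// inet_addr() reports failure as INADDR_NONE, which is also 255.255.255.255; inet_pton()
// returns 1 only for a valid dotted quad, so the two cases stay distinct.
// Returns 1 on success, 0 if s is not a valid IPv4 address.
int parse_ipv4(const char *s, struct in_addr *out)
{
    return inet_pton(AF_INET, s, out) == 1;
}

int main(void)
{
    struct in_addr a, b;
    char line[64];
    parse_ipv4("10.0.0.1", &a);                       // constructed sample addresses
    parse_ipv4("10.0.0.2", &b);
    format_pair_ntoa(a, b, line, sizeof(line));
    printf("inet_ntoa: %s\n", line);                  // one address repeated
    format_pair_ntop(a, b, line, sizeof(line));
    printf("inet_ntop: %s\n", line);                  // 10.0.0.1 -> 10.0.0.2
    printf("inet_addr(\"255.255.255.255\") == INADDR_NONE: %d\n",
           inet_addr("255.255.255.255") == INADDR_NONE);
    return 0;
}
```

The same rule applies to every function that returns a pointer into static storage (ether_ntoa(), gethostbyname(), ...): convert each value into its own buffer before formatting.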
Network Byte Ordering

- The network is big-endian; the host may be big- or little-endian
- The functions work on 16-bit (short) and 32-bit (long) values
- htons() / htonl(): convert host byte order to network byte order
- ntohs() / ntohl(): convert network byte order to host byte order
- Use these to convert network addresses, ports, and every multi-byte field you read out of a captured frame (EtherType, IP total length, TCP/UDP ports); comparing a raw field against a host-order constant is the classic sniffer bug
Ethernet Header Format

- Destination: the destination MAC address (6 bytes)
- Source: the sender's MAC address (6 bytes)
- Type (EtherType, 2 bytes; #define ETH_P_ARP 0x0806): the kind of packet carried. 0x0806 means an ARP packet, 0x0800 IPv4, 0x86DD IPv6. The field is big-endian, so compare ntohs(eth->ether_type) with the constant (or the raw field with htons(ETH_P_ARP))
- Data: the packet contents
IP Header Format

The fields a sniffer needs: Version/IHL (the IHL nibble is the header length in 32-bit words, 5 = 20 bytes when there are no options, so the payload starts at IHL * 4), Total Length, Protocol, Source Address, Destination Address. All multi-byte fields are big-endian.

Protocol field values:
- IPPROTO_ICMP 1
- IPPROTO_IGMP 2
- IPPROTO_TCP 6
- IPPROTO_UDP 17
Requirements

- packet number
- time elapsed since capture was initiated (with microsecond resolution)
- packet size
- packet type (protocol): Ethernet packet: ARP; IP packet: TCP/UDP/ICMP/IGMP
- source and destination IP addresses
- summary information about the IP packet
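The raw-socket example, the byte-ordering notes, the Ethernet and IP header formats and the requirements list above all meet in one program. The following is an added example, not code from the original slides: a Linux sniffer whose parse_frame() turns a captured frame into exactly the fields the requirements ask for, with every length checked before a header is read. It assumes an interface named eth0 unless one is given on the command line, enables promiscuous mode with PACKET_ADD_MEMBERSHIP instead of the SIOCSIFFLAGS ioctl, and the two sample frames are constructed, not captured.

```c
// Added example (not from the slides): a minimal Linux sniffer. parse_frame() needs no
// socket or root, so it can be exercised on the constructed frames below.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <arpa/inet.h>

enum pkt_kind { PKT_OTHER, PKT_ARP, PKT_ICMP, PKT_IGMP, PKT_TCP, PKT_UDP, PKT_IP_OTHER };

struct pkt_summary {
    enum pkt_kind kind;
    uint16_t ethertype, ip_total_len;   // converted to host byte order
    uint8_t  ip_proto;                  // IPv4 protocol number, 0 if not IPv4
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
};

// Classify one captured frame. Returns -1 if the buffer is shorter than the headers it
// claims to hold: every length is checked before the bytes are read, so a truncated or
// crafted frame cannot make the sniffer read past the buffer.
int parse_frame(const uint8_t *buf, size_t len, struct pkt_summary *out)
{
    memset(out, 0, sizeof(*out));
    if (len < sizeof(struct ether_header)) return -1;
    const struct ether_header *eth = (const struct ether_header *)buf;
    out->ethertype = ntohs(eth->ether_type);            // big-endian on the wire
    const uint8_t *payload = buf + sizeof(*eth);
    size_t plen = len - sizeof(*eth);
    if (out->ethertype == ETHERTYPE_ARP) {
        if (plen < sizeof(struct ether_arp)) return -1;
        const struct ether_arp *arp = (const struct ether_arp *)payload;
        inet_ntop(AF_INET, arp->arp_spa, out->src, sizeof(out->src));
        inet_ntop(AF_INET, arp->arp_tpa, out->dst, sizeof(out->dst));
        out->kind = PKT_ARP;
        return 0;
    }
    if (out->ethertype != ETHERTYPE_IP) { out->kind = PKT_OTHER; return 0; }
    if (plen < sizeof(struct ip)) return -1;
    const struct ip *ip = (const struct ip *)payload;
    size_t ihl = (size_t)ip->ip_hl * 4;                  // header length incl. options
    if (ip->ip_v != 4 || ihl < sizeof(struct ip) || plen < ihl) return -1;
    out->ip_proto = ip->ip_p;
    out->ip_total_len = ntohs(ip->ip_len);
    inet_ntop(AF_INET, &ip->ip_src, out->src, sizeof(out->src));
    inet_ntop(AF_INET, &ip->ip_dst, out->dst, sizeof(out->dst));
    out->kind = ip->ip_p == IPPROTO_ICMP ? PKT_ICMP : ip->ip_p == IPPROTO_IGMP ? PKT_IGMP :
                ip->ip_p == IPPROTO_TCP  ? PKT_TCP  : ip->ip_p == IPPROTO_UDP  ? PKT_UDP  : PKT_IP_OTHER;
    return 0;
}

// Constructed sample frames (not real captures): an ARP request 10.0.0.1 -> 10.0.0.2 and
// an IPv4/TCP header 192.168.1.10 -> 93.184.216.34 (total length 40, no options).
const uint8_t SAMPLE_ARP[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06, 0x00,0x01, 0x08,0x00,
    6, 4, 0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55, 10,0,0,1, 0,0,0,0,0,0, 10,0,0,2 };
const uint8_t SAMPLE_TCP[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, 0x45,0x00, 0x00,0x28,
    0x00,0x00, 0x40,0x00, 64, 6, 0x00,0x00, 192,168,1,10, 93,184,216,34 };

// Open a raw socket bound to one interface and enable promiscuous mode with PACKET_ADD_MEMBERSHIP,
// which the kernel reference-counts and undoes when the socket closes. Needs CAP_NET_RAW.
static int open_sniffer(const char *ifname)
{
    int sd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (sd == -1) { perror("socket"); return -1; }
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(ifname) };
    struct packet_mreq mr = { .mr_ifindex = sll.sll_ifindex, .mr_type = PACKET_MR_PROMISC };
    if (sll.sll_ifindex == 0 || bind(sd, (struct sockaddr *)&sll, sizeof(sll)) == -1 ||
        setsockopt(sd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1) {
        perror(ifname); close(sd); return -1;
    }
    return sd;
}

int main(int argc, char *argv[])
{
    static const char *names[] = { "other", "ARP", "ICMP", "IGMP", "TCP", "UDP", "IP/other" };
    int sd = open_sniffer(argc > 1 ? argv[1] : "eth0");   // interface name is an assumption
    if (sd == -1) return 1;
    uint8_t buf[65536];
    struct timespec t0, now; clock_gettime(CLOCK_MONOTONIC, &t0);
    for (unsigned long n = 1;; n++) {                       // packet number
        ssize_t got = recv(sd, buf, sizeof(buf), 0);
        if (got == -1) { perror("recv"); continue; }
        clock_gettime(CLOCK_MONOTONIC, &now);               // elapsed time, printed to the microsecond
        double dt = (now.tv_sec - t0.tv_sec) + (now.tv_nsec - t0.tv_nsec) / 1e9;
        struct pkt_summary s;
        if (parse_frame(buf, (size_t)got, &s) == -1)
            printf("#%lu %.6fs %zd bytes malformed frame (ethertype 0x%04x)\n", n, dt, got, s.ethertype);
        else
            printf("#%lu %.6fs %zd bytes %s %s -> %s\n", n, dt, got, names[s.kind], s.src, s.dst);
    }
}
```

Compile with gcc -Wall sniffer.c -o sniffer and run sudo ./sniffer eth0. recv() is enough because the socket is bound to one interface; switch to recvfrom() with a struct sockaddr_ll if you want sll_pkttype, which tells you that a frame was PACKET_OUTGOING (your own traffic, which ETH_P_ALL also delivers). Because the kernel drops the promiscuous membership when the socket closes, the interface is back to normal even if the program is killed.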
Bonus

- GUI
- Filter: by IP address, by protocol
- Additional IP protocols
- etc.
Debugging
Grading

- Correctness (60%)
- Report (30%): how to run your program; what you learned; what you struggled with in this homework; any feedback
- Coding style (10%)
Hand in your program

Deadline: 2009/5/20 23:59:59

Write a simple report in a text file. Please tar/zip/rar your files (including code and report), named with your student ID (ex: 9762560.tar), and log in to ftp://140.114.71.48:4231 (cs4231/cs4231s10). Change directory to Project1_upload, create a directory named with your student ID, then upload your file into that directory.
Appendix

Receiving packets with a raw socket:
http://blog.roodo.com/thinkingmore/archives/554037.html
Getting started with the WinPcap library:
http://blog.roodo.com/thinkingmore/archives/554037.html
WinPcap library download and documentation:
http://www.winpcap.org/devel.htm
Getting started with the libpcap library:
http://yuba.stanford.edu/~casado/pcap/section1.html
http://www.tcpdump.org/pcap.htm
VMware Server 2.0 installation guide:
http://full827.pixnet.net/blog/post/24011324
Appendix

libpcap / libnet:
http://web.zyline.com.cn/prolist.asp?id=4916
http://dev.csdn.net/article/21/21009.shtm
pthread:
http://www.yolinux.com/TUTORIALS/LinuxTutorialPosixThreads.html
Appendix

Wireshark, the open source packet analyzer:
http://www.wireshark.org/
Ethernet frame format:
http://en.wikipedia.org/wiki/EtherType
IP packet format:
http://www.networksorcery.com/enp/protocol/ip.htm
Study-Area:
http://www.study-rea.org/network/network_ip_arp.htm
鳥哥的 Linux (VBird's Linux):
http://linux.vbird.org/linux_server/0110network_basic/0110network_basic.php
Demo