Security-Freak.Net

Packet Sniffing using Raw Sockets

A raw socket is a software interface through which a process can fully control the packets it sends to or receives from the network. This is done by bypassing the network stack of the host and communicating directly with the device driver.

Most of us might remember the SYN flood attacks on Yahoo in 2000 and the countless other Denial of Service attacks which followed against innumerable hosts on the Internet. The tools used in these attacks leveraged the raw socket interface to accomplish this feat.

Before diving deeper into how such tools work, let us go through a basics presentation first. The presentation can be downloaded here for viewing.

 
Simply put, we can use raw sockets to perform either of two tasks:

1. Packet Sniffing ( Receiving packets from raw socket )
2. Packet Injection ( Sending packets into raw socket )

For this discussion we will limit ourselves to the PF_PACKET interface on Linux. In this tutorial we will talk only about Packet Sniffing; another tutorial will cover Packet Injection.

As you will have understood by now from the "Making of a Sniffer" slide in the above presentation, we open a raw socket and start receiving packets from that interface. Once we receive a packet we should be able to parse it intelligibly and find out the details of all the headers (Ethernet, IP, TCP, ARP, FTP, etc.).

Let's refresh our memory as to what the headers look like:

Ethernet Header

EthDHost: Destination address (6 bytes).

EthSHost: Source address (6 bytes).

EthType: Encapsulated packet type (2 bytes). It is ETHERTYPE_IP for IP-based communication.

Let's now look at the IP header. Please look up the fields in the header if there is any confusion.

IP Header

Finally, the TCP and UDP headers look as below. After these headers comes the application-specific data.

TCP Header

UDP Header

Whenever our sniffer receives a packet it needs to know how to parse it. Assuming we are on an Ethernet interface, we first parse the Ethernet header to figure out what the packet contains by looking at the EthType field.

So what would an Ethernet header look like in C code? An IP header? TCP? UDP?

The next set of videos should hopefully answer all your questions. The first video will feature a basic sniffer which just captures packets and prints them in hex. Please download the code and follow the video.
 

Now we have a simple sniffer which dumps captured packets in hex. Let's start decoding the packet trace in more detail by first parsing the Ethernet header. Please download the code for the next video.

 
 

Please go through the above video very seriously. If you understood the parsing logic clearly, then you've graduated to the next level :D . Now let's move on and decode the IP header in the packet. Download code.

 

Now let's go ahead and decode the TCP header in the packet. The code for the next video is available for download here.

 
All this header decoding might look a little complicated at first glance, but rest assured: a couple of practice programs and you will be able to do it blindfolded.

Now for decoding the data portion of the packet. Please download this code and follow the video.
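As an added example (not the tutorial's downloadable code), here is the header-walking logic the videos describe, written as one decoder over a constructed Ethernet/IPv4/TCP frame instead of a live PF_PACKET socket, so it runs without root; the struct and function names are this example's own. It also shows the length checks a sniffer needs before trusting the IHL and data-offset values it reads off the wire.

```c
#include <stdint.h>
#include <stdio.h>
/* Parsed view of one captured frame (this example's own names, not the tutorial's
 * downloadable code). Wire fields are big-endian, so they are read byte by byte. */
struct decoded {
    uint16_t ethtype, sport, dport; uint8_t proto;
    uint32_t saddr, daddr;               /* host byte order */
    size_t payload_off, payload_len;     /* where application data starts, and how much */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* Walk Ethernet -> IPv4 -> TCP, checking each length against the captured size before
 * reading; a decoder that skips these checks reads past the buffer on a short or malformed
 * frame. Returns 0 on success, -1 if the frame is truncated or is not IPv4/TCP. */
int decode_frame(const uint8_t *buf, size_t len, struct decoded *d)
{
    if (len < 14) return -1;                           /* Ethernet header is 14 bytes */
    d->ethtype = rd16(buf + 12);
    if (d->ethtype != 0x0800) return -1;               /* ETHERTYPE_IP only */
    const uint8_t *ip = buf + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return -1; /* version must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;           /* IHL is in 32-bit words, options included */
    size_t tot = rd16(ip + 2);                         /* IP total length */
    if (ihl < 20 || tot < ihl + 20 || len < 14 + tot) return -1;
    d->proto = ip[9];
    d->saddr = rd32(ip + 12); d->daddr = rd32(ip + 16);
    if (d->proto != 6) return -1;                      /* TCP only */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;          /* TCP data offset, 32-bit words */
    if (doff < 20 || tot < ihl + doff) return -1;
    d->sport = rd16(tcp); d->dport = rd16(tcp + 2);
    d->payload_off = 14 + ihl + doff; d->payload_len = tot - ihl - doff;
    return 0;
}
/* Constructed sample: Ethernet, IPv4 192.168.1.10 -> 10.0.0.1, TCP 4660 -> 80 (PSH/ACK),
 * then 4 payload bytes "GET ". Checksums are left zero; the decoder does not verify them. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0x12,0x34,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    'G','E','T',' ' };
const size_t sample_frame_len = sizeof sample_frame;
int main(void) {
    struct decoded d;
    if (decode_frame(sample_frame, sample_frame_len, &d) != 0) return 1;
    printf("type 0x%04x proto %u port %u -> %u payload %zu bytes at offset %zu\n",
           d.ethtype, d.proto, d.sport, d.dport, d.payload_len, d.payload_off);
    return 0;
}
```

In a real sniffer the buffer and length come from recvfrom() on the PF_PACKET socket, and the same checks apply to every frame because the kernel hands over whatever arrived on the wire.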
 
Done! We have traversed the whole OSI stack, right from the Ethernet, IP and TCP layers to the data. By now you should hopefully have some idea about packet parsing and decoding the headers. I would advise you to write programs to display all the fields in the headers. This will help you gain confidence.

Also, in a later section we will talk about filtering packets at the driver layer itself using Berkeley Packet Filters. For now we can filter packets in user space.

Now let us look at some sniffers which are already available to us. We will look at Tcpdump and Ethereal in this example.
 
This brings us to the conclusion of how to write sniffers. We will go into advanced filtering techniques using Berkeley Packet Filters (BPF) in a different section. Packet Injection techniques using raw sockets will also be a separate section.

Raw sockets are known to have portability problems, so one might frequently run into trouble when switching platforms. I would recommend using libpcap if you want to write code with portability in mind. Libpcap provides a unified interface for packet capture and is in wide use. It is a simple library to use.


I hope you enjoyed this tutorial ! Please drop your comments here.
©2007 Freak Labs