Aspects of network sniffing

Reposted by zhaozj, 2021-02-16

[author] Kay

Copyright 1999 Kay. Please contact the author and/or phreedom magazine prior to publication of any kind.

0. Abstract

This article aims to show both sides of network sniffers: what they are for the system administrator (how to detect them, how to stop them) and what they are for the programmer. Examples of Linux-specific functions are included, as well as examples for the PCAP library.

Contents:

1. Network basics
   1.1. Network design, hardware and software
   1.2. Devices and interfaces
   1.3. Preventing and detecting sniffers
2. Introduction to packet sniffing
   2.1. Example of Linux SOCK_PACKET usage
   2.2. Libpcap example
   2.3. BPF packet filter programs
   2.4. Loadable kernel modules
3. Bibliography and additional files

1. Network Basics

Some people would argue that sniffers are something rather worn out. Yes, that's true: now that we have asymmetric encryption algorithms, these problems are supposedly solved. In reality, every day thousands of accounts, credit card numbers and other important pieces of information "leak". Sniffers are also always a useful instrument for finding problems in network protocols, as well as for security monitoring (IDS, Intrusion Detection Systems).

1.1. NetWork Design, Hardware and Software

Certain features of the construction and design of local computer networks allow the communication between two stations to be "eavesdropped" by a third computer connected to the same segment. This is due to a feature of the IEEE 802.3 CSMA/CD standard (Carrier Sense Multiple Access with Collision Detection), and in particular to the transmission algorithm used by NICs (Network Interface Cards) to avoid collisions. A collision occurs when two stations try to transmit on the network at the same time; since all of them share the same medium, this temporarily halts all communication. It is exactly this algorithm in the adapter that monitors the traffic on the wire and waits for the right moment to "join in": on a shared segment every adapter sees every frame. Some older network devices also "listen" to all packets passing on the network in order to react to broadcast messages. This alone is still not enough to eavesdrop on all connections: in its normal (non-promiscuous) mode the adapter passes up only the frames addressed to its own MAC address and drops the rest, so the operating system of each station receives only its own packets. The exception is broadcast packets, which can exist only within a single segment of the local network (rarely elsewhere) precisely because of these features. A broadcast is sent to a particular network address to which all stations react. This is used for discovering DHCP and BootP servers and similar services (and abused by Smurf...).

1.2. Devices and interfaces

In Unix the individual physical and logical network devices are represented by so-called interfaces. They can be examined with the 'ifconfig' command (on newer Linux systems also with 'ip'):

$ /sbin/ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:249 errors:0 dropped:0 overruns:0 frame:0
          TX packets:249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

eth0      Link encap:Ethernet  HWaddr 00:AC:3B:71:1D:D0
          inet addr:192.168.0.1  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:5357 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          Interrupt:12 Base address:0x420

ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.0.100  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:913 errors:1 dropped:0 overruns:0 frame:1
          TX packets:920 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

In this case: a Linux system with a loopback, one Ethernet and one PPP interface. You can see that the eth0 interface is in promiscuous mode (PROMISC), i.e. it receives all packets from the network, even those that are not specifically for this host. Below you will see how to write your own program that does this.

1.3. How to prevent sniffers in the local network

There are hardware and software solutions that make the whole network more secure. Correct design and construction of the network topology are a precondition for isolating the individual network segments. Using switches, encrypting hubs and routers, and VPNs greatly reduces the chance that "secure" connections will be eavesdropped. Note that a switch only narrows the problem: an attacker on the same segment can still redirect traffic through ARP spoofing or overflow the switch's MAC table, so switching is not a substitute for encryption.

L0pht Heavy Industries announced a software product for detecting sniffers in a local network (or, more generally, network adapters in promiscuous mode) for NT and Unix, which works on the basis of passive signs and provokes the sniffer into giving itself away with spoofed packets. On BugTraq there is an interesting discussion about the effectiveness of AntiSniff, as well as a GPL AntiAntiSniff sniffer. When checking your local system for interfaces in promiscuous mode, it is advisable to use a separate program rather than ifconfig, because ifconfig may have been trojanized not to show it. See lspromisc.c further below. Here is an example of a badly built local network:

[Server]
   |
[Bridge] - [HUB] --- [Border Router] ------------ Internet
             |
       [Another Hub]
        / | | | \
       .  . . .  .

This way every station will be able to eavesdrop on the traffic between our server and the neighbouring one, or on Joe's e-mail password for some other server on the Internet. Switches should be used instead of hubs, the machines should be split into groups and, where possible, placed in VLANs, and so on. Remember that the most secure computers are the ones that are switched off. But let's leave this for now, since this article has a different main topic.

2. Introduction to packet sniffing

Every operating system offers its own method of accessing the lowest level of the network: the Berkeley Packet Filter on BSD, a character device on Solaris, a special socket type on Linux, and so on. This makes it hard to write portable programs that use these functions and compile without changes on different flavours of Unix. The PCAP library (from Packet Capture) is essentially a common interface to the corresponding low-level functions of a given operating system, giving the programmer many additional useful features: dumping packets to a file, reading them back from a file, BPF filters and rules for receiving only certain packets, information about the network/host. That is why, if you look at some archive of public exploits, you will find several different sniffers, each working only on a particular operating system.

A few words about building the sniffer itself. It is unthinkable to write a packet sniffer without knowing well enough the protocols and packets we may come across. Since the main goal of most sniffers is eavesdropping on TCP connections in a local network, one has to start from the Ethernet frame, go through IPv4 (or v6, but for now that is not really necessary) and reach the TCP header itself. Since we do not receive the data as a stream but split into separate packets, we have to assemble something like a mini TCP/IP stack in order to follow the individual logical TCP sessions (in the kernel this job is done by the TCP multiplexer).

struct ethhdr eth;
struct iphdr  ip;
struct tcphdr tcp;
[... data ...]

Of course we can also sniff ICMP, IGMP, UDP and anything else that can be carried over IPv4, as long as we can correctly recognise the protocol.

#define MAC_LEN 6

/* Sketches of the three headers. Multi-octet fields arrive in network byte
 * order (use ntohs()/ntohl()); the address fields are 32 bits, so uint32_t
 * rather than u_long, which is 64 bits on LP64 systems. */
struct ethhdr {
    uint8_t  dst_addr[MAC_LEN];
    uint8_t  src_addr[MAC_LEN];
    uint16_t protocol;      /* EtherType, 0x0800 = IPv4 */
};

struct iphdr {
    uint8_t  ver_ihl;       /* version (4 bits) + header length in 32-bit words (4 bits) */
    uint8_t  tos;
    uint16_t total_len;     /* header + payload, in octets */
    uint16_t id;
    uint16_t frag_offset;   /* flags (3 bits) + fragment offset (13 bits) */
    uint8_t  ttl;
    uint8_t  protocol;      /* 6 = TCP, 17 = UDP, 1 = ICMP, ... */
    uint16_t checksum;
    uint32_t src_addr;
    uint32_t dst_addr;
};

struct tcphdr {
    uint16_t src_port;
    uint16_t dst_port;
    uint32_t sequence;
    uint32_t ack_seq;
    uint16_t doff_flags;    /* data offset (4 bits), reserved (6), flags (6): URG ACK PSH RST SYN FIN */
    uint16_t window;
    uint16_t checksum;
    uint16_t urg_ptr;
};

This is the approximate scheme of operation (algorithm) of the sniffer in pseudocode (I hate flowcharts):

while (WE_WANT_TO_SNIFF) {
    packet = read_raw_packet();

    if (starts_new_connection(packet) && port_is_interesting(packet))
        add_to_stack(connection);

    if (packet_is_part_of_tracked_connection(packet)) {
        log(packet);

        if (we_have_logged_enough(connection) || packet_closes_connection(packet))
            remove_from_stack(connection);
    }
}
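The loop above in working code, as an added example that is not part of the original article: a minimal Ethernet/IPv4/TCP parser and connection tracker that implements the pseudocode (and the header layout from the previous section) on frames supplied from memory, so it runs without a raw socket or root. The set of "interesting" ports (23 and 110), the 64-octet log limit in main() and the build_frame() helper that constructs the test frames are assumptions made for this example. Every length field is checked against the captured length before use: a sniffer that trusts the IP total length or the TCP data offset of a hostile packet will read past its buffer.

```c
/* Added example (not from the original article): mini TCP session tracker. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONN  16
#define TH_FIN    0x01
#define TH_SYN    0x02
#define TH_RST    0x04
#define TH_ACK    0x10

struct conn {
    int      used;
    uint32_t a_addr, b_addr;   /* endpoints as seen in the SYN (host byte order) */
    uint16_t a_port, b_port;
    size_t   logged;           /* payload octets logged so far */
};

static struct conn table[MAX_CONN];
uint8_t frame_buf[256];        /* scratch buffer for the constructed demo frames */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v & 0xffff); }

/* Assumption for the example: we only care about telnet and POP3. */
static int port_is_interesting(uint16_t port) { return port == 23 || port == 110; }

static struct conn *find_conn(uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp)
{
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *c = &table[i];
        if (!c->used) continue;
        if ((c->a_addr == sa && c->a_port == sp && c->b_addr == da && c->b_port == dp) ||
            (c->a_addr == da && c->a_port == dp && c->b_addr == sa && c->b_port == sp))
            return c;          /* matches either direction of the session */
    }
    return NULL;
}

int tracked_connections(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CONN; i++) n += table[i].used;
    return n;
}

void reset_tracker(void) { memset(table, 0, sizeof table); }

/* One iteration of the sniffer loop. Returns -1 if the frame is not a
 * well-formed Ethernet/IPv4/TCP frame, otherwise the number of payload
 * octets logged (0 if the session is not tracked or carried no data). */
int sniff_frame(const uint8_t *f, size_t len, size_t log_limit)
{
    if (len < 14 + 20 || rd16(f + 12) != 0x0800) return -1;  /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    /* Trust neither the captured length nor the header's own length field:
     * a truncated capture or a lying total_len must not make us read past f+len. */
    if (tot < ihl + 20 || 14 + tot > len) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return -1;
    uint8_t  flags = tcp[13];
    uint32_t sa = rd32(ip + 12), da = rd32(ip + 16);
    uint16_t sp = rd16(tcp), dp = rd16(tcp + 2);
    size_t   plen = tot - ihl - doff;

    struct conn *c = find_conn(sa, sp, da, dp);
    /* starts_new_connection && port_is_interesting -> add_to_stack */
    if (!c && (flags & (TH_SYN | TH_ACK)) == TH_SYN && port_is_interesting(dp)) {
        for (int i = 0; i < MAX_CONN && !c; i++) if (!table[i].used) c = &table[i];
        if (!c) return 0;                                    /* table full: not tracked */
        *c = (struct conn){ 1, sa, da, sp, dp, 0 };
    }
    if (!c) return 0;                                        /* not a tracked session */
    if (plen) {                                              /* log(packet) */
        printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u %zu bytes: %.*s\n",
               (unsigned)(sa >> 24), (unsigned)(sa >> 16) & 255, (unsigned)(sa >> 8) & 255,
               (unsigned)sa & 255, (unsigned)sp, (unsigned)(da >> 24), (unsigned)(da >> 16) & 255,
               (unsigned)(da >> 8) & 255, (unsigned)da & 255, (unsigned)dp,
               plen, (int)plen, (const char *)(tcp + doff));
        c->logged += plen;
    }
    if (c->logged >= log_limit || (flags & (TH_FIN | TH_RST)))
        c->used = 0;                                         /* remove_from_stack */
    return (int)plen;
}

/* Construct an Ethernet/IPv4/TCP frame (no options, checksums left zero). */
size_t build_frame(uint8_t *buf, uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp,
                   uint8_t flags, const char *payload)
{
    size_t plen = payload ? strlen(payload) : 0, tot = 40 + plen;
    memset(buf, 0, 14 + tot);
    wr16(buf + 12, 0x0800);
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; wr16(ip + 2, (uint16_t)tot); ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, sa); wr32(ip + 16, da);
    uint8_t *tcp = ip + 20;
    wr16(tcp, sp); wr16(tcp + 2, dp); tcp[12] = 0x50; tcp[13] = flags;
    if (plen) memcpy(tcp + 20, payload, plen);
    return 14 + tot;
}

int main(void)
{
    uint32_t cli = 0xC0A80001, srv = 0xC0A80002;            /* 192.168.0.1 -> 192.168.0.2 */
    size_t n = build_frame(frame_buf, cli, 40000, srv, 23, TH_SYN, NULL);
    sniff_frame(frame_buf, n, 64);
    n = build_frame(frame_buf, cli, 40000, srv, 23, TH_ACK, "login: root\r\n");
    sniff_frame(frame_buf, n, 64);
    printf("tracked sessions: %d\n", tracked_connections());
    return 0;
}
```

The table is keyed on the 4-tuple in either direction, so server replies land in the same entry as the client's SYN; a session is dropped once FIN or RST is seen or the log limit is reached, which keeps the table from filling up with dead connections.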

2.1. Example of Linux SOCK_PACKET usage

To access the link layer of a given interface, Linux provides a special socket type, SOCK_PACKET, through which we can receive/send not just an IPv4 datagram but build the packet starting from Ethernet, PPP, SLIP or whatever other protocol is used for the link on the given interface (i.e. from the link layer). SOCK_PACKET is the original Linux 2.0 interface and is obsolete today; from 2.2 on the same thing is done with socket(PF_PACKET, SOCK_RAW, ...) and struct sockaddr_ll (see packet(7)). The examples here use SOCK_PACKET as originally written.

To receive all the packets we are interested in (including those not addressed to us), the corresponding interface must have the promiscuous flag (IFF_PROMISC) raised. On Linux this is done through the ifreq structure:

struct ifreq {
#define IFNAMSIZ 16
    union {
        char ifrn_name[IFNAMSIZ];
    } ifr_ifrn;
    union {
        struct sockaddr ifru_addr;
        struct sockaddr ifru_dstaddr;
        struct sockaddr ifru_broadaddr;
        struct sockaddr ifru_netmask;
        struct sockaddr ifru_hwaddr;
        short  ifru_flags;
        int    ifru_ivalue;
        int    ifru_mtu;
        struct ifmap ifru_map;
        char   ifru_slave[IFNAMSIZ];
        char   ifru_newname[IFNAMSIZ];
        char  *ifru_data;
    } ifr_ifru;
};

#define ifr_name      ifr_ifrn.ifrn_name      /* interface name        */
#define ifr_hwaddr    ifr_ifru.ifru_hwaddr    /* MAC address           */
#define ifr_addr      ifr_ifru.ifru_addr      /* address               */
#define ifr_dstaddr   ifr_ifru.ifru_dstaddr   /* other end of p-p link */
#define ifr_broadaddr ifr_ifru.ifru_broadaddr /* broadcast address     */
#define ifr_netmask   ifr_ifru.ifru_netmask   /* interface net mask    */
#define ifr_flags     ifr_ifru.ifru_flags     /* flags                 */
#define ifr_metric    ifr_ifru.ifru_ivalue    /* metric                */
#define ifr_mtu       ifr_ifru.ifru_mtu       /* mtu                   */
#define ifr_map       ifr_ifru.ifru_map       /* device map            */
#define ifr_slave     ifr_ifru.ifru_slave     /* slave device          */
#define ifr_data      ifr_ifru.ifru_data      /* for use by interface  */
#define ifr_ifindex   ifr_ifru.ifru_ivalue    /* interface index       */
#define ifr_bandwidth ifr_ifru.ifru_ivalue    /* link bandwidth        */
#define ifr_qlen      ifr_ifru.ifru_qlen      /* queue length          */
#define ifr_newname   ifr_ifru.ifru_newname   /* new name              */

and through the SIOCGIFFLAGS (Socket I/O Control Get Interface Flags) and SIOCSIFFLAGS (Socket I/O Control Set Interface Flags) ioctl() calls. The only parameter common to all calls is ifr_name; the others are used according to the particular operation. Note that IFF_PROMISC set this way is a global property of the interface: if the sniffer dies before restoring the flags, the interface stays promiscuous. A packet socket can instead request promiscuity for itself with setsockopt(PACKET_ADD_MEMBERSHIP, PACKET_MR_PROMISC), which the kernel undoes when the socket is closed. Information about the configuration of all available interfaces can be obtained via SIOCGIFCONF, using the ifconf structure:

struct ifconf {
    int ifc_len;
    union {
        char *ifcu_buf;
        struct ifreq *ifcu_req;
    } ifc_ifcu;
};
#define ifc_buf ifc_ifcu.ifcu_buf
#define ifc_req ifc_ifcu.ifcu_req

In ifc_len one passes the size of the ifcu_buf buffer, which will receive the ifreq structures for all interfaces. If the buffer is too small, the kernel returns only as much information as the buffer can hold, without reporting an error; the value of ifc_len is changed to the number of bytes actually used. The robust way is therefore to call SIOCGIFCONF repeatedly with a growing buffer until the returned ifc_len leaves room for at least one more entry. Note also that SIOCGIFCONF reports only interfaces that have an IPv4 address, so a promiscuous interface with no address configured will not appear in the list (on current Linux, getifaddrs(3) and ip link do not have this limitation). All of this is needed so that we can obtain the list of interfaces suitable for sniffing in case none of the standard ones exists; moreover, an interface need not correspond to a hardware device at all: a kernel module may create a special interface for a VPN, and there we can sniff the data before it is encrypted. For most interfaces, however, including when sniffing through libpcap, there may be additional data in front of the packet's frame, often differing for identical interfaces on different operating systems.

When we want to sniff a particular interface, the bind() function is used in the same way as with normal sockets:

struct sockaddr {
    unsigned short sa_family;
    char           sa_data[14];
};

In sa_data the interface name is given as a NUL-terminated string. (With the newer PF_PACKET/SOCK_RAW sockets one instead binds a struct sockaddr_ll carrying sll_family = AF_PACKET, the protocol and the interface index sll_ifindex; see packet(7).)

- ----------------------------------------------------------- <sockpacket.c>
/* Copyright (c) 1999 Kay@phreedom.org; all rights reserved */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include "pdump.h"

int main(void)
{
    struct ifreq ifr;        /* Linux interface request control structure */
    short ifr_flags_orig;    /* Initial flags of the interface */
    int sockfd;              /* Socket descriptor */
    u_char sp[2000];         /* Buffer for one raw frame */
    int err;

    printf("Example of non-portable packet sniffer for Linux\n");

    /* We want only Ethernet frames containing IP data. SOCK_PACKET is the
     * original (now obsolete) Linux interface; since 2.2 the preferred form is
     * socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP)) bound to a struct sockaddr_ll. */
    sockfd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_IP));
    if (sockfd < 0) { perror("socket"); exit(1); }

    /* Make the interface promiscuous (needs root / CAP_NET_ADMIN) */
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, INTERFACE, IFNAMSIZ - 1);
    err = ioctl(sockfd, SIOCGIFFLAGS, &ifr);
    if (err < 0) { perror("SIOCGIFFLAGS"); exit(1); }
    ifr_flags_orig = ifr.ifr_flags;
    ifr.ifr_flags |= IFF_PROMISC;
    err = ioctl(sockfd, SIOCSIFFLAGS, &ifr);
    if (err < 0) { perror("SIOCSIFFLAGS"); exit(1); }

    /* Read one packet. The socket is not bound to INTERFACE, so the frame may
     * come from any interface; bind() it (see above) to restrict this. */
    err = read(sockfd, sp, sizeof sp);
    if (err < 0) { perror("read"); exit(1); }

    /* Dump what we caught */
    printf("Dumping %i bytes:\n", err);
    dump_eth((struct ethhdr *)sp);
    dump_ip((struct iphdr *)(sp + sizeof(struct ethhdr)));
    dump_hex((void *)sp, err, 2, 16);
    dump_ascii((void *)sp, err, 16);
    printf("\n\n");

    /* Restore original interface flags */
    ifr.ifr_flags = ifr_flags_orig;
    if (ioctl(sockfd, SIOCSIFFLAGS, &ifr) < 0) { perror("SIOCSIFFLAGS"); exit(1); }
    close(sockfd);
    return EXIT_SUCCESS;
}

/* EOF */
- -----------------------------------------------------------

- ----------------------------------------------------------- <getifconf.c>
/* Copyright 1999 Kay. All rights reserved */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
    struct ifconf ifc;
    struct ifreq ifr_x[20];
    int sockfd, err, n;

    sockfd = socket(PF_PACKET, SOCK_PACKET, 0);
    if (sockfd < 0) { perror("socket"); exit(1); }

    /* We pass the buffer size; the kernel replaces it with the bytes used.
     * A list longer than 20 entries is silently cut off (see the text above). */
    ifc.ifc_len = 20 * sizeof(struct ifreq);
    ifc.ifc_req = ifr_x;
    err = ioctl(sockfd, SIOCGIFCONF, &ifc);
    if (err < 0) { perror("ioctl"); exit(1); }
    n = ifc.ifc_len / sizeof(struct ifreq);
    printf("Retrieved info for %i interface(s)\n", n);
    for (err = 0; err < n; err++) {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ifr_x[err].ifr_addr;
        printf("\t%-8s %s\n", ifr_x[err].ifr_name, inet_ntoa(sin->sin_addr));
    }
    close(sockfd);
    return EXIT_SUCCESS;
}

/* EOF */
- -----------------------------------------------------------

2.2. Libpcap example

The following program does exactly the same thing as sockpacket.c, and how it works is more than obvious.

- ----------------------------------------------------------- <libpcap.c>
/* Portable packet sniffer example - needs libpcap in order to compile
 * Copyright (c) 1999 Kay@phreedom.org; all rights reserved */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <pcap.h>
#include "pdump.h"

int main(void)
{
    pcap_t *pcap;                   /* PCAP descriptor */
    const u_char *packet;           /* Our newly captured packet */
    struct pcap_pkthdr pkthdr;      /* PCAP packet information structure */
    char errbuf[PCAP_ERRBUF_SIZE];  /* pcap's own error text; errno is not reliable here */

    printf("Example of portable packet sniffer using libpcap\n");

    /* Obtain a descriptor for the interface, capture no more than
     * 8192 octets, set the interface to promiscuous mode, 1000 millisecond
     * read timeout */
    pcap = pcap_open_live(INTERFACE, 8192, 1, 1000, errbuf);
    if (pcap == NULL) { fprintf(stderr, "pcap_open_live: %s\n", errbuf); exit(EXIT_FAILURE); }

    /* Get the next packet from the queue */
    packet = pcap_next(pcap, &pkthdr);

    if (packet != NULL) {
        packet += OFFSET;           /* skip link-level octets preceding the Ethernet header */
        /* Dump the packet in various forms */
        printf("Dumping %u bytes:\n", pkthdr.caplen);
        dump_eth((struct ethhdr *)packet);
        dump_ip((struct iphdr *)(packet + sizeof(struct ethhdr)));
        dump_hex((void *)packet, pkthdr.caplen - OFFSET, 2, 16);
        dump_ascii((void *)packet, pkthdr.caplen - OFFSET, 16);
        printf("\n\n");
    } else {
        /* with a read timeout set, NULL may simply mean nothing arrived in time */
        pcap_perror(pcap, "pcap_next returned NULL");
    }

    /* Enough for now... */
    pcap_close(pcap);

    return EXIT_SUCCESS;
}

/* EOF */
- -----------------------------------------------------------

const u_char *pcap_next(pcap_t *, struct pcap_pkthdr *);

Obviously the main work is done by the pcap_next() function, which returns a pointer to the next packet from the queue. After that the sniffer's operation is completely analogous to the previous example. Of course, these examples are by no means usable in this form, but they are a good basis.

2.3. BPF packet filter programs

With the Berkeley Packet Filter one can specify a program that filters the incoming packets by certain criteria. Such a program consists of an array of BPF instructions "executed" on a virtual machine. The instructions are quite reminiscent of assembly language. This is an extremely powerful mechanism, but writing these programs by hand is often too tedious to be worth it. The following example from the man page shows a program that selects only IP packets between 128.3.112.15 and 128.3.112.35:

struct bpf_insn insns[] = {
    BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),                    /* A = EtherType            */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8),   /* not IP -> reject         */
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 26),                    /* A = IP source address    */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2),     /* src == .15 ?             */
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30),                    /* A = IP destination       */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4),     /* dst == .35 ? accept      */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3),     /* src == .35 ?             */
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30),                    /* A = IP destination       */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1),     /* dst == .15 ? accept      */
    BPF_STMT(BPF_RET+BPF_K, (u_int)-1),                    /* accept whole packet      */
    BPF_STMT(BPF_RET+BPF_K, 0),                            /* reject                   */
};
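To make the instruction array above concrete, here is an added example (not from the article): a small interpreter for exactly the instruction subset this program uses (absolute loads of 1/2/4 octets, JEQ against an immediate, RET), run over constructed Ethernet/IPv4 frames. The opcode values and the struct bpf_insn layout are copied from the classic <net/bpf.h> so the block compiles without libpcap headers; ip_frame() is a test helper that fills in only the EtherType and the address fields. The point of security interest is the bounds check on every load: the real BPF machine rejects the packet rather than read outside it, and a filter engine without that check would be an out-of-bounds read sitting directly in the capture path.

```c
/* Added example (not from the original article): interpreter for the BPF subset above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode encoding, values as in the classic <net/bpf.h> */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_K    0x00
#define BPF_JEQ  0x10
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }
#define ETHERTYPE_IP 0x0800

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The man-page program: accept IP packets between 128.3.112.15 and 128.3.112.35. */
const struct bpf_insn host_pair_filter[] = {
    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 8),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 26),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x8003700f, 0, 2),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 30),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x80037023, 3, 4),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x80037023, 0, 3),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 30),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x8003700f, 0, 1),
    BPF_STMT(BPF_RET + BPF_K, (uint32_t)-1),
    BPF_STMT(BPF_RET + BPF_K, 0),
};
const size_t host_pair_filter_len = sizeof host_pair_filter / sizeof host_pair_filter[0];

/* Run a filter over a packet. Returns the number of octets to accept (0 = drop).
 * Like the real machine, an out-of-bounds load, an unsupported instruction or a
 * jump past the end makes the filter reject the packet instead of misbehaving. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD: {
            if (BPF_MODE(in->code) != BPF_ABS) return 0;
            size_t width = BPF_SIZE(in->code) == BPF_W ? 4 : BPF_SIZE(in->code) == BPF_H ? 2 : 1;
            if (in->k > len || width > len - in->k) return 0;   /* out of bounds: drop */
            acc = 0;
            for (size_t i = 0; i < width; i++) acc = (acc << 8) | pkt[in->k + i];
            break;
        }
        case BPF_JMP: {
            if (BPF_OP(in->code) != BPF_JEQ || BPF_SRC(in->code) != BPF_K) return 0;
            size_t off = (acc == in->k) ? in->jt : in->jf;
            if (pc + 1 + off >= n) return 0;                       /* jump past end: drop */
            pc += off;                                             /* the loop's ++ adds the 1 */
            break;
        }
        case BPF_RET:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;                                                      /* fell off the end */
}

/* Constructed 34-octet Ethernet + IPv4 header frame with the given addresses. */
size_t ip_frame(uint8_t *buf, uint16_t ethertype, uint32_t src, uint32_t dst)
{
    memset(buf, 0, 34);
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    buf[14] = 0x45;                                  /* IPv4, 20-octet header */
    for (int i = 0; i < 4; i++) {
        buf[26 + i] = (src >> (24 - 8 * i)) & 0xff;  /* source address at offset 26 */
        buf[30 + i] = (dst >> (24 - 8 * i)) & 0xff;  /* destination address at offset 30 */
    }
    return 34;
}

uint8_t pkt_buf[64];   /* scratch frame for the demo */

int main(void)
{
    size_t n = ip_frame(pkt_buf, ETHERTYPE_IP, 0x8003700f, 0x80037023);
    printf("128.3.112.15 -> 128.3.112.35: %s\n",
           bpf_run(host_pair_filter, host_pair_filter_len, pkt_buf, n) ? "accept" : "drop");
    n = ip_frame(pkt_buf, ETHERTYPE_IP, 0x8003700f, 0x0a000001);
    printf("128.3.112.15 -> 10.0.0.1: %s\n",
           bpf_run(host_pair_filter, host_pair_filter_len, pkt_buf, n) ? "accept" : "drop");
    return 0;
}
```

Tracing the program by hand against the interpreter is the quickest way to learn how the jt/jf offsets work: they are relative to the instruction after the jump, so a zero offset means "fall through".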

For this reason (as with ordinary languages) a high-level language was created at LBL, which is "compiled" into BPF instructions. The full documentation is in the tcpdump(8) man page. Let's look at the following example:

- ----------------------------------------------------------- <pfilter.c>
/* Packet filter example
 * Copyright (c) 1999 Kay@phreedom.org; all rights reserved */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <pcap.h>
#include "pdump.h"

int main(void)
{
    pcap_t *pcap;                   /* PCAP descriptor */
    const u_char *packet;           /* Our newly captured packet */
    struct pcap_pkthdr pkthdr;      /* PCAP packet information structure */
    struct bpf_program fp;          /* Structure to hold the compiled prog */
    char pfprogram[] = "ip host 128.3.112.15 and 128.3.112.35";
    char errbuf[PCAP_ERRBUF_SIZE];

    printf("Example of portable packet sniffer using libpcap\n");

    /* Obtain a descriptor for the interface, capture no more than
     * 8192 octets, set the interface to promiscuous mode, 1000 millisecond
     * read timeout */
    pcap = pcap_open_live(INTERFACE, 8192, 1, 1000, errbuf);
    if (pcap == NULL) { fprintf(stderr, "pcap_open_live: %s\n", errbuf); exit(EXIT_FAILURE); }

    /* Compile and set the filter program (optimize = 1; the netmask argument,
     * 0 here, only matters for "broadcast" expressions) */
    if (pcap_compile(pcap, &fp, pfprogram, 1, 0) == -1) {
        pcap_perror(pcap, "pcap_compile");
        exit(EXIT_FAILURE);
    }
    if (pcap_setfilter(pcap, &fp) == -1) {
        pcap_perror(pcap, "pcap_setfilter");
        exit(EXIT_FAILURE);
    }

    /* Get the next packet from the queue */
    packet = pcap_next(pcap, &pkthdr);
    if (packet) {
        packet += OFFSET;           /* skip link-level octets preceding the Ethernet header */
        /* Dump the packet in various forms */
        printf("Dumping %u bytes:\n", pkthdr.caplen);
        dump_eth((struct ethhdr *)packet);
        dump_ip((struct iphdr *)(packet + sizeof(struct ethhdr)));
        dump_hex((void *)packet, pkthdr.caplen - OFFSET, 2, 16);
        dump_ascii((void *)packet, pkthdr.caplen - OFFSET, 16);
        printf("\n\n");
    } else {
        printf("Packet not captured because of filter (or read timeout)\n");
    }

    /* Enough for now... */
    pcap_close(pcap);

    return EXIT_SUCCESS;
}

/* EOF */
- -----------------------------------------------------------

The expression "ip host 128.3.112.15 and 128.3.112.35" is translated into a BPF program by pcap_compile() and then attached to the PCAP descriptor with pcap_setfilter(). Quite a bit easier than the previous example, isn't it?

Linux Socket Filter (LSF) is the Linux version of BPF, with some additions. Namely, it allows user programs to attach filters to their own sockets and thus filter their own connections; it is also easier to use as far as "attaching" goes: the filter is installed with setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof prog), where prog is a struct sock_fprog pointing to an array of struct sock_filter, which has the same layout as struct bpf_insn. The filter programs themselves are fully identical.

2.4. Loadable kernel modules

Loadable kernel modules (LKM) were created to provide a mechanism for dynamically adding new functions to the operating system's kernel without a reboot or any other interruption of normal operation. LKMs, which run in ring 0 on most operating systems, naturally have rights over all of memory and can alter internal kernel structures as well as hide themselves from the administrator's eyes using various techniques. This makes them a pretty good way to trojanize cracked systems. For Linux specifically, the kernel interfaces and module writing are very well described; for a general introduction look at "The Linux Kernel" and the "Linux Kernel Hacker's Guide" from the Linux Documentation Project. The topic of LKMs is covered in detail in Phrack 55.

3. Bibliography and additional files

Man pages: pcap(3), setsockopt(2), bpf(7)
RFCs: 791, 792, 793, 894
IEEE 802 (esp. 802.3)
UTSL: Linux kernel 2.2.12, libpcap 0.4
libpcap: ftp://ftp.ee.lbl.gov
Linux Documentation Project: http://metalab.unc.edu/ldp
Phrack magazine: http://www.phrack.com

The SOCK_PACKET and PCAP examples use functions from pdump.c to display hex/ASCII/IP/Ethernet data and structures on the terminal. The Linux-specific examples were tested on Debian GNU/Linux 2.1 (kernel 2.0.36, glibc 2.0.7) and Debian GNU/Linux 2.2 (kernel 2.2.12, glibc 2.2). The PCAP examples were tested on Debian GNU/Linux 2.2 with libpcap 0.4 and on OpenBSD 2.4 GENERIC with libpcap 0.4.

- ----------------------------------------------------------- <pdump.h>
/* Packet dumping routines, Copyright (c) 1999 Kay */

#include <sys/types.h>
#include <linux/if_ether.h>    /* struct ethhdr: h_dest, h_source, h_proto */
#include <linux/ip.h>          /* struct iphdr */

void dump_eth(struct ethhdr *);
void dump_ip(struct iphdr *);
void dump_hex(void *, u_long, u_long, u_long);
void dump_ascii(void *, u_long, u_long);
- -----------------------------------------------------------

- ----------------------------------------------------------- <pdump.c>
/* Packet dumping routines, Copyright (c) 1999 Kay */

#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include "pdump.h"

void dump_eth(struct ethhdr *eth)
{
    int cnt;

    printf("\th_dest = ");
    for (cnt = 0; cnt < ETH_ALEN; cnt++)
        printf("%02x%s", eth->h_dest[cnt], cnt < ETH_ALEN - 1 ? ":" : "");
    printf(";\n\th_source = ");
    for (cnt = 0; cnt < ETH_ALEN; cnt++)
        printf("%02x%s", eth->h_source[cnt], cnt < ETH_ALEN - 1 ? ":" : "");
    /* multi-octet header fields are in network byte order */
    printf(";\n\th_proto = %x;\n", ntohs(eth->h_proto));
    fflush(stdout);
}

void dump_ip(struct iphdr *ip)
{
    struct protoent *pp;
    struct in_addr ia;

    printf("\tihl = %x;\n", ip->ihl);
    printf("\tversion = %x;\n", ip->version);
    printf("\ttos = %x;\n", ip->tos);
    printf("\ttot_len = %x;\n", ntohs(ip->tot_len));
    printf("\tid = %x;\n", ntohs(ip->id));
    printf("\tfrag_off = %x;\n", ntohs(ip->frag_off));
    printf("\tttl = %x;\n", ip->ttl);

    printf("\tprotocol = %x;", ip->protocol);
    pp = getprotobynumber(ip->protocol);      /* looks the number up in /etc/protocols */
    if (pp == NULL)
        printf("\n");
    else
        printf("\t(%s)\n", pp->p_name);
    printf("\tcheck = %x;\n", ntohs(ip->check));
    ia.s_addr = ip->saddr;
    printf("\tsaddr = %x;\t(%s)\n", ntohl(ip->saddr), inet_ntoa(ia));
    ia.s_addr = ip->daddr;
    printf("\tdaddr = %x;\t(%s)\n", ntohl(ip->daddr), inet_ntoa(ia));
    fflush(stdout);
}

/* It's obvious: data, how many octets, interval of spaces, interval of '\n'-s */
void dump_hex(void *bare, u_long octs, u_long int_sp, u_long int_nl)
{
    u_long s;
    u_long spc = 0, nlc = 0;
    unsigned char *buf = (unsigned char *)bare;

    for (s = 0; s < octs; s++) {
        printf("%02x", buf[s]);
        if (++spc == int_sp) { putchar(' '); spc = 0; }
        if (++nlc == int_nl) { putchar('\n'); nlc = 0; }
    }
    printf("\n");
    fflush(stdout);
}

/* digits, letters and punctuation; everything else is shown as '.' */
int is_printable(char c)
{
    return isprint((unsigned char)c) ? 1 : 0;
}

void dump_ascii(void *bare, u_long octs, u_long int_nl)
{
    u_long s;
    u_long nlc = 0;
    char *buf = (char *)bare;

    for (s = 0; s < octs; s++) {
        putchar(is_printable(buf[s]) ? buf[s] : '.');
        if (++nlc == int_nl) { putchar('\n'); nlc = 0; }
    }
    printf("\n");
    fflush(stdout);
}
- -----------------------------------------------------------

- ----------------------------------------------------------- <Makefile>
# Makefile for examples (C) 1999 Kay
# Edit to suit your system.
# In case of problems when compiling on Linux 2.0 systems, try
# replacing AF_PACKET with AF_INET.

# Set interface to sniff. OFFSET is the number of link-level octets that
# precede the Ethernet header. Some common offsets:
#   Ethernet (eth0, le0)       offset 0
#   loopback (lo, lo0, ...)    offset 4 on BSD (DLT_NULL address-family word);
#                              on Linux lo carries a fake Ethernet header, offset 0
#   PPP link (ppp0, ppp1, ...) offset 0
DEFS    = -DINTERFACE=\"lo\" -DOFFSET=0

CC      = cc
RM      = rm -f
CFLAGS  = -O2 -Wall -pipe $(DEFS)
LIBPCAP = -lpcap

default:
	@echo "Type one of:"
	@echo "  make pcap - build only pcap examples"
	@echo "  make all  - build pcap and linux-specific examples"

all: libpcap pfilter sockpacket lspromisc getifconf

pcap: libpcap pfilter

.c.o:
	$(CC) $(CFLAGS) -c $<

sockpacket: pdump.o sockpacket.o
	$(CC) $(CFLAGS) -o sockpacket sockpacket.o pdump.o

pfilter: pdump.o pfilter.o
	$(CC) $(CFLAGS) -o pfilter pfilter.o pdump.o $(LIBPCAP)

libpcap: libpcap.o pdump.o
	$(CC) $(CFLAGS) -o libpcap libpcap.o pdump.o $(LIBPCAP)

getifconf: getifconf.c
	$(CC) $(CFLAGS) -o getifconf getifconf.c

lspromisc: lspromisc.c
	$(CC) $(CFLAGS) -o lspromisc lspromisc.c

clean:
	$(RM) pdump.o sockpacket.o sockpacket libpcap.o libpcap getifconf lspromisc pfilter pfilter.o
- -----------------------------------------------------------

- ----------------------------------------------------------- <lspromisc.c>
/* Copyright 1999 Kay@phreedom.org. All rights reserved */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>

int main(void)
{
    struct ifconf ifc;
    struct ifreq ifr_x[50];
    int sockfd, err, i, n;

    sockfd = socket(PF_PACKET, SOCK_PACKET, 0);
    if (sockfd < 0) { perror("socket"); exit(1); }

    /* Get the list of configured interfaces (silently truncated past 50) */
    ifc.ifc_len = 50 * sizeof(struct ifreq);
    ifc.ifc_req = ifr_x;
    err = ioctl(sockfd, SIOCGIFCONF, &ifc);
    if (err == -1) { perror("SIOCGIFCONF"); return EXIT_FAILURE; }
    n = ifc.ifc_len / sizeof(struct ifreq);
    for (i = 0; i < n; i++) {
        struct ifreq ifr;
        /* SIOCGIFCONF does not return flags; ask for them per interface */
        memset(&ifr, 0, sizeof ifr);
        strncpy(ifr.ifr_name, ifr_x[i].ifr_name, IFNAMSIZ - 1);
        if (ioctl(sockfd, SIOCGIFFLAGS, &ifr) < 0) { perror(ifr.ifr_name); continue; }
        if (ifr.ifr_flags & IFF_PROMISC)
            printf("%s: PROMISC\n", ifr.ifr_name);
    }
    close(sockfd);
    return EXIT_SUCCESS;
}

/* EOF */
- -----------------------------------------------------------

>> EOA <<

Please credit the original source when reposting: https://www.9cbs.com/read-19298.html
