Packet Capture & Analyze Homework Assignment #1 Packet Capture & Analyze

Homework Assignment #1: Packet Capture and Analyze Lots of tools or libraries exist for packet capture & analyze Sniffer, Pcap,… However, in this homework, you are required to directly utilize the operating system services Use ioctl function to change a NIC’s flag Capture all packets passing the NIC Use raw socket to obtain layer 2 & layer 3 information Analyze all captured packets Environment Linux

About ioctl A system call used by a process to access features of a device that aren’t supported by the standard system calls like read, write… int ioctl(int fd, unsigned long com, char *argp) Command Third argument Description SIOCGIFCONF struct ifconf * Retrieve list of interface configuration SIOCGIFFLAGS struct ifreq * Get interface flags SIOCGIFMETRIC Get interface metric SIOCSIFFLAGS Set interface flags SIOCSIFMETRIC Set interface metric

Flowchart Start Setup interface Establish socket Get interface flag struct ifreq ethreq; //ifreq in <net/if.h> char interface[16]; memset(interface,0x00,sizeof(interface)); main function’s parameter argv[1]=‘eth0’ Setup interface Header: #include <sys/types.h> #include <sys/socket.h> Define: int socket(int domain,int type,int protocol) You need defining a Raw Socket to get L2,L3 information. Establish socket Header: #include <sys/ioctl.h> Define: int ioctl(int fd, unsigned long com, char *argp) Using command SIOCGIFFLAGS to get the original flag Get interface flag

Flowchart (cont.) IP ARP Others …. TCP UDP ICMP …. Receive packets Define in header file “if.h” #define IFF_PROMISC 0x100 /*receive all packets */ You need to set NIC’s flag to IFF_PROMISC Set promiscuous mode Receive packets IP ARP Others …. Analyzing & Filtering TCP UDP ICMP …. Loop receive

Data Structure Define structure #include <linux/if_ether.h> //for ethernet header struct ethhdr { unsigned char h_dest[ETH_ALEN]; unsigned char h_source[ETH_ALEN]; unsigned short h_proto; } #include <linux/ip.h> //for ip header struct iphdr { 　unsigned int version:4; 　unsigned int h_len:4; 　unsigned char tos; 　unsigned short total_len; 　unsigned short ident; 　unsigned short frag_and_flags; 　unsigned char ttl; 　unsigned char proto; 　unsigned short checksum; 　unsigned int sourceIP; 　unsigned int destIP;

RAW Socket RAW socket enable you to establish the protocol what you need Advantages: When you using RAW socket, the packets you receiving are not modified Constrain No port number : system forward raw packets to suitable raw socket. In linux , raw socket can only be used by root.

Executable Command Format: capture [options][filter] Default: no option and filter Capture 100 packets and print out a summary of the packets #capture ------statistics------ IP :75 ARP :3 RARP :3 TCP :6 UDP :60 ICMP :0 IGMP :0 -----finish-----

Option -n <maxcount> -v The number of packets to be captured Print out the information for each captured packet Format: Source MAC address: 00:0E:6A:D3:B3:1E Destination MAC address: 00:E0:18:ED:D7:13 IP->protocol = TCP IP->src_ip = 220.130.208.127 IP->dst_ip = 220.130.208.129 Src_port =2345 Dst_port=64

Filter srcmac <MAC_ADDR> destmac <MAC_ADDR> Specify the source MAC address destmac <MAC_ADDR> Specify the destination MAC address srcip <IP_ADDR> Specify the source IP address destip <IP_ADDR> Specify the destination IP address srcport <PORT_NUM> Specify the source port number destport <PORT_NUM> Specify the destination port number tcp Specify the layer 4 protocol as TCP udp Specify the layer 4 protocol as UDP

Filter (Cont) Example 1 Example 2 Finding out 10 UDP packets belongs to you and printing out the information of packets (use v option) #capture –n 10 –v upd destip 140.120.15.1 Example 2 Finding out 10 TCP packets with source IP = 140.120.15.1 and destination MAC address = 4578CD4E and printing out the information of packets (use v option) #capture –n 10 –v tcp srcip 140.120.15.1 destmac 4578CD4E

Turn In Source code Executing result (snapshot)

Turn In (cont.) Deadline Ftp Filename If you want to update 23:59, Nov 24, 2005 Ftp IP:140.120.15.123 2222 Username/Password: comm94/comm94 Filename HW1_ID.doc eg.HW1_79356001.doc If you want to update HW1_ID_new1.doc, HW1_ID_new2.doc …etc

Turn In (cont.) No late work is acceptable No cheat work is acceptable You get zero if you miss the due day No cheat work is acceptable You get zero if you copy other people’s version

Reference TCP/IP Illustrated,Volume 2,Wright Stevens, Addison Wesley Linux C/C++ 網路程式設計,金禾 Linux C 函式庫參考手冊,旗標 Linux Socket Programming,碁峰