The IP Protocol injected, inspected, detected, infected

The IP Protocol injected, inspected, detected, infected - Part I

Programmers that deal with networks and TCP/IP, sometimes want or need to do the following nasty things to or with the protocol:

Injecting IP packets into the network.
Inspecting IP packets flowing through the network.
Detecting IP packets, doing some automatic analysis to the packets.
Infecting IP packets, i.e. taking innocent packets and changing them.

Today we will look at several tools that may be used to do the above, On a Linux system. Some of these tools are available on other platforms - some not.

Note: we will not cover the topics in the order stated above - it was there just because of a song...

IP Inspection - The little sniffer that could

Inspecting IP traffic is usually done using a packet sniffer.
A piece of software that can "catch" copies of IP packets directly at the interface level, log them and/or present them to the inspector.
One such great software is called 'ethereal', and is accompanied by its little non-GUI sister, 'tethereal'.
Note: a network sniffer copies IP packets - it does not disturb their normal path, so it should not cause network problems (other then slowing down the machine it is run on).

Using Ethereal - Starting A Capture Session

In order to use Ethereal - we need to become the little canary (i.e. have the root password).
Once the GUI opens, we go to the 'Capture' window, and click 'Start'.
In the dialog-box, we:
1. choose the network interface to listen on,
2. disable 'promiscuous mode' (for better performance),
3. Insert a proper filter (e.g. 'port 25 and host mail.actcom.co.il' to see traffic our Linux exchanges with this mail server),
4. Mark (or not) the 'update list of packets in real time' and 'auto-scroll' options.
5. Click 'Ok' to start capturing traffic.

Viewing The Captured Packets

Ethereal shows us a table of (numbered) IP packets.
We can click on a line in the table, and see the Packet's contents in the middle of the window.
The packet is displayed in layers, matching the protocols it contains.
At the top we see the hardware layer, then the raw packet data (in hex), the IP protocol layer, the TCP protocol layer, The application protocol layer...
Click on any layer to see its details in a tree-like view.
Ethereal contains code to parse hundreds of protocol...

Using Display Filters

We can write a display filter at the 'Filter' box.
Each field in each protocol has a name (e.g. 'ip.src' for IP address of the host sending the packet).

Thus, we can use it in a display filter, e.g.

ip.src == mail.actcom.co.il or ip.dst == mail.actcom.co.il

Tip: when clicking on a field in a packet, its 'Ethereal' name will be shown in the status line.

Tethereal And Capture Files

If we want to sniff without a GUI (because we're remote, because the GUI is slow for fast traffic...), we can use "Tethereal".

Running:

tethereal port 25 and host mail.actcom.co.il

To Capture into a log file:

tethereal -w mail-sniff.cap port 25 and host mail.actcom.co.il

To view the log file using "Ethereal" - "File -> Open".

Ethereal - Behind The Scenes

Ethereal uses a low-level library called "libpcap" to perform the actual packet capturing.
But the parsing of the protocols is done inside the Ethereal application itself.
We can use libpcap directly in programs we write.

IP Detection with libpcap - The Packet Capturing Library

Performs packet capturing on a network interface ("eth0", "ppp0"...) or several interfaces.
Identifies the encapsulation used on that interface.
Activates a programmer-defined callback function for each captured packet.
Note: might miss packets if they are coming too fast.

Basic Work With libpcap - The main Function

#include <pcap.h>

/* for some error messages. */
char err_buf[PCAP_ERRBUF_SIZE];
int rc;

/* open the device for capturing - read first 40 bytes of each packet. */
pcap_t* pc = pcap_open_live("ppp0", 40, 0 /* not promiscuous */,
                            50 /* read timeout, in milli-seconds. */
                            err_buf);
if (!pc) {
    fprintf(stderr, "error in pcap_open_line: %s\n", err_buf);
    exit(1);
}

/* capture 10 packets. 'pcap_packet_cb' is our per-packet callback.         */
/* 'pc' will be passed to the callback, along with the packet, for context. */
rc = pcap_loop(pc, 10, pcap_packet_cb, (u_char*)pc);
if (rc == -1)
    pcap_error(pc, "pcap failed:");

/* cleanup - close the device. */
pcap_close(pc);

Basic Work With libpcap - The Callback Function

#include <pcap.h>

/* A callback function invoked for each captured packet. */
void pcap_packet_cb(u_char* uparam,
                    const struct pcap_pkthdr* hdr,
                    const u_char* p_data)    /* <-- the actual packet's data. */
{
    /* we passed this to pcap_loop() */
    pcap_t* pc = (pcap_t*)uparam;
    struct pcap_stat ps;

    /* we'll just collect packet counts for now. */
    int rc = pcap_stats(pc, &ps);
    if (rc == -1)
        pcap_perror(pc, "");
    else
        printf("packets captured: %u, packets dropped: %u\n",
               ps.ps_recv, ps.ps_drop);
}

Basic Work With libpcap - Printing The Raw Data

#include <pcap.h>

/* A callback function invoked for each captured packet. */
void pcap_packet_cb(u_char* uparam,
                    const struct pcap_pkthdr* hdr,
                    const u_char* p_data)    /* <-- the actual packet's data. */
{
    int i;
    static int packet_count = 0;

    /* increase the packet's counter. */
    packet_count++;

    /* lets dump the packet's data on screen.            */
    /* we print as many bytes as were actually captured. */
    printf("PACKET %d:\n", packet_count);
    for (i = 0; i < hdr->caplen; ++i) {
        printf(" 0x%x", *(p_data+i));
    }
    printf("\n\n");
}

Basic Work With libpcap - Protocol Parsing

In order to do something useful, we need to know how the protocols are layered, byte for byte.

For example, on interface 'ppp0':
-------------------------------------------------------------- | PPP header | PPP Payload | -------------------------------------------------------------- / \ ------------------------------------------------- | IP header | IP Payload | ------------------------------------------------- / \ ------------------------------------- | TCP header | TCP Payload | -------------------------------------

Basic Work With libpcap - Understanding The IP header

On interface 'ppp0', libpcap will strip the PPP header, and give us the IP packet.
The contents of an IP packet's headers are 20 bytes (+ optional options).
interesting fields:
- first nibble (4 bits) - number of 4-byte words in the header.
- byte 9 - type of protocol passed in the payload.
- word at bytes 12-15 - source IP address, in network byte order.
- word at bytes 16-19 - destination IP address, in network byte order.

Basic Work With libpcap - Understanding The TCP header

The contents of a TCP packet's headers are 20 bytes.
interesting fields:
- first short word (bytes 0-1) - source port, in network byte-order.
- second short word (bytes 2-3) - destination port, in network byte-order.

Basic Work With libpcap - Protocol Parsing - Useful Include Files

#include <sys/types.h>    /* \                                 */
#include <sys/socket.h>   /*  > for inet_ntop and its friends. */
#include <arpa/inet.h>    /* /                                 */
#include <netinet/ip.h>   /* to parse IP headers.  */
#include <netinet/tcp.h>  /* to parse TCP headers. */

Basic Work With libpcap - Protocol Parsing - The Callback Function's Code

Here is a code to print the source/destination data for TCP traffic. */

static int packet_count = 0;
struct iphdr* ip_hdr;          /* to get IP protocol data.  */
struct tcphdr* tcp_hdr;        /* to get TCP protocol data. */
char src_ip[100], dst_ip[100];
int src_port, dst_port;

/* we're only interested in TCP packets. */
ip_hdr = (struct iphdr*)p_data;  /* the captured data is an IP packet. */
if (ip_hdr->protocol != IPPROTO_TCP) {
    printf("protocol in IP packet (0x%x) is not TCP\n", ip_hdr->protocol);
    return;
}

Basic Work With libpcap - Protocol Parsing - The Callback Function's Code (Cont.)

/* lets get the src and dst addresses - translate from */
/* network-byte-order binary data. */
inet_ntop(AF_INET, &ip_hdr->saddr, src_ip, sizeof(src_ip));
inet_ntop(AF_INET, &ip_hdr->daddr, dst_ip, sizeof(dst_ip));

/* lets get the port numbers - the payload of the IP packet is TCP.  */
/* NOTE: in IP, the ihl (IP Header Length) field contains the number */
/* of 4-octet chunks composing the IP packet's header.               */
tcp_hdr = (struct tcphdr*)(p_data + ip_hdr->ihl * 4);
src_port = ntohs(tcp_hdr->source);  /* ports are in network byte order. */
dst_port = ntohs(tcp_hdr->dest);

printf("PACKET: src %s:%d, dst %s:%d\n",
       src_ip, src_port, dst_ip, dst_port);

Identifying The Protocol Stack Dynamically

As you saw, we assumed that the captured data was an IP packet.
libpcap enables us to find the actual protocol at run-time:
```
int datalink = pcap_datalink(pc);
```
Example values:

DLT_EN10MB
Ethernet protocol.
DLT_RAW
IP protocol.

Using Filters

/* first we need to compile the filter.           */
/* Note: the filter requires knowing our netmask. */
bpf_u_int32 netmask;
inet_pton(AF_INET, "255.255.255.0", &netmask);

struct bpf_program filter;
char* filter_str = "port 22";
rc = pcap_compile(pc, &filter, filter_str, 1 /*optimize*/, netmask);
if (rc == -1) {
    fprintf(stderr, "Failed compiling filter '%s' - %s\n",
            filter_str, pcap_geterr(pc));
    exit(1);
}

/* then set this program as our filter. */
rc = pcap_setfilter(pc, &filter);
if (rc == -1) {
    fprintf(stderr, "Failed setting filter for pcap - %s\n",
            pcap_geterr(pc));
    exit(1);
}

/* after we're done with the filter struct - free it. */
pcap_freecode(&filter);

Originally written by

guy keren