Homework Assignment #1: Packet Capture and Analyze (slide deck, 15 slides)

Homework Assignment #1 Packet Capture & Analyze

Homework Assignment #1: Packet Capture and Analyze

• Lots of tools or libraries exist for packet capture and analysis
  – Sniffer, Pcap, …
• However, in this homework you are required to use the operating system services directly
  – Use the ioctl function to change a NIC's flags
    • Capture all packets passing through the NIC
  – Use a raw socket to obtain layer 2 and layer 3 information
    • Analyze all captured packets
• Environment
  – Linux

About ioctl

• A system call used by a process to access features of a device that aren't supported by the standard system calls like read, write, …
• int ioctl(int fd, unsigned long com, char *argp)

  Command        Third argument    Description
  SIOCGIFCONF    struct ifconf *   Retrieve list of interface configuration
  SIOCGIFFLAGS   struct ifreq *    Get interface flags
  SIOCGIFMETRIC  struct ifreq *    Get interface metric
  SIOCSIFFLAGS   struct ifreq *    Set interface flags
  SIOCSIFMETRIC  struct ifreq *    Set interface metric

Flowchart

Start -> Setup interface -> Establish socket -> Get interface flag

• Setup interface
  struct ifreq ethreq;   // ifreq is defined in <net/if.h>
  char interface[16];
  memset(interface, 0x00, sizeof(interface));
  The interface name comes from main's parameter: argv[1] = "eth0"
• Establish socket
  Header: #include <sys/types.h>, #include <sys/socket.h>
  Define: int socket(int domain, int type, int protocol)
  You need to define a raw socket to get L2 and L3 information.
• Get interface flag
  Header: #include <sys/ioctl.h>
  Define: int ioctl(int fd, unsigned long com, char *argp)
  Use the command SIOCGIFFLAGS to get the original flags

Flowchart (cont.)

Set promiscuous mode -> Receive packets (loop receive) -> Analyzing & Filtering

• Set promiscuous mode
  Defined in the header file "if.h":
  #define IFF_PROMISC 0x100   /* receive all packets */
  You need to set the NIC's flag to IFF_PROMISC
• Receive packets
  Loop receive
• Analyzing & Filtering
  Layer 2 (Ethernet type): IP, ARP, …, others
  Inside IP (protocol field): TCP, UDP, ICMP, …

Data Structure

• Define structure
  – #include <linux/if_ether.h>   // for the Ethernet header
    struct ethhdr {
        unsigned char  h_dest[ETH_ALEN];
        unsigned char  h_source[ETH_ALEN];
        unsigned short h_proto;
    };
  – #include <linux/ip.h>   // for the IP header
    struct iphdr {
        unsigned int   version:4;
        unsigned int   h_len:4;
        unsigned char  tos;
        unsigned short total_len;
        unsigned short ident;
        unsigned short frag_and_flags;
        unsigned char  ttl;
        unsigned char  proto;
        unsigned short checksum;
        unsigned int   sourceIP;
        unsigned int   destIP;
    };
• Note: the field names above are illustrative. The struct iphdr actually shipped in <linux/ip.h> is named ihl, version, tos, tot_len, id, frag_off, ttl, protocol, check, saddr, daddr, and its two 4-bit fields are declared in byte-order-dependent order (ihl before version on little-endian x86), so include the header rather than redeclaring the struct. All multi-byte fields arrive in network byte order: convert with ntohs()/ntohl() before comparing or printing.

RAW Socket

• A raw socket lets you handle the protocol you need yourself
• Advantages
  – When you use a raw socket, the packets you receive are not modified
• Constraints
  – No port number: the system forwards raw packets to the suitable raw socket
  – In Linux, raw sockets can only be used by root (more precisely, a process holding the CAP_NET_RAW capability)

Executable Command

• Format: capture [options] [filter]
• Default: no option and no filter
  – Capture 100 packets and print out a summary of the packets
    #capture
    ------statistics-----
    IP   : 75
    ARP  : 3
    RARP : 3
    TCP  : 6
    UDP  : 60
    ICMP : 0
    IGMP : 0
    -----finish-----

Option

• -n <maxcount>
  – The number of packets to be captured
• -v
  – Print out the information for each captured packet
  – Format:
    Source MAC address: 00:0E:6A:D3:B3:1E
    Destination MAC address: 00:E0:18:ED:D7:13
    IP->protocol = TCP
    IP->src_ip = 220.130.208.127
    IP->dst_ip = 220.130.208.129
    Src_port = 2345
    Dst_port = 64

Filter

• srcmac <MAC_ADDR>
  – Specify the source MAC address
• destmac <MAC_ADDR>
  – Specify the destination MAC address
• srcip <IP_ADDR>
  – Specify the source IP address
• destip <IP_ADDR>
  – Specify the destination IP address
• srcport <PORT_NUM>
  – Specify the source port number
• destport <PORT_NUM>
  – Specify the destination port number
• tcp
  – Specify the layer 4 protocol as TCP
• udp
  – Specify the layer 4 protocol as UDP

Filter (cont.)

• Example 1
  – Find 10 UDP packets destined to you and print out the packet information (use the -v option)
  – #capture -n 10 -v udp destip 140.120.15.1
• Example 2
  – Find 10 TCP packets with source IP = 140.120.15.1 and destination MAC address = 4578CD4E, and print out the packet information (use the -v option)
  – #capture -n 10 -v tcp srcip 140.120.15.1 destmac 4578CD4E
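The "analyze and filter" half of the assignment, covering the Data Structure, Executable Command, Option and Filter slides in one piece: a bounds-checked parser for the Ethernet/IPv4/TCP-UDP headers, the filter keywords as a struct with a match function, and the counters behind the statistics summary. This is an added example, not the assignment's or the slides' code. It parses bytes at fixed offsets instead of overlaying struct ethhdr/struct iphdr, so it compiles on any POSIX system and does not depend on bit-field order; the sample frame is constructed (addresses taken from the -v slide, checksums left zero), not a real capture.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton, ntohl, IPPROTO_* */

#define ETH_HLEN_       14      /* Ethernet II header: dst(6) src(6) type(2) */
#define ETHERTYPE_IP_   0x0800
#define ETHERTYPE_ARP_  0x0806
#define ETHERTYPE_RARP_ 0x8035

/* What the -v output prints and the filter keywords test, from one frame. */
struct pkt_info {
    unsigned char src_mac[6], dst_mac[6];
    uint16_t ethertype;            /* host byte order */
    uint8_t  ip_proto;             /* IPPROTO_* when ethertype is IP, else 0 */
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;   /* TCP/UDP only, else 0 */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse Ethernet + IPv4 + the TCP/UDP port pair. Returns 0, or -1 when the frame
 * is shorter than its headers claim: every offset is checked against `len`
 * before it is read, because the wire can carry anything. The offsets are the
 * same ones struct ethhdr / struct iphdr would overlay. */
int parse_frame(const unsigned char *buf, size_t len, struct pkt_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HLEN_) return -1;
    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != ETHERTYPE_IP_) return 0;        /* ARP/RARP/other: L2 only */

    const unsigned char *ip = buf + ETH_HLEN_;
    if (len < ETH_HLEN_ + 20) return -1;
    unsigned version = ip[0] >> 4, ihl = (ip[0] & 0x0f) * 4u;   /* options make ihl > 20 */
    if (version != 4 || ihl < 20 || len < ETH_HLEN_ + ihl) return -1;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if (out->ip_proto == IPPROTO_TCP || out->ip_proto == IPPROTO_UDP) {
        if (len < ETH_HLEN_ + ihl + 4) return -1;
        out->src_port = rd16(ip + ihl);       /* ports sit at the same offset in TCP and UDP */
        out->dst_port = rd16(ip + ihl + 2);
    }
    return 0;
}

/* The assignment's filter keywords; a has_* of 0 means "any". */
struct filter {
    int has_srcmac, has_destmac, has_srcip, has_destip, has_srcport, has_destport;
    unsigned char srcmac[6], destmac[6];
    uint32_t srcip, destip;
    uint16_t srcport, destport;
    int l4proto;                   /* 0 = any, IPPROTO_TCP (tcp) or IPPROTO_UDP (udp) */
};

int filter_match(const struct filter *f, const struct pkt_info *p)
{
    if (f->has_srcmac  && memcmp(f->srcmac,  p->src_mac, 6) != 0) return 0;
    if (f->has_destmac && memcmp(f->destmac, p->dst_mac, 6) != 0) return 0;
    int wants_ip = f->has_srcip || f->has_destip || f->has_srcport || f->has_destport || f->l4proto;
    if (wants_ip && p->ethertype != ETHERTYPE_IP_) return 0;   /* IP criteria never match ARP */
    if (f->has_srcip  && f->srcip  != p->src_ip) return 0;
    if (f->has_destip && f->destip != p->dst_ip) return 0;
    if (f->l4proto && f->l4proto != p->ip_proto) return 0;
    int has_ports = p->ip_proto == IPPROTO_TCP || p->ip_proto == IPPROTO_UDP;
    if (f->has_srcport  && (!has_ports || f->srcport  != p->src_port)) return 0;
    if (f->has_destport && (!has_ports || f->destport != p->dst_port)) return 0;
    return 1;
}

/* "140.120.15.1" -> host-order uint32, as the argv parser would produce. */
int ip_from_str(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Counters behind the "------statistics-----" summary. */
struct stats { int ip, arp, rarp, tcp, udp, icmp, igmp; };

void count_packet(struct stats *s, const struct pkt_info *p)
{
    if (p->ethertype == ETHERTYPE_ARP_)  { s->arp++;  return; }
    if (p->ethertype == ETHERTYPE_RARP_) { s->rarp++; return; }
    if (p->ethertype != ETHERTYPE_IP_)   return;
    s->ip++;
    if      (p->ip_proto == IPPROTO_TCP)  s->tcp++;
    else if (p->ip_proto == IPPROTO_UDP)  s->udp++;
    else if (p->ip_proto == IPPROTO_ICMP) s->icmp++;
    else if (p->ip_proto == IPPROTO_IGMP) s->igmp++;
}

/* Constructed sample frame (not a real capture): UDP 220.130.208.127:2345 ->
 * 220.130.208.129:64 with the MACs from the -v slide; checksums left zero. */
const unsigned char SAMPLE_UDP[42] = {
    0x00,0xE0,0x18,0xED,0xD7,0x13, 0x00,0x0E,0x6A,0xD3,0xB3,0x1E, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xdc,0x82,0xd0,0x7f, 0xdc,0x82,0xd0,0x81,
    0x09,0x29, 0x00,0x40, 0x00,0x08, 0x00,0x00 };

int main(void)
{
    struct pkt_info p;
    if (parse_frame(SAMPLE_UDP, sizeof SAMPLE_UDP, &p) != 0) return 1;
    struct filter f = {0};                                   /* "udp destip 220.130.208.129" */
    f.l4proto = IPPROTO_UDP; f.has_destip = 1; ip_from_str("220.130.208.129", &f.destip);
    printf("IP->src_ip = %u.%u.%u.%u  Src_port = %u  Dst_port = %u  match = %d\n",
           p.src_ip >> 24, (p.src_ip >> 16) & 255, (p.src_ip >> 8) & 255, p.src_ip & 255,
           p.src_port, p.dst_port, filter_match(&f, &p));
    return 0;
}
```

In the real program, the receive loop calls parse_frame on each buffer from recvfrom, drops the frame when filter_match returns 0, increments the counters with count_packet, and prints the -v block from pkt_info. The length checks are the part most student versions skip: a raw socket delivers runt and malformed frames too, and reading struct iphdr fields past the end of a short buffer is exactly the out-of-bounds read a fuzzer or a hostile host would trigger.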

Turn In

1. Source code
2. Executing result (snapshot)

Turn In (cont.)

• Deadline
  – 23:59, Nov 24, 2005
• FTP
  – IP: 140.120.15.123 2222
  – Username/Password: comm94/comm94
• Filename
  – HW1_ID.doc, e.g. HW1_79356001.doc
• If you want to update
  – HW1_ID_new1.doc, HW1_ID_new2.doc, etc.

Turn In (cont.)

• No late work is accepted
  – You get zero if you miss the due day
• No cheating is accepted
  – You get zero if you copy other people's version

Reference

• TCP/IP Illustrated, Volume 2, Wright and Stevens, Addison-Wesley
• Linux C/C++ Network Programming (Linux C/C++ 網路程式設計), 金禾
• Linux C Library Reference Manual (Linux C 函式庫參考手冊), 旗標
• Linux Socket Programming, 碁峰