I am using a socket to receive alert information from snort packets.
I am using the readme-unsock file as a base. I cant extract the IP addresses from the packet. I get the wrong data structure from the packet. is there a way of changing this? (Apologies i'm new)
case IPPROTO_TCP:
inet_ntoa (p->iph->ip_dst);
Error message received
inet_ntoa() is deprected - https://beej.us/guide/bgnet/output/html/multipage/inet_ntoaman.html
use inet_ntop() instead - http://man7.org/linux/man-pages/man3/inet_ntop.3.html
Related
I want to transmit an skb that contains a valid tcp and ip header in the linux kernel. It should go out a specific interface without being routed.
My problem is, that I cannot use dev_queue_xmit because I dont know the destination mac-address.
My attempts to find out the mac-address with arp_find failed:
...
mh = (struct ethhdr *) skb_push(skb, sizeof(struct ethhdr));
...
arp_find(mh->h_dest, skb); //this or the next line
val = dev_queue_xmit(skb); //crashes kernel
Experiments with ip_local_out also failed. I set the ip header information and call ip_local_out which also results in a kernel crash.
I could not use ip_queue_xmit because I was not able to find out, what data to provide in the struct flowi *fl field.
So my questions:
How can I send out an skb on a device with ip information and no knowledge about lower levels?
If there is no answer to the first question: How can I find out the destination mac/trigger an arp request for the destination ip?
Remark:
I would like to avoid using (raw) sockets.
I have successfully
transmitted self-made skbs via dev_queue_xmit if I had the
destination mac address. So the code building the skb is not an
issue.
If you still want to use ip_local_out or ip_queue_xmit, then you can create your flowinfo like this.
struct flowi4 fl4 = {
.flowi4_oif = skb->dev->ifindex,
.daddr = iph->daddr,
.saddr = iph->saddr,
};
then create dst(rtable) with
ip_route_output_key
set to skb_buff with
skb_dst_set
I think it's a cleaner solution to use socket programming in kernel to send it as RAW IP packet.
You can create socket like this.
sock_create_kern(&sk, AF_INET,
SOCK_RAW, IPPROTO_RAW,
net);
then call
kernel_sendmsg
to let your packet going through the protocol stack.
When receiving a UDP packet, where I do not know neither content nor structure, how can I find out what the content is? Is that possible somehow? Wireshark tells me the data is:
12:03:01:00:00:00:00:00:1f:44:fe:a2:07:e2:4c:28:00:15:e1:e0:00:80:12:61
The question is just about the data itself, not header of lower layers.
Thanks in advance for your help.
Wireshark shows UDP header. There is 2 port numbers. Usually another port number is reserved for the used protocol (not always).
You may look from the port reservation table which is the used protocol.
And if you are lucky, you find the protocol specification from Web and you can open the content of the packet.
I know you can get the destination address for messages coming into a SOCK_DGRAM socket by using recvmsg. I would like to know how to get the destination address (from peer perspective) for a socket created by calling the accept function on a socket of type SOCK_STREAM. In other words, how can I get the destination address of the SYN packet that caused accept to return?
Perhaps with getpeername system call?
The function you look for is getpeername.
The question is almost all in the title.
I was wondering, given that:
- I use a raw socket (on GNU/Linux);
- the option IP_HDRINCL is set so that I craft the IP headers by myself.
As the dest IP addr is provided in the crafted IP header, does the dst_addr argument still plays a role or is it totally useless & only here cause that's how the function prototype is ?
The destination address is used to route the packet - it'll be the key that's used for a routing table lookup to determine the next hop address to send it to. It should usually be the same as the destination address you set in the header.
No it does not matter.
What you enter in the headers is where the packet would go.
The socket is created and bound, then the program receives data with recv(). The question is: How do I now determine from which host + port the packet originates so that I can send data back?
Note: C and Winsock is used.
Use recvfrom instead, it can return the source port and address