My Ubuntu virtual machine's IP address is 192.168.1.110. Everything else looks fine. I don't know what is wrong with the code. Maybe I'm using a wrong package header structure?
Below is my code and output. Again my host IP should be 192.168.1.110 and port for now is definitely wrong.
sudo ./sniffall 0
84.72.137.105:38055 192.168.1.105:56652
192.168.1.105:56652 174.141.213.124:28073
84.72.137.105:38055 192.168.1.105:56652
192.168.1.105:56652 174.141.213.124:28073
84.72.137.105:38055 192.168.1.105:56652
#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netinet/ether.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
void getPacket(u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet){
struct ip *ip;
struct tcphdr *tcp;
ip = (struct ip*)(packet+sizeof(struct ether_header));
tcp = (struct tcphdr*)(packet+sizeof(struct ether_header)+sizeof(struct ip));
char* src = inet_ntoa(ip->ip_src);
printf("%s:%d ",src,tcp->source);
char* dst = inet_ntoa(ip->ip_dst);
printf(" %s:%d\n", dst, tcp->dest);
}
int main(int argc, char *argv[]){
char errbuf[PCAP_ERRBUF_SIZE], *device;
device = argv[1];
pcap_t *handle;
handle = pcap_open_live(device, BUFSIZ, 1, 1000, errbuf);
if(!handle){
device = pcap_lookupdev(errbuf);
handle = pcap_open_live(device, BUFSIZ, 1, 1000, errbuf);
if(!handle){
printf("Couldn't open device %s: %s\n", device, errbuf);
}
}
pcap_loop(handle, 5, getPacket, NULL);
return 0;
}
Pcap is going to show some other traffic other than your system's if you're in promiscuous mode. Why you're seeing specific packets that aren't being sent or received from your system is going to be dependent a bit on your network configuration. Some ethernet switches will occasionally leak packets destined to other systems if they're unsure where they should go, etc.
You also need to need to convert between byte orders. In most common cases now, "network byte order" is not the same as your machine's byte order. To print out the port number, you need to do something like:
printf("%s:%d ",src,ntohs(tcp->source));
Also, you may want to try struct iphdr instead of struct ip. I've seen instances before where there were multiple definitions of a struct named ip in headers, but iphdr was always right for me.
Remember that you can always run tcpdump in another window to see what packets are actually coming in, it's possible that you're receiving more traffic than you are expecting.
First, after calling pcap_open_live(), call pcap_datalink() on handle and, if it doesn't return DLT_EN10MB, either exit or rewrite your program so that it can handle the value it returns. See the tcpdump.org link-layer header types page for a description of the supported values from pcap_datalink().
Second, do NOT assume that the packet is an IPv4 packet unless you have either installed a filter of "ip" or have checked the packet type (e.g., the type field in an Ethernet header) to make sure the packet is an IPv4 packet.
Third, do NOT assume that the header of an IPv4 packet is exactly sizeof(struct ip) bytes long. I assume sizeof(struct ip) will be 20, which is the minimum length of an IPv4 header, but the header may include options - check the "header length" field of the IPv4 header (which is in units of 4-byte words, so a value of 5 means "20 bytes") and use that as the length of the header (make sure it's at least 5 - if it's less than 5, the packet is not valid - and then multiply by 4 to get the length of the header).
Fourth, do NOT assume that the packet is a TCP packet unless you have either installed a filter of "ip and tcp" or just "tcp" (with the latter, you'll still have to check yourself to see whether it's an IPv4 packet) or have checked the "protocol" field of the IPv4 header to make sure it has a value of 6 (for TCP).
Related
I don't understand why my following code doesn't work properly.
When I sniff ethernet the bytes that I receive are shifted by 2 bytes
I send use sudo sendip -p ipv4 -p udp 127.0.0.1 -d r8 to send packet to my computer
With the following code:
#include <pcap/pcap.h>
#define SIZE_ETHERNET 14
#define ETHER_ADDR_LEN 6
struct sniff_ethernet {
u_char ether_dhost[ETHER_ADDR_LEN];
u_char ether_shost[ETHER_ADDR_LEN];
u_short ether_type;
};
void packet_call_back(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) {
struct sniff_ethernet *ethernet = (struct sniff_ethernet*)(bytes);
printf("test = %#x\n", ethernet->ether_type); // print is 0x0
}
int main(void) {
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *handle = pcap_create("any", errbuf);
pcap_set_timeout(handle, -1);
pcap_loop(handle, 0, packet_call_back, NULL);
pcap_close(handle);
}
The ether_type that I receive is incorrect here 0x0000 instead of 0x0800
but if instead of: struct sniff_ethernet *ethernet = (struct sniff_ethernet*)(bytes);
I put struct sniff_ethernet *ethernet = (struct sniff_ethernet*)(bytes + 2);
here everything work fine and I can analyse my packet easily.
I compile with gcc test.c -l pcap
And I work on an Ubuntu VM with parallels
Thank's for reading
When I sniff ethernet the bytes that I receive are shifted by 2 bytes
You're not sniffing Ethernet, you're sniffing the "any" device. That will capture on all interfaces, whether they're Ethernet interfaces or not; even if they are all Ethernet interfaces, that doesn't make a difference.
In order to make this work, a link-layer header type other than Ethernet is used on the "any" device. On Linux, that's a special header; here's what that header looks like.
ALL programs that use libpcap to capture network traffic or to read a capture file must, after opening the capture device (pcap_activate(), pcap_open_live(), pcap_open()) or the capture file (pcap_open_offline()), call pcap_datalink() to determine the link-layer header type from the device or the file.
That function returns a value that can be found in the link-layer header types list; it will be one of the values with a name that begins with DLT_. Do not check for the numerical values given there; check for the DLT_ values.
According to Wikipedia, a traceroute program
Traceroute, by default, sends a sequence of User Datagram Protocol
(UDP) packets addressed to a destination host[...] The time-to-live
(TTL) value, also known as hop limit, is used in determining the
intermediate routers being traversed towards the destination. Routers
decrement packets' TTL value by 1 when routing and discard packets
whose TTL value has reached zero, returning the ICMP error message
ICMP Time Exceeded.[..]
I started writing a program (using an example UDP program as a guide) to adhere to this specification,
#include <sys/socket.h>
#include <assert.h>
#include <netinet/udp.h> //Provides declarations for udp header
#include <netinet/ip.h> //Provides declarations for ip header
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
#define DATAGRAM_LEN sizeof(struct iphdr) + sizeof(struct iphdr)
unsigned short csum(unsigned short *ptr,int nbytes) {
register long sum;
unsigned short oddbyte;
register short answer;
sum=0;
while(nbytes>1) {
sum+=*ptr++;
nbytes-=2;
}
if(nbytes==1) {
oddbyte=0;
*((u_char*)&oddbyte)=*(u_char*)ptr;
sum+=oddbyte;
}
sum = (sum>>16)+(sum & 0xffff);
sum = sum + (sum>>16);
answer=(short)~sum;
return(answer);
}
char *new_packet(int ttl, struct sockaddr_in sin) {
static int id = 0;
char *datagram = malloc(DATAGRAM_LEN);
struct iphdr *iph = (struct iphdr*) datagram;
struct udphdr *udph = (struct udphdr*)(datagram + sizeof (struct iphdr));
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = DATAGRAM_LEN;
iph->id = htonl(++id); //Id of this packet
iph->frag_off = 0;
iph->ttl = ttl;
iph->protocol = IPPROTO_UDP;
iph->saddr = inet_addr("127.0.0.1");//Spoof the source ip address
iph->daddr = sin.sin_addr.s_addr;
iph->check = csum((unsigned short*)datagram, iph->tot_len);
udph->source = htons(6666);
udph->dest = htons(8622);
udph->len = htons(8); //udp header size
udph->check = csum((unsigned short*)datagram, DATAGRAM_LEN);
return datagram;
}
int main(int argc, char **argv) {
int s, ttl, repeat;
struct sockaddr_in sin;
char *data;
printf("\n");
if (argc != 3) {
printf("usage: %s <host> <port>", argv[0]);
return __LINE__;
}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_port = htons(atoi(argv[2]));
if ((s = socket(AF_PACKET, SOCK_RAW, 0)) < 0) {
printf("Failed to create socket.\n");
return __LINE__;
}
ttl = 1, repeat = 0;
while (ttl < 2) {
data = new_packet(ttl);
if (write(s, data, DATAGRAM_LEN) != DATAGRAM_LEN) {
printf("Socket failed to send packet.\n");
return __LINE__;
}
read(s, data, DATAGRAM_LEN);
free(data);
if (++repeat > 2) {
repeat = 0;
ttl++;
}
}
return 0;
}
... however at this point I have a few questions.
Is read(s, data, ... reading whole packets at a time, or do I need to parse the data read from the socket; seeking markers particular to IP packets?
What is the best way to uniquely mark my packets as they return to my box as expired?
Should I set up a second socket with the IPPROTO_ICMP flag, or is it easier to write a filter; accepting everything?
Do any other common mistakes exist; or are any common obstacles foreseeable?
Here are some of my suggestions (based on assumption it's a Linux machine).
read packets
You might want to read whole 1500 byte packets (entire Ethernet frame). Don't worry - smaller frames would still be read completely with read returning the length of data read.
Best way to add marker is to have some UDP payload (a simple unsigned int) should be good enough. Increase it on every packet sent. (I just did a tcpdump on traceroute - the ICMP error - does return an entire IP frame back - so you can look at the returned IP frame, parse the UDP payload and so on. Note your DATAGRAM_LEN would change accordingly. ) Of course you can use ID - but be careful that ID is mainly used by fragmentation. You should be okay with that - 'cos you'd not be approaching fragmentation limit on any intermediate routers with these packet sizes. Generally, not a good idea to 'steal' protocol fields that are meant for something else for our custom purpose.
A cleaner way could be to actually use IPPROTO_ICMP on raw sockets (if manuals are installed on your machine man 7 raw and man 7 icmp). You would not want to receive copy of all packets on your device and ignore those that are not ICMP.
If you are using type SOCKET_RAW on AF_PACKET, you will have to manually attach a link layer header or you can do SOCKET_DGRAM and check. Also man 7 packet for lot of subtleties.
Hope that helps or are you looking at some actual code?
A common pitfall is that programming at this level needs very careful use of the proper include files. For instance, your program as-is won't compile on NetBSD, which is typically quite strict in following relevant standards.
Even when I add some includes, there is no struct iphdr but there is a struct udpiphdr instead.
So for now the rest of my answer is not based on trying your program in practice.
read(2) can be used to read single packets at a time. For packet-oriented protocols, such as UDP, you'll never get more data from it than a single packet.
However you can also use recvfrom(2), recv(2) or recvmsg(2) to receive the packets.
If fildes refers to a socket, read() shall be equivalent to recv()
with no flags set.
To identify the packets, I believe using the id field is typically done, as you have already. I am not sure what you mean with "mark my packets as they return to my box as expired", since your packets don't return to you. What you may get back are ICMP Time Exceeded messages. These usually arrive within a few seconds, if they arrive at all. Sometimes they are not sent, sometimes they may be blocked by misconfigured routers between you and their sender.
Note that this assumes that the IP ID you set up in your packet is respected by the network stack you're using. It is possible that it doesn't, and replaces your chosen ID with a different one. Van Jacobson, the original author of the traceroute command as found in NetBSD therefore use a different method:
* The udp port usage may appear bizarre (well, ok, it is bizarre).
* The problem is that an icmp message only contains 8 bytes of
* data from the original datagram. 8 bytes is the size of a udp
* header so, if we want to associate replies with the original
* datagram, the necessary information must be encoded into the
* udp header (the ip id could be used but there's no way to
* interlock with the kernel's assignment of ip id's and, anyway,
* it would have taken a lot more kernel hacking to allow this
* code to set the ip id). So, to allow two or more users to
* use traceroute simultaneously, we use this task's pid as the
* source port (the high bit is set to move the port number out
* of the "likely" range). To keep track of which probe is being
* replied to (so times and/or hop counts don't get confused by a
* reply that was delayed in transit), we increment the destination
* port number before each probe.
Using a IPPROTO_ICMP socket for receiving the replies is more likely to be efficient than trying to receive all packets. It would also require fewer privileges to do so. Of course sending raw packets normally already requires root, but it could make a difference if a more fine-grained permission system is in use.
I need to write program using raw sockets in c language on proxy server between two hosts.
I've written some code for it (and set some rules for iptable to change destination address of packets to proxy's interfaces), where I am receiving packet, print data in this packet and then send the packet to receiver.
It's working on my simple client/server programs on raw sockets, but when I am trying to establish a connection through a proxy - it doesn't work.
Do you have any ideas on how I can write this program without using the kernel?
#include <unistd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#define PCKT_LEN 8192
int main(void){
int s;
char buffer[PCKT_LEN];
struct sockaddr saddr;
struct sockaddr_in daddr;
memset(buffer, 0, PCKT_LEN);
s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
if(s < 0){
printf("socket() error");
return -1;
}
int saddr_size = sizeof(saddr);
int header_size = sizeof(struct iphdr) + sizeof(struct tcphdr);
unsigned int count;
daddr.sin_family = AF_INET;
daddr.sin_port = htons(1234);
daddr.sin_addr.s_addr = inet_addr ("2.2.2.1");
while(1){
if(recvfrom(s, buffer, PCKT_LEN , 0, &saddr, &saddr_size) < 0){
printf("recvfrom() error");
return -1;
}
else{
int i = header_size;
for(; i < PCKT_LEN; i++)
printf("%c", buffer[i]);
if (sendto (s, buffer, PCKT_LEN, 0, &daddr, &saddr_size) < 0)
printf("sendto() error");
return -1;
}
}
}
close(s);
return 0;
}
(Your code has serious bugs. For example, the last argument to sendto(2) should not be a pointer. I'll assume it's not the real code and that the real code compiles without warnings.)
With the nagging out of the way, I think one problem is that you're accidentally including an extra IP header in the packets you send. raw(7) has the following:
The IPv4 layer generates an IP header when sending a packet unless the IP_HDRINCL socket option is enabled on the socket. When it is enabled, the packet must contain an IP header. For receiving the IP header is always included in the packet.
IP_HDRINCL is not enabled by default unless protocol is IPPROTO_RAW (see a bit further down in raw(7)), meaning it's disabled in your case. (I also checked with getsockopt(2).)
You will have to either enable IP_HDRINCL using setsockopt(2) to tell the kernel that you're supplying the header yourself, or not include the header in sendto().
It's better to look at the IHL field in the IP header than assume it has fixed size by the way. The IP header could include options.
There could be other issues as well depending on what you're trying to do, and details might vary for IPv6.
Whatever you are doing I don't think using raw sockets is the way. Those are used for network debugging only.
Fist of all, observe that basically you are copying content from an existing, stabilished connection, rather than tunneling it. You are not doing what is proposed.
If you want to capture connections to a given server:port, for instance, 2.2.2.1:1234, into your application so that you can tunnel it through a proxy, you can use iptables.
iptables -t nat -A OUTPUT -p tcp -d 2.2.2.1 --dport 1234 -j REDIRECT
Create an application bound to ip 0.0.0.0 listening to TCP port 1234 and every connection attempt to 2.2.2.1:1234 will connect to your application instead, and you can do whatever you please with it.
Following example code from the libpcap documentation yields the following code which should report the IP address of the given interface (eth0 in this case) [Error checking omitted for brevity]
#include <stdio.h>
#include <pcap.h>
#include <arpa/inet.h>
int main(int argc, char *argv[])
{
char errbuf[PCAP_ERRBUF_SIZE];
bpf_u_int32 mask;
bpf_u_int32 ip;
struct in_addr ip_addr;
/* Find the properties for the device */
pcap_lookupnet("eth0", &ip, &mask, errbuf);
ip_addr.s_addr = ip;
printf("IP Address: %s\n", inet_ntoa(ip_addr));
return 0;
}
However, this results in 192.168.1.0, rather than the correct 192.168.1.100. Running this on a different machine on a different subnet yields 10.0.0.0 rather than the correct 10.0.0.107 which leads me to believe libpcap is not copying the last octet correctly. I've manually converted the integer returned by pcap_lookupnet to ensure it's not an issue with the use of inet_ntoa (I've also tried inet_ntop, with identical results). Following the code from this question:
Get IP address of an interface on Linux
reports the correct IP address. Is this a bug in libpcap or am I doing something wrong?
Your statement "which should report the IP address of the given interface" is incorrect.
From the manpage:
pcap_lookupnet() is used to determine the IPv4 network number and
mask
associated with the network device device. Both netp and maskp are
bpf_u_int32 pointers.
are you sure you have a network number of 10.0.0.107 or 192.168.1.100 respectively? Sounds rather unusual.
Background:
I'm writing a daemon that makes outgoing TCP/IP connections. It will be running on machines with multiple (non-loopback) IP addresses. I'd like the users to be able to specify, in the daemon's config file, which IP address(es) to use for outgoing connections, or * to use all.
The addresses will be used in a rotation, each connection going out from the IP address used least recently. This behavior is important, as is * being a replacement for "all" so daemons running on multiple machines can point to the same config file on a fileshare, and have each use its own set of IP addresses.
Problem:
How do I get a list of all the IP addresses a machine can make outgoing (i.e. to any other computer) connections on? Given a list of all IP addresses, how would I filter out loopback addresses?
I'm in C, and if possible I'd like to use POSIX only, but the daemon will probably only ever run on Linux boxes, so I'd accept a Linux-centric answer.
Each IP address will be available on exactly one (possibly virtual) network device and vice versa, so a way to enumerate network devices and get associated IP addresses would also suffice, though I wouldn't really be happy about it. (Side questions: Is it even possible to associate multiple IP addresses with a single device? How 'bout the same IP under multiple devices? Not important.)
Insufficient Solutions:
gethostname()/gethostbyname() (as this question). Using that method, I only ever get 127.0.0.1 back (or .1.1 in Debian). I suspect this is because the hostname of the machine is in the hosts file, and that's as far as gethostbyname() checks. (I believe that's why in Debian I always get 127.0.1.1: Debian defaults to adding localhost as 127.0.0.1 and the machine's hostname as 127.0.1.1 to the hosts file, right?) I'd like a solution that ignores hosts and gives me everything actually there.
I've had no more luck with getaddrinfo() than gethostname()/gethostbyname(). It seems to be bound by the same problem. I tested this passing the machine's hostname and a NULL service (port) into it; the docs say passing a NULL hostname AND a NULL service is illegal, and this is backed up by testing. Not sure how else to ask it for everything on the machine, but I'm open to suggestions in this vein.
EDIT: this answer shows how to get the IP address from a device name, but doesn't show how to enumerate the device names. Any ideas?
FINAL EDIT: I've accepted caskey's answer to give him the credit for pointing me in the direction of how this needs to be done. I've posted my own answer listing the source code of how exactly to do it in case anyone else needs it.
Here's my proof of concept code using caskey's accepted answer, for posterity's sake:
#include <stdio.h>
#include <string.h>
#include <assert.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
static const char * flags(int sd, const char * name)
{
static char buf[1024];
static struct ifreq ifreq;
strcpy(ifreq.ifr_name, name);
int r = ioctl(sd, SIOCGIFFLAGS, (char *)&ifreq);
assert(r == 0);
int l = 0;
#define FLAG(b) if(ifreq.ifr_flags & b) l += snprintf(buf + l, sizeof(buf) - l, #b " ")
FLAG(IFF_UP);
FLAG(IFF_BROADCAST);
FLAG(IFF_DEBUG);
FLAG(IFF_LOOPBACK);
FLAG(IFF_POINTOPOINT);
FLAG(IFF_RUNNING);
FLAG(IFF_NOARP);
FLAG(IFF_PROMISC);
FLAG(IFF_NOTRAILERS);
FLAG(IFF_ALLMULTI);
FLAG(IFF_MASTER);
FLAG(IFF_SLAVE);
FLAG(IFF_MULTICAST);
FLAG(IFF_PORTSEL);
FLAG(IFF_AUTOMEDIA);
FLAG(IFF_DYNAMIC);
#undef FLAG
return buf;
}
int main(void)
{
static struct ifreq ifreqs[32];
struct ifconf ifconf;
memset(&ifconf, 0, sizeof(ifconf));
ifconf.ifc_req = ifreqs;
ifconf.ifc_len = sizeof(ifreqs);
int sd = socket(PF_INET, SOCK_STREAM, 0);
assert(sd >= 0);
int r = ioctl(sd, SIOCGIFCONF, (char *)&ifconf);
assert(r == 0);
for(int i = 0; i < ifconf.ifc_len/sizeof(struct ifreq); ++i)
{
printf("%s: %s\n", ifreqs[i].ifr_name, inet_ntoa(((struct sockaddr_in *)&ifreqs[i].ifr_addr)->sin_addr));
printf(" flags: %s\n", flags(sd, ifreqs[i].ifr_name));
}
close(sd);
return 0;
}
Works like a charm!
This can only be done in an operating system dependent fashion. You could try parsing the output of 'iptables', but the right answer for linux is to use ioctl.
SIOCGIFCONF takes a struct ifconf *. The ifc_buf field points to a
buffer of length ifc_len bytes, into which the kernel writes a list of
type struct ifreq [].
The struct ifreq is documented in linux/if.h:
struct ifreq
{
#define IFHWADDRLEN 6
union
{
char ifrn_name[IFNAMSIZ]; /* if name, e.g. "en0" */
} ifr_ifrn;
union {
struct sockaddr ifru_addr;
struct sockaddr ifru_dstaddr;
struct sockaddr ifru_broadaddr;
struct sockaddr ifru_netmask;
struct sockaddr ifru_hwaddr;
short ifru_flags;
int ifru_ivalue;
int ifru_mtu;
struct ifmap ifru_map;
char ifru_slave[IFNAMSIZ]; /* Just fits the size */
char ifru_newname[IFNAMSIZ];
void * ifru_data;
struct if_settings ifru_settings;
} ifr_ifru;
};
As you can see, it contains the address information you desire.
Some answers to side questions:
Adding multiple IPs to a device can be done with aliasing. Linux creates devices named like eth0:0 when you do this.
ifconfig eth0:0 10.0.0.1
Having the same IP under multiple devices can be done with channel bonding/link aggregation.
You can get the interface info required a couple of ways including calling ioctl() with the SIOCGIFCONF option and looping through the returned structures to get the interface address info.
Given a list of all IP addresses, how would I filter out loopback addresses?
See ifreq struct in caskey's answer. You can determine the loopback (properly) with:
if (ifru_flags & IFF_LOOPBACK)
Constants are in if.h
are you sure you are using gethostname()/gethostbyname() correctly? check out here, the only problem I see with doing this is that it's possible that a domain name has multiple ip addresses mapped to it. If that's the case then there's no way of knowing what the ip address belonging to the local machine is
How do I get a list of all the IP addresses a machine can make outgoing (i.e. to any other computer) connections on? Given a list of all IP addresses, how would I filter out loopback addresses?
Look at the source code of lsof and netstat. You'll see it involves traversing kernel memory structures, not just making system calls.