libpcap can only read the packets, how can I change it?
Basically I want to register a callback function that operates on all incoming packets,
how can this be done?
What kind of traffic is this? How do you want to modify it? What OS?
On linux, you may be able to use iptables to have the kernel modify the packets for you.
If that can't do what you want (i.e., you need to get the packets into user space), you could look at netfilter_queue. Or as a simpler alternative, use an iptables REDIRECT rule to send all the packets to a single port, and write an application to listen on that port.
Related
The project I am working has the requirement of dropping captured packets. I am successfully captuing packets with the use of libpcap like so,
pcap_loop(handle, num_packets, got_packet, NULL);
Where in the callback function I capture the given number of packets in the num_packets argument. My requirement is to drop the captured packets.
I tried checking for help and ended up empty handed. Any reference of code snippets to perform this requirement of dropping captured packets via libpcap is much appreciated. :)
EDIT
Alternative suggestions are welcome if this is not possible via libpcap.
NOTE that before dropping the packet I need to obtain the destination/ source ip address and payload of the packet to be dropped.
I don't know, if there's a library. Libpcap is for network packet capture only, AFAIK.
From my limited knowledge, I would say dropping a packet is just ignoring or not forwarding it. However this is not done in some program, but the kernel's network stack.
You can accomplish this, by defining appropriate rules in netfilter. There, you will also find libnftnl, which allows to communicate with the Linux netfilter subsystem. But as I read it, you can only define rules and not drop individual packets.
I'm using packet_mmap to capture all packets in the system, but there doesn't seem to be any way to interfere with the rest of the OS getting them as well. I want to be able to have exclusive control over packets coming into userland and decide whether they get to go onto other applications in the system or if they get dropped, so I can filter the packets based on criteria.
Is there any method of doing this? I can't seem to find any documentation on this particular subject. I guess what I want is to be able to remove all incoming packets from the IP stack so no other program gets them, and then be able to reinsert packets on a packet-by-packet basis.
You can't do what you want with PACKET sockets - they're not designed for that purpose.
What you need to use instead is libnetfilter_queue, together with an iptables rule that directs all incoming packets to your queue.
I have a scenario where multiple clients connect to a TCP server. When any of the clients sends a packet to the server, the server is supposed to have a retransmission timer and keep sending that packet to another server until it receives a reply. How do I go about setting up this retransmission mechanism? I'm doing this on Linux in C.
If you use a TCP socket, retransmit will happen automatically. Admittedly, if you want more control, you'll need to use UDP and handle the retransmit yourself.
I'm guessing this is an assignment. I had something similar where our channel was purposefully being corrupted.
I would suggest you follow something similar.
Send packet.
start a timer.
if an ACK (acknowledgment) is not received within a certain amount of time, then go back to step 1.
IIRC, the location of the files that contain these TCP config parameters are distro-dependent. They are in different folders on Red Hat and Ubuntu.
I'm doing an exercise ARP sniffing.
I want to simulate a attack like Man in The Middle.
I had been sending arp to change way packet to Attacker PC.
But I don't know How to forwarding this packet I receive from A to B.
How I do it? Can I do it with LibIPQ, or Libnet.
Recomend to read this post:
Spoofing the ARP Table of Remote Computers on a LAN
http://www.codeproject.com/KB/IP/winarpspoof.aspx
http://www.codeguru.com/cpp/i-n/network/basicnetworkoperations/article.php/c6861
and need view this proyect SharpPcap.
and not forget read: Can you use ARP-Poisoning (spoofing) to apply simulated external effects?
Salute.
I have an application bound to eth0, sending UDP packets on port A to 255.255.255.255. At the same time, I have a UDP server bound to eth0, 0.0.0.0 and port A.
What I want to do is to make sure that the server won't receive messages generated by the application (handled purely in software by the kernel) but it will receive messages generated by other hosts in the network.
I can't change the payload of UDP packets nor add any headers to it.
I've already implemented a solution using RTNETLINK to fetch all IP addresses of the machine I'm sitting on (and filter basing on address from recvfrom()), but I'm wondering if there might be a simpler and cleaner solution.
EDIT: I thought about something like tagging the skb - the tag would disappear after leaving a physical interface, but wouldn't if it's just routed in the software.
Any ideas?
If you can patch your Linux kernel, you could use a setsockopt() option for choosing if you want to loopback the broadcast packets you're sending or not.
This patch reuse the IP_MULTICAST_LOOP option exactly for this purpose.
Also, instead of "messing" with the IP_MULTICAST_LOOP option, you could easily add your own setsockopt() option, maybe called IP_BROADCAST_NO_LOOP. This would guarantee that you're not changing the behavior for any other application.
You can compute a checksum or CRC (better) over the payload and filter against this.
You can do this at the firewall level by dropping packets to broadcast address port A with source address of the eth0.