
Process 1@host1 Read & Send


santos

Presentation Transcript


  1. Process 1@host1 Read & Send
     [diagram: dump file -> Process 1 -> socket]
     • Reads packets from the pcap dump file (using the libpcap facilities)
     • Uses a UDP socket to send them to a network address

  2. Process 2@host2 Capture & write
     [diagram: capture -> Process 2 -> new dump file]
     • Captures the packets that match the filtering rules
     • Writes the packets to a dump file

  3. sockaddr / sockaddr_in / in_addr

     struct sockaddr {
         unsigned short sa_family;       // e.g. AF_INET
         char           sa_data[14];     // protocol address (14 bytes)
     };                                  // 2 + 14 = 16 bytes

     struct in_addr {
         in_addr_t s_addr;               // 4 bytes (uint32_t), network byte order
     };

     struct sockaddr_in {
         short int          sin_family;  // Address family
         unsigned short int sin_port;    // Port number (network byte order)
         struct in_addr     sin_addr;    // Internet address
         unsigned char      sin_zero[8]; // Padding bytes
     };  // 2 + 2 + sizeof(struct in_addr) + 8 = 2 + 14 !!
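The UDP leg of Process 1 in miniature, as an added example that is not part of the slides: it fills a sockaddr_in (family, port and address in network byte order via htons()/htonl(), sin_zero cleared), casts it to the generic struct sockaddr that bind() and sendto() expect, and reads the datagram back on a second loopback socket. The payload is a constructed byte string standing in for a packet read from a dump file; the receiver also checks that the datagram really came from the sender's address before accepting it.

```c
/* Added example (not from the slides): UDP round trip over loopback using the
 * sockaddr_in layout shown above. The payload is constructed, not a capture. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1 on an ephemeral port. Returns the fd or -1;
 * on success *bound holds the address the kernel actually assigned. */
static int bind_loopback_udp(struct sockaddr_in *bound)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);                 /* also clears sin_zero */
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                      /* 0: kernel picks the port */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* 127.0.0.1 */

    /* bind() takes the generic 16-byte struct sockaddr, hence the cast. */
    socklen_t len = sizeof *bound;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send payload[0..len) from one loopback socket to another and read it back.
 * Returns the byte count received, or -1 on error, truncation, corruption,
 * or if the datagram did not come from the sending socket's address. */
ssize_t udp_loopback_roundtrip(const unsigned char *payload, size_t len)
{
    struct sockaddr_in rx_addr, tx_addr;
    int rx = bind_loopback_udp(&rx_addr);
    int tx = bind_loopback_udp(&tx_addr);
    if (rx < 0 || tx < 0) {
        if (rx >= 0) close(rx);
        if (tx >= 0) close(tx);
        return -1;
    }

    /* Never block forever on a receive: 2-second timeout on the reader. */
    struct timeval tv = { 2, 0 };
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    ssize_t sent = sendto(tx, payload, len, 0,
                          (const struct sockaddr *)&rx_addr, sizeof rx_addr);

    unsigned char buf[2048];
    struct sockaddr_in from;
    socklen_t fromlen = sizeof from;
    ssize_t got = -1;
    if (sent == (ssize_t)len)
        got = recvfrom(rx, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);

    close(rx);
    close(tx);

    if (got != (ssize_t)len || memcmp(buf, payload, len) != 0)
        return -1;
    /* Source check: port and address are compared in network byte order. */
    if (from.sin_port != tx_addr.sin_port ||
        from.sin_addr.s_addr != tx_addr.sin_addr.s_addr)
        return -1;
    return got;
}

int main(void)
{
    /* Constructed sample payload standing in for a packet read from a dump file. */
    static const unsigned char sample[] = "constructed packet bytes";
    ssize_t n = udp_loopback_roundtrip(sample, sizeof sample - 1);
    printf("round trip: %zd bytes\n", n);
    return n < 0;
}
```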

  4. Structures: /usr/include/net/ethernet.h

     struct ether_header {
         u_int8_t  ether_dhost[ETH_ALEN];  // destination MAC (ETH_ALEN = 6)
         u_int8_t  ether_shost[ETH_ALEN];  // source MAC
         u_int16_t ether_type;             // packet type ID
     };                                    // 6 + 6 + 2 = 14 bytes

     #define ETHERTYPE_IP  0x0800  /* IP  */
     #define ETHERTYPE_ARP 0x0806  /* ARP */

  5. Structures: /usr/include/netinet/ip.h (cf. struct ip / struct iphdr)

     struct ipheader {
         uint8_t  ip_hl:4;   // ip_hl: header length in 32-bit words (4 bytes each)
         uint8_t  ip_v:4;    // version (bit-field order as on little-endian hosts)
         uint8_t  ip_tos;
         uint16_t ip_len;
         uint16_t ip_id;
         uint16_t ip_off;
         uint8_t  ip_ttl;
         uint8_t  ip_p;
         uint16_t ip_sum;
         uint32_t ip_src;
         uint32_t ip_dst;
     };                      // total iphdr len 20 bytes

  6. Structures: /usr/include/netinet/udp.h

     struct udpheader {
         uint16_t uh_sport;
         uint16_t uh_dport;
         uint16_t uh_len;
         uint16_t uh_check;
     };                      // udp hdr len 8 bytes
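A decoder for the three headers above, written as an added example (not code from the slides): it walks a constructed Ethernet/IPv4/UDP frame the way a pcap_handler would walk `packet`, checking every header length against the captured length (pcap_pkthdr.caplen) before reading a field, honouring IHL so that IP options are skipped, and verifying the IPv4 header checksum. Two departures from the slide's struct are assumptions of this example: the version/IHL byte is kept as a single `ip_vhl` field and split by hand, because the order in which C allocates bit-fields is implementation-defined, and headers are copied out with memcpy() because the packet bytes are not aligned. The sample frame and its checksum (0x26cc) are constructed here.

```c
/* Added example (not from the slides): bounds-checked Ethernet/IPv4/UDP decode.
 * A handler that trusts ip_hl or uh_len reads past the buffer on a truncated
 * or malformed packet; this decoder rejects such frames with an error code. */
#include <arpa/inet.h>
#include <net/ethernet.h>   /* struct ether_header, ETHERTYPE_IP, ETH_ALEN */
#include <netinet/in.h>     /* IPPROTO_UDP */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slide layouts (20 and 8 bytes); ip_vhl replaces the two 4-bit fields. */
struct ipheader {
    uint8_t  ip_vhl;     /* version in the high nibble, IHL (32-bit words) in the low */
    uint8_t  ip_tos;
    uint16_t ip_len;
    uint16_t ip_id;
    uint16_t ip_off;
    uint8_t  ip_ttl;
    uint8_t  ip_p;
    uint16_t ip_sum;
    uint32_t ip_src;
    uint32_t ip_dst;
};
struct udpheader { uint16_t uh_sport, uh_dport, uh_len, uh_check; };

struct decoded {
    size_t   ihl_bytes;    /* IPv4 header length in bytes */
    uint32_t src, dst;     /* host byte order */
    uint16_t sport, dport; /* host byte order */
    size_t   payload_len;  /* UDP payload bytes announced by uh_len */
};

enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_NOT_IPV4_UDP = -2,
       DEC_BAD_LENGTH = -3, DEC_BAD_CHECKSUM = -4 };

/* RFC 1071 ones-complement sum over the header: a valid header sums to 0xffff. */
static int ip_checksum_ok(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return sum == 0xffff;
}

/* Decode frame[0..caplen). caplen is what was actually captured; it is smaller
 * than the wire length whenever snaplen cut the packet short. */
int parse_frame(const uint8_t *frame, size_t caplen, struct decoded *out)
{
    struct ether_header eth;
    struct ipheader ip;
    struct udpheader udp;

    if (caplen < sizeof eth)
        return DEC_TRUNCATED;
    memcpy(&eth, frame, sizeof eth);
    if (ntohs(eth.ether_type) != ETHERTYPE_IP)
        return DEC_NOT_IPV4_UDP;

    const uint8_t *ipp = frame + sizeof eth;
    size_t left = caplen - sizeof eth;
    if (left < sizeof ip)
        return DEC_TRUNCATED;
    memcpy(&ip, ipp, sizeof ip);

    size_t ihl_bytes = (size_t)(ip.ip_vhl & 0x0f) * 4;
    if ((ip.ip_vhl >> 4) != 4 || ihl_bytes < sizeof ip)   /* IHL < 5 is illegal */
        return DEC_BAD_LENGTH;
    size_t ip_len = ntohs(ip.ip_len);
    if (ihl_bytes > left || ip_len > left || ip_len < ihl_bytes + sizeof udp)
        return DEC_BAD_LENGTH;
    if (!ip_checksum_ok(ipp, ihl_bytes))
        return DEC_BAD_CHECKSUM;
    if (ip.ip_p != IPPROTO_UDP)
        return DEC_NOT_IPV4_UDP;

    memcpy(&udp, ipp + ihl_bytes, sizeof udp);   /* IHL skips any IP options */
    size_t udp_len = ntohs(udp.uh_len);
    if (udp_len < sizeof udp || udp_len > ip_len - ihl_bytes)
        return DEC_BAD_LENGTH;

    out->ihl_bytes = ihl_bytes;
    out->src = ntohl(ip.ip_src);
    out->dst = ntohl(ip.ip_dst);
    out->sport = ntohs(udp.uh_sport);
    out->dport = ntohs(udp.uh_dport);
    out->payload_len = udp_len - sizeof udp;
    return DEC_OK;
}

/* Constructed 44-byte frame: Ethernet, IPv4 10.0.0.1 -> 10.0.0.2 (DF set,
 * header checksum 0x26cc), UDP 12345 -> 53 with the 2-byte payload "hi". */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1e, 0x00,0x01,0x40,0x00, 0x40,0x11,0x26,0xcc,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x0a,0x00,0x00, 'h','i'
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    struct decoded d;
    int rc = parse_frame(sample_frame, sample_frame_len, &d);
    if (rc == DEC_OK)
        printf("UDP %u -> %u, %zu payload bytes\n", d.sport, d.dport, d.payload_len);
    /* The same frame captured with a 30-byte snaplen is rejected, not over-read. */
    printf("truncated copy: %d\n", parse_frame(sample_frame, 30, &d));
    return rc != DEC_OK;
}
```

The error codes are deliberately distinct so a capture tool can count truncated, non-UDP and malformed frames separately; a rise in DEC_BAD_LENGTH or DEC_BAD_CHECKSUM on a link is itself worth alerting on.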

  7. Initializing a session (1)
     • Choosing the interface
         dev = pcap_lookupdev(errbuf)
     • Getting the network configuration
         result = pcap_lookupnet(dev, &net, &mask, errbuf)
     • Opening the session
         handle = pcap_open_live(dev, snaplen, promisc, timeout, errbuf)

  8. Initializing a session (2)
     • Compiling the filter...
         result = pcap_compile(handle, &filter, filter_exp, optimize, net)
     • ...and applying it
         result = pcap_setfilter(handle, &filter)
     • Preparing the capture file
         dumper = pcap_dump_open(handle, filename)

  9. Capture
     • result = pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
       result:
         -2: interrupted by pcap_breakloop()
         -1: error!
          0: stopped because cnt packets have been "sniffed"
     • Alternatively:
         pcap_next(): "sniffs" a single packet
         pcap_dispatch(): "sniffs" a single 'burst' of packets

  10. pcap_handler callback
     • void packet_handler(u_char *user, const struct pcap_pkthdr *header, const u_char *packet)
       Writing a packet:
         void pcap_dump(u_char *user, const struct pcap_pkthdr *header, const u_char *packet)
       Stopping the capture loop:
         void pcap_breakloop(pcap_t *)

  11. Closing the session
     • Getting the session statistics
         pcap_stats(handle, &stats)      // struct pcap_stat stats
     • Closing the capture session
         pcap_close(handle)
     • Flushing the data and closing the dump file
         pcap_dump_flush(dumper)
         pcap_dump_close(dumper)
