Homework Assignment #1: Packet Capture and Analysis
• Many tools and libraries exist for packet capture and analysis
  – sniffers, pcap, …
• In this homework, however, you are required to use the operating system services directly
  – Use the ioctl function to change a NIC's flags
    • so that the NIC captures all packets passing it (promiscuous mode), not only those addressed to it
  – Use a raw socket to obtain the layer 2 and layer 3 information of every frame
  – Analyze all captured packets
• Environment
  – Linux
About ioctl
• A system call a process uses to access features of a device that are not covered by the standard system calls such as read and write
• Prototype (glibc): int ioctl(int fd, unsigned long request, ...);
  – The third argument is a pointer whose type depends on the request (struct ifreq * or struct ifconf * for the interface requests below); older texts write it as char *argp
• Interface requests (SIOC* constants come in through <sys/ioctl.h>; struct ifreq and struct ifconf are declared in <net/if.h>):
  Command         Third argument     Description
  SIOCGIFCONF     struct ifconf *    Retrieve the list of interface configurations
  SIOCGIFFLAGS    struct ifreq *     Get interface flags
  SIOCGIFMETRIC   struct ifreq *     Get interface metric
  SIOCSIFFLAGS    struct ifreq *     Set interface flags
  SIOCSIFMETRIC   struct ifreq *     Set interface metric
Flowchart
Start → Setup interface → Establish socket → Get interface flags

• Setup interface
  struct ifreq ethreq;   /* struct ifreq is declared in <net/if.h> */
  char interface[16];    /* IFNAMSIZ (16) bytes, including the terminating NUL */
  memset(interface, 0x00, sizeof(interface));
  strcpy(interface, "eth0");   /* a string literal needs double quotes; 'eth0' is not valid C */
  strncpy(ethreq.ifr_name, interface, sizeof(ethreq.ifr_name));
  /* interface[] is zero-filled and holds at most 15 characters, so ifr_name stays NUL-terminated */

• Establish socket
  Header: #include <sys/types.h>
          #include <sys/socket.h>
  Define: int socket(int domain, int type, int protocol)
  You need to open a raw socket to get the L2 and L3 information.

• Get interface flags
  Header: #include <sys/ioctl.h>
  Define: int ioctl(int fd, unsigned long com, char *argp)
  Use the SIOCGIFFLAGS command to get the original flags (keep them so you can restore the NIC when you finish).
Flowchart (cont.)
Set promiscuous mode → Receive packets → Analyzing & Filtering → Loop receive

• Set promiscuous mode
  Defined in the header file if.h:
  #define IFF_PROMISC 0x100   /* receive all packets */
  You need to set the IFF_PROMISC bit in the NIC's flags: OR it into the flags obtained with SIOCGIFFLAGS and write them back with SIOCSIFFLAGS (do not overwrite the other flags such as IFF_UP).

• Receive packets
  Read whole frames from the raw socket.

• Analyzing & Filtering
  Classify each captured frame by its layer 2/3 protocol:
    IP, ARP, …, Others
  and each IP packet further by its layer 4 protocol:
    TCP, UDP, ICMP, …

• Loop receive
  Repeat until the requested number of packets has been captured.
Data Structure
• Use the structures the Linux headers already define (include the header; do not redefine them):
  – #include <linux/if_ether.h>   /* for the Ethernet header */
    struct ethhdr {
        unsigned char h_dest[ETH_ALEN];     /* destination MAC, 6 bytes */
        unsigned char h_source[ETH_ALEN];   /* source MAC, 6 bytes */
        __be16        h_proto;              /* EtherType (ETH_P_IP, ETH_P_ARP, ...), network byte order: use ntohs() */
    } __attribute__((packed));
  – #include <linux/ip.h>   /* for the IP header */
    struct iphdr {
    #if defined(__LITTLE_ENDIAN_BITFIELD)
        __u8    ihl:4,        /* header length in 32-bit words: 5 = 20 bytes, more if options are present */
                version:4;
    #elif defined(__BIG_ENDIAN_BITFIELD)
        __u8    version:4,
                ihl:4;
    #endif
        __u8    tos;
        __be16  tot_len;      /* total length, network byte order */
        __be16  id;
        __be16  frag_off;     /* flags and fragment offset */
        __u8    ttl;
        __u8    protocol;     /* IPPROTO_TCP (6), IPPROTO_UDP (17), IPPROTO_ICMP (1), IPPROTO_IGMP (2) */
        __be16  check;
        __be32  saddr;        /* source IP, network byte order: use inet_ntop() */
        __be32  daddr;        /* destination IP */
    };
  – Note the bit-field order: on little-endian x86 the first 4 bits are ihl, then version. A struct that lists version first would read the two fields swapped.
  – Use ihl * 4, not a fixed 20, as the offset of the TCP/UDP header; the TCP and UDP headers are struct tcphdr (<linux/tcp.h>) and struct udphdr (<linux/udp.h>), with the ports in network byte order.
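A parser built on these structures, added here as an example (not code from the original slides): it walks a captured Ethernet frame with bounds checks, honours ihl and network byte order, extracts the fields the -v output prints, and feeds the per-protocol counters used by the statistics summary. The 54-byte frame is constructed for this example (an Ethernet/IPv4/TCP SYN with the addresses from the -v slide; checksums are left zero and are not validated); the struct names pkt_info and stats are assumptions.

```c
/* Added example: parse Ethernet/IP/TCP/UDP headers from a raw frame and tally
 * protocol statistics. Not from the original slides; sample frame constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>        /* ntohs, inet_ntop, IPPROTO_* */
#include <linux/if_ether.h>   /* struct ethhdr, ETH_P_IP, ETH_P_ARP, ETH_P_RARP */
#include <linux/ip.h>         /* struct iphdr */
#include <linux/tcp.h>        /* struct tcphdr */
#include <linux/udp.h>        /* struct udphdr */

struct pkt_info {
    char src_mac[18], dst_mac[18];                        /* "xx:xx:xx:xx:xx:xx" */
    uint16_t ethertype;                                   /* host order */
    uint8_t  ip_proto;                                    /* 0 if not IPv4 */
    char src_ip[INET_ADDRSTRLEN], dst_ip[INET_ADDRSTRLEN];
    uint16_t sport, dport;                                /* host order, 0 if not TCP/UDP */
};

struct stats { unsigned ip, arp, rarp, tcp, udp, icmp, igmp, other; };

static void fmt_mac(char *out, const unsigned char *m)
{
    snprintf(out, 18, "%02X:%02X:%02X:%02X:%02X:%02X", m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Returns 0 on success, -1 if the frame is shorter than the headers it claims. */
int parse_frame(const unsigned char *buf, size_t len, struct pkt_info *pi)
{
    memset(pi, 0, sizeof(*pi));
    if (len < sizeof(struct ethhdr))
        return -1;
    const struct ethhdr *eth = (const struct ethhdr *)buf;
    fmt_mac(pi->src_mac, eth->h_source);
    fmt_mac(pi->dst_mac, eth->h_dest);
    pi->ethertype = ntohs(eth->h_proto);
    if (pi->ethertype != ETH_P_IP)
        return 0;                              /* ARP/RARP/other: L2 information only */

    const struct iphdr *ip = (const struct iphdr *)(buf + sizeof(struct ethhdr));
    if (len < sizeof(struct ethhdr) + sizeof(struct iphdr) || ip->version != 4)
        return -1;
    size_t ihl = ip->ihl * 4u;                 /* > 20 when IP options are present */
    if (ihl < sizeof(struct iphdr) || len < sizeof(struct ethhdr) + ihl)
        return -1;
    pi->ip_proto = ip->protocol;
    inet_ntop(AF_INET, &ip->saddr, pi->src_ip, sizeof(pi->src_ip));
    inet_ntop(AF_INET, &ip->daddr, pi->dst_ip, sizeof(pi->dst_ip));

    const unsigned char *l4 = buf + sizeof(struct ethhdr) + ihl;
    size_t l4len = len - sizeof(struct ethhdr) - ihl;
    if (ip->protocol == IPPROTO_TCP && l4len >= sizeof(struct tcphdr)) {
        const struct tcphdr *t = (const struct tcphdr *)l4;
        pi->sport = ntohs(t->source);
        pi->dport = ntohs(t->dest);
    } else if (ip->protocol == IPPROTO_UDP && l4len >= sizeof(struct udphdr)) {
        const struct udphdr *u = (const struct udphdr *)l4;
        pi->sport = ntohs(u->source);
        pi->dport = ntohs(u->dest);
    }
    return 0;
}

/* Counters for the default (no -v) statistics summary. */
void tally(struct stats *s, const struct pkt_info *pi)
{
    switch (pi->ethertype) {
    case ETH_P_ARP:  s->arp++;   return;
    case ETH_P_RARP: s->rarp++;  return;
    case ETH_P_IP:   s->ip++;    break;
    default:         s->other++; return;
    }
    switch (pi->ip_proto) {
    case IPPROTO_TCP:  s->tcp++;  break;
    case IPPROTO_UDP:  s->udp++;  break;
    case IPPROTO_ICMP: s->icmp++; break;
    case IPPROTO_IGMP: s->igmp++; break;
    }
}

/* Constructed sample: Ethernet + IPv4 (ihl=5, TCP) + TCP SYN 2345 -> 64, checksums zero. */
const unsigned char sample_frame[54] = {
    0x00,0xE0,0x18,0xED,0xD7,0x13, 0x00,0x0E,0x6A,0xD3,0xB3,0x1E, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xDC,0x82,0xD0,0x7F, 0xDC,0x82,0xD0,0x81,
    0x09,0x29,0x00,0x40, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00
};

const char *proto_name(uint8_t p)
{
    return p == IPPROTO_TCP ? "TCP" : p == IPPROTO_UDP ? "UDP" :
           p == IPPROTO_ICMP ? "ICMP" : p == IPPROTO_IGMP ? "IGMP" : "other";
}

int main(void)
{
    struct pkt_info pi;
    struct stats st = {0};
    if (parse_frame(sample_frame, sizeof(sample_frame), &pi) < 0)
        return 1;
    tally(&st, &pi);
    /* Same layout as the -v output on the slides. */
    printf("Source MAC address: %s\nDestination MAC address: %s\n", pi.src_mac, pi.dst_mac);
    printf("IP->protocol = %s\nIP->src_ip = %s\nIP->dst_ip = %s\n", proto_name(pi.ip_proto), pi.src_ip, pi.dst_ip);
    printf("Src_port = %u\nDst_port = %u\n", pi.sport, pi.dport);
    printf("IP:%u TCP:%u\n", st.ip, st.tcp);
    return 0;
}
```

The length checks before every header cast are the part students most often skip; a frame truncated by the NIC, or a crafted one claiming ihl=15 with only 20 bytes present, would otherwise make the analyzer read past the buffer.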
RAW Socket
• A raw socket lets you send and receive packets of whatever protocol you need, below the kernel's TCP/UDP processing
• Advantages:
  – The packets you receive through a raw socket are delivered unmodified, headers included
• Constraints:
  – No port numbers: the kernel forwards a raw packet to every raw socket whose protocol matches, not to a single port-bound socket
  – In Linux, raw sockets can only be opened by root (more precisely, by a process holding the CAP_NET_RAW capability)
Executable Command
• Format: capture [options] [filter]
• Default: no options and no filter
  – Capture 100 packets and print out a summary of the packets
  # capture
  ------statistics-----
  IP   :75
  ARP  :3
  RARP :3
  TCP  :6
  UDP  :60
  ICMP :0
  IGMP :0
  -----finish-----
Option
• -n <maxcount>
  – The number of packets to be captured
• -v
  – Print out the information for each captured packet
  – Format:
    Source MAC address: 00:0E:6A:D3:B3:1E
    Destination MAC address: 00:E0:18:ED:D7:13
    IP->protocol = TCP
    IP->src_ip = 220.130.208.127
    IP->dst_ip = 220.130.208.129
    Src_port = 2345
    Dst_port = 64
Filter
• srcmac <MAC_ADDR>
– Specify the source MAC address
• destmac <MAC_ADDR>
– Specify the destination MAC address
• srcip <IP_ADDR>
– Specify the source IP address
• destip <IP_ADDR>
– Specify the destination IP address
• srcport <PORT_NUM>
– Specify the source port number
• destport <PORT_NUM>
– Specify the destination port number
• tcp
– Specify the layer 4 protocol as TCP
• udp
– Specify the layer 4 protocol as UDP
Filter (cont.)
• Example 1
  – Find 10 UDP packets destined to your host and print out the information of each packet (use the -v option)
  • # capture -n 10 -v udp destip 140.120.15.1
• Example 2
  – Find 10 TCP packets with source IP = 140.120.15.1 and destination MAC address = 4578CD4E and print out the information of each packet (use the -v option)
  • # capture -n 10 -v tcp srcip 140.120.15.1 destmac 4578CD4E
Turn In
1. Source code
2. Execution result (screenshot)
Turn In (cont.)
• Deadline
– 23:59, April 21, 2005
• Ftp
– IP:140.120.15.125
– Username/Password: comm93/comm93
• Filename
  – HW1_ID.doc
    e.g. HW1_79356001.doc
• If you want to submit an updated version
  – HW1_ID_new1.doc, HW1_ID_new2.doc, etc.
Turn In (cont.)
• No late work is accepted
  – You get zero if you miss the due date
• No cheating is accepted
  – You get zero if you copy someone else's work
Reference
• Gary R. Wright and W. Richard Stevens, TCP/IP Illustrated, Volume 2, Addison-Wesley
• Linux C/C++ 網路程式設計 (Linux C/C++ Network Programming), 金禾
• Linux C 函式庫參考手冊 (Linux C Library Reference Manual), 旗標
• Linux Socket Programming, 碁峰