Hijacking/stealing packets

eddchr · 10-06-2008, 05:07 AM

According to a document at linuxjournal (see below) it should be possible to receive packets at a very low level.

Quote:

"In recent versions of the Linux kernel (post-2.0 releases) a new protocol family has been introduced, named PF_PACKET. This family allows an application to send and receive packets dealing directly with the network card driver, thus avoiding the usual protocol stack-handling (e.g., IP/TCP or IP/UDP processing). That is, any packet sent through the socket will be directly passed to the Ethernet interface, and any packet received through the interface will be directly passed to the application." http://www.linuxjournal.com/article/4659

Our question is now if it could be possible to hijack the packets that matches our filter. The packets should NOT be processed further by the stack in Linux.

Possible?

David1357 · 10-06-2008, 08:23 AM

Quote:

Originally Posted by eddchr

Our question is now, is it possible to hijack the packets that matches our filter. The packets should NOT be processed further by the stack in Linux.

Yes, it is possible.

eddchr · 10-06-2008, 02:04 PM

Quote:

Originally Posted by David1357

Yes, it is possible.

Great! Any hint/idea on how to do this, without modifying the kernel?

David1357 · 10-06-2008, 02:44 PM

Quote:

Originally Posted by eddchr

Great! Any hint/idea on how to do this, without modifying the kernel?

You really need to get a copy of "Understanding Linux Network Internals". It will explain what you need to do.

Your other option is to look at the code for tcpdump or wireshark, and the corresponding code in the Linux network stack.

eddchr · 10-06-2008, 03:13 PM

Quote:

Originally Posted by David1357

You really need to get a copy of "Understanding Linux Network Internals". It will explain what you need to do.

Your other option is to look at the code for tcpdump or wireshark, and the corresponding code in the Linux network stack.

Ok, does that mean that tcpdump/wireshark has such functionality ?

Either way, we'll look in to that tomorrow. Thank you for the sources!

Hok · 10-08-2008, 01:32 AM

Quote:

Our question is now if it could be possible to hijack the packets that matches our filter. The packets should NOT be processed further by the stack in Linux.

I think the key issue there is the last bit, not being processed further by the stack. You can use PF_PACKET to read inbound packets as they fly by, and inject packets for output, (see the pcap(3) man page), but as far as I know there is no mechanism within that protocol to halt further processing of inbound packets. You're getting a copy of the data, rather than the one and only instance.

If you want complete control, I think what you'll need to look at instead is the iptables NFQUEUE target. This causes matching packets to be sent to a userspace daemon, which can then do whatever it wants and send back a DROP. Alternatively, I think if you have no daemon registered, the packet will just vanish into the void, but you should test that.