LinuxQuestions.org

Programming forum thread: http://www.linuxquestions.org/questions/programming-9/drop-packets-not-iptables-in-c-c-809806/

IdealVithVodka 05-24-2010 11:25 AM

drop packets (not iptables) in C / C++
 
Hi,


I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out, let's say, 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program? I have found a library called ipq but apparently it doesn't work with kernel 2.6.x anymore.


Any suggestions / ideas / examples are more than welcome


--regards
IdealVithVodka

Sergei Steshenko 05-24-2010 12:15 PM

Quote:

Originally Posted by IdealVithVodka (Post 3979519)
Hi,


I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out, let's say, 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program? I have found a library called ipq but apparently it doesn't work with kernel 2.6.x anymore.


Any suggestions / ideas / examples are more than welcome


--regards
IdealVithVodka

Maybe http://www.tcpdump.org/ -> libpcap ?

IdealVithVodka 05-24-2010 02:39 PM

Quote:

Originally Posted by Sergei Steshenko (Post 3979572)
Maybe http://www.tcpdump.org/ -> libpcap ?

I'm using that as a part of my application. But libpcap can only sniff packets and has no capabilities to actually drop a packet. Unless I'm wrong on this (which could also be the case), but as far as I know it can't drop any packets at all. I have found a question at the jpcap website (Java wrapper for libpcap):


"Q: Can I block or modify the packets instead of just capturing them?

No. Jpcap only allows you to capture packets. In other words, the packets you captured by Jpcap are also transmitted to the destination hosts, and Jpcap cannot interfere with the transmission."

exvor 05-24-2010 10:58 PM

This may not be possible to do since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel level stuff. You may wanna investigate if it's possible to redirect a packet using the netfilter interface.

IdealVithVodka 05-25-2010 08:21 AM

Quote:

Originally Posted by exvor (Post 3980113)
This may not be possible to do since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel level stuff. You may wanna investigate if it's possible to redirect a packet using the netfilter interface.

Hmmmmm... I have found out that you can use netfilter_queue for this as it works at user space. But still, I couldn't find anything that could show how to use it - unless I'm looking in the wrong places. On the website it says that you can use nfqueue to queue the packets and then process them - but still I'm unable to find any examples or documentation..... Any ideas?

orgcandman 05-25-2010 08:49 AM

http://gicl.cs.drexel.edu/people/tjk...lterQueueNotes

shows how to use a software program with nfqueue.

Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that nfqueue interface is NOT zero copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.

theNbomr 05-25-2010 10:46 AM

iptables is probably written in C, and the source code should be available. The same mechanisms used by iptables should work for your application(s).
--- rod.

IdealVithVodka 05-25-2010 07:03 PM

Quote:

Originally Posted by orgcandman (Post 3980552)

Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that nfqueue interface is NOT zero copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.

Thank you for the reply and the link - will have a look more into detail after my exam.

Well, I'm working on a uni project. It should be an application that could work in a computer that has for example 3 network cards:

eth0 : 192.168.1.1
eth1 : 192.168.1.2
eth2 : 192.168.1.3

All of them have a connected host to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in - check if they comply with the standard and if they do then let them through, if not then just DROP the packet. Sounds logical?

orgcandman 05-25-2010 07:36 PM

Quote:

Originally Posted by IdealVithVodka (Post 3981172)
Thank you for the reply and the link - will have a look more into detail after my exam.

Well, I'm working on a uni project. It should be an application that could work in a computer that has for example 3 network cards:

eth0 : 192.168.1.1
eth1 : 192.168.1.2
eth2 : 192.168.1.3

All of them have a connected host to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in - check if they comply with the standard and if they do then let them through, if not then just DROP the packet. Sounds logical?

Logical? Only if you're worried about ARP processing code being vulnerable to malformed packets. In your case, you're wanting to know about unwarranted gratuitous ARP updates. There exists a tool called arpwatch which can report when ARP entries change. This can be useful for detecting an attack. You can use the email output from that to have a fake-o sendmail account to revert the ARP entry, or reset all the associated connections.

Alternatively, you can "prove" a protection from this type of arp attack by using iptables to block ALL arp messages, and statically enter arp entries with infinite lifetime on all the hosts (this is useful for a small number .. up to 3 .. of hosts). Then when your attacker tries to poison the arp cache, you can observe whether or not your system properly disregards and keeps on communicating as expected. Just a little fun experiment.

IdealVithVodka 05-25-2010 10:52 PM

@orgcandman:


I'm familiar with arpwatch but it just reports about the actual attack - it can't protect against its effects. Also blocking ARP traffic ain't a solution to my problem, as then I need to enter static entries on all of the 3 machines. That is why I need to control the packets with a program of my own (I know iptables can block traffic but it's about not using iptables) that can have a look at the ARP packet. If it is malicious then my program will drop it, otherwise it will allow it to be processed further by the main host kernel. Also I've been working on some techniques for detecting hosts with NICs in promisc mode. Very interesting field that seems to be forgotten by people.
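The inspect-and-verdict logic described in the last two posts, as an added example written for this thread (not code from the poster or from any project): it parses one Ethernet/ARP frame, applies the RFC 826 sanity checks and the spoofing checks a defender cares about (ARP sender MAC must equal the frame source MAC, a known IP may only be advertised with its recorded MAC), and returns a verdict whose values mirror NF_DROP/NF_ACCEPT so the result could be handed to nfq_set_verdict() in a libnetfilter_queue callback. The host table and MAC addresses are constructed for the example, and how the frame bytes reach the function (which hook or queue) is assumed to be handled by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Verdicts match NF_DROP (0) / NF_ACCEPT (1) from <linux/netfilter.h>, so the
 * result can go straight to nfq_set_verdict() in an NFQUEUE callback. */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };
/* Constructed table of the three attached hosts (IPs and MACs invented for
 * this example; the thread lists only the local NIC addresses). */
struct binding { uint32_t ip; uint8_t mac[6]; };
static const struct binding known_hosts[] = {
    { 0xC0A8010A, {0x02,0x00,0x00,0x00,0x00,0x0A} },   /* 192.168.1.10 */
    { 0xC0A8010B, {0x02,0x00,0x00,0x00,0x00,0x0B} },   /* 192.168.1.11 */
    { 0xC0A8010C, {0x02,0x00,0x00,0x00,0x00,0x0C} },   /* 192.168.1.12 */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
/* Inspect one Ethernet/ARP frame (14-byte Ethernet header + 28-byte RFC 826
 * Ethernet/IPv4 ARP header) and return a verdict. */
int arp_verdict(const uint8_t *frame, size_t len)
{
    if (len < 42 || be16(frame + 12) != 0x0806) return VERDICT_DROP;   /* short / not ARP */
    const uint8_t *arp = frame + 14;
    if (be16(arp) != 1 || be16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4)
        return VERDICT_DROP;                       /* not Ethernet/IPv4 ARP */
    uint16_t op = be16(arp + 6);
    if (op != 1 && op != 2) return VERDICT_DROP;   /* only request / reply */
    const uint8_t *sha = arp + 8;                  /* sender hardware address */
    uint32_t spa = be32(arp + 14);                 /* sender protocol address */
    if (memcmp(sha, frame + 6, 6) != 0) return VERDICT_DROP;  /* ARP sender MAC != frame src MAC */
    if (sha[0] & 1) return VERDICT_DROP;           /* multicast/broadcast sender MAC */
    for (size_t i = 0; i < sizeof known_hosts / sizeof known_hosts[0]; i++)   /* closed segment */
        if (known_hosts[i].ip == spa)              /* known IP must carry its recorded MAC */
            return memcmp(known_hosts[i].mac, sha, 6) == 0 ? VERDICT_ACCEPT : VERDICT_DROP;
    return VERDICT_DROP;                           /* unknown sender on a closed segment */
}
/* Build a 42-byte Ethernet/ARP frame; constructs sample traffic for offline tests. */
size_t make_arp_frame(uint8_t *buf, const uint8_t *eth_src, uint16_t op,
                      const uint8_t *sha, uint32_t spa)
{
    memset(buf, 0, 42);
    memset(buf, 0xFF, 6);                          /* destination: broadcast */
    memcpy(buf + 6, eth_src, 6);
    buf[12] = 0x08; buf[13] = 0x06;                /* EtherType = ARP */
    buf[15] = 1; buf[16] = 0x08; buf[18] = 6; buf[19] = 4;   /* htype, ptype, hlen, plen */
    buf[20] = (uint8_t)(op >> 8); buf[21] = (uint8_t)op;
    memcpy(buf + 22, sha, 6);
    for (int i = 0; i < 4; i++) buf[28 + i] = (uint8_t)(spa >> (24 - 8 * i));
    return 42;
}
```

Unknown sender IPs are dropped here because the segment in the thread has exactly three known peers; on a segment with dynamic hosts that branch would instead consult a learned table.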

IdealVithVodka 05-30-2010 06:37 PM

If anyone is interested in promisc detection I have made a demonstration video.

http://www.youtube.com/watch?v=jlcqDCHDWYA

