05-24-2010, 10:25 AM  #1
Member | Registered: Apr 2010 | Posts: 32
drop packets (not iptables) in C / C++
Hi,
I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and, for example, investigate all of the packets (maybe keep some in a buffer and drop them in the kernel so I could send them out, let's say, 10 minutes later), but from a C / C++ program perspective / level. I know it can be done via iptables, but isn't there a way to do it from a program? I have found a library called ipq, but apparently it doesn't work with kernel 2.6.x anymore.
Any suggestions / ideas / examples are more than welcome.
--regards
IdealVithVodka
05-24-2010, 11:15 AM  #2
Senior Member | Registered: May 2005 | Posts: 4,394
Quote:
Originally Posted by IdealVithVodka
Hi,
I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and, for example, investigate all of the packets (maybe keep some in a buffer and drop them in the kernel so I could send them out, let's say, 10 minutes later), but from a C / C++ program perspective / level. I know it can be done via iptables, but isn't there a way to do it from a program? I have found a library called ipq, but apparently it doesn't work with kernel 2.6.x anymore.
Any suggestions / ideas / examples are more than welcome.
--regards
IdealVithVodka
Maybe http://www.tcpdump.org/ -> libpcap ?
05-24-2010, 01:39 PM  #3
Member (Original Poster) | Registered: Apr 2010 | Posts: 32
Quote:
Originally Posted by Sergei Steshenko
I'm using that as a part of my application. But libpcap can only sniff packets and has no capability to actually drop a packet. Unless I'm wrong on this (which could also be the case), but as far as I know it can't drop any packets at all. I have found a question on the jpcap website (Java wrapper for libpcap):
"Q: Can I block or modify the packets instead of just capturing them?
No. Jpcap only allows you to capture packets. In other words, the packets you captured by Jpcap are also transmitted to the destination hosts, and Jpcap cannot interfere with the transmission."
05-24-2010, 09:58 PM  #4
Senior Member | Registered: Jul 2004 | Location: Phoenix, Arizona | Distribution: LFS-Version SVN-20091202, Arch 2009.08 | Posts: 1,466
This may not be possible to do, since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel level stuff. You may wanna investigate if it's possible to redirect a packet using the netfilter interface.
05-25-2010, 07:21 AM  #5
Member (Original Poster) | Registered: Apr 2010 | Posts: 32
Quote:
Originally Posted by exvor
This may not be possible to do, since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel level stuff. You may wanna investigate if it's possible to redirect a packet using the netfilter interface.
Hmmmmm... I have found out that you can use netfilter_queue for this, as it works in user space. But still, I couldn't find anything that could show how to use it - unless I'm looking in the wrong places. On the website it says that you can use nfqueue to queue the packets and then process them - but still I'm unable to find any examples or documentation... Any ideas?
05-25-2010, 07:49 AM  #6
Member | Registered: May 2002 | Location: dracut MA | Distribution: Ubuntu; PNE-LE; LFS (no book) | Posts: 593
http://gicl.cs.drexel.edu/people/tjk...lterQueueNotes
shows how to use a software program with nfqueue.
Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that the nfqueue interface is NOT zero copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.
05-25-2010, 09:46 AM  #7
LQ 5k Club | Registered: Aug 2005 | Distribution: OpenSuse, Fedora, Redhat, Debian | Posts: 5,265
iptables is probably written in C, and the source code should be available. The same mechanisms used by iptables should work for your application(s).
--- rod.
05-25-2010, 06:03 PM  #8
Member (Original Poster) | Registered: Apr 2010 | Posts: 32
Quote:
Originally Posted by orgcandman
Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that the nfqueue interface is NOT zero copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.
Thank you for the reply and the link - I will have a more detailed look after my exam.
Well, I'm working on a uni project. It should be an application that could work on a computer that has, for example, 3 network cards:
eth0 : 192.168.1.1
eth1 : 192.168.1.2
eth2 : 192.168.1.3
All of them have a host connected to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in - check if they comply with the standard, and if they do then let them through; if not, then just DROP the packet. Sounds logical?
Last edited by IdealVithVodka; 05-25-2010 at 06:12 PM.
05-25-2010, 06:36 PM  #9
Member | Registered: May 2002 | Location: dracut MA | Distribution: Ubuntu; PNE-LE; LFS (no book) | Posts: 593
Quote:
Originally Posted by IdealVithVodka
Thank you for the reply and the link - I will have a more detailed look after my exam.
Well, I'm working on a uni project. It should be an application that could work on a computer that has, for example, 3 network cards:
eth0 : 192.168.1.1
eth1 : 192.168.1.2
eth2 : 192.168.1.3
All of them have a host connected to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in - check if they comply with the standard, and if they do then let them through; if not, then just DROP the packet. Sounds logical?
Logical? Only if you're worried about ARP processing code being vulnerable to malformed packets. In your case, you're wanting to know about unwarranted gratuitous ARP updates. There exists a tool called arpwatch which can report when ARP entries change. This can be useful for detecting an attack. You can use the email output from that to have a fake-o sendmail account revert the ARP entry, or reset all the associated connections.
Alternatively, you can "prove" a protection from this type of ARP attack by using iptables to block ALL ARP messages, and statically enter ARP entries with infinite lifetime on all the hosts (this is useful for a small number .. up to 3 .. of hosts). Then when your attacker tries to poison the ARP cache, you can observe whether or not your system properly disregards it and keeps on communicating as expected. Just a little fun experiment.
05-25-2010, 09:52 PM  #10
Member (Original Poster) | Registered: Apr 2010 | Posts: 32
@orgcandman:
I'm familiar with arpwatch, but it just reports the actual attack - it can't protect against its effects. Also, blocking ARP traffic ain't a solution to my problem, as then I need to enter static entries on all of the 3 machines. That is why I need to control the packets with a program of my own (I know iptables can block traffic, but it's about not using iptables) that can have a look at the ARP packet. If it is malicious then my program will drop it; otherwise it will allow it to be processed further by the main host kernel. Also I've been working on some techniques for detecting hosts with NICs in promisc mode. Very interesting field that seems to be forgotten by people.