LinuxQuestions.org
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Old 05-24-2010, 10:25 AM   #1
IdealVithVodka
Member
 
Registered: Apr 2010
Posts: 32

Rep: Reputation: 15
drop packets (not iptables) in C / C++


Hi,


I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out let's say 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program ?? I have found a library called ipq but apparently it doesn't work with kernel 2.6.x anymore.


Any suggestions / ideas / examples are more than welcome


--regards
IdealVithVodka
 
Old 05-24-2010, 11:15 AM   #2
Sergei Steshenko
Senior Member
 
Registered: May 2005
Posts: 4,481

Rep: Reputation: 453
Quote:
Originally Posted by IdealVithVodka View Post
Hi,


I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out let's say 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program ?? I have found a library called ipq but apparently it doesn't work with kernel 2.6.x anymore.


Any suggestions / ideas / examples are more than welcome


--regards
IdealVithVodka
Maybe http://www.tcpdump.org/ -> libpcap ?
 
Old 05-24-2010, 01:39 PM   #3
IdealVithVodka
Member
 
Registered: Apr 2010
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Sergei Steshenko View Post
Maybe http://www.tcpdump.org/ -> libpcap ?
I'm using that as a part of my application. But libpcap can only sniff packets and has no capabilities to actually drop a packet. Unless I'm wrong on this (which could also be the case), but as far as I know it can't drop any packets at all. I have found a question on the jpcap website (java wrapper for libpcap) :


"Q: Can I block or modify the packets instead of just capturing them?

No. Jpcap only allows you to capture packets. In other words, the packets you captured by Jpcap are also transmitted to the destination hosts, and Jpcap cannot interfere with the transmission."
 
Old 05-24-2010, 09:58 PM   #4
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,485

Rep: Reputation: 66
This may not be possible to do since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel level stuff. You may want to investigate if it's possible to redirect a packet using the netfilter interface.
 
Old 05-25-2010, 07:21 AM   #5
IdealVithVodka
Member
 
Registered: Apr 2010
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by exvor View Post
This may not be possible to do since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel level stuff. You may want to investigate if it's possible to redirect a packet using the netfilter interface.
Hmmmmm... I have found out that you can use netfilter_queue for this as it works in user space. But still, I couldn't find anything that could show how to use it - unless I'm looking in the wrong places. On the website it says that you can use nfqueue to queue the packets and then process them - but still I'm unable to find any examples or documentation... Any ideas ?
 
Old 05-25-2010, 07:49 AM   #6
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Rep: Reputation: 102
http://gicl.cs.drexel.edu/people/tjk...lterQueueNotes

shows how to use a software program with nfqueue.

Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that nfqueue interface is NOT zero copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.
 
Old 05-25-2010, 09:46 AM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,395
Blog Entries: 2

Rep: Reputation: 903
iptables is probably written in C, and the source code should be available. The same mechanisms used by iptables should work for your application(s).
--- rod.
 
Old 05-25-2010, 06:03 PM   #8
IdealVithVodka
Member
 
Registered: Apr 2010
Posts: 32

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by orgcandman View Post

Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that nfqueue interface is NOT zero copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.
Thank you for the reply and the link - will have a look more into detail after my exam.

Well, I'm working on a uni project. It should be an application that could work on a computer that has for example 3 network cards :

eth0 : 192.168.1.1
eth1 : 192.168.1.2
eth2 : 192.168.1.3

All of them have a host connected to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in - check if they comply with the standard and if they do then let them through, if not then just DROP the packet. Sounds logical ??

Last edited by IdealVithVodka; 05-25-2010 at 06:12 PM.
 
Old 05-25-2010, 06:36 PM   #9
orgcandman
Member
 
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 594

Rep: Reputation: 102
Quote:
Originally Posted by IdealVithVodka View Post
Thank you for the reply and the link - will have a look more into detail after my exam.

Well, I'm working on a uni project. It should be an application that could work on a computer that has for example 3 network cards :

eth0 : 192.168.1.1
eth1 : 192.168.1.2
eth2 : 192.168.1.3

All of them have a host connected to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in - check if they comply with the standard and if they do then let them through, if not then just DROP the packet. Sounds logical ??
Logical? Only if you're worried about arp processing code being vulnerable to malformed packets. In your case, you're wanting to know about unwarranted gratuitous arp updates. There exists a tool called arpwatch which can report when arp entries change. This can be useful for detecting an attack. You can use the email output from that to have a fake-o sendmail account to revert the arp entry, or reset all the associated connections.

Alternatively, you can "prove" a protection from this type of arp attack by using iptables to block ALL arp messages, and statically enter arp entries with infinite lifetime on all the hosts (this is useful for a small number .. up to 3 .. of hosts). Then when your attacker tries to poison the arp cache, you can observe whether or not your system properly disregards and keeps on communicating as expected. Just a little fun experiment.
 
Old 05-25-2010, 09:52 PM   #10
IdealVithVodka
Member
 
Registered: Apr 2010
Posts: 32

Original Poster
Rep: Reputation: 15
@orgcandman :


I'm familiar with arpwatch but it just reports about the actual attack - it can't protect against its effects. Also blocking arp traffic ain't a solution to my problem, as then I need to enter static entries on all of the 3 machines. Hence that is why I need to control the packets with a program of my own (I know iptables can block traffic but it's about not using iptables) that can have a look at the arp packet. If it is malicious then my program will drop it, otherwise it will allow it to be processed further by the main host kernel. Also I've been working on some techniques for detecting hosts with NICs in promisc mode. Very interesting field that seems to be forgotten by people.
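The decision logic described in posts #8 and #10 (inspect each incoming ARP frame, pass it if it is well-formed and consistent, otherwise drop it), written out as an added example in C. This is not code from the thread or from libnetfilter_queue; it only computes the verdict. It checks RFC 826 field values for Ethernet/IPv4 ARP, requires the ARP sender hardware address to match the Ethernet source address, and, going a step beyond the thread, also enforces a small static IP-to-MAC binding table for the three hosts from post #8 (the MACs are made up), which is the static-entry idea of post #9 applied on the inspecting host only. `known_hosts`, `arp_verdict`, `build_arp` and `sample_verdict` are names chosen for this example. One caveat for the OP's setup: iptables and its NFQUEUE target handle IP packets, while ARP frames go through arptables or the nftables arp family, so feeding this check from a netfilter queue needs a hook in that family, or the frames must be read from a raw AF_PACKET socket (which can observe but not drop them).

```c
/* Added example: ARP frame validation returning a pass/drop verdict.
 * Assumes IPv4 over Ethernet and a constructed static binding table. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN      14      /* dst MAC, src MAC, ethertype */
#define ARP_LEN       28      /* fixed size of an Ethernet/IPv4 ARP body */
#define ETHERTYPE_ARP 0x0806

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Constructed binding table: the addresses from the thread with made-up MACs. */
struct binding { uint8_t ip[4]; uint8_t mac[6]; };
static const struct binding known_hosts[] = {
    { {192, 168, 1, 1}, {0x02, 0x00, 0x00, 0x00, 0x00, 0x01} },
    { {192, 168, 1, 2}, {0x02, 0x00, 0x00, 0x00, 0x00, 0x02} },
    { {192, 168, 1, 3}, {0x02, 0x00, 0x00, 0x00, 0x00, 0x03} },
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* A sender MAC must be neither multicast/broadcast nor all zeros. */
static int is_unicast_mac(const uint8_t *mac)
{
    static const uint8_t zero[6] = {0};
    return (mac[0] & 1) == 0 && memcmp(mac, zero, 6) != 0;
}

/* Returns VERDICT_ACCEPT only for a well-formed ARP request or reply whose
 * sender claims are consistent with the Ethernet header and with known_hosts. */
int arp_verdict(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + ARP_LEN) return VERDICT_DROP;           /* truncated */
    if (be16(frame + 12) != ETHERTYPE_ARP) return VERDICT_DROP;  /* not ARP */
    const uint8_t *arp = frame + ETH_HLEN;
    uint16_t htype = be16(arp), ptype = be16(arp + 2), oper = be16(arp + 6);
    uint8_t hlen = arp[4], plen = arp[5];
    /* RFC 826 values for Ethernet (1) carrying IPv4 (0x0800), 6-byte and 4-byte addresses */
    if (htype != 1 || ptype != 0x0800 || hlen != 6 || plen != 4) return VERDICT_DROP;
    if (oper != 1 && oper != 2) return VERDICT_DROP;             /* request or reply only */
    const uint8_t *sha = arp + 8, *spa = arp + 14;
    /* ARP sender MAC must be a real unicast address and match the frame's source MAC */
    if (!is_unicast_mac(sha) || memcmp(sha, frame + 6, 6) != 0) return VERDICT_DROP;
    /* a known IP may only be claimed by its recorded MAC (static binding check) */
    for (size_t i = 0; i < sizeof known_hosts / sizeof known_hosts[0]; i++)
        if (memcmp(spa, known_hosts[i].ip, 4) == 0 &&
            memcmp(sha, known_hosts[i].mac, 6) != 0)
            return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Builds a constructed Ethernet/ARP frame into buf (42 bytes); returns its length. */
size_t build_arp(uint8_t *buf, const uint8_t *dst, const uint8_t *src, uint16_t oper,
                 const uint8_t *sha, const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa)
{
    memcpy(buf, dst, 6); memcpy(buf + 6, src, 6);
    buf[12] = 0x08; buf[13] = 0x06;
    uint8_t *arp = buf + ETH_HLEN;
    arp[0] = 0; arp[1] = 1; arp[2] = 0x08; arp[3] = 0x00; arp[4] = 6; arp[5] = 4;
    arp[6] = (uint8_t)(oper >> 8); arp[7] = (uint8_t)oper;
    memcpy(arp + 8, sha, 6);  memcpy(arp + 14, spa, 4);
    memcpy(arp + 18, tha, 6); memcpy(arp + 22, tpa, 4);
    return ETH_HLEN + ARP_LEN;
}

/* Constructed sample frames: 0 = honest request from .1; 1 = request whose ARP
 * sender MAC differs from the Ethernet source; 2 = reply claiming .2 from a rogue
 * MAC; 3 = frame truncated inside the ARP body; 4 = gratuitous reply from .3 using
 * its own recorded MAC. Returns the verdict for the chosen sample. */
int sample_verdict(int which)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    static const uint8_t zero6[6] = {0};
    static const uint8_t rogue[6] = {0x02, 0xde, 0xad, 0xbe, 0xef, 0x99};
    const uint8_t *mac1 = known_hosts[0].mac, *mac2 = known_hosts[1].mac, *mac3 = known_hosts[2].mac;
    const uint8_t *ip1 = known_hosts[0].ip, *ip2 = known_hosts[1].ip, *ip3 = known_hosts[2].ip;
    (void)mac2;
    uint8_t buf[64];
    size_t len;
    switch (which) {
    case 0: len = build_arp(buf, bcast, mac1, 1, mac1, ip1, zero6, ip2); break;
    case 1: len = build_arp(buf, bcast, mac1, 1, rogue, ip1, zero6, ip2); break;
    case 2: len = build_arp(buf, mac1, rogue, 2, rogue, ip2, mac1, ip1); break;
    case 3: len = build_arp(buf, bcast, mac1, 1, mac1, ip1, zero6, ip2) - 10; break;
    case 4: len = build_arp(buf, bcast, mac3, 2, mac3, ip3, bcast, ip3); break;
    default: return VERDICT_DROP;
    }
    return arp_verdict(buf, len);
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("sample %d: %s\n", i, sample_verdict(i) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

Sample 4 is kept on purpose: a gratuitous reply from a host announcing its own recorded MAC is legitimate and passes, so the binding table, not the broadcast reply itself, is what separates normal traffic from a poisoning attempt. In a queue-based deployment the returned verdict would be handed back to the kernel (for libnetfilter_queue, through nfq_set_verdict), and, as post #6 notes, the check must stay cheap because every queued frame waits on it.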
 
Old 05-30-2010, 05:37 PM   #11
IdealVithVodka
Member
 
Registered: Apr 2010
Posts: 32

Original Poster
Rep: Reputation: 15
If anyone is interested in promisc detection I have made a demonstration video.

http://www.youtube.com/watch?v=jlcqDCHDWYA
 