drop packets (not iptables) in C / C++
Hi,
I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and, for example, investigate all of the packets (maybe keep some in a buffer and drop them in the kernel so I could send them out, let's say, 10 minutes later), but from a C / C++ program's perspective / level. I know it can be done via iptables, but isn't there a way to do it from a program? I have found a library called ipq, but apparently it doesn't work with kernel 2.6.x anymore. Any suggestions / ideas / examples are more than welcome. --regards IdealVithVodka
Quote:
"Q: Can I block or modify the packets instead of just capturing them? No. Jpcap only allows you to capture packets. In other words, the packets you captured by Jpcap are also transmitted to the destination hosts, and Jpcap cannot interfere with the transmission."
This may not be possible to do, since iptables interfaces with the kernel's netfilter interface and most programs do not have access to kernel-level stuff. You may wanna investigate if it's possible to redirect a packet using the netfilter interface.
http://gicl.cs.drexel.edu/people/tjk...lterQueueNotes
shows how to use a software program with nfqueue. Additionally, keep in mind that you are now potentially adding huge slowdowns to your data path (for one, I believe that the nfqueue interface is NOT zero-copy, meaning you have 2 copies made, as well as the original packet). Also, the more time you spend in that function, the more latency you introduce - and eventually you might add enough latency to cause throughput reduction.
iptables is probably written in C, and the source code should be available. The same mechanisms used by iptables should work for your application(s).
--- rod.
Quote:
Well, I'm working on a uni project. It should be an application that could work on a computer that has, for example, 3 network cards: eth0: 192.168.1.1, eth1: 192.168.1.2, eth2: 192.168.1.3. All of them have a host connected to them. So the problem would be if one of them decides to perform an ARP poisoning attack. So the idea of the program would be to inspect the ARP packets that come in, check if they comply with the standard, and if they do then let them through; if not, then just DROP the packet. Sounds logical?
Quote:
Alternatively, you can "prove" a protection from this type of ARP attack by using iptables to block ALL ARP messages, and statically enter ARP entries with infinite lifetime on all the hosts (this is useful for a small number, up to 3, of hosts). Then when your attacker tries to poison the ARP cache, you can observe whether or not your system properly disregards it and keeps on communicating as expected. Just a little fun experiment.
@orgcandman:
I'm familiar with arpwatch, but it just reports about the actual attack; it can't protect against its effects. Also, blocking ARP traffic isn't a solution to my problem, as then I need to enter static entries on all of the 3 machines. Hence that is why I need to control the packets with a program of my own (I know iptables can block traffic, but it's about not using iptables) that can have a look at the ARP packet. If it is malicious then my program will drop it, otherwise it will allow it to be processed further by the main host's kernel. Also, I've been working on some techniques for detecting hosts with NICs in promisc mode. Very interesting field that seems to be forgotten by people.
If anyone is interested in promisc detection I have made a demonstration video.
http://www.youtube.com/watch?v=jlcqDCHDWYA
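The ARP check described in the uni-project post above (compliance with the standard, then DROP or let through), as an added example in C that is not the poster's code or part of the thread. It assumes a static table of the three hosts' MAC/IP bindings (the MACs are constructed here) and returns a verdict that an NFQUEUE callback, such as the libnetfilter_queue program the linked nfqueue notes describe, would pass on to the kernel; the nfqueue plumbing itself is left out so the block runs stand-alone on a constructed frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of an ARP packet inside an Ethernet II frame (RFC 826). */
#define ETH_HDR_LEN   14
#define ARP_PKT_LEN   28
#define ETHERTYPE_ARP 0x0806
#define ETHERTYPE_IP  0x0800
#define ARPHRD_ETHER  1
#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

struct binding {
    uint8_t  mac[6];
    uint32_t ip;   /* host byte order */
};

/* Hypothetical, constructed bindings for the three hosts from the post (eth0..eth2). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const struct binding known_hosts[] = {
    { {0x02,0x00,0x00,0x00,0x00,0x01}, IP4(192,168,1,1) },
    { {0x02,0x00,0x00,0x00,0x00,0x02}, IP4(192,168,1,2) },
    { {0x02,0x00,0x00,0x00,0x00,0x03}, IP4(192,168,1,3) },
};
#define N_KNOWN (sizeof known_hosts / sizeof known_hosts[0])

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Verdict for one Ethernet frame: ACCEPT compliant, consistent ARP; DROP the rest. */
enum verdict arp_verdict(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN) return VERDICT_DROP;
    if (rd16(frame + 12) != ETHERTYPE_ARP) return VERDICT_ACCEPT; /* not ARP: not our concern */
    if (len < ETH_HDR_LEN + ARP_PKT_LEN) return VERDICT_DROP;     /* truncated ARP packet */

    const uint8_t *arp = frame + ETH_HDR_LEN;
    uint16_t htype = rd16(arp), ptype = rd16(arp + 2), op = rd16(arp + 6);
    uint8_t hlen = arp[4], plen = arp[5];
    const uint8_t *sha = arp + 8;      /* sender hardware address */
    uint32_t spa = rd32(arp + 14);     /* sender protocol address */

    /* 1. Standards compliance: Ethernet/IPv4 ARP with a request or reply opcode. */
    if (htype != ARPHRD_ETHER || ptype != ETHERTYPE_IP || hlen != 6 || plen != 4) return VERDICT_DROP;
    if (op != ARPOP_REQUEST && op != ARPOP_REPLY) return VERDICT_DROP;

    /* 2. Sender MAC must be a real unicast address and match the frame's source MAC. */
    static const uint8_t zero_mac[6] = {0};
    if ((sha[0] & 1) || memcmp(sha, zero_mac, 6) == 0) return VERDICT_DROP;
    if (memcmp(sha, frame + 6, 6) != 0) return VERDICT_DROP;

    /* 3. Poisoning check: a known IP must arrive with its own MAC, and a known MAC with its own IP. */
    for (size_t i = 0; i < N_KNOWN; i++) {
        int ip_match  = known_hosts[i].ip == spa;
        int mac_match = memcmp(known_hosts[i].mac, sha, 6) == 0;
        if (ip_match != mac_match) return VERDICT_DROP;
    }
    return VERDICT_ACCEPT;
}

/* Build a constructed ARP frame into buf (at least 42 bytes); returns the frame length. */
size_t build_arp_frame(uint8_t *buf, uint16_t op, const uint8_t *src_mac, uint32_t src_ip,
                       const uint8_t *dst_mac, uint32_t dst_ip)
{
    memcpy(buf, dst_mac, 6); memcpy(buf + 6, src_mac, 6); wr16(buf + 12, ETHERTYPE_ARP);
    uint8_t *arp = buf + ETH_HDR_LEN;
    wr16(arp, ARPHRD_ETHER); wr16(arp + 2, ETHERTYPE_IP); arp[4] = 6; arp[5] = 4; wr16(arp + 6, op);
    memcpy(arp + 8, src_mac, 6);  wr32(arp + 14, src_ip);
    memcpy(arp + 18, dst_mac, 6); wr32(arp + 24, dst_ip);
    return ETH_HDR_LEN + ARP_PKT_LEN;
}

int main(void)
{
    const uint8_t bcast[6]    = {0xff,0xff,0xff,0xff,0xff,0xff};
    const uint8_t attacker[6] = {0x02,0xbe,0xef,0x00,0x00,0x99};   /* constructed rogue MAC */
    uint8_t f[64];
    size_t n;

    n = build_arp_frame(f, ARPOP_REQUEST, known_hosts[0].mac, known_hosts[0].ip, bcast, known_hosts[1].ip);
    printf("legit request : %s\n", arp_verdict(f, n) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");

    /* A reply claiming host 2's IP from a different MAC is the poisoning case the post wants dropped. */
    n = build_arp_frame(f, ARPOP_REPLY, attacker, known_hosts[1].ip, known_hosts[0].mac, known_hosts[0].ip);
    printf("poisoned reply: %s\n", arp_verdict(f, n) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

One caveat for wiring this into a queue: ARP is a separate link-layer protocol and does not pass through the IPv4 iptables hooks, so the frames have to be queued from an ARP-capable hook (arptables, or a bridge/arp-family ruleset) rather than from the iptables chains the rest of the thread discusses. Keep the verdict function as short as it is here; as noted above, time spent in the userspace callback is latency added to every queued packet.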