Filter packets in network stack while sniffing packets on Linux?


Problem description

I have a question for the low-level networking/Linux gurus.

I have to build two tools for a security project at my university. The first tool is an ARP poisoning attacker which will poison the ARP cache of a remote host in order to retrieve the data it is sending to another host. I wrote this tool in C using raw sockets and it works perfectly; I am able to intercept the data transmitted from a host A to a host B and from host B back to host A.

The problem comes when writing the second tool, which is a sniffer whose purpose is to read/edit/drop packets coming from host A or host B. I imagined a system where, when I spot a packet coming from one of those hosts, my program asks me whether I want to let this packet pass, modify it, or simply drop it. I activated IP forwarding in Linux using

sysctl -w net.ipv4.ip_forward=1

and I am able to read all the data travelling between the two hosts. But I don't know how to edit/drop those packets, since it is the role of Linux's network stack to manage the input and output of the packets coming from my network interface. I'm acting only as a passive attacker, if you like.

My first idea was to disable IP forwarding and manage the routing of the packets myself. But when I disable IP forwarding, I am simply not able to get any data coming from A or B; this is because Linux's network stack automatically drops, in kernel mode, packets whose IP address is not destined for my computer.

I then tried to activate promiscuous mode, but this was unnecessary, since this mode only operates on the physical layer (it checks whether the target MAC address in the received Ethernet frame matches the MAC address of the local interface). So basically, promiscuous mode helps us avoid the physical filter of Linux's stack but not the logical one (the target IP address in the packet I am receiving is B's IP address and not mine, so Linux's network stack simply drops the packet).

So my question is: how can I edit the packets I am receiving and send them back out, or simply drop them if I want to? I know this is a tricky question; I have done some research to find the solution on my own but I didn't find a satisfying answer.

I know there is a solution with iptables, where we can ask it to let packets from a certain IP address pass, but I don't want a solution involving a third-party tool; I want to encapsulate everything in my program.

For information, the development environment is Linux/Ubuntu with kernel 3.0.0-16, and everything is written in C.

Recommended answer

I figured out why I wasn't receiving any packets when I disabled ip_forwarding. I ran many tests after posting my question here and I realized that when ip_forwarding was disabled, the remote host was sending me very strange TCP packets about every ~10 seconds.

In fact, those TCP packets were flagged by Wireshark as "TCP retransmission" packets. This is because the remote host was sending me an initial TCP packet and I didn't re-route it to the proper gateway, so it didn't get any response.

The default behavior of the remote host in this case was to resend this packet at different time intervals, which is actually the normal way a TCP stack should behave. But what I didn't know is that until the remote host gets a response to its initial TCP packet, it will not send any others (for the same application only). So when I was hitting "F5" in the remote host's browser I thought it would generate TCP traffic even though it would not get any response; I wasn't aware of this particular behavior of the TCP stack, so I simply thought I wasn't getting any answer. The other host (the gateway) was behaving exactly the same way, so I can say that I was wrong in thinking Linux's stack was blocking the remote host's packets.

What I have to do now is simply re-route the data I want to let pass properly to the gateway, and ignore the rest. Thank you for your help; I hope this might help someone someday.
