How does ohrwurm use libpcap and arpspoof to corrupt RTP traffic?


Problem description

I'm trying to evaluate a tool called ohrwurm, which claims to be able to corrupt RTP traffic between two SIP endpoints. By reading its source code I don't believe it works, and would like others' opinions before I try it out.

The premise is simple:

  • Assume endpoint A has the IP address 192.168.0.11 and endpoint B has the IP address 192.168.0.22.
  • On a third box C, on the same subnet as A and B, run the following commands in two SSH sessions:
    • arpspoof 192.168.0.11
    • arpspoof 192.168.0.22

Taking a look at ohrwurm's source code, it does the following:

• Sets /proc/sys/net/ipv4/ip_forward to 1.
• Uses libpcap in promiscuous mode to intercept all IP packets between the two boxes above.
• For those that are SIP packets, grabs the RTP port numbers.
• For UDP packets between the two RTP ports grabbed earlier, fuzzes the RTP contents.

Here's what I don't get, though. I accept that the arpspoofing will cause all IP traffic between A and B to travel through C. Moreover, by setting /proc/sys/net/ipv4/ip_forward to 1 we're getting the kernel to forward this IP traffic correctly for us.

But I thought libpcap was read-only? How is it possible to modify packets we've sniffed in promiscuous mode in situ? You'll notice in ohrwurm.c line 401 that we're even trying to drop RTCP packets! Is this possible?

I know nothing about libpcap, and am curious to know more! Please educate me. Thanks.

Answer

Libpcap is not able to modify the packets. It can only be used to audit them. You can think of it as the basis for getting the packets from the interface to the kernel.

Arpspoof requires other libraries such as "Libnet" to perform ARP spoofing. http://arpspoof.sourceforge.net/ (see the section "Links Related to arpspoof")

Libnet introduces an API that provides access to several protocols. It can be used to create arbitrary packets or modify them on the fly. http://libnet.sourceforge.net/

A nice tutorial can be found at: http://networksecurity.org.ua/0596007949/networkst-chp-11-sect-4.html
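The packet handling the question's four steps describe, and the point the answer makes about libpcap being read-only, as one added self-contained example (this is not ohrwurm's code, and the SIP INVITE, RTP packet and RTCP report it works on are constructed inline, not captured): it reads the RTP port out of the SDP body of a SIP message, tells RTP from RTCP on the same port pair so that RTCP could be dropped, and flips payload bytes in place while leaving the RTP header valid so the receiver still decodes the packet. The buffer is writable here only because it is the program's own copy. libpcap hands a sniffer a read-only copy of each frame after the kernel has already seen it, so editing that copy changes nothing on the wire; with ip_forward set to 1 the kernel goes on forwarding the untouched original. A tool that wants the corrupted version to reach B therefore has to re-inject it itself (libnet or a raw socket) and also keep the kernel from forwarding the original (for example a netfilter DROP rule for that UDP port pair), otherwise B receives both.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTP_HDR_LEN 12   /* fixed RTP header (RFC 3550 s5.1) before any CSRCs */

enum pkt_kind { PKT_TOO_SHORT, PKT_NOT_RTP, PKT_RTP, PKT_RTCP };

/* Constructed sample SIP INVITE carrying an SDP body (not a real capture). */
const char SAMPLE_INVITE[] =
    "INVITE sip:bob@192.168.0.22 SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.0.11\r\n"
    "m=audio 49170 RTP/AVP 0\r\n";

/* Constructed RTCP Sender Report header: V=2, RC=0, PT=200, length=6, SSRC. */
const uint8_t SAMPLE_RTCP_SR[8] = {0x80, 200, 0x00, 0x06, 0x12, 0x34, 0x56, 0x78};

/* Step 3: read the media port from the SDP "m=audio <port> ..." line.
 * Returns the port, or -1 if the message carries no audio media line. */
int sdp_audio_port(const char *sip_msg)
{
    const char *m = sip_msg;
    while ((m = strstr(m, "m=audio ")) != NULL) {
        if (m == sip_msg || m[-1] == '\n') {        /* must start a line */
            char *end;
            long port = strtol(m + 8, &end, 10);
            if (end != m + 8 && port >= 0 && port <= 65535)
                return (int)port;
        }
        m += 8;
    }
    return -1;
}

/* Step 4 (and the RTCP drop the question mentions): tell RTP from RTCP.
 * Both start with version 2; RTCP's second byte is the packet type 200..204,
 * a range RFC 3550 keeps out of RTP's marker+payload-type byte. */
enum pkt_kind classify_udp_payload(const uint8_t *p, size_t len)
{
    if (len < 4) return PKT_TOO_SHORT;
    if ((p[0] >> 6) != 2) return PKT_NOT_RTP;
    if (p[1] >= 200 && p[1] <= 204) return PKT_RTCP;
    if (len < RTP_HDR_LEN) return PKT_TOO_SHORT;
    return PKT_RTP;
}

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Flip about per_mille/1000 of the payload bytes in place, leaving the RTP
 * header (12 bytes plus CSRC list) intact so the receiver still accepts the
 * packet and plays garbage. Returns the number of bytes changed. */
size_t fuzz_rtp_payload(uint8_t *pkt, size_t len, unsigned per_mille, uint32_t seed)
{
    if (len < RTP_HDR_LEN) return 0;
    size_t hdr = RTP_HDR_LEN + 4u * (pkt[0] & 0x0f), changed = 0;
    uint32_t st = seed ? seed : 1;                   /* xorshift needs a nonzero state */
    if (len <= hdr) return 0;
    for (size_t i = hdr; i < len; i++) {
        if (xorshift32(&st) % 1000 < per_mille) {
            uint8_t mask = (uint8_t)xorshift32(&st);
            pkt[i] ^= mask ? mask : 1;               /* guarantee a real change */
            changed++;
        }
    }
    return changed;
}

/* Constructed RTP packet: V=2, PT=0 (PCMU), seq 1, ts 160, SSRC 0x12345678,
 * then 16 bytes of PCMU silence. Returns the packet length, or 0 if cap is too small. */
size_t build_sample_rtp(uint8_t *buf, size_t cap)
{
    static const uint8_t hdr[RTP_HDR_LEN] = {0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0,
                                              0x12, 0x34, 0x56, 0x78};
    size_t len = RTP_HDR_LEN + 16;
    if (cap < len) return 0;
    memcpy(buf, hdr, RTP_HDR_LEN);
    memset(buf + RTP_HDR_LEN, 0xff, 16);
    return len;
}

int main(void)
{
    uint8_t pkt[64];
    size_t len = build_sample_rtp(pkt, sizeof pkt);
    printf("SDP audio port: %d\n", sdp_audio_port(SAMPLE_INVITE));
    printf("RTCP SR classified as RTCP: %s\n",
           classify_udp_payload(SAMPLE_RTCP_SR, sizeof SAMPLE_RTCP_SR) == PKT_RTCP ? "yes" : "no");
    printf("fuzzed %zu of %zu payload bytes\n", fuzz_rtp_payload(pkt, len, 300, 42), len - RTP_HDR_LEN);
    return 0;
}
```

In a real man-in-the-middle position the buffer passed to fuzz_rtp_payload would be a copy of the captured frame that the program then hands to its own injection routine; the pcap callback's buffer itself is const for a reason.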

