How to intercept TCP packets and modify them on the fly?


Question

How to intercept TCP packets and modify them on the fly without a proxy in Linux (Ubuntu)? For example, capture packets as Wireshark does, but modify the packets.

I need to capture, search and replace in packets, for example:

Search regex "/(<form\s+.*?>)/i", replace by "$1\n<input name=\"newinput\">"

Only for local packets using ftp, smtp, http, etc. How can this be done?

Recommended answer

Given your example you do not want to change only single bytes in a packet but a string which might span multiple packets. Also, your replacement might have a different length than the original string. If you do this at the packet level (since you don't want to use a proxy) you would need to:

  • possibly delay forwarding a packet in case it needs to be changed based on the content of following packets
  • rewrite not only the few packets whose payload you change but also all following packets, since all sequence numbers need to be adjusted because of the change in data size
  • also rewrite all future packets you receive from the peer, since the sequence numbers in the ACKs need to be adjusted so that the original sender can associate the ACK with the original packet

Apart from the complexity of implementing this, the first point of delaying a packet could also interfere with the TCP flow control, which might cause your connection to slow down or even stall.

Thus the usual approach to implement such deep packet modifications is to use a proxy, where there is one TCP connection between client and proxy and another between proxy and server. This way you have two independent TCP connections which both have their own independent TCP flow control. Also, the kernel automatically deals with the correct sequence numbers etc., so no manual adjustments are needed.

I don't know how unalterable your requirement of not having a proxy is. It might be that you only don't want to have an explicit proxy which needs to be configured at the client. But proxies can also be used in a transparent way which doesn't need explicit configuration in the client.

Thus, you might better implement your actual requirement with a transparent proxy. See for example this documentation for mitmproxy on how to do this for HTTP. One can implement this also for protocols other than HTTP in a similar way.
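Added example, not part of the answer above or of mitmproxy: a minimal transparent TCP relay in Python that does what the answer recommends. It terminates the client connection and opens its own connection to the original destination, so the kernel owns both sets of sequence numbers and flow control, and it applies the question's regex to the server-to-client byte stream while buffering so that a `<form ...>` tag split across two TCP segments is still matched. The stream rewriter is generic (any protocol carrying bytes); the transparent part assumes a Linux host, the `SO_ORIGINAL_DST` socket option, and an `iptables` REDIRECT rule in the nat OUTPUT chain for locally generated traffic. The listen port, the user name `proxyuser` and the sample HTML chunks are assumptions made for the example.

```python
# Added example (not from the original answer or from mitmproxy).
# Transparent TCP relay: client <-> this process <-> original server, with a
# regex search/replace applied to the server -> client byte stream.
import re
import socket
import struct
import threading

# The question's pattern as a Python bytes regex. Python back-references
# are written \1 rather than the Perl-style $1 used in the question.
PATTERN = re.compile(rb"(<form\s+.*?>)", re.IGNORECASE | re.DOTALL)
REPLACEMENT = b"\\1\n<input name=\"newinput\">"

SO_ORIGINAL_DST = 80  # Linux netfilter constant (assumed Linux host)


class StreamRewriter:
    """Regex search/replace over a byte stream that arrives in arbitrary chunks.

    A match may be cut in two by a segment boundary, so bytes that could be the
    start of an unfinished tag are held back until the next chunk (or flush()).
    """

    def __init__(self, pattern=PATTERN, repl=REPLACEMENT):
        self.pattern = pattern
        self.repl = repl
        self.buf = b""

    def feed(self, data: bytes) -> bytes:
        self.buf += data
        out = bytearray()
        pos = 0
        for m in self.pattern.finditer(self.buf):
            out += self.buf[pos:m.start()]
            out += m.expand(self.repl)  # expands \1 from the template
            pos = m.end()
        rest = self.buf[pos:]
        # Hold back a possibly unfinished tag: from the first '<' after the last '>'.
        cut = rest.find(b"<", rest.rfind(b">") + 1)
        if cut == -1:
            out += rest
            self.buf = b""
        else:
            out += rest[:cut]
            self.buf = rest[cut:]
        return bytes(out)

    def flush(self) -> bytes:
        """Release whatever was held back once the sender has closed its side."""
        out, self.buf = self.buf, b""
        return out


def rewrite_chunks(chunks):
    """Run a list of byte chunks through one rewriter and return the joined output."""
    rw = StreamRewriter()
    out = b"".join(rw.feed(c) for c in chunks)
    return out + rw.flush()


def original_destination(conn: socket.socket):
    """Recover the pre-REDIRECT destination (ip, port) of an accepted socket. Linux only."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    port, packed_ip = struct.unpack("!2xH4s8x", raw)  # sockaddr_in: skip family
    return socket.inet_ntoa(packed_ip), port


def pump(src: socket.socket, dst: socket.socket, rewriter=None):
    """Copy src -> dst until EOF, rewriting on the way if a rewriter is given."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(rewriter.feed(data) if rewriter else data)
        if rewriter:
            dst.sendall(rewriter.flush())
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate half-close to the other side
        except OSError:
            pass


def handle(client: socket.socket):
    host, port = original_destination(client)
    server = socket.create_connection((host, port))  # second, independent TCP connection
    threading.Thread(target=pump, args=(client, server), daemon=True).start()  # untouched
    pump(server, client, StreamRewriter())  # HTML comes from the server, rewrite this way
    server.close()
    client.close()


def serve(listen_port=8080):
    """Assumed setup (run as root, with the relay itself running as 'proxyuser' to avoid a loop):
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxyuser \
        -j REDIRECT --to-ports 8080
    """
    with socket.socket() as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(("127.0.0.1", listen_port))
        ls.listen()
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The `owner` match on the REDIRECT rule matters: without it the relay's own outbound connections to port 80 would be redirected back to the relay. Rewriting at the byte-stream level removes the sequence-number and flow-control problems the answer lists, but not the application protocol's own framing: for HTTP the injected bytes change the body length, so a real deployment also has to fix `Content-Length`, handle chunked and compressed bodies, and deal with TLS, which is exactly the work mitmproxy already does for HTTP.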
