Rebuilding a packet to inject via pcap


Problem description

Here is the situation: in my scenario I have, 3 computers, A, B and C.

Computer A sends data to computer B. Computer B captures these packets with pcap, appends the headers, redoes the checksums, and injects it out another ethernet interface to computer C. So basically A sends to C, though from C's point of view, the data is coming from computer B.

My problem is this: following TCPDUMP's tutorial on dissecting a captured packet, I've learned to calculate offsets and to use typecasting to obtain ethernet, ip, and tcp header structures. The method of doing so is shown below:

/* Each cast overlays a header struct on the captured bytes; nothing is copied. */
ethernet = (struct sniff_ethernet*)(packet);
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip)*4;                 /* IHL is in 32-bit words */
if (size_ip < 20) {
    printf("   * Invalid IP header length: %u bytes\n", size_ip);
    return;
}
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_tcp = TH_OFF(tcp)*4;              /* data offset is in 32-bit words */
if (size_tcp < 20) {
    printf("   * Invalid TCP header length: %u bytes\n", size_tcp);
    return;
}
payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);

Because I want to inject the captured packet to send it from computer B to computer C, I must modify some of the source/destination information and recalculate the checksum when I'm done. However, my issue is, since this data is now separated into structures of ethernet header, IP header, and TCP headers, how do I put it back together into a u_char that pcap_inject can use?

Is it possible to do some sort of concatenation here?

Recommended answer

From the code I see here, you're not actually dissecting the memory that libpcap captured for you. Each of the casting operations simply tells the compiler how you intend to treat the bytes starting from a pointer -- what size those objects are, what offsets to find which pieces of data and how long they are.

If you modify this memory through those pointers, you've modified the one and only copy of it in the process memory -- and can use some of the "more basic" pointers to hand the entire block of memory to sendmsg(2) or whatever without needing to reassemble the data -- you never took it apart.

Update

To inject the packets back on the network you need to use the raw(7) socket type; the IPPROTO_RAW socket option is required to send TCP packets through a raw(7) socket -- otherwise, all TCP packets would be directed to the raw(7) socket you open, making networking on the machine difficult to use.

The raw(7) sockets will perform some re-calculation tasks for you:

   A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is
   able to send any IP protocol that is specified in the passed
   header.  Receiving of all IP protocols via IPPROTO_RAW is not
   possible using raw sockets.

          ┌───────────────────────────────────────────────────┐
          │IP Header fields modified on sending by IP_HDRINCL │
          ├──────────────────────┬────────────────────────────┤
          │IP Checksum           │Always filled in.           │
          ├──────────────────────┼────────────────────────────┤
          │Source Address        │Filled in when zero.        │
          ├──────────────────────┼────────────────────────────┤
          │Packet Id             │Filled in when zero.        │
          ├──────────────────────┼────────────────────────────┤
          │Total Length          │Always filled in.           │
          └──────────────────────┴────────────────────────────┘

   If IP_HDRINCL is specified and the IP header has a nonzero
   destination address then the destination address of the
   socket is used to route the packet.  When MSG_DONTROUTE is
   specified, the destination address should refer to a local
   interface, otherwise a routing table lookup is done anyway
   but gatewayed routes are ignored.

   If IP_HDRINCL isn't set, then IP header options can be set on
   raw sockets with setsockopt(2); see ip(7) for more
   information.

Let the kernel re-calculate whatever it is willing to do for you.
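As an added example (not code from the question, the answer, or libpcap), this follows the answer's advice: the captured buffer is edited in place through the same header casts the question uses, the IPv4 and TCP checksums are recomputed, and the original buffer pointer is what would then be handed to pcap_inject(). The struct layouts and the IP_HL/TH_OFF macros are reproduced from the tcpdump sniffex tutorial the question follows (assumed), and the sample frame is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define SIZE_ETHERNET 14
#define IP_HL(ip)  ((ip)->ip_vhl & 0x0f)            /* IP header length in 32-bit words */
#define TH_OFF(th) (((th)->th_offx2 & 0xf0) >> 4)   /* TCP data offset in 32-bit words */
/* Header layouts as in the tcpdump sniffex tutorial the question follows (20 bytes each, no padding). */
struct sniff_ip  { uint8_t ip_vhl, ip_tos; uint16_t ip_len, ip_id, ip_off; uint8_t ip_ttl, ip_p;
                   uint16_t ip_sum; uint32_t ip_src, ip_dst; };
struct sniff_tcp { uint16_t th_sport, th_dport; uint32_t th_seq, th_ack; uint8_t th_offx2, th_flags;
                   uint16_t th_win, th_sum, th_urp; };
/* Ones'-complement sum over bytes as big-endian 16-bit words (RFC 1071), not yet folded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    return len ? sum + (uint32_t)(p[0] << 8) : sum;
}
/* Fold carries and complement; a header that already carries its checksum folds to 0. */
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* Sum of the TCP pseudo-header plus the TCP segment that follows the IP header. */
static uint32_t tcp_sum(const struct sniff_ip *ip, size_t size_ip, size_t tcp_len) {
    uint8_t ph[12];
    memcpy(ph, &ip->ip_src, 4); memcpy(ph + 4, &ip->ip_dst, 4);   /* already in network order */
    ph[8] = 0; ph[9] = 6 /* TCP */; ph[10] = (uint8_t)(tcp_len >> 8); ph[11] = (uint8_t)tcp_len;
    return csum_add(csum_add(0, ph, 12), (const uint8_t *)ip + size_ip, tcp_len);
}
/* Rewrite the MAC and IPv4 addresses of a captured Ethernet/IPv4/TCP frame in place, through the
 * same casts the question uses, then refresh both checksums; the same buffer can then go straight
 * to pcap_inject(). Returns 0 on success, -1 if the frame is truncated or not IPv4/TCP. */
int rewrite_frame(uint8_t *pkt, size_t caplen, const uint8_t src_mac[6],
                  const uint8_t dst_mac[6], uint32_t src_ip, uint32_t dst_ip) {
    if (caplen < SIZE_ETHERNET + 20) return -1;
    struct sniff_ip *ip = (struct sniff_ip *)(pkt + SIZE_ETHERNET);
    size_t size_ip = IP_HL(ip) * 4, tot_len = ntohs(ip->ip_len);
    if ((ip->ip_vhl >> 4) != 4 || size_ip < 20 || ip->ip_p != 6) return -1;
    if (tot_len < size_ip + 20 || SIZE_ETHERNET + tot_len > caplen) return -1;
    struct sniff_tcp *tcp = (struct sniff_tcp *)(pkt + SIZE_ETHERNET + size_ip);
    size_t size_tcp = TH_OFF(tcp) * 4, tcp_len = tot_len - size_ip;
    if (size_tcp < 20 || size_tcp > tcp_len) return -1;
    memcpy(pkt, dst_mac, 6); memcpy(pkt + 6, src_mac, 6);          /* Ethernet dst, then src */
    ip->ip_src = htonl(src_ip); ip->ip_dst = htonl(dst_ip);
    ip->ip_sum = 0;  ip->ip_sum  = htons(csum_fold(csum_add(0, (uint8_t *)ip, size_ip)));
    tcp->th_sum = 0; tcp->th_sum = htons(csum_fold(tcp_sum(ip, size_ip, tcp_len)));
    return 0;
}
/* Constructed sample: Ethernet + IPv4 10.0.0.1 -> 10.0.0.2 (total length 44) + TCP 1234 -> 80 + "ABCD". */
const uint8_t sample_frame[58] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x04,0xd2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0, 0x41,0x42,0x43,0x44 };
```

Note that pcap_inject() writes the raw Ethernet frame, so the kernel fills in nothing; the raw(7) socket path the answer describes would take the buffer from offset SIZE_ETHERNET onward and let the kernel complete the IP header fields listed in the table.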
