Networking :: Sending Ethernet Packets From Inside The Kernel?

Jun 20, 2011

I'm trying to create and send my own ETH packets from inside the kernel. My objective is to send the packages from layer 2 by building my own skbuff and sending it using dev_queue_xmit(). Has anyone done it, or does anyone have examples of how to do it? I tried to build my own skbuff without success.


Programming :: Write A Program In C That Can Sniff Packets From Ethernet And Distinguish RTP Packets From Non-RTP Packets?

Aug 30, 2010

I need to write a program in C that can sniff packets from Ethernet and distinguish RTP packets from non-RTP packets. I have no idea what I should do.

Networking :: Sending/replaying Network Packets?

Dec 10, 2008

I am not a networking expert by any means (in fact I have never taken a networking course), but I have taken several security courses, and generally we wind up discussing replay attacks. For example, the Needham-Schroeder protocol (using symmetric-key cryptography anyway) is flawed because it allows for replay attacks, and I understand why.

I guess my question is actually how someone would perform a replay attack. I know I can sniff network traffic by downloading wireshark. I also have downloaded winpcap and npg on my WinXP virtual machine. I'm trying to use this guide to help me, but I'm quite lost: [URL] What I did was to post a "link" to my facebook profile and I sniffed the traffic using wireshark. What I would ultimately like to accomplish is to copy that packet out of the wireshark output, and then use a tool like npg to transfer the raw packet back to facebook, which should result in a second, redundant post. I just can't figure out how to do that.

I'm pretty sure this should be possible. Facebook only uses an SSL session for authentication during login. After that, the information is just sent in the clear, so I'm pretty sure this should be possible. Can anyone explain how to do such a thing? It would really help my research paper that I'm working on this semester if you can. As of right now the attack we are trying to demonstrate/defend against is using a Windows VM, which is why I'm using winpcap/npg. The attack is actually possible using just about any OS (depending on the exploit used), but our POC is Windows only at the moment.

Networking :: Sending Packets To Localhost Through Another Computer?

Jun 10, 2009

Suppose I have computer A with an IP address on eth0 of 192.168.0.1 and an IP address on eth1 of 192.168.1.1. If I send packets to 192.168.1.1 from computer A, it automatically uses the loopback interface. Is it possible to modify the routing table somehow to send these packets out on eth0 instead and have them route around the network and come back on eth1? I've tried 'route add -host 192.168.1.1 dev eth0' but it seems to completely ignore this entry.

Networking :: Sending Packets To The Local Interface Through A Route?

Oct 13, 2010

I want to build a topology of this kind:

         |eth0 (a.a.a.a)     |
Linux PC |<----------------->| ROUTER
         |eth1 (b.b.b.b)     |
         |<----------------->|

The Linux machine has two interfaces, eth0 (a.a.a.a) and eth1 (b.b.b.b), connected to two interfaces of a router. Now, if I send any packet destined to b.b.b.b from the a.a.a.a interface on the Linux machine, it should take the following path: eth0->router->eth1, and it should be the same vice versa.

Networking :: Kernel - Forward Packets From Eth0 To Eth1 And Eth1-to Eth0 As Well As Get A Copy Of These Packets For Analysis

Sep 27, 2010

I have a hardware device with two Ethernet ports, eth0 and eth1, running CentOS 5. Basically my goal is to forward packets from eth0->eth1 and eth1->eth0 as well as get a copy of these packets for analysis. If I set IP routing to do the forwarding then I won't get a copy of the packets for analysis.

Programming :: Sending Arp Packets In C / C++?

Apr 5, 2010

I'm looking for a way to send an ARP request / reply packet using C or C++. I've written an application that can send different crafted packages using jpcap (Java), but I'm not a C expert (trying to learn). The reason for this is that I would like to port my Java program to C to use it on a less powerful system that can't fully cope with the resource-hungry VM.

Programming :: Raw Socket Not Sending Packets?

Mar 26, 2010

(Let me first of all state that I am a newbie to any form of programming.) I have been trying to create an IP header + TCP header and send this to another machine on my network (using C). I used the normal stuff: two structures for the headers, a sockaddr_in structure, a call to function socket with SOCK_RAW, setsockopt with HDRINCL and a call to sendto. All functions seem to return fine (values other than -1), and the function that I have used to calculate the checksum for the IP header matches the value that I manually calculated. I just don't see anything coming out of the interface in Wireshark. I assumed that it had something to do with my piece of code, so I used two examples (including mixter.void.ru/rawip.html, "A brief programming tutorial in C for raw sockets"). They show exactly the same thing: functions return fine but no packets are being sent. I use Ubuntu 9.04, 2.6.28-14-generic. The machine has two interfaces, one with an IP address; the other interface is in promiscuous mode (both interfaces connected to a switch with port mirroring). I can see all normal traffic in/out.

Networking :: Multicast UDP Packets Lost In Kernel

Jul 29, 2010

We have a high-speed UDP multicast connection. There are about 37 multicast groups, and the average incoming rate via the connection is about 20000 pkt/sec and peak 40000+ pkt/sec. Each packet is about 100-300 bytes. And there are 6 busiest multicast groups generating 80% of the traffic. No significant outgoing traffic via that interface. The problem is that, if our heavy-weight application creates 37 sockets for all the groups, the packet loss becomes quite frequent. But if we create the 6 sockets for the busiest groups, the packet loss drops to 1/10 of the original level. We can confirm that the lost packets DO arrive in our box because a light-weight recorder on another box on the same Ethernet segment can see the lost packets when listening to the same groups. If we start another heavy-weight application for the rest of the groups (31 groups) on the same box, the packet loss just comes back to the original level.

The packet loss happens not only to the heavy-weight application but also to the light-weight recorder running on the same system. That is, the loss is system wide. The socket kernel buffers are all 4MB max and we did not observe system buffer overflow. It seems the number of sockets listening to the same multicast group has the most negative impact on packet loss. And the higher traffic has a far less impact on packet loss than the number of sockets. It also seems that there is some limit in the kernel such that when the socket number is reduced under it, the packet loss can significantly ease. How can I further diagnose the problem? Our system is RHEL 5.3 32bit i386, Xeon 2.9GHZ 16 Processors, 32GB memory. Two Broadcom giga network cards and 6 Intel GIGA NICs, and only one interface card has so much traffic.

Programming :: Segmentation Fault While Sending UDP Packets?

Jul 16, 2009

The following piece of code is supposed to send a UDP packet, but inside function udpsocketinit I get a segmentation fault and I cannot understand why.

Code:
#include <arpa/inet.h>
#include <netinet/in.h>

[code]...

Security :: Detect Infected PC In LAN (Sending Packets To Internet)

Jul 17, 2009

In my network I have 25 workstations and some servers. Everything is working in a local LAN with a firewall. The problem is that on one machine (I don't know which one) software is installed which is sending data to the internet. Actually I don't know what it is. Last time, as I remember, it was a trojan which can create new network interfaces in Windows and send some data to the internet. Half the speed of my network connection is used by this infected machine. How can I detect which machine it is? How can I listen/capture some traffic and analyze from which machine I have more connections?

Please take a look at these times. Instead of 141-150ms it should be 4-5ms.

64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms

How can I detect which machine is infected using only Linux and a keyboard?

Networking :: See The Number Of Packets Dropped By Kernel Due To Insufficient Queue Size?

Sep 15, 2010

As is known, there is a queue that lies between the kernel subsystem and the network driver for incoming data. And if data comes when this queue has no space for it, the data gets dropped by the kernel. Is there some way to see how many packets are dropped due to this buffer penury? I tried netstat -s but could not find something useful. On the other hand, I found this in netstat -s: "12176 packets collapsed in receive queue due to low socket buffer". I think this is something related to the per-socket buffer, but not the incoming queue between the network driver and kernel. Is this right?

Networking :: Firewall - Allow Packets Coming From Internet After Authenticating And To By Pass Packets Generated From Internal LAN?

Feb 8, 2010

I have a Linux server running Oracle applications. I need to access this server from PuTTY using SSH through the internet. I did this by registering my static IP with dyndns.org and I am able to connect to the server. But now there is no security to authenticate any user, as anyone knowing the password can log in to it.

I thought of configuring the firewall of the Linux server, but the client IPs are not static and they change continuously. So I thought of keeping one more PC between the server and the router which will do the work of authenticating. But I am confused as to how to configure it to allow the packets coming from the internet after authenticating and to bypass the packets generated from the internal LAN.

Security :: Iptables State Module - Configuration Error / Not Enable Incoming Packets From Connections Initiated From Inside?

Mar 30, 2011

I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things. This is my iptables -L -n :

Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....

In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.

Maybe this is not the best style for iptables rules, but I want to be absolutely sure to not accidentally lock myself out from SSH, so I chose not to configure a "block-everything rule".

Does this configuration not enable incoming packets from connections initiated from inside?

General :: LAN Machines Sending Packets By Iftop - Set Only Send And Recieve Http - Smtp - Ssh - Dns - Dhcp Request?

Jun 10, 2011

I have proxy running. I have seen LAN machines sending packets by iftop -P -F 192.168.10./24

[Code]....

How do I set my iptables so that I can only send and receive HTTP, SMTP, SSH, DNS and DHCP requests in and out of the proxy?

[Code]...

CentOS 5 Hardware :: Server Starts Drop Packets On Ethernet Iface?

Feb 27, 2010

I've got a Tyan S4989 with a gigabit Ethernet controller, Intel Corporation 82571EB. Sometimes the server starts to drop packets and doesn't respond to any connections, and the logs don't contain any errors. iptables and SELinux are switched off on CentOS 5.3 (2.6.18-128.1.6).

Ubuntu Networking :: 10.04 Kernel Update - No Ethernet Connection On Reboot

Sep 18, 2010

I updated to the latest available kernel for Kubuntu 10.04 today (2.6.32-24). When the system rebooted, it refused to connect to my wireless network. So far I have been unsuccessful in persuading it to connect. ifconfig shows the existence of the ethernet connection as eth0, and Network Manager also seems to accept the existence of the ethernet port - so why has it suddenly chosen now to stop connecting to the wired network?

Debian Programming :: Sending Ethernet Frame Payload To Server

Nov 25, 2014

How can I send an already encapsulated Ethernet frame payload to a server? Basically what I would like to do is to route Ethernet packages I get from other peripherals to their needed destinations, and send packets I receive to the requested device on a peripheral. The program will be running on a BeagleBone Black with Debian OS. Steps the program should do from my point of view:

# <IPv6<UDP<DATA>>> packet received on some peripheral (UART in exact case) sent to server requested by <IPv6> destination address field
# <IPv6<UDP<DATA>>> packet need to be sent to server that server application would receive <DATA> extracted from IPv6 and UDP encapsulation
# <IPv6<UDP<DATA>>> packet need to be sent to server that server would know that device which is requested is available in BBB local network
# <IPv6<UDP<DATA>>> packet received from server would be sent to requested device

From what I already found out, I need to add a routing header to the packet I want to send and pass it to the MAC encapsulation layer, or is there a service which can add the routing header and pass it to other layers for me?

Also how can I get data sent from server, since if I'm not very wrong, system should receive them also encapsulated in Routing header, not as RAW data payload.

Red Hat :: Install Ethernet Adapter Driver - Not Finding Kernel-devel Or Kernel-headers

Aug 30, 2010

I'm attempting to install the driver for my atheros AR8131 PCI-E Gigabit Ethernet adapter (in my Lenovo laptop) on my newly installed RHEL5 system (it's not currently being recognized).

I tried using: 'make install' but hit an error "Makefile:61: *** Linux kernel source not found."

After this, I tried: 'sudo yum install kernel-devel kernel-headers'

To rectify this, but hit this error "No package kernel-devel available" (and the same for the headers). What should I do?

Programming :: Netlink Sockets In Kernel And Ethernet Driver - Kernel Crash

Aug 31, 2010

I am writing a network driver. I transmit packets to user space through netlink sockets. In user space the packets are handled and transmitted to another device (however, that isn't important).

The problem is that for some time packets are transferred normally through the driver into the system and in reverse. But then there comes a moment when the kernel crashes. Looking in syslog, it seems to me that a deadlock occurs. I also think that it is related to netlink sockets.

I can't find information anywhere on how to correctly use netlink sockets in kernel space. Does anyone have any thoughts on synchronization between sockets and the driver in kernel space?

I can give the driver code if necessary.

Ubuntu Networking :: User Interface Changed And It Defaulted To Ethernet And Now It Won't Letting To Go Back On Wireless - Disable Ethernet?

Sep 1, 2011

My laptop was working fine on wireless till the user interface changed and it defaulted to Ethernet, and now it won't let me go back on wireless. How do I disable Ethernet?

Networking :: Routing Packets From One IP To Another

Sep 6, 2010

My setup is... I have a wireless access point using laptop as a gateway. The AP is also connected to a switch as is the laptop. So the laptop has two interfaces, one wireless and one wired. A third device is using the AP to connect to a server on the internet. The AP sends the packets to my laptop where they are dropped. I've been looking for a solution to this problem without success. Basically is there a way for my laptop to forward all packets it sees from a certain IP address to whatever destination address they have? To clarify, my laptop is just the gateway of the AP and none of the packets are addressed to it at all, it just picks them up using a sniffer or similar tool.

Networking :: How To Block The Ftp Packets

Dec 3, 2010

Using layer 7 filtering, how do I block FTP packets?

In my router I am going to add the rule below:

iptables -A OUTPUT -m layer7 --l7proto tcp --dport 20 -j DROP

Will the above statement work in my router?

Networking :: How Recognize These Two Different Packets

Oct 17, 2010

1) I have to find the source and destination addresses in the IP and Ethernet headers of a packet that goes from my machine to the router.
2) Then I have to do the same for the packet that goes from the router to my partner's machine.

Then I have to answer the above questions but now for the echo reply. How could I see these addresses? Could the result be found in the output of a tcpdump?

[guest@shakti guest]$ sudo tcpdump -en host 128.238.62.101 and 128.238.61.101
tcpdump: listening on eth0
20:27:36.662737 0:4:75:b5:20:bc 0:3:e3:2a:4a:60 ip 42: 128.238.61.101 > 128.238.62.101: icmp: echo request

[code]....

Networking :: Getting Too Many ARP Packets On System?

Feb 15, 2010

I have an SSH server on Fedora 12. It was going well, but now it's overloaded with ARP traffic and is unable to run SSH. Normally I'm getting about 150 packets in just 3 seconds.

Debian Configuration :: Updated To Kernel 3.0 And Ethernet Disappeared?

Aug 30, 2011

I just updated my Squeeze install; the current kernel version is now 3.0.0-1-686-pae. I now no longer have any internet connection. I have tried the failsafe boots with no luck. I have tried the 2.6 kernels and have had no luck. I have tried to manually start the connections with no luck. I have booted off of a Squeeze Live CD and the connection works just fine.

Networking :: 2 Isp On 3 Lan Cards / Cannot Get Internet Packets From The Second Isp?

Jun 7, 2011

We are using Red Hat Enterprise 5.4 for our internet connection with the following IPs:

eth0: 192.168.1.2 (local lan)
eth1: 114.143.28.240 (static ip address for 1st isp)
eth2: 192.168.100.149 (2nd isp modem connected with lan cable)

The first ISP, i.e. Tata, is connected to the internet and working very well.

Now I want the 2nd ISP to work when the first ISP goes down. I had configured all DNS in the resolve.conf and squid.conf. When I switch off the 1st ISP to check whether failover is working or not, I cannot get internet packets from the second ISP.

Networking :: Can't Allowed Incomming Packets?

Jun 10, 2010

My Linux does not work. It does not accept incoming connections. iptables is disabled. Ping works over the network, but it cannot connect at 22 nor at any other port. How do I check what is blocking the connection?
Thanks a lot. OS: Ubuntu 9.4

Networking :: Dropped Packets But Only For TCP Connections?

Oct 1, 2010

One of our RHEL 5.3 servers has trouble about 30% of the time with TCP-based communications, but it does not seem to be firewall issues. From another computer on the same switch, you can SSH to the server sometimes and other times the SSH command will just hang. When it hangs, you can often just Ctrl+C and try it again and it works. Same with HTTP connections. You'll get part of a web page and then Firefox will just hang waiting for the rest and eventually time out. Same goes for communication initiated FROM the server. SSH'ing from the server to any outside server or connecting to any web site works sometimes, but most times not. iptables is off. No other firewalls are running. Tcpdump shows communication gets so far and then stops. It does not matter whether you run tcpdump on that server or the client connecting to it. Either way you see the connection stops working. MEANWHILE, pinging with small or large packets works flawlessly. 10,000 packets, zero drops.

Networking :: Dropped Packets On Firewall

Jan 11, 2010

I've recently installed Ubuntu 9.10 Server Edition to use as a NAT firewall for the lab I run. I'm using iptables to do NAT forwarding and everything works great except that, occasionally, connections seem to break. SSH connections close with "Connection reset by peer" and HTTP connections just stall out. I believe this has to do with the firewall's internal network interface occasionally dropping packets.

Copyrights 2005-15 www.BigResource.com, All rights reserved