In want to modify the TCP/IP portion of the Linux kernel where i can to intercept every packet going out to each interface. I need to intercept them and modify the IPv6 destination Options header. I am not sure how to start with this. Any pointers would be greatly appreciated.
Regards,
N
You can modify packets using a Python library called scapy. It is not necessary to modify kernel code in order to do so. However, keep in mind that you must set up a Man-in-the-middle in order to sniff a communication.
http://www.secdev.org/projects/scapy/
Related
I'm thinking about writing an anti-keylogger/anti RAT application. Basically, what I want it to do is this:
Monitor outgoing ftp traffic (maybe monitor all outgoing traffic and have an option to filter by ftp)
Analyze headers to find potential keyloggers/RATs
Sniff out the FTP address for any such connections
Block (or give user the option to block) connections to these addresses
I think I can handle steps 1-3, and I know I could block all FTP traffic, but how could I go about blocking specific addresses?
On a side note, can anyone suggest some libraries that might make steps 1-3 easier? Or libaries that'll do step 4, if they exist. I don't mind writing code to target multiple OS.
Snort allows you to monitor incoming/outgoing traffic and works based on a set of rules specified in a file. Once you've detected traffic going out that has a certain IP/port/body using snort, use SnortSAM in conjunction with a firewall to block traffic to that IP/port.
I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:
1) enumerate all current sockets open in the system, including the process that created it and, for both TCP and UDP, what ports and addresses they are current bound to.
2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.
I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.
Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?
Edit:
After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.
Try SysInternals TCPView. Despite its name, it handles UDP as well.
netstat -b to enumerate all ports along with the process names.
You can try using SysInternals' Process MOnitor (ProcMon.exe or ProcMon64.exe).
It allows for filtering of Processes by "UDP Send" Operation - and provides detailed UDP Connection data, including source and destination addresses(IP) and ports etc.
I have one question about IP packet trace: is it possible to watch an IP-packet trace in my Windows 7 system? I recieve IP-packets and I want to know - where do this data move: which DLLs do they use, which functions do they call and etc.
Thanks.
Well the most likely solution would be a packetsniffer tool of some kind.
Simply a packet sniffer captures all of the packets of data that pass through a network. Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if placed different modes, the packet sniffer is also capable of capturing ALL packets travelling over the network regardless of destination.
Hope this helps
Dan
http://www.visualiptrace.com
I am trying to find the most used Network card on windows 200 or XP. I planned to obtain the number of packets sent trough each NIC to determine the main NIC.
I thought IP Helper might give me this information but also it looks like the functions in IP helper only give stats for all interfaces. I know this can be done. Any ideas?
Many Thanks...
Have you looked at WMI ? Here's an example of interrogating the set of network adaptors. Note that it includes stats such as the number of forwarded packets for each adaptor.
You could use from any number of available packet sniffer programs out there: Top Packet Sniffers
Also look here: wiki
i have rule set up to drop udp/tcp packets with matching strings. however, my program which captures packet using libpcap, is still able to see this packet.
Why is this/, what should be the iptable rules to drop packets before it is seen by libpcap?
Is there anyway,perhaps other than iptables rules, to drop this packet before it is seen by libpcap/tcpdump?
Yes, libpcap sees all the packets..
They are being captured before being processed by the netfilter.
Did you try to change the priority of the netfilter hook you use? if you try hooking with the highest priority for incoming packets, it will get the packet before the packet socket kernel code, which is the way libpcap uses to capture packets.
* I assume you are using linux *
EDIT:
Libpcap uses different ways to capture packets - according to the OS. on linux it uses packet socket which is implemented in kernel code using the netfilter framework.
Theres no way for libpcap to see the packets before netfilter, netfilter is a kernel module, and processes all packets before they hit user mode, it can even see the packets before the kernel sees it.
Could you explain further explain ?
Its possible that libpcap is also setting hooks on netfilter that overwrite the one in iptables. The real issue is that looking and what hooks are set on netfilter is far from trivial, and can only be done in kernel mode. Investigate how libpcap gets the packets.