How to forward IP packets with Ruby - ruby

I want to capture packets that have a specific target IP, then forward these packets by UDP. Can Ruby do this? Thanks

Packets, you mean? If you want to see packets in userspace, not at kernel level, then there are several ways.
libpcap: libpcap is the packet capture library used in tcpdump/wireshark
libipq: iptables packet queueing library. http://rubyipq.rubyforge.org/
For libipq, there is also a Ruby binding, but it doesn't seem to be actively maintained.
Actually, libipq is deprecated in favour of libnetfilter_queue.
You can make a Ruby binding of libnetfilter_queue.

Related

Modify all network packets sent over the interface

I want to modify the TCP/IP portion of the Linux kernel so that I can intercept every packet going out to each interface. I need to intercept them and modify the IPv6 Destination Options header. I am not sure how to start with this. Any pointers would be greatly appreciated.
Regards,
N
You can modify packets using a Python library called scapy. It is not necessary to modify kernel code in order to do so. However, keep in mind that you must set up a Man-in-the-middle in order to sniff a communication.
http://www.secdev.org/projects/scapy/

BPF filter string not working on router

I am using a filter string to catch only the probe-request frames from my WiFi router working in monitor/promiscuous mode.
The same string, i.e. "type mgt subtype probe-req", is working when I am running my code on a laptop, but on my Linksys WRT54G it's giving an error that the pcap_compile() function is not working.
To be more explanatory, I am using OpenWRT White Russian 0.9 firmware on my router and its equivalent SDK to build the package for it. The program uses the libpcap library to capture raw packets from the network.
So I want to know whether there is any change in the string format when working on embedded devices like a router. If yes, can you suggest where I can find the documentation for it?
If no, then what am I doing wrong?
The filter strings that are allowed depend on:
the version of libpcap/WinPcap in use;
the link-layer header type being captured on the device.
That particular filter would be allowed if libpcap 1.0 or later is being used and if the adapter is supplying packets with 802.11 headers. Note that, on most OSes, an 802.11 adapter will supply packets with 802.11 headers only if the adapter is running in monitor mode; otherwise, it'll supply packets with Ethernet headers, and will only supply data frames, not management or control frames.
The program uses Libpcap library to capture raw packets from the network.
Whatever the program is, it should be doing a better job of reporting errors from pcap_compile(). It should include, in the error message, the text returned by pcap_geterr() when pcap_geterr() is handed the pcap_t * that you passed to pcap_compile(); that way, you will know more information about why the error occurred, and therefore will know more information about what you need to do to fix it.

Ruby sending packet to a known MAC address

I'd like to send a packet to a device that has only a MAC address associated with it and is also connected to my local LAN.
Is there anything in Ruby / a gem library that I can use to perform such a task?
I want to do something like tcpreplay but in Ruby instead. Thanks!
MACs are the addresses used on OSI layer 2; the packet type you are using on this layer is e.g. Ethernet frames. IP sockets live on layer 3/4, thus if you are using an IP socket, you are sending IP packets.
So if you want to send something "to a MAC address", you need to send raw Ethernet frames which need to be understood on the other side. Given the really low level of this stuff, this is rarely what you really want to do.
Instead, you should try to get the proper IP addresses of the remote device in your local network (technically the broadcast domain) with either a broadcast/reply mechanism or with multicast (which is used e.g. by Bonjour). That way you can always use the much more supported IP layer. For that, your device needs to have an IP address of course. You can establish those with mechanisms like DHCP or address auto-configuration for IPv6.
As for your question, I'm not aware of any library for Ruby to send raw Ethernet frames. But given you would need to invent a new protocol besides IP anyway (which is hard, really hard), sending the packet is probably the least of your concerns.
I suppose there are a couple of approaches. You didn't say whether you wanted to send an IP packet of some kind, and if so you didn't say which IP protocol. (I can tell you want to send an ethernet frame but ... what encapsulated protocol?)
Anyway, you can open a SOCK_RAW with Ruby, something like:
Socket.open(Socket::PF_INET, Socket::SOCK_RAW, Socket::IPPROTO_RAW)
Another approach might be to just pick a link-local IP and then establish an IP/MAC mapping in your local ARP cache with something like:
system "arp -s host hw_addr"
Then you could communicate with it using more familiar socket ops using the link-local IP address.
You need to be root for all of these things.
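As an added example that is not code from the original posts (and not any gem's API), the following Ruby script serves both this question and the first question on the page (capturing packets for a target IP and forwarding them by UDP). It builds the Ethernet II / IPv4 / UDP frames that the SOCK_RAW approach above would put on the wire, parses frames the way a libpcap capture would hand them to you (verifying the IPv4 header checksum and length fields), keeps only frames addressed to a chosen destination IP and relays their payload with UDPSocket. Every MAC, IP, port and payload is a constructed sample value; transmitting a built frame still needs the raw socket and root privileges the answer describes, which the script does not attempt.

```ruby
require 'socket'

# Added example, not code from the original posts. Builds Ethernet II /
# IPv4 / UDP frames, parses captured frames back, keeps the ones addressed
# to a chosen destination IP and relays their payload over a UDPSocket.
# All MACs, IPs, ports and payloads are constructed sample values.

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP      = 17

# RFC 1071 one's-complement checksum; returns 0 for a header whose
# checksum field is already correct, which is how parse_frame verifies it.
def inet_checksum(bytes)
  bytes = bytes + "\0".b if bytes.bytesize.odd?
  sum = bytes.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

def mac_to_bytes(mac)
  mac.split(':').map { |h| h.to_i(16) }.pack('C*')
end

def ip_to_bytes(ip)
  ip.split('.').map(&:to_i).pack('C4')
end

# Build one Ethernet II frame carrying an IPv4 datagram with a UDP payload.
def build_udp_frame(dst_mac:, src_mac:, src_ip:, dst_ip:, src_port:, dst_port:, payload:)
  udp = [src_port, dst_port, 8 + payload.bytesize, 0].pack('nnnn') + payload.b
  # version 4, IHL 5, TOS 0, total length, id 0, flags/frag 0, TTL 64, UDP, checksum 0
  ip_hdr = [0x45, 0, 20 + udp.bytesize, 0, 0, 64, PROTO_UDP, 0].pack('CCnnnCCn') +
           ip_to_bytes(src_ip) + ip_to_bytes(dst_ip)
  ip_hdr[10, 2] = [inet_checksum(ip_hdr)].pack('n')
  mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + [ETHERTYPE_IPV4].pack('n') + ip_hdr + udp
end

# Parse a captured frame. Returns a Hash for a well-formed IPv4/UDP frame
# and nil for anything else (other EtherTypes or IP protocols, truncated
# frames, bad header checksum, inconsistent length fields).
def parse_frame(frame)
  frame = frame.b
  return nil if frame.bytesize < 14 + 20 + 8
  return nil unless frame[12, 2].unpack1('n') == ETHERTYPE_IPV4
  ip = frame[14..-1]
  return nil unless ip.getbyte(0) >> 4 == 4
  ihl = (ip.getbyte(0) & 0x0f) * 4
  return nil if ihl < 20 || ip.bytesize < ihl + 8
  return nil unless inet_checksum(ip[0, ihl]) == 0
  total_len = ip[2, 2].unpack1('n')
  return nil if total_len < ihl + 8 || total_len > ip.bytesize
  return nil unless ip.getbyte(9) == PROTO_UDP
  udp = ip[ihl, total_len - ihl]
  src_port, dst_port, udp_len = udp.unpack('nnn')
  return nil if udp_len < 8 || udp_len > udp.bytesize
  {
    src_ip: ip[12, 4].unpack('C4').join('.'),
    dst_ip: ip[16, 4].unpack('C4').join('.'),
    src_port: src_port, dst_port: dst_port,
    payload: udp[8, udp_len - 8],
  }
end

# Relay the UDP payload of every frame addressed to target_ip to
# relay_host:relay_port through sock (anything with UDPSocket#send's
# signature). Returns how many datagrams were forwarded.
def forward_matching(frames, target_ip, sock, relay_host, relay_port)
  frames.count do |frame|
    pkt = parse_frame(frame)
    next false if pkt.nil? || pkt[:dst_ip] != target_ip
    sock.send(pkt[:payload], 0, relay_host, relay_port)
    true
  end
end

TARGET_IP = '192.0.2.10'   # constructed; 192.0.2.0/24 is the documentation range

# Constructed stand-in for a capture: two frames for the target, one for
# another host, one with a corrupted header and one IPv6 frame.
def sample_frames
  frame_to = lambda do |dst, data|
    build_udp_frame(dst_mac: '02:00:00:00:00:02', src_mac: '02:00:00:00:00:01',
                    src_ip: '192.0.2.1', dst_ip: dst,
                    src_port: 40000, dst_port: 5000, payload: data)
  end
  corrupted = frame_to.call(TARGET_IP, 'bad')
  corrupted.setbyte(14 + 8, 1)   # rewrite TTL without updating the checksum
  ipv6 = "\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01\x86\xdd".b + ("\0" * 40).b
  [frame_to.call(TARGET_IP, 'hello'), frame_to.call('192.0.2.99', 'not for us'),
   corrupted, ipv6, frame_to.call(TARGET_IP, 'world')]
end

if __FILE__ == $PROGRAM_NAME
  begin
    rx = UDPSocket.new
    rx.bind('127.0.0.1', 0)          # stand-in for the relay destination
    n = forward_matching(sample_frames, TARGET_IP, UDPSocket.new, '127.0.0.1', rx.addr[1])
    puts "forwarded #{n} datagram(s)"
    n.times { puts "relay got: #{rx.recvfrom(1500)[0].inspect}" }
  rescue SystemCallError => e
    warn "loopback demo skipped: #{e.message}"
  end
end
```

Run directly, the script relays the two payloads addressed to the target to a loopback UDP listener and prints what arrived; the corrupted frame, the frame for another host and the IPv6 frame are dropped by parse_frame rather than forwarded. Checking the header checksum and both length fields before trusting any offset is what keeps a capture-driven relay from forwarding garbage or reading past the end of a truncated frame.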

How to access ethernet port using VC++? without using sockets

I'm a beginner to Ethernet programming. I want to access the Ethernet port and send/receive packets to/from it. I thought of using the CIM_EthernetPort class, but don't know how to do it. Please help. I have to write a program to send data to an embedded system.
I don't think you quite understand what sockets are.
What protocol does your embedded device use? If it's TCP or UDP (or even a raw link protocol) it's pretty much using a socket by definition.
The only reason you might need to talk to an ethernet adapter without using sockets is if you want to write something like a wire level monitor or packet sniffer.
ps -------------------------------------------------------------
Sockets are just an abstraction of a network connection; since a UDP connection has an endpoint and a port, it's a bit philosophical whether you are using sockets if you talk directly to the network card hardware.
You don't specify a baud rate as such on Ethernet; the card hardware will negotiate a speed.
There is very little overhead in sending data by UDP using sockets, and it's usually a very efficient way of receiving data. Do you have an RTOS on the embedded device, or were you trying to talk to the network adaptor directly with some sort of polling?
pps ------------------------------------------------------------------
If it is at all possible to use UDP on the embedded device - DO SO.
If you start with "I just need to send a few numbers", you ultimately end up re-inventing and re-solving all the things UDP was invented to do.
By using standard protocols you also get tools to let you test each end of the connection (there are UDP equivalents of hyperterm for free).
Also there is no need for multiple devices now, but there may be in the future. I argued for using UDP on a previous product I worked on - where the designers were thinking of ethernet as just a faster serial link. Being able to network many units of this product together has created a huge new market.

iptables and libpcap

I have a rule set up to drop UDP/TCP packets with matching strings. However, my program, which captures packets using libpcap, is still able to see these packets.
Why is this, and what should the iptables rules be to drop packets before they are seen by libpcap?
Is there any way, perhaps other than iptables rules, to drop these packets before they are seen by libpcap/tcpdump?
Yes, libpcap sees all the packets.
They are being captured before being processed by netfilter.
Did you try to change the priority of the netfilter hook you use? If you try hooking with the highest priority for incoming packets, it will get the packet before the packet socket kernel code, which is the way libpcap uses to capture packets.
* I assume you are using Linux *
EDIT:
Libpcap uses different ways to capture packets, according to the OS. On Linux it uses a packet socket, which is implemented in kernel code using the netfilter framework.
There's no way for libpcap to see the packets before netfilter; netfilter is a kernel module and processes all packets before they hit user mode. It can even see the packets before the kernel sees them.
Could you explain further?
It's possible that libpcap is also setting hooks on netfilter that overwrite the one in iptables. The real issue is that looking at what hooks are set on netfilter is far from trivial, and can only be done in kernel mode. Investigate how libpcap gets the packets.
