Network packet capture and dissecting in Perl 101
José Pedro Oliveira (jpo@di.uminho.pt)
Portuguese Perl Workshop 2012
September 28th, 2012
Overview

1. Packet capture
   - libpcap library overview
   - Net::Pcap perl module
2. Packet dissecting
   - Protocols hierarchy overview
   - NetPacket perl module
Part I: Packet capture
Contents

1. Background
   - libpcap library
   - libpcap file format
     - Global file header
     - Record header
   - libpcap API
2. Net::Pcap
libpcap library overview

libpcap is the standard API and capture file format used by many network
tools to capture and store network data.

pcap is an application programming interface (API) for capturing network
traffic. This API is provided by the libpcap library (http://www.tcpdump.org/)
in Unix systems and by the WinPcap library (http://www.winpcap.org/) in
Windows systems.

Recommended file name extension: .pcap
Pcap libraries

The libpcap and WinPcap libraries provide the packet-capture and filtering
engines of many open source and commercial network tools, including:

- protocol analyzers (aka packet sniffers)
  (e.g. tcpdump/windump, wireshark/tshark/dumpcap),
- network monitors (e.g. ntop),
- network intrusion detection systems (e.g. snort),
- traffic generators,
- traffic replayers (e.g. tcpreplay) and
- network testers.
Libpcap file format

A libpcap file is composed of a fixed size global header followed by zero or
more records:

  +---------------+----------+----------+----------+-----+
  | Global header | Record 1 | Record 2 | Record 3 | ... |
  +---------------+----------+----------+----------+-----+
                  | Packet header | Packet data |
                  +---------------+-------------+

Each record is composed of a fixed size header (packet header) followed by
the captured data (packet data).
Libpcap file format: global file header (24 bytes)

   0                        15 16                        31
  +-------------------------------------------------------+
  |                     magic number                      |
  +---------------------------+---------------------------+
  |   major version number    |   minor version number    |
  +---------------------------+---------------------------+
  |          GMT to local timezone correction             |
  +-------------------------------------------------------+
  |                accuracy of timestamps                 |
  +-------------------------------------------------------+
  |            max length of captured packets             |
  +-------------------------------------------------------+
  |                    data link type                     |
  +-------------------------------------------------------+

```c
struct pcap_file_header {
    bpf_u_int32 magic;         /* typically: 0xa1b2c3d4 or 0xd4c3b2a1 */
    u_short     version_major; /* typically: 2 */
    u_short     version_minor; /* typically: 4 */
    bpf_int32   thiszone;      /* gmt to local correction */
    bpf_u_int32 sigfigs;       /* accuracy of timestamps */
    bpf_u_int32 snaplen;       /* max length saved portion of each pkt */
    bpf_u_int32 linktype;      /* data link type (LINKTYPE_*) */
};
```
Libpcap file format: global file header fields

- magic_number - used to detect the libpcap file format and its byte
  ordering. The expected values are 0xa1b2c3d4 (reader and writer with
  identical byte order) or 0xd4c3b2a1 (the reader needs to swap the byte
  order of the remaining struct fields).
- version_major, version_minor - the version number of the libpcap file
  format (the current version is 2.4).
- thiszone - the correction time in seconds between GMT (UTC) and the local
  timezone of the packet header timestamps. In practice, time stamps are
  always in GMT, so thiszone is always 0.
- sigfigs - in theory, the accuracy of time stamps in the capture; in
  practice, all tools set it to 0.
- snaplen - the "snapshot length" for the capture; the default is 65535
  bytes but can be overridden by the user.
- linktype - data link layer type (see http://www.tcpdump.org/linktypes.html).
Libpcap file format: record (or packet) header (16 bytes)

   0                        15 16                        31
  +-------------------------------------------------------+
  |                 time stamp (seconds)                  |
  +-------------------------------------------------------+
  |               time stamp (microseconds)               |
  +-------------------------------------------------------+
  |           number of octets of packet saved            |
  +-------------------------------------------------------+
  |               actual length of packet                 |
  +-------------------------------------------------------+

```c
struct pcap_pkthdr {
    struct timeval ts;     /* time stamp (tv_sec, tv_usec) */
    bpf_u_int32    caplen; /* length of portion present */
    bpf_u_int32    len;    /* packet length as seen on the wire */
};
```
Libpcap file format: packet header fields

- ts - packet capture timestamp represented as the number of seconds since
  January 1, 1970 00:00:00 GMT (tv_sec) and the number of microseconds
  (tv_usec) as an offset to tv_sec. The tv_usec value should never reach
  1 000 000 (1 second).
- caplen - the number of bytes of packet data actually captured and saved in
  the file. This value should never become larger than len or the snaplen
  value of the global header.
- len - the length of the packet as it appeared on the network when it was
  captured.

If caplen and len differ, the actually saved packet size was limited by
snaplen.
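To make the two headers concrete, here is an added example (not from the slides and not Net::Pcap code) that reads a libpcap file with nothing but core Perl pack/unpack: it detects the byte order from the magic number, unpacks the 24-byte global header and each 16-byte record header, and enforces the constraints stated above (tv_usec below 1 000 000, caplen not above len or snaplen, data actually present) before trusting a record. The file it parses is constructed in memory by build_sample; parse_pcap and build_sample are this example's own names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse a complete libpcap file held in a scalar ($data). Returns a hashref
# for the global header and an arrayref of record hashrefs.
sub parse_pcap {
    my ($data) = @_;
    my $size = length $data;
    die "short file: $size bytes, need at least 24\n" if $size < 24;

    # Byte-order detection: read the magic as little-endian and see which of
    # the two expected values comes out; that fixes the templates for the rest.
    my $magic = unpack('V', substr($data, 0, 4));
    my ($u32, $u16);
    if    ($magic == 0xa1b2c3d4) { ($u32, $u16) = ('V', 'v') }   # written little-endian
    elsif ($magic == 0xd4c3b2a1) { ($u32, $u16) = ('N', 'n') }   # written big-endian
    else  { die sprintf "not a libpcap file (magic 0x%08x)\n", $magic }

    my %gh;
    @gh{qw(magic version_major version_minor thiszone sigfigs snaplen linktype)}
        = unpack("$u32 $u16 $u16 $u32 $u32 $u32 $u32", substr($data, 0, 24));
    $gh{thiszone} -= 2**32 if $gh{thiszone} > 0x7fffffff;   # thiszone is a signed int32
    die "unsupported version $gh{version_major}.$gh{version_minor}\n"
        if $gh{version_major} != 2;

    my @records;
    my $off = 24;
    while ($off < $size) {
        die "truncated record header at offset $off\n" if $size - $off < 16;
        my ($tv_sec, $tv_usec, $caplen, $len)
            = unpack("$u32 $u32 $u32 $u32", substr($data, $off, 16));
        $off += 16;
        # Checks before trusting caplen: a corrupt or hostile file can claim
        # more data than snaplen allows or than the file actually contains.
        die "record at $off: tv_usec $tv_usec >= 1000000\n" if $tv_usec >= 1_000_000;
        die "record at $off: caplen $caplen > snaplen $gh{snaplen}\n"
            if $caplen > $gh{snaplen};
        die "record at $off: caplen $caplen > len $len\n" if $caplen > $len;
        die "record at $off: only " . ($size - $off) . " of $caplen data bytes present\n"
            if $size - $off < $caplen;
        push @records, {
            tv_sec => $tv_sec, tv_usec => $tv_usec, caplen => $caplen, len => $len,
            truncated => ($caplen != $len ? 1 : 0),
            data      => substr($data, $off, $caplen),
        };
        $off += $caplen;
    }
    return (\%gh, \@records);
}

# Constructed sample (not a real capture): a big-endian file with snaplen 100,
# linktype 1 (Ethernet), a 60-byte frame saved whole and a 1514-byte frame of
# which only the first 100 bytes were saved.
sub build_sample {
    my $hdr = pack('N n n N N N N', 0xa1b2c3d4, 2, 4, 0, 0, 100, 1);
    my ($pkt1, $pkt2) = ("\x00" x 60, "\xff" x 100);
    return $hdr
        . pack('N4', 1348790400, 123456, length($pkt1), length($pkt1)) . $pkt1
        . pack('N4', 1348790401, 999999, length($pkt2), 1514)          . $pkt2;
}

# Read the file named on the command line, or fall back to the constructed one.
my $data = @ARGV
    ? do { open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!\n"; local $/; <$fh> }
    : build_sample();

my ($gh, $recs) = parse_pcap($data);
printf "libpcap %d.%d  linktype %d  snaplen %d  records %d\n",
    @$gh{qw(version_major version_minor linktype snaplen)}, scalar @$recs;
for my $r (@$recs) {
    # Same columns as a Net::Pcap metadata callback would print: time, len, caplen.
    printf "%012d.%06d %5d %5d%s\n", @$r{qw(tv_sec tv_usec len caplen)},
        $r->{truncated} ? '  (limited by snaplen)' : '';
}
```

The reader dies on the first inconsistent record rather than skipping it: once caplen is wrong, every later record offset is wrong too, and a forensic tool should say so instead of silently producing a shorter packet list.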
libpcap application programming interface (API)

Pcap - Packet Capture library

The Packet Capture library provides a high level interface to packet capture
systems. All packets on the network, even those destined for other hosts,
are accessible through this mechanism. It also supports saving captured
packets to a file, and reading packets from a file.

libpcap wrappers:
- Perl - Net::Pcap
- Python - pcapy, python-libpcap, pypcap, pycap
- Ruby - ruby-pcap
- ... - ...
Net::Pcap perl module

Net::Pcap - Interface to the pcap library
CPAN homepage: http://search.cpan.org/dist/Net-Pcap/

Simple examples:
- create a { live, offline } capture
- create and apply a filter
- access the packet metadata
Net::Pcap - live capture

```perl
#!/usr/bin/perl -w
use strict;
use Net::Pcap;

my ($pcap, $err, $maxpkts, $count) = (undef, '', 10, 0);
my ($dev, $snap, $promisc, $timeout) = ('eth0', 65535, 1, 0);

sub process_packet {
    $count++;
}

$pcap = Net::Pcap::open_live($dev, $snap, $promisc,
                             $timeout, \$err) or die "Can't open '$dev': $err\n";

Net::Pcap::loop($pcap, $maxpkts, \&process_packet, '');

Net::Pcap::close($pcap);

print "Number of packets = $count\n";
```
Net::Pcap - open_live, loop parameters

open_live/pcap_open_live parameters:
- $dev - network interface
- $snaplen - maximum number of bytes to capture
- $promisc - promiscuous mode
- $to_ms - read timeout in milliseconds
- \$err - error message (out)

loop/pcap_loop parameters:
- $pcap - packet capture descriptor
- $count - number of packets to capture (if negative loops forever)
- \&callback - perl function to be used as a callback
- $user_data - callback argument
Net::Pcap - offline capture (pcap file)

```perl
#!/usr/bin/perl -w
use strict;
use Net::Pcap;

my ($pcap, $err, $maxpkts, $count) = (undef, '', -1, 0);
my $file = 'file.pcap';

sub process_packet {
    $count++;
}

$pcap = Net::Pcap::open_offline($file, \$err)
    or die "Can't read '$file': $err\n";

Net::Pcap::loop($pcap, $maxpkts, \&process_packet, '');

Net::Pcap::close($pcap);

print "Number of packets = $count\n";
```
Net::Pcap - create and apply a capture filter

```perl
#!/usr/bin/perl -w
use strict;
use Net::Pcap qw(:functions);

my ($pcap, $err, $maxpkts, $count) = (undef, '', 10, 0);
my ($dev, $snap, $promisc, $timeout) = ('eth0', 65535, 1, 0);
my ($filter, $filter_str) = (undef, 'tcp dst port 80');

sub process_packet {
    $count++;
}

$pcap = pcap_open_live($dev, $snap, $promisc,
                       $timeout, \$err) or die "Can't open '$dev': $err\n";
# pcap_compile returns 0 on success, so a true value means the filter failed
pcap_compile($pcap, \$filter, $filter_str, 1, 0)
    and die "error: filter <$filter_str>\n";
pcap_setfilter($pcap, $filter);
pcap_loop($pcap, $maxpkts, \&process_packet, '');
pcap_close($pcap);
```
Net::Pcap - access the packet metadata

```perl
#!/usr/bin/perl -w
use strict;
use Net::Pcap;

my ($pcap, $err, $maxpkts, $count) = (undef, '', -1, 0);
my $file = 'file.pcap';

sub process_packet {
    my ($user_data, $header, $packet) = @_;

    # $header == libpcap record header

    printf "%012d.%06d %5d %5d\n",
        $header->{tv_sec}, $header->{tv_usec},
        $header->{len}, $header->{caplen};
}

$pcap = Net::Pcap::open_offline($file, \$err)
    or die "Can't read '$file': $err\n";
Net::Pcap::loop($pcap, $maxpkts, \&process_packet, '');
Net::Pcap::close($pcap);
```
Part II: Packet dissecting
Contents

3. Background
   - Protocols hierarchy overview
   - Protocols headers of the IP stack
4. NetPacket perl module
Background

- understand the protocol hierarchy
- know the protocols used
  (read the protocol specification if available)
- know how to use the pack/unpack perl functions
Ethernet Frames

802.3 Ethernet frame structure (sizes in bytes):

  | Preamble | Dest. Address | Src. Address | Type | Frame Data | FCS | Interframe gap |
  |    8     |       6       |      6       |  2   |  46-1500   |  4  |       12       |
             |<----------------------- Frame ------------------------>|

With an 802.1q VLAN Tag inserted after the source address:

  | Preamble | Dest. Address | Src. Address | VLAN Tag | Type | Frame Data | FCS | Interframe gap |
  |    8     |       6       |      6       |    4     |  2   |  46-1500   |  4  |       12       |

- 64 byte minimum frame size
- 1518 byte maximum frame size
- 1522 byte maximum frame size with 802.1q VLAN Tag
Protocol hierarchy

Ethernet - IPv4 - UDP (sizes in bytes):

  | Dest Addr | Src Addr | T |            Frame Data            | FCS |
  |     6     |    6     | 2 |           46-1500                |  4  |
                             | IPv4 Hdr |        IP Data        |
                             |    20    |        26-1480        |
                                        | UDP Hdr |  UDP Data   |
                                        |    8    |   18-1472   |
IPv4 Header - 20 bytes

   0    3 4    7 8           15 16                       31
  +------+------+-------------+---------------------------+
  | Ver  | IHL  | Diff. Serv. |       Total Length        |
  +------+------+-------------+-------+-------------------+
  |        Identifier         | Flags |  Fragment Offset  |
  +-------------+-------------+-------+-------------------+
  |     TTL     |  Protocol   |      Header Checksum      |
  +-------------+-------------+---------------------------+
  |                    Source Address                     |
  +-------------------------------------------------------+
  |                  Destination Address                  |
  +-------------------------------------------------------+
IPv6 Header - 40 bytes

   0    3 4          11 12                               31
  +------+-------------+----------------------------------+
  | Ver  |Traffic Class|            Flow Label            |
  +------+-------------+-------+-------------+------------+
  |      Payload Length       | Next Header |  Hop Limit  |
  +---------------------------+-------------+-------------+
  |                                                       |
  |                 Source Address (128 bits)             |
  |                                                       |
  +-------------------------------------------------------+
  |                                                       |
  |              Destination Address (128 bits)           |
  |                                                       |
  +-------------------------------------------------------+
TCP Header - 20+ bytes

   0    3 4    7 8           15 16                       31
  +---------------------------+---------------------------+
  |        Source Port        |     Destination Port      |
  +---------------------------+---------------------------+
  |                    Sequence Number                    |
  +-------------------------------------------------------+
  |                 Acknowledgment Number                 |
  +------+------+-------------+---------------------------+
  |Offset| Rsvd |    Flags    |          Window           |
  +------+------+-------------+---------------------------+
  |         Checksum          |      Urgent Pointer       |
  +---------------------------+---------------------------+
  |                  Options (Optional)                   |
  +-------------------------------------------------------+
UDP Header - 8 bytes

   0                        15 16                        31
  +---------------------------+---------------------------+
  |        Source Port        |     Destination Port      |
  +---------------------------+---------------------------+
  |          Length           |         Checksum          |
  +---------------------------+---------------------------+
NetPacket perl module

NetPacket - Base class for assembling/disassembling network protocols

Available NetPacket subclasses:
- NetPacket::ARP - ARP (Address Resolution Protocol) packets
- NetPacket::Ethernet - Ethernet packets
- NetPacket::ICMP - ICMP (Internet Control Message Protocol) packets
- NetPacket::IGMP - IGMP (Internet Group Management Protocol) packets
- NetPacket::IP - IP (Internet Protocol) packets
- NetPacket::TCP - TCP (Transmission Control Protocol) packets
- NetPacket::UDP - UDP (User Datagram Protocol) packets
Packet decoding with NetPacket (1/2)

```perl
# ...
use NetPacket::Ethernet qw(:types);
# ...
sub process_packet {
    my ($user_data, $header, $packet) = @_;

    # $packet == libpcap record data

    my $eth = NetPacket::Ethernet->decode($packet);

    # Ethernet object data fields:
    #   dest_mac, src_mac, type, data
    #
    # EtherType:
    #   http://www.iana.org/assignments/ethernet-numbers
    #   ...
    #   2048  0800  513  1001  Internet IP (IPv4)  [IANA]
    #   ...

    if ($eth->{type} == ETH_TYPE_IP) { ... }
}
# ...
```
Packet decoding with NetPacket (2/2)

```perl
# ...
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::ICMP;
use NetPacket::TCP;
use NetPacket::UDP;
# ...
sub process_packet {
    my ($user_data, $header, $packet) = @_;

    my $eth = NetPacket::Ethernet->decode($packet);
    if ($eth->{type} == ETH_TYPE_IP) {
        my $ip = NetPacket::IP->decode($eth->{data});

        if ($ip->{proto} == IP_PROTO_ICMP) {
            my $icmp = NetPacket::ICMP->decode($ip->{data});

        } elsif ($ip->{proto} == IP_PROTO_TCP) {
            my $tcp = NetPacket::TCP->decode($ip->{data});

        } elsif ($ip->{proto} == IP_PROTO_UDP) {
            my $udp = NetPacket::UDP->decode($ip->{data});
        }
    }
}
# ...
```
Extending NetPacket

There isn't a NetPacket package for my protocol. What do I do?

- read the protocol specification
- create a NetPacket subclass
- implement the encode and decode methods
  (with the pack and unpack perl functions)
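The steps above, carried out as an added example for the slides' Ethernet - IPv4 - UDP hierarchy (this is not NetPacket's own code; eth_decode, ip_decode, udp_decode, udp_encode and build_sample_frame are names chosen here). Each decoder is built only from the header layouts on the preceding slides and core pack/unpack, and returns a hash with NetPacket-style field names. ip_decode also verifies the header checksum and uses the IPv4 total length to drop Ethernet padding, and every layer checks the length fields it receives before slicing, which is what a dissector needs before it trusts anything that came off the wire.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Protocol numbers (IANA): EtherType for IPv4 and the IP protocol number of UDP.
use constant ETH_TYPE_IP  => 0x0800;
use constant IP_PROTO_UDP => 17;

# Ethernet: dest(6) src(6) type(2) data. Field names as in NetPacket::Ethernet.
sub eth_decode {
    my ($frame) = @_;
    die "frame too short for an Ethernet header\n" if length($frame) < 14;
    my ($dst, $src, $type, $data) = unpack('H12 H12 n a*', $frame);
    return { dest_mac => $dst, src_mac => $src, type => $type, data => $data };
}

# RFC 791 checksum: one's complement of the one's complement sum of the 16-bit
# words. Over a header that already contains its checksum the result is 0.
sub inet_checksum {
    my ($bytes) = @_;
    $bytes .= "\0" if length($bytes) % 2;
    my $sum = 0;
    $sum += $_ for unpack('n*', $bytes);
    $sum = ($sum >> 16) + ($sum & 0xffff) while $sum >> 16;
    return ~$sum & 0xffff;
}

# IPv4: the 20-byte header from the slide. IHL, total length and checksum are
# validated before the payload is handed to the next layer.
sub ip_decode {
    my ($data) = @_;
    die "too short for an IPv4 header\n" if length($data) < 20;
    my ($vihl, $tos, $total, $id, $flagfrag, $ttl, $proto, $cksum, $src, $dst)
        = unpack('C C n n n C C n N N', $data);
    my ($ver, $hlen) = ($vihl >> 4, ($vihl & 0x0f) * 4);
    die "not IPv4 (version $ver)\n" if $ver != 4;
    die "bad IHL ($hlen bytes)\n" if $hlen < 20 || $hlen > length($data);
    die "total length $total inconsistent with bytes present\n"
        if $total < $hlen || $total > length($data);
    return {
        ver => $ver, hlen => $hlen, tos => $tos, len => $total, id => $id,
        flags => $flagfrag >> 13, foffset => $flagfrag & 0x1fff,
        ttl => $ttl, proto => $proto, cksum => $cksum,
        cksum_ok => (inet_checksum(substr($data, 0, $hlen)) == 0 ? 1 : 0),
        src_ip   => join('.', unpack('C4', pack('N', $src))),
        dest_ip  => join('.', unpack('C4', pack('N', $dst))),
        data     => substr($data, $hlen, $total - $hlen),   # drops Ethernet padding
    };
}

# UDP: 8-byte header. decode/encode are the pair a NetPacket subclass provides.
sub udp_decode {
    my ($data) = @_;
    die "too short for a UDP header\n" if length($data) < 8;
    my ($sport, $dport, $ulen, $cksum) = unpack('n n n n', $data);
    die "UDP length $ulen inconsistent with bytes present\n"
        if $ulen < 8 || $ulen > length($data);
    return { src_port => $sport, dest_port => $dport, len => $ulen,
             cksum => $cksum, data => substr($data, 8, $ulen - 8) };
}

sub udp_encode {
    my ($u) = @_;
    return pack('n n n n', $u->{src_port}, $u->{dest_port},
                8 + length($u->{data}), $u->{cksum} // 0) . $u->{data};
}

# Constructed frame (not a real capture): Ethernet -> IPv4 -> UDP with a 5-byte
# payload, a correct IPv4 checksum and 4 trailing padding bytes.
sub build_sample_frame {
    my $udp = udp_encode({ src_port => 53, dest_port => 40000, data => 'hello' });
    my $ip  = pack('C C n n n C C n a4 a4', 0x45, 0, 20 + length($udp), 0x1234,
                   0x4000, 64, IP_PROTO_UDP, 0,
                   pack('C4', 192, 0, 2, 1), pack('C4', 192, 0, 2, 2));
    substr($ip, 10, 2) = pack('n', inet_checksum($ip));   # checksum field was 0
    return pack('H12 H12 n', '001122334455', '66778899aabb', ETH_TYPE_IP)
        . $ip . $udp . "\0" x 4;
}

# Walk the hierarchy the same way the NetPacket slides do, one layer per step.
sub dissect {
    my ($frame) = @_;
    my $eth = eth_decode($frame);
    my @out = sprintf "eth %s -> %s type 0x%04x", @$eth{qw(src_mac dest_mac type)};
    if ($eth->{type} == ETH_TYPE_IP) {
        my $ip = ip_decode($eth->{data});
        push @out, sprintf "ip  %s -> %s proto %d ttl %d checksum %s",
            @$ip{qw(src_ip dest_ip proto ttl)}, $ip->{cksum_ok} ? 'ok' : 'BAD';
        if ($ip->{proto} == IP_PROTO_UDP) {
            my $udp = udp_decode($ip->{data});
            push @out, sprintf "udp %d -> %d len %d payload %s",
                @$udp{qw(src_port dest_port len)}, $udp->{data};
        }
    }
    return @out;
}

print "$_\n" for dissect(build_sample_frame());
```

In the Net::Pcap callbacks shown earlier, eth_decode($packet) would take the place of NetPacket::Ethernet->decode($packet); the `die` calls are where a subclass would instead return an error so that one malformed record does not abort the whole capture loop.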
Part III: References
References

- Libpcap library: http://www.tcpdump.org/
- PCAP: http://en.wikipedia.org/wiki/Pcap
  http://wiki.wireshark.org/Development/LibpcapFileFormat
- Packet filter syntax: man 7 pcap-filter
- Net::Pcap perl module: http://search.cpan.org/dist/Net-Pcap/
- NetPacket perl module: http://search.cpan.org/dist/NetPacket/