Design and Implementation of Sniffer Based on Linux environment

Source: Internet
Author: User

I. Sniffer Principle Analysis
Before implementing the sniffer, we need to understand the TCP/IP protocols. TCP and IP are two network protocols (data transmission methods) used on the Internet: the Transmission Control Protocol and the Internet Protocol. They are two members of the much larger TCP/IP protocol suite.
The protocols in the TCP/IP suite ensure data transmission over the Internet and provide almost all of the services used on it: email, file transfer, newsgroup publishing, and access to the World Wide Web.
TCP is layered on top of IP. Unlike the unreliable transmission service that IP provides, TCP provides the application layer above it with a reliable transmission service. This service is reliable, full duplex, stream-oriented, and unstructured. TCP transmission principle:
TCP uses positive acknowledgement with retransmission to achieve reliable transmission. After receiving data from the sender, the receiver must send back an ACK message indicating that the data was received. The sender keeps a record of the data it has sent and waits for the acknowledgement before sending the next data. When it sends the data it also starts a timer; if no acknowledgement arrives within a certain period, the data is deemed lost in transit and is resent.
This method also produces a problem: duplicate packets. If the network is slow and the acknowledgement reaches the sender only after the wait time has expired, the sender's retransmission produces duplicate data. One solution is to give each piece of data a sequence number; the sender then needs to remember which sequence numbers have been acknowledged. To cope with delayed or repeated acknowledgements, the acknowledgement message must also carry the sequence number it acknowledges, so the sender knows exactly which packet has been confirmed. TCP also uses a sliding window technique, described next.
As described above, the sender must wait for an acknowledgement after sending a packet, and it sits idle until the acknowledgement arrives. If network latency is high, this problem becomes quite obvious. The sliding window allows multiple packets to be sent before their acknowledgements are received. Imagine a window moving along the sequence: a packet that has been sent but not yet acknowledged is called an unacknowledged packet, and the number of unacknowledged packets is usually the window size. The receiving end also has a sliding window for receiving and acknowledging packets.
TCP is connection-oriented. In TCP, a connection consists of two endpoints; it represents a communication between the sending and receiving applications at both ends, which we can think of as building a circuit. A connection endpoint is generally written as (host, port), where host is the host and port is the port. A TCP port can be shared by several applications; for programmers, this means that one application can serve different connections. The unit of TCP transmission is the segment. Segments are exchanged when a connection is established, when data is transmitted, when acknowledgements are sent, and when window sizes are advertised.
TCP uses a three-way handshake to establish a connection. The first segment of the handshake has the SYN code bit set and sequence number x, indicating that a handshake has started. On receiving it, the receiver sends back a segment with the SYN and ACK code bits set, sequence number y, and acknowledgement number x + 1. On receiving that segment, the sender knows that TCP data can be sent, so it sends an ACK segment to the receiver, indicating that the connection between the two parties is established. After the handshake is completed, data transmission begins. The sequence numbers in the handshake segments are randomly generated.
After learning the TCP/IP protocols, you must master network programming. In Linux network programming, a socket can be thought of as extending Unix file operations to provide point-to-point communication. Much like opening a file, an application creates a socket according to its needs; the operating system returns an integer, and the application uses the socket by referencing that integer. The difference between a file descriptor and a socket descriptor is that when a program calls open(), the operating system binds the file descriptor to a file or device, whereas a newly created socket need not be bound to a destination address; the program can specify the target address when it wants to use the socket. In point-to-point communication, the program that requests a service or data is called the client, and the program that provides the data or service is called the server. The following explains a basic socket system call, which is also used in the sniffer:
socket()
#include <sys/types.h>
#include <sys/socket.h>
int socket(int family, int type, int protocol);
The int family parameter specifies the protocol (address) family to be used. The following values are used:
AF_UNIX internal (Unix domain) protocols
AF_INET Internet protocols
AF_NS Xerox NS protocols
AF_IMPLINK IMP link layer
The int type parameter specifies the socket type. The following values are used:
SOCK_STREAM stream socket
SOCK_DGRAM datagram socket
SOCK_RAW raw socket
SOCK_SEQPACKET sequenced packet socket
The int protocol parameter is usually set to 0.
A socket() call returns an integer called the socket descriptor, sockfd, which works in the same way as a file descriptor. Calling this function is the first step of any network I/O.
II. Implementation of Sniffer
This section describes the implementation of the sniffer. The sniffer is written in C and was compiled and debugged on Red Hat Linux 6.2.
A sniffer is a common means of collecting useful data, which can be user accounts and passwords or confidential business data.
Ethernet sniffing means listening to the packets transmitted on an Ethernet device to find packets of interest; when a qualifying packet is found, it is stored in a log file. The conditions are usually set to match packets containing the word "username" or "password". The technique works by putting the network interface into promiscuous mode. In promiscuous mode, a device on the network listens to all the data transmitted on the bus, not just the data addressed to it. From the way Ethernet works, we know that when a device sends data to a particular destination, the data is broadcast over the Ethernet; every device connected to the Ethernet bus receives it at any time, but normally passes only the data addressed to itself up to the applications on the computer. By setting a computer's network interface to accept all data on the Ethernet bus, a sniffer is implemented.
A sniffer usually runs on a router or on a host that performs routing, where it can monitor a large amount of traffic. Sniffing is a second-stage attack: generally the attacker has already gained access to the target system and then uses the sniffer to obtain more information. Besides passwords and user names, a sniffer can capture other important information, such as financial information sent online. A sniffer can capture almost any packet transmitted over the Ethernet. Generally, the sniffer program looks only at the first bytes of data in each packet, which is enough to find information such as the user name and password.
Next we introduce the implementation of the program. The structure etherpacket defines a data packet. ethhdr, iphdr, and tcphdr are the three structures that define the formats of the Ethernet frame header, the IP header, and the TCP header.
They are defined in the header files as follows:
struct ethhdr
{
    unsigned char h_dest[ETH_ALEN];    /* destination eth addr */
    unsigned char h_source[ETH_ALEN];  /* source ether addr */
    unsigned short h_proto;            /* packet type ID field */
};
struct iphdr
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
    u_int8_t ihl:4;
    u_int8_t version:4;
#elif __BYTE_ORDER == __BIG_ENDIAN
    u_int8_t version:4;
    u_int8_t ihl:4;
#else
# error "Please fix <bytesex.h>"
#endif
    u_int8_t tos;
    u_int16_t tot_len;
    u_int16_t id;
    u_int16_t frag_off;
    u_int8_t ttl;
    u_int8_t protocol;
    u_int16_t check;
    u_int32_t saddr;
    u_int32_t daddr;
    /* The options start here. */
};
struct tcphdr
{
    u_int16_t source;
    u_int16_t dest;
    u_int32_t seq;
    u_int32_t ack_seq;
#if __BYTE_ORDER == __LITTLE_ENDIAN
    u_int16_t res1:4;
    u_int16_t doff:4;
    u_int16_t fin:1;
    u_int16_t syn:1;
    u_int16_t rst:1;
    u_int16_t psh:1;
    u_int16_t ack:1;
    u_int16_t urg:1;
    u_int16_t res2:2;
#elif __BYTE_ORDER == __BIG_ENDIAN
    u_int16_t doff:4;
    u_int16_t res1:4;
    u_int16_t res2:2;
    u_int16_t urg:1;
    u_int16_t ack:1;
    u_int16_t psh:1;
    u_int16_t rst:1;
    u_int16_t syn:1;
    u_int16_t fin:1;
#else
# error "Adjust your <bits/endian.h> defines"
#endif
    u_int16_t window;
    u_int16_t check;
    u_int16_t urg_ptr;
};
Next, a structure variable victim is defined. Then look at the int openintf(char *d) function, which opens a network interface; main calls it with eth0 as the argument. The function uses the following structure:
struct ifreq
{
#define IFHWADDRLEN 6
#define IFNAMSIZ 16
    union
    {
        char ifrn_name[IFNAMSIZ];   /* Interface name, e.g. "en0". */
    } ifr_ifrn;
    union
    {
        struct sockaddr ifru_addr;
        struct sockaddr ifru_dstaddr;
        struct sockaddr ifru_broadaddr;
        struct sockaddr ifru_netmask;
        struct sockaddr ifru_hwaddr;
        short int ifru_flags;
        int ifru_ivalue;
        int ifru_mtu;
        struct ifmap ifru_map;
        char ifru_slave[IFNAMSIZ];  /* Just fits the size */
        __caddr_t ifru_data;
    } ifr_ifru;
};
This structure is called the interface request structure and is used with the interface I/O control (ioctl) calls. Every interface ioctl takes it as a parameter: the structure starts with ifr_name, and the members that follow vary depending on the request made on the network interface.
To see which network interfaces your computer has, use the ifconfig command; the lo0 and eth0 interfaces are usually displayed. The fields of the ifreq structure correspond one to one to the ifconfig output. Here the program uses eth0 as ifr_name. The function then sets this network interface to promiscuous mode; remember that the sniffer works in this mode.
Next is the read_tcp function, which reads TCP packets and passes them to the filter for processing. The filter function processes the packets read above, and the following part of the program writes the data to the output file. The clearup function writes a final record to the file and closes it when the program exits; otherwise the record just made is lost.
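The same ifreq/ioctl interface that openintf() uses to set promiscuous mode can be used in the other direction, to check whether an interface on your own host has been put into that mode, which is the host-side sign that a sniffer of this kind is running. The following is an added example written for this article, not the article's program; it reads the interface flags with SIOCGIFFLAGS (a read, so no privilege is needed) and reports IFF_PROMISC. The default interface name eth0 and the test name no-such-if0 are assumptions.

```c
/* Added example: report whether a network interface is in promiscuous mode.
 * Not the article's code. Uses the ifreq structure and the SIOCGIFFLAGS ioctl
 * from <net/if.h> / <sys/ioctl.h> on Linux. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>          /* struct ifreq, IFF_PROMISC, IFNAMSIZ */

/* Pure check on a flag word, so the decision is testable without a device. */
int flags_promisc(short flags) { return (flags & IFF_PROMISC) ? 1 : 0; }

/* Returns 1 if ifname is promiscuous, 0 if not, -1 if it cannot be queried
 * (no such device, or no socket). SIOCGIFFLAGS only reads the flags, unlike
 * the SIOCSIFFLAGS write that the article's openintf() performs. */
int iface_promisc(const char *ifname)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* any socket carries the ioctl */
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);  /* memset kept the NUL terminator */
    int rc = ioctl(fd, SIOCGIFFLAGS, &ifr);
    close(fd);
    return rc < 0 ? -1 : flags_promisc(ifr.ifr_flags);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "eth0";   /* eth0, as in the article */
    int r = iface_promisc(name);
    if (r < 0) { perror(name); return 1; }
    printf("%s: %s\n", name, r ? "IFF_PROMISC is set" : "not promiscuous");
    return 0;
}
```

Run it periodically (or from a monitoring script) against each interface; an unexpected IFF_PROMISC on a host that does not run a capture tool is worth investigating.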
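The three header structures listed above are what read_tcp and the filter have to walk through for every frame. The following is an added example, not the article's program: it decodes one Ethernet/IPv4/TCP frame with the kernel's ethhdr, iphdr and tcphdr definitions, reporting the addresses, ports, sequence number and the SYN/ACK code bits from the handshake description. The frame bytes are constructed by hand for the demonstration (192.168.1.10:49152 to 192.168.1.20:23, SYN set), not captured traffic; every header is length-checked before it is read, which is the check a raw-socket reader must make before trusting ihl from the wire.

```c
/* Added example (not the article's code): decode one Ethernet/IPv4/TCP frame
 * with the Linux header structures the article lists. The frame is constructed. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>  /* struct ethhdr, ETH_P_IP */
#include <netinet/ip.h>      /* struct iphdr */
#include <netinet/tcp.h>     /* struct tcphdr */

struct tcp_summary { uint32_t saddr, daddr, seq; uint16_t sport, dport, syn, ack; };

/* Constructed frame: 192.168.1.10:49152 -> 192.168.1.20:23, SYN, seq 1.
 * IP and TCP checksums are left zero because nothing here verifies them. */
const unsigned char SAMPLE_SYN_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* ethhdr */
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,            /* iphdr  */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0xc0,0x00,0x00,0x17, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* tcphdr */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };
const size_t SAMPLE_SYN_FRAME_LEN = sizeof SAMPLE_SYN_FRAME;

/* Returns 0 and fills *out for an IPv4/TCP frame, -1 otherwise. Each header is
 * length-checked before it is read: a reader that trusts ihl from the wire
 * walks past its buffer on a truncated frame. */
int decode_tcp_frame(const unsigned char *buf, size_t len, struct tcp_summary *out)
{
    struct ethhdr eth; struct iphdr ip; struct tcphdr tcp;
    if (len < sizeof eth + sizeof ip) return -1;
    memcpy(&eth, buf, sizeof eth);                 /* memcpy: no unaligned access */
    if (ntohs(eth.h_proto) != ETH_P_IP) return -1;
    memcpy(&ip, buf + sizeof eth, sizeof ip);
    size_t iplen = (size_t)ip.ihl * 4;             /* ihl counts 32-bit words */
    if (ip.version != 4 || iplen < sizeof ip || ip.protocol != IPPROTO_TCP) return -1;
    if (len < sizeof eth + iplen + sizeof tcp) return -1;
    memcpy(&tcp, buf + sizeof eth + iplen, sizeof tcp);
    out->saddr = ntohl(ip.saddr);   out->daddr = ntohl(ip.daddr);
    out->sport = ntohs(tcp.source); out->dport = ntohs(tcp.dest);
    out->seq = ntohl(tcp.seq);      out->syn = tcp.syn; out->ack = tcp.ack;
    return 0;
}

int main(void)
{
    struct tcp_summary s;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    if (decode_tcp_frame(SAMPLE_SYN_FRAME, SAMPLE_SYN_FRAME_LEN, &s) != 0) return 1;
    uint32_t sa = htonl(s.saddr), da = htonl(s.daddr);
    inet_ntop(AF_INET, &sa, src, sizeof src); inet_ntop(AF_INET, &da, dst, sizeof dst);
    printf("%s:%u -> %s:%u seq=%u syn=%u ack=%u\n", src, s.sport, dst, s.dport, s.seq, s.syn, s.ack);
    return 0;
}
```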
III. Operation Results and Conclusions
As for the results of running this program: my computer is in a LAN environment consisting of more than 30 hosts. All hosts in this LAN access the Internet through a proxy gateway. After testing, during peak hours at night, the mailbox usernames and passwords of more than five different IP addresses can be detected within a few minutes. Of course, other information can also be detected, for example useful information such as the web page content browsed by a user with a web browser, and telnet login names and passwords. If the program runs on the gateway, more information is intercepted.
