Network Programming: Raw Sockets (SOCK_RAW)


SOCK_STREAM: stream sockets

SOCK_DGRAM: datagram sockets

SOCK_RAW: raw sockets

IPPROTO_IP: the IP protocol

IPPROTO_ICMP: Internet Control Message Protocol; with a raw socket this is how ping is implemented

IPPROTO_IGMP: Internet Group Management Protocol, used for multicast

Under the AF_INET address family there are three socket types: SOCK_STREAM, SOCK_DGRAM and SOCK_RAW. SOCK_STREAM is what is commonly called TCP, SOCK_DGRAM is what is commonly called UDP, and SOCK_RAW provides lower-level control. The third parameter of socket() depends on the second and specifies the concrete protocol the socket uses; set it to 0 to use the default protocol for that socket type.


Raw sockets have direct access to lower-level protocols, and network monitoring technology relies heavily on them. This paper introduces the steps and methods for capturing low-level network packets with raw sockets and develops a program model to explore the capture method further.

Keywords: raw socket; capture; packet

1 Introduction

With the rapid development of information technology, the network has become the main means of information exchange, and new network services such as e-commerce and mobile payment are emerging; all of these place high demands on network security. At the same time, attacks on the Internet have never stopped, and the network security situation has become increasingly serious.

Many network attacks begin with listening. The most important step in network monitoring is capturing the data frames on the LAN, so research into data capture technology is of great significance for ensuring network security.

2 RAW Socket Introduction

Different processes on the same host can be uniquely identified by a process number, but in a network environment a process number does not uniquely identify a process. TCP/IP introduces the concepts of network address, port and connection to solve the problem of identifying processes across a network. A socket is a handle to a transport provider, and the TCP/IP protocol suite supports three types of sockets: stream sockets, datagram sockets and raw sockets.

Stream sockets (SOCK_STREAM) provide a connection-oriented, bidirectional and reliable data-stream transport service. Datagram sockets (SOCK_DGRAM) provide a connectionless service with no guarantee against errors. Raw sockets (SOCK_RAW) allow direct access to lower-level protocols such as IP and ICMP; they are often used to verify new protocol implementations or to access new devices configured in existing services. Because raw sockets under Windows are free to control several protocols and can manipulate the transmission mechanism at the bottom of the network stack, they can be used to operate on the network layer and the transport layer. For example, raw sockets can receive ICMP and IGMP packets sent to the local host, receive IP packets that the TCP/IP stack cannot process, or send IP packets with custom headers or custom protocols. Network monitoring technology relies heavily on SOCK_RAW.

3 RAW Socket Programming

To use a raw socket you must go through three steps: create the raw socket, set the socket options, and create and populate the corresponding protocol header; the assembled data is then sent with the send or WSASend function. Receiving is similar, except that the data is received with the recv or WSARecv function. The steps for programming with raw sockets follow.

3.1 Creating the raw socket

A raw socket can be created with the socket or WSASocket function. Because a raw socket controls the underlying protocol directly, only members of the Administrators group have permission to create one. The following code creates a raw socket with the socket function:

SOCKET sock;
sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);

The raw socket created above uses the UDP protocol; to use another protocol such as ICMP, IGMP or IP, change the corresponding parameter to IPPROTO_ICMP, IPPROTO_IGMP or IPPROTO_IP. In addition, the IPPROTO_UDP, IPPROTO_IP and IPPROTO_RAW protocol flags require the IP_HDRINCL socket option, and at the time of writing only Windows 2000 and Windows XP support IP_HDRINCL, which means that the IP, UDP and TCP protocols cannot be used when creating a raw socket on Windows platforms without that support.

3.2 Setting socket options

After the raw socket is created, the socket options are set with the setsockopt function, which is declared as follows:

int setsockopt(
    SOCKET s,
    int level,
    int optname,
    const char FAR *optval,
    int optlen
);

In this declaration the parameter s is the descriptor identifying the socket; note that the option must be valid for that socket. The parameter level indicates the level at which the option is defined; for the TCP/IP protocol family the SOL_SOCKET, IPPROTO_IP and IPPROTO_TCP levels are supported. The parameter optname is the name of the option to set, a constant defined in the Winsock header file. The parameter optval points to the buffer holding the option value, and optlen gives the length of that buffer.

3.3 Creating and populating the corresponding protocol header

In this step the IP and TCP header data structures are created, written according to the definitions in the relevant protocol specifications. The following is a TCP header data structure:

struct TCP
{
    unsigned short tcp_sport;    /* source port */
    unsigned short tcp_dport;    /* destination port */
    unsigned int   tcp_seq;      /* sequence number */
    unsigned int   tcp_ack;      /* acknowledgement number */
    unsigned char  tcp_lenres;   /* header length (in 32-bit words) and reserved bits */
    unsigned char  tcp_flag;     /* control flags */
    unsigned short tcp_win;      /* window size */
    unsigned short tcp_sum;      /* checksum */
    unsigned short tcp_urp;      /* urgent pointer */
};

4 Program model for capturing network packets using raw sockets

The following describes a program model that captures network packets using raw sockets. The model demonstrates how to capture packets on a local area network with raw sockets: it receives the low-level data on the network and displays information such as source address, destination address, source port, destination port and the number of bytes received. It also illustrates the basic principle of network monitoring, which provides a method for capturing packets on a LAN: the network card is put into promiscuous mode, and a raw socket is then used to receive the data at the IP layer.

The program was debugged and compiled in Visual C++ .NET 2003 and its running environment is Ethernet. The code can be compiled and run on both Linux and Windows, although different header files are required at compile time and the code has to be adjusted accordingly. Under Windows the program model can be run directly; under Linux the network card must first be put into promiscuous mode manually, as root, with the command: ifconfig eth0 promisc.

Under Unix/Linux the program includes the following header files, which provide the system and network calls:

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "Headers.h"

To ease the porting of existing source programs based on the Berkeley socket interface, Windows Sockets supports many of the Berkeley header files. These Berkeley header files are included by WINSOCK2.H, so it is sufficient for a Windows Sockets application to include only WINSOCK2.H, which is the recommended method today. Under Windows the program therefore uses the following header files instead:

#include "stdafx.h"
#include <stdio.h>
#include <Winsock2.h>
#include "Headers.h"

Headers.h is a header file written by the author; its role is to define the header structures of the IP and TCP packets. The program first defines several variables and structures and then calls socket() to create the socket. The main code is as follows:

int _tmain(int argc, _TCHAR* argv[])
{
    int sock, bytes_received, fromlen;
    char buffer[65535];
    struct sockaddr_in from;
    struct IP *ip;
    struct TCP *tcp;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    ......
    return 0;
}

The second step of the program uses a while (1) statement to create an endless loop that continuously receives network data. First, sizeof() is used to obtain the length of the socket address structure, which the recvfrom() function requires. Data is received from the socket with recvfrom(); because recvfrom() expects a sockaddr type, a cast is used. The code is as follows:

fromlen = sizeof(from);
bytes_received = recvfrom(sock, buffer, sizeof(buffer), 0, (struct sockaddr *)&from, &fromlen);

Next, a single statement interprets the received data as the predefined structure so that it can be examined easily:

ip = (struct IP *)buffer;

A further statement points to the TCP header. In the received data the IP header length field is expressed in units of 4 bytes, so multiplying the IP header length by 4 gives the offset of the TCP header section:

tcp = (struct TCP *)(buffer + (4 * ip->ip_length));

Finally, the number of bytes received, the source and destination addresses, the source and destination ports, the IP header length and the protocol type are output with a print statement.
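The complete capture path that sections 3 and 4 walk through, as an added example that is not the article's own program: the header structures a Headers.h would hold, raw-socket creation, the recvfrom() loop, and the step that locates the TCP header at IHL * 4. It is written against the Linux/BSD headers the article lists (a Windows build would use winsock2.h and WSAStartup instead); the names parse_packet, build_sample_packet, ip_checksum, pkt_info and the struct IP field names are this example's assumptions, and the packet parsed in the test is constructed in memory rather than captured. Beyond the article's code it verifies the IP header checksum and bounds-checks both header lengths before trusting anything in the buffer, which is what a capture tool must do with bytes it did not produce.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Header layouts as the article's Headers.h would define them. struct TCP keeps the
   article's field names; struct IP and its field names are this example's assumption. */
struct IP {
    unsigned char  ip_verlen, ip_tos;       /* ip_verlen: version (high nibble), IHL in 32-bit words (low nibble) */
    unsigned short ip_totallen, ip_id, ip_offset;
    unsigned char  ip_ttl, ip_proto;
    unsigned short ip_sum;                  /* header checksum */
    unsigned int   ip_src, ip_dst;          /* network byte order */
};
struct TCP {
    unsigned short tcp_sport, tcp_dport;
    unsigned int   tcp_seq, tcp_ack;
    unsigned char  tcp_lenres, tcp_flag;    /* tcp_lenres: data offset in 32-bit words (high nibble) */
    unsigned short tcp_win, tcp_sum, tcp_urp;
};
/* Decoded fields, in host byte order, that the capture loop prints. */
struct pkt_info {
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    unsigned proto, ip_hdr_len, tcp_hdr_len, sport, dport;
};

/* RFC 1071 ones-complement checksum; over a header whose checksum field is correct it yields 0. */
static unsigned short ip_checksum(const unsigned char *p, size_t len) {
    unsigned long sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += ((unsigned)p[0] << 8) | p[1];
    if (len) sum += (unsigned)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (unsigned short)~sum;
}

/* Decode one captured IPv4 packet of n bytes. Returns 0 on success, -1 if the buffer is truncated,
   a length field is out of range, or the IP header checksum fails. The TCP header starts at
   IHL * 4 because the IHL field counts 4-byte words, not bytes. */
int parse_packet(const unsigned char *buf, size_t n, struct pkt_info *out) {
    struct IP ip; struct TCP tcp;
    if (n < sizeof ip) return -1;
    memcpy(&ip, buf, sizeof ip);                /* memcpy avoids alignment assumptions */
    if ((ip.ip_verlen >> 4) != 4) return -1;
    size_t ihl = (ip.ip_verlen & 0x0f) * 4u;
    if (ihl < 20 || ihl > n || ntohs(ip.ip_totallen) > n) return -1;
    if (ip_checksum(buf, ihl) != 0) return -1;  /* corrupted or tampered header: do not trust it */
    memset(out, 0, sizeof *out);
    inet_ntop(AF_INET, &ip.ip_src, out->src, sizeof out->src);
    inet_ntop(AF_INET, &ip.ip_dst, out->dst, sizeof out->dst);
    out->proto = ip.ip_proto; out->ip_hdr_len = (unsigned)ihl;
    if (ip.ip_proto != IPPROTO_TCP) return 0;   /* only TCP carries the ports shown */
    if (n < ihl + sizeof tcp) return -1;
    memcpy(&tcp, buf + ihl, sizeof tcp);
    size_t doff = (tcp.tcp_lenres >> 4) * 4u;   /* TCP data offset, also in 4-byte words */
    if (doff < 20 || ihl + doff > n) return -1;
    out->tcp_hdr_len = (unsigned)doff;
    out->sport = ntohs(tcp.tcp_sport); out->dport = ntohs(tcp.tcp_dport);
    return 0;
}

/* Constructed sample packet (not a capture): 192.168.1.1:443 -> 192.168.1.2:51000 with ihl_words
   header words, so the IHL * 4 arithmetic can be checked both with and without IP options. */
size_t build_sample_packet(unsigned char *buf, unsigned ihl_words) {
    struct IP ip = {0}; struct TCP tcp = {0};
    size_t ihl = ihl_words * 4u;
    ip.ip_verlen = (unsigned char)(0x40 | ihl_words);
    ip.ip_totallen = htons((unsigned short)(ihl + sizeof tcp));
    ip.ip_ttl = 64; ip.ip_proto = IPPROTO_TCP;
    ip.ip_src = htonl(0xC0A80101u); ip.ip_dst = htonl(0xC0A80102u);
    memset(buf, 0, ihl);                        /* option bytes, if any, are zero */
    memcpy(buf, &ip, sizeof ip);
    unsigned short sum = ip_checksum(buf, ihl); /* computed while the checksum field is still 0 */
    buf[10] = (unsigned char)(sum >> 8); buf[11] = (unsigned char)(sum & 0xff);
    tcp.tcp_sport = htons(443); tcp.tcp_dport = htons(51000);
    tcp.tcp_lenres = 5 << 4; tcp.tcp_flag = 0x18; /* 20-byte TCP header, PSH|ACK */
    memcpy(buf + ihl, &tcp, sizeof tcp);
    return ihl + sizeof tcp;
}

/* Section 4's live loop; creating the raw socket needs root (CAP_NET_RAW on Linux). */
int main(void) {
    unsigned char buffer[65535];
    struct sockaddr_in from; socklen_t fromlen; struct pkt_info pi;
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock < 0) { perror("socket"); return 1; }
    for (;;) {
        fromlen = sizeof from;
        ssize_t got = recvfrom(sock, buffer, sizeof buffer, 0, (struct sockaddr *)&from, &fromlen);
        if (got < 0) { perror("recvfrom"); break; }
        if (parse_packet(buffer, (size_t)got, &pi) == 0)
            printf("%zd bytes %s:%u -> %s:%u proto=%u iphdr=%u tcphdr=%u\n", got, pi.src, pi.sport,
                   pi.dst, pi.dport, pi.proto, pi.ip_hdr_len, pi.tcp_hdr_len);
    }
    close(sock);
    return 0;
}
```

Run as root to see live output; without privileges socket() fails with EPERM, which is the Administrators-only rule from section 3.1 in Linux form. The parser is kept separate from the socket code so it can be exercised on constructed packets, including one with a 24-byte IP header, where the article's fixed "header plus 20" reading would land four bytes short of the TCP ports.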

Reposted from: http://www.cnblogs.com/hnrainll/archive/2011/09/20/2182423.html
