Raw Socket -1
2010-05-20 00:13:16 | Category: Computers and Internet
The sockets most programmers are exposed to come in two types:
(1) Stream sockets (SOCK_STREAM): connection-oriented sockets, used by applications built on the connection-oriented TCP service;
(2) Datagram sockets (SOCK_DGRAM): connectionless sockets, used by applications built on the connectionless UDP service.
From the user's point of view, SOCK_STREAM and SOCK_DGRAM appear to cover all TCP/IP applications: at the protocol-stack level, the transport layer of a TCP/IP application can only be TCP or UDP (Figure 1), and SOCK_STREAM and SOCK_DGRAM correspond to TCP and UDP respectively, so almost every application can be implemented with these two socket types.
Figure 1 TCP/IP protocol stack
However, SOCK_STREAM and SOCK_DGRAM are helpless when we face the following problems:
(1) How do we send a custom IP packet?
(2) How do we send an ICMP packet?
(3) How do we put the machine into promiscuous mode so that it can sniff the network?
(4) How do we analyze every packet passing through the network, whether or not it is addressed to this host?
(5) How do we disguise (spoof) the local IP address?
This brings us to another profound topic: the raw socket. Raw sockets are widely used in advanced network programming and are a common hacker technique; the famous network sniffers, denial-of-service (DoS) attacks, IP spoofing and so on can all be implemented with raw sockets.
The difference between a raw socket and a standard socket (SOCK_STREAM, SOCK_DGRAM) is that the former "roots" directly into the operating system's network core, while SOCK_STREAM and SOCK_DGRAM "hover" on the periphery of the TCP and UDP protocols, as Figure 2 shows:
Figure 2 Raw socket and standard socket
With raw sockets we can fully customize the IP packet; packets of every form can be "manufactured". For that reason, this article must first give the necessary explanation of the TCP/IP packet structures involved.
The current IPv4 header structure is:
| Version (4) | Header Length (4) | Type of Service (8) | Total Length (16) |
| Identification (16) | Flags + Fragment Offset (16) |
| Time to Live (8) | Protocol (8) | Header Checksum (16) |
| Source Address (32) |
| Destination Address (32) |
| Options (8) | ......... | Padding |
Encapsulated in a data structure:
```c
typedef struct _IPHDR              // define IP header
{
    unsigned char  h_lenver;       // 4-bit header length + 4-bit IP version number
    unsigned char  tos;            // 8-bit type of service (TOS)
    unsigned short total_len;      // 16-bit total length (bytes)
    unsigned short ident;          // 16-bit identification
    unsigned short frag_and_flags; // 3-bit flags + 13-bit fragment offset
    unsigned char  ttl;            // 8-bit time to live (TTL)
    unsigned char  proto;          // 8-bit protocol (TCP, UDP or other)
    unsigned short checksum;       // 16-bit IP header checksum
    unsigned int   sourceIP;       // 32-bit source IP address
    unsigned int   destip;         // 32-bit destination IP address
} IP_HEADER;
```
Alternatively, the first byte of the definition above can be split into bit-fields:
```c
typedef struct _IPHDR              // define IP header
{
    unsigned char  h_len:4;        // 4-bit header length
    unsigned char  ver:4;          // 4-bit IP version number
    unsigned char  tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  proto;
    unsigned short checksum;
    unsigned int   sourceIP;
    unsigned int   destip;
} IP_HEADER;
```
More strictly, the memory order of the h_len and ver bit-fields in the definition above also depends on the endianness of the target CPU (the compiler lays bit-fields out starting from the least significant bit on little-endian targets and from the most significant bit on big-endian ones), so a stricter IP_HEADER can be defined as:
```c
typedef struct _IPHDR              // define IP header
{
#if defined(__LITTLE_ENDIAN_BITFIELD)
    unsigned char  h_len:4;        // 4-bit header length
    unsigned char  ver:4;          // 4-bit IP version number
#elif defined(__BIG_ENDIAN_BITFIELD)
    unsigned char  ver:4;          // 4-bit IP version number
    unsigned char  h_len:4;        // 4-bit header length
#endif
    unsigned char  tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  proto;
    unsigned short checksum;
    unsigned int   sourceIP;
    unsigned int   destip;
} IP_HEADER;
```
The TCP header structure is:
| Source Port (16) | Destination Port (16) |
| Sequence Number (32) |
| Acknowledgment Number (32) |
| Data Offset (4) | Reserved (6) | Flags (6) | Window (16) |
| Checksum (16) | Urgent Pointer (16) |
| Options (0 or 32) |
| Data (variable) |
The corresponding data structures (the pseudo-header used when computing the TCP checksum, followed by the TCP header itself):
```c
typedef struct PSD_HDR             // define TCP pseudo-header
{
    unsigned int   saddr;          // source address (32-bit, same width as sourceIP above)
    unsigned int   daddr;          // destination address (32-bit)
    char           mbz;            // must be zero
    char           ptcl;           // protocol type
    unsigned short tcpl;           // TCP length (header + data)
} PSD_HEADER;

typedef struct _TCPHDR             // define TCP header
{
    unsigned short th_sport;       // 16-bit source port
    unsigned short th_dport;       // 16-bit destination port
    unsigned int   th_seq;         // 32-bit sequence number
    unsigned int   th_ack;         // 32-bit acknowledgment number
    unsigned char  th_lenres;      // 4-bit header length + 4-bit reserved
    unsigned char  th_flag;        // 6-bit flags (plus 2 reserved bits)
    unsigned short th_win;         // 16-bit window size
    unsigned short th_sum;         // 16-bit checksum
    unsigned short th_urp;         // 16-bit urgent pointer
} TCP_HEADER;
```
Similarly, the TCP header definition can also be split into bit-fields:
```c
typedef struct _TCPHDR
{
    unsigned short th_sport;
    unsigned short th_dport;
    unsigned int   th_seq;
    unsigned int   th_ack;
    // little-endian bit-field order: low bits first
    unsigned short tcp_res1:4,     // 4 reserved bits (low nibble of the data-offset byte)
                   tcp_hlen:4,     // 4-bit header length
                   tcp_fin:1,
                   tcp_syn:1,
                   tcp_rst:1,
                   tcp_psh:1,
                   tcp_ack:1,
                   tcp_urg:1,
                   tcp_res2:2;     // 2 reserved bits (high bits of the flags byte)
    unsigned short th_win;
    unsigned short th_sum;
    unsigned short th_urp;
} TCP_HEADER;
```
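The IP_HEADER definitions above and the PSD_HEADER pseudo-header are only useful once a program can read a captured packet into them safely and check the checksums they carry. As an added example (not code from the original article), the following C program does exactly that from the defender's side: it unpacks version and IHL from the h_lenver byte with shifts instead of bit-fields, so the layout question of the previous section disappears, bounds-checks the header before trusting any length field, and verifies both the IPv4 header checksum and the TCP checksum computed over the pseudo-header plus segment. The helper names (cksum_add, cksum_finish, parse_ipv4, tcp_checksum), the sample SYN packet and its 192.168.1.x addresses are all constructed for this example; it assumes a POSIX system with `<arpa/inet.h>`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* IPv4 header as on the wire. Version and IHL are unpacked from h_lenver by
 * shifting, which behaves the same on every CPU (bit-field order does not);
 * multi-byte fields stay in network byte order until read with ntohs/ntohl. */
typedef struct {
    uint8_t  h_lenver;   /* high nibble: version, low nibble: IHL in 32-bit words */
    uint8_t  tos;
    uint16_t total_len, ident, frag_and_flags;
    uint8_t  ttl, proto;
    uint16_t checksum;
    uint32_t sourceIP, destip;
} ip_header;

/* TCP pseudo-header: prepended to the segment only while checksumming. */
typedef struct {
    uint32_t saddr, daddr;
    uint8_t  mbz;        /* must be zero */
    uint8_t  ptcl;       /* IP protocol number, 6 for TCP */
    uint16_t tcpl;       /* TCP header + payload length, network order */
} psd_header;

/* RFC 1071 Internet checksum, split in two so several buffers can be chained. */
static uint32_t cksum_add(const void *buf, size_t len, uint32_t acc)
{
    const uint8_t *p = buf;
    for (; len > 1; len -= 2, p += 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)             /* odd trailing byte is padded with a zero byte */
        acc += (uint32_t)p[0] << 8;
    return acc;
}

static uint16_t cksum_finish(uint32_t acc)
{
    while (acc >> 16)    /* fold the carries back into 16 bits */
        acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;   /* host-order number; htons() it when storing */
}

static unsigned ip_version(const ip_header *h) { return h->h_lenver >> 4; }
static unsigned ip_hdr_len(const ip_header *h) { return (h->h_lenver & 0x0F) * 4; }

/* Copy and bounds-check a header; a sniffer must never trust IHL or total length blindly. */
static bool parse_ipv4(const uint8_t *pkt, size_t len, ip_header *out)
{
    if (len < sizeof *out)
        return false;
    memcpy(out, pkt, sizeof *out);
    unsigned hlen = ip_hdr_len(out), total = ntohs(out->total_len);
    return ip_version(out) == 4 && hlen >= 20 && total >= hlen && total <= len;
}

/* Header checksum with the checksum field (bytes 10-11) skipped, so the same
 * call both fills an outgoing header and verifies an incoming one. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, unsigned hlen)
{
    return cksum_finish(cksum_add(hdr + 12, hlen - 12, cksum_add(hdr, 10, 0)));
}

static bool ipv4_checksum_ok(const uint8_t *pkt, size_t len)
{
    ip_header h;
    return parse_ipv4(pkt, len, &h)
        && ipv4_header_checksum(pkt, ip_hdr_len(&h)) == ntohs(h.checksum);
}

/* TCP checksum over pseudo-header + segment, skipping the checksum field at
 * segment offset 16. Returns the 16-bit value, or -1 for a malformed packet;
 * the segment is intact when the result equals the stored th_sum field. */
static int tcp_checksum(const uint8_t *pkt, size_t len)
{
    ip_header h;
    if (!parse_ipv4(pkt, len, &h) || h.proto != 6)
        return -1;
    const uint8_t *seg = pkt + ip_hdr_len(&h);
    size_t tcp_len = ntohs(h.total_len) - ip_hdr_len(&h);
    if (tcp_len < 20)
        return -1;
    psd_header psd = { h.sourceIP, h.destip, 0, 6, htons((uint16_t)tcp_len) };
    uint32_t acc = cksum_add(seg, 16, cksum_add(&psd, sizeof psd, 0));
    return cksum_finish(cksum_add(seg + 18, tcp_len - 18, acc));
}

/* Constructed sample: 192.168.1.10:50000 -> 192.168.1.20:80, TCP SYN, no payload;
 * both checksum fields are already filled in (0x9b1b for IP, 0x0027 for TCP). */
static const uint8_t sample_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x9b, 0x1b,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x14,
    0xc3, 0x50, 0x00, 0x50, 0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x27, 0x00, 0x00 };

int main(void)
{
    ip_header h;
    if (!parse_ipv4(sample_syn, sizeof sample_syn, &h))
        return 1;
    printf("v%u ihl=%u total=%u ttl=%u proto=%u ip-cksum=%s tcp-cksum=%04x (stored %02x%02x)\n",
           ip_version(&h), ip_hdr_len(&h), ntohs(h.total_len), h.ttl, h.proto,
           ipv4_checksum_ok(sample_syn, sizeof sample_syn) ? "ok" : "BAD",
           tcp_checksum(sample_syn, sizeof sample_syn), sample_syn[36], sample_syn[37]);
    return 0;
}
```

Two design points matter for anyone reusing this. First, parse_ipv4 rejects a packet whose IHL or total length exceeds the captured buffer before any field is read; crafted length fields are the classic way a packet parser is pushed into an out-of-bounds read. Second, because the checksum routines skip the checksum field itself, the same code serves both directions: zero-filled or not, the computed value is what an outgoing header must carry, and for a captured packet a mismatch with the stored field (for example a router that decremented the TTL without recomputing) is immediately visible. The ICMP checksum in the next section is the same RFC 1071 sum taken over the whole ICMP message, with no pseudo-header.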
The UDP header is:
| Source Port (16) | Destination Port (16) |
| Length (16) | Checksum (16) |
The corresponding data structure is:
```c
typedef struct _UDPHDR             // define UDP header
{
    unsigned short uh_sport;       // 16-bit source port
    unsigned short uh_dport;       // 16-bit destination port
    unsigned short uh_len;         // 16-bit length
    unsigned short uh_sum;         // 16-bit checksum
} UDP_HEADER;
```
ICMP, the Internet Control Message Protocol, is a very important network-layer protocol. It makes up for the limitations of IP: carried inside IP datagrams, it reports errors that occur at the network layer back to the source node of the packet. The ICMP header is:
| Type (8) | Code (8) | Checksum (16) |
| Message content |
The commonly used ICMP echo request / echo reply messages correspond to the data structure:
```c
typedef struct _ICMPHDR            // define ICMP header (echo request / echo reply)
{
    unsigned char  i_type;         // 8-bit type
    unsigned char  i_code;         // 8-bit code
    unsigned short i_cksum;        // 16-bit checksum
    unsigned short i_id;           // identifier (usually the process ID)
    unsigned short i_seq;          // message sequence number
    unsigned int   timestamp;      // timestamp (carried in the data area; ping uses it for round-trip timing)
} ICMP_HEADER;
```
Common ICMP messages include Echo Request, Echo Reply, Destination Unreachable, Time Exceeded, Parameter Problem, Source Quench, Redirect, Timestamp, Timestamp Reply, Address Mask Request, Address Mask Reply and so on; all of them are important messages on the Internet. The ping command, the ICMP denial-of-service attacks and the route spoofing covered in later chapters all build on the ICMP protocol.
In addition, some of the source code in this series draws on the open-source projects of some excellent programmers; space does not allow us to list them all, and we thank them here.
So, let's go.