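/* ==== libipq_example/packet_engine.c ==== */
/*
 * packet_engine.c
 *
 * compile: gcc -Wall tcp_udp_parse.c packet_engine.c -o libipq_example -lipq
 *
 * Description: Framework for trapping packets from libipq for processing.
 * You need the ip_queue module for this example to work:
 *
 *   # modprobe ip_queue
 *
 * Before you run this you need to direct packets to the libipq queue:
 *
 *   # iptables -A INPUT -p tcp -j QUEUE
 *   # iptables -A INPUT -p udp -j QUEUE
 *
 * These will direct all tcp or udp packets respectively. Other iptables
 * filters can be crafted to redirect specific packets to the queue. If you
 * don't redirect any packets to the queue your program won't see any packets.
 *
 * To remove the filter:  # iptables --flush
 *
 * Must execute as root:  # ./libipq_example
 *
 * Author: Steve Scott
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/netfilter.h>
#include <linux/netlink.h>
#include <libipq.h>

#include "tcp_udp_parse.h"

/* Size of the buffer one netlink message from ip_queue is read into; also the
 * maximum number of packet bytes the kernel is asked to copy to us. */
#define BUFSIZE 2048

/*
 * Identifies the source interface (e.g. eth0, eth1, ...) that the packet
 * came in on.
 *
 * @param msg        packet message obtained from ipq_get_packet()
 * @param interface  destination buffer of at least IFNAMSIZ bytes
 *
 * indev_name is an IFNAMSIZ-byte field, so a smaller destination (the
 * original example used 10 bytes) can be overflowed by a long interface
 * name. The copy is bounded to IFNAMSIZ on both sides and the result is
 * always NUL-terminated, even if indev_name is not.
 */
void identify_incomimg_interface(ipq_packet_msg_t *msg, char *interface)
{
    snprintf(interface, IFNAMSIZ, "%.*s", (int)IFNAMSIZ, msg->indev_name);
}

/*
 * Reports the last libipq error, releases the handle (if any) and exits.
 *
 * The original version returned to its caller, which then carried on using
 * a NULL or already-destroyed handle; a fatal error must not fall through.
 */
static void die(struct ipq_handle *h)
{
    ipq_perror("passer");
    if (h) {
        ipq_destroy_handle(h);
    }
    exit(EXIT_FAILURE);
}

/*
 * Prints a summary of one queued packet and then issues its verdict.
 *
 * @param h    open libipq handle the packet was read from
 * @param msg  packet message obtained from ipq_get_packet()
 *
 * The parsing helpers return -1 (or 0 for the address getters) when the
 * captured data is too short for the headers they need; the summary then
 * simply shows those values. The packet is accepted in every case.
 */
static void handle_packet(struct ipq_handle *h, ipq_packet_msg_t *msg)
{
    char interface[IFNAMSIZ];
    int status;

    identify_incomimg_interface(msg, interface);
    printf("Got packet from %s interface\n ", interface);
    printf("APP PROTOCOL: %d\n", identify_ip_protocol(msg));
    printf("SRC ADDR: %u\n", get_src_ip(msg));
    printf("DST ADDR: %u\n", get_dst_ip(msg));

    if (identify_ip_protocol(msg) == IPPROTO_TCP) {
        printf("SRC PORT: %d\n", get_tcp_src_port(msg));
        printf("DST PORT: %d\n", get_tcp_dst_port(msg));
    }

    /* There are more functions in tcp_udp_parse.c that can be used; look
     * there and add them to the example if you would like. */

    /* Once you are done examining the packet you must decide what to do
     * with it. This example lets it continue on; NF_DROP would drop it.
     * A failed verdict leaves the packet stuck in the queue, so report it
     * rather than silently ignoring the return value. */
    status = ipq_set_verdict(h, msg->packet_id, NF_ACCEPT, 0, NULL);
    if (status < 0) {
        ipq_perror("ipq_set_verdict");
    }
}

/*
 * Opens the ip_queue netlink handle and processes queued packets forever.
 *
 * Never returns normally: the loop only ends through die() on a libipq
 * error, which exits the process.
 */
void start_packet_engine(void)
{
    unsigned char buf[BUFSIZE];
    struct ipq_handle *h = NULL;
    int status;

    printf("\nWaiting for packets\n");

    h = ipq_create_handle(0, PF_INET);
    if (!h) {
        die(h);
    }

    /* Ask the kernel to copy up to BUFSIZE bytes of each packet to us. */
    status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
    if (status < 0) {
        die(h);
    }

    for (;;) {
        /* Timeout 0: block until a message arrives. */
        status = ipq_read(h, buf, BUFSIZE, 0);
        if (status < 0) {
            die(h);
        }

        switch (ipq_message_type(buf)) {
        case NLMSG_ERROR:
            fprintf(stderr, "Received error message %d\n", ipq_get_msgerr(buf));
            break;

        case IPQM_PACKET:
            handle_packet(h, ipq_get_packet(buf));
            break;

        default:
            fprintf(stderr, "Unknown message type!\n");
            break;
        }
    }
}

int main(void)
{
    start_packet_engine();
    return 0;
}

/* ==== libipq_example/tcp_udp_parse.c ==== */
/*
 * tcp_udp_parse.c
 *
 * Description: Handles the TCP/UDP header parsing of raw IP packets from
 * libipq.
 *
 * Every accessor below validates the captured length (msg->data_len) before
 * it dereferences a header: the packet came off the wire, so its own length
 * fields (ihl, doff, tot_len) cannot be trusted. The original example cast
 * and read the headers unconditionally.
 *
 * Author: Steve Scott
 */

#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <libipq.h>

#include "tcp_udp_parse.h"

/*
 * Returns the IPv4 header at the start of the captured payload, or NULL if
 * fewer bytes than the header claims (ihl * 4, at least 20) were captured.
 * NOTE(review): the header is accessed in place through a cast, as the
 * original did; msg->payload is assumed to be suitably aligned.
 */
static const struct iphdr *ip_header(const ipq_packet_msg_t *msg)
{
    const struct iphdr *iph;

    if (msg == NULL || msg->data_len < sizeof *iph) {
        return NULL;
    }
    iph = (const struct iphdr *) msg->payload;
    if (iph->ihl < 5 || ((size_t)iph->ihl << 2) > msg->data_len) {
        return NULL;
    }
    return iph;
}

/*
 * Returns the TCP header that follows the IPv4 header, or NULL if the IP
 * header is invalid, the packet is not TCP, or the captured data does not
 * cover the whole TCP header (doff * 4, at least 20).
 */
static const struct tcphdr *tcp_header(const ipq_packet_msg_t *msg)
{
    const struct iphdr *iph = ip_header(msg);
    const struct tcphdr *tcp;
    size_t iplen;

    if (iph == NULL || iph->protocol != IPPROTO_TCP) {
        return NULL;
    }
    iplen = (size_t)iph->ihl << 2;          /* <= data_len, checked above */
    if (msg->data_len - iplen < sizeof *tcp) {
        return NULL;
    }
    tcp = (const struct tcphdr *) (msg->payload + iplen);
    if (tcp->doff < 5 || ((size_t)tcp->doff << 2) > msg->data_len - iplen) {
        return NULL;
    }
    return tcp;
}

/*
 * Returns the UDP header that follows the IPv4 header, or NULL if the IP
 * header is invalid, the packet is not UDP, or the captured data does not
 * cover the 8-byte UDP header.
 */
static const struct udphdr *udp_header(const ipq_packet_msg_t *msg)
{
    const struct iphdr *iph = ip_header(msg);
    size_t iplen;

    if (iph == NULL || iph->protocol != IPPROTO_UDP) {
        return NULL;
    }
    iplen = (size_t)iph->ihl << 2;
    if (msg->data_len - iplen < sizeof(struct udphdr)) {
        return NULL;
    }
    return (const struct udphdr *) (msg->payload + iplen);
}

/*
 * Identifies the IP protocol of the captured packet.
 *
 * @return the protocol number from the IP header (e.g. 6 for TCP, 17 for
 *         UDP), or -1 if the captured data is too short for an IP header.
 */
int identify_ip_protocol(ipq_packet_msg_t *msg)
{
    const struct iphdr *iph = ip_header(msg);

    return iph ? (int)iph->protocol : -1;
}

/*
 * Gets the source IP of the captured packet.
 *
 * @return the source address in inet_addr (network byte order) form, or 0
 *         if the captured data is too short for an IP header.
 */
unsigned int get_src_ip(ipq_packet_msg_t *msg)
{
    const struct iphdr *iph = ip_header(msg);

    return iph ? iph->saddr : 0;
}

/*
 * Gets the destination IP of the captured packet.
 *
 * @return the destination address in inet_addr (network byte order) form,
 *         or 0 if the captured data is too short for an IP header.
 */
unsigned int get_dst_ip(ipq_packet_msg_t *msg)
{
    const struct iphdr *iph = ip_header(msg);

    return iph ? iph->daddr : 0;
}

/*
 * Gets the TCP source port of the captured packet.
 *
 * @return the source port in host byte order, or -1 if the packet is not
 *         TCP or the captured data is too short for the headers.
 */
int get_tcp_src_port(ipq_packet_msg_t *msg)
{
    const struct tcphdr *tcp = tcp_header(msg);

    return tcp ? (int)ntohs(tcp->source) : -1;
}

/*
 * Gets the TCP destination port of the captured packet.
 *
 * @return the destination port in host byte order, or -1 if the packet is
 *         not TCP or the captured data is too short for the headers.
 */
int get_tcp_dst_port(ipq_packet_msg_t *msg)
{
    const struct tcphdr *tcp = tcp_header(msg);

    return tcp ? (int)ntohs(tcp->dest) : -1;
}

/*
 * Gets the UDP destination port of the captured packet.
 *
 * @return the destination port in host byte order, or -1 if the packet is
 *         not UDP or the captured data is too short for the headers.
 */
int get_udp_dst_port(ipq_packet_msg_t *msg)
{
    const struct udphdr *udp = udp_header(msg);

    return udp ? (int)ntohs(udp->dest) : -1;
}

/*
 * Checks whether the captured packet is a TCP connection request (SYN set).
 *
 * @return 1 for yes, 0 for no; also 0 when the packet is not TCP or is too
 *         short to carry a TCP header.
 */
int tcp_connection_request_check(ipq_packet_msg_t *msg)
{
    const struct tcphdr *tcp = tcp_header(msg);

    return tcp ? (int)tcp->syn : 0;
}

/*
 * Checks whether the captured packet is a TCP termination request (FIN set).
 *
 * @return 1 for yes, 0 for no; also 0 when the packet is not TCP or is too
 *         short to carry a TCP header.
 */
int tcp_connection_termination_check(ipq_packet_msg_t *msg)
{
    const struct tcphdr *tcp = tcp_header(msg);

    return tcp ? (int)tcp->fin : 0;
}

/*
 * Checks whether the ACK flag is set on the captured TCP packet.
 *
 * @return 1 for yes, 0 for no; also 0 when the packet is not TCP or is too
 *         short to carry a TCP header.
 */
int tcp_connection_ack_check(ipq_packet_msg_t *msg)
{
    const struct tcphdr *tcp = tcp_header(msg);

    return tcp ? (int)tcp->ack : 0;
}

/*
 * Computes the size of the TCP payload present in the captured data.
 *
 * @return number of payload bytes following the IP and TCP headers, or -1
 *         if the packet is not TCP, the headers are not fully captured, or
 *         tot_len claims less than the headers occupy.
 *
 * The length is bounded by msg->data_len: when the kernel copied only part
 * of the packet (the range passed to ipq_set_mode), this is the captured
 * portion, not the on-the-wire size. The original subtracted the header
 * sizes from tot_len without either check, so a crafted tot_len underflowed
 * to a huge unsigned value that tcp_get_payload() then passed to memcpy.
 */
int tcp_get_payload_size(ipq_packet_msg_t *msg)
{
    const struct iphdr *iph = ip_header(msg);
    const struct tcphdr *tcp = tcp_header(msg);
    size_t headers, avail;

    if (tcp == NULL) {
        return -1;
    }
    headers = ((size_t)iph->ihl << 2) + ((size_t)tcp->doff << 2);
    avail = ntohs(iph->tot_len);
    if (avail > msg->data_len) {
        avail = msg->data_len;      /* only part of the packet was copied */
    }
    if (avail < headers) {
        return -1;                  /* tot_len is smaller than the headers */
    }
    return (int)(avail - headers);
}

/*
 * Appends "<src ip>:<src port>" (both as decimal numbers, the IP in
 * network byte order as returned by get_src_ip()) to connectid.
 *
 * @param msg        packet message obtained from ipq_get_packet()
 * @param connectid  NUL-terminated string with at least 17 bytes free
 *                   (10 digits + ':' + 5 digits + NUL); appended with strcat
 *
 * If the packet is not TCP or is too short for its headers, connectid is
 * left unchanged. The original formatted the unsigned address with "%d",
 * which is a format/argument mismatch and printed addresses >= 128.0.0.0 as
 * negative numbers.
 */
void get_tcp_connection_id(ipq_packet_msg_t *msg, char *connectid)
{
    const struct tcphdr *tcp = tcp_header(msg);
    char id[32];

    if (tcp == NULL) {
        return;
    }
    snprintf(id, sizeof id, "%u:%u", get_src_ip(msg), (unsigned)ntohs(tcp->source));
    strcat(connectid, id);
}

/*
 * Copies the captured TCP payload into buffer.
 *
 * @param msg     packet message obtained from ipq_get_packet()
 * @param buffer  destination with room for tcp_get_payload_size(msg) bytes;
 *                no terminator is added
 *
 * Copies exactly tcp_get_payload_size() bytes, so it never reads past the
 * captured data. Prints an error (and copies nothing) when the payload is
 * empty or the packet is malformed / not TCP.
 */
void tcp_get_payload(ipq_packet_msg_t *msg, char *buffer)
{
    int payload_length = tcp_get_payload_size(msg);

    if (payload_length > 0) {
        const struct iphdr *iph = ip_header(msg);
        const struct tcphdr *tcp = tcp_header(msg);
        size_t payload_offset = ((size_t)iph->ihl << 2) + ((size_t)tcp->doff << 2);

        memcpy(buffer, msg->payload + payload_offset, (size_t)payload_length);
    } else {
        printf("ERROR: tcp_udp_parse->tcp_get_payload [payload is zero....]\n");
    }
}

/* ==== libipq_example/tcp_udp_parse.h ==== */
#ifndef TCP_UDP_PARSE_H
#define TCP_UDP_PARSE_H

#include <libipq.h>     /* ipq_packet_msg_t */

/* function prototypes */
extern int identify_ip_protocol(ipq_packet_msg_t *msg);
extern unsigned int get_src_ip(ipq_packet_msg_t *msg);
extern unsigned int get_dst_ip(ipq_packet_msg_t *msg);
extern int get_tcp_src_port(ipq_packet_msg_t *msg);
extern int get_tcp_dst_port(ipq_packet_msg_t *msg);
extern int get_udp_dst_port(ipq_packet_msg_t *msg);
extern int tcp_connection_request_check(ipq_packet_msg_t *msg);
extern int tcp_connection_termination_check(ipq_packet_msg_t *msg);
extern int tcp_connection_ack_check(ipq_packet_msg_t *msg);
extern int tcp_get_payload_size(ipq_packet_msg_t *msg);
extern void get_tcp_connection_id(ipq_packet_msg_t *msg, char *connectid);
extern void tcp_get_payload(ipq_packet_msg_t *msg, char *buffer);

#endif /* TCP_UDP_PARSE_H */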
EeE1EHE̋UHEEЋE$nEċE$EȋEĉD$D$Eԉ$EԉD$E$(D$E$EȉD$D$E$ED$E$Ee3tUWV EEHEUHEEEE@ EE@$ȋEE@ )‰ЉE}tUHE‹E Mlj $ ^_]ÐUED$E $EU$E$*U8eE1$D$$$u$D$D$$)y$UD$ D$D$$y$$tt2O$hD$D$$^c$ED$$pED$$$'D$$7$1D$$I$0D$$Ws$u<$D$$eB$KD$$s$D$D$ D$D$$AhD$ D$D$$L$qUQsY]aÐUE]@Ít&UE]@ÍvUE]Ðt&U]ÍpUv]Ðt&UUh$D$:puE<t!$^D$D$h$%h$ D$@fkD$D$h$뛡hD$D$$D$ hUWVS\uE]MEU}EF fEfEEE]MEEE UE EttK}Љ]FEEEEE UEEMD$D$E$;y p \[^_]É'UWVS]}u ME 1KȺC)‰Ui@B)щM썕h1 ׉`ƒhED$hD$ D$D$$ ȉʃhtrED$CD$D$ Ut$ $T$2xg} KF u9vp Ĭ[^_]pĬ1[^_]Ít& jpĬ[^_]fEE$1҃8tp놺prp^&U8UMEEEEE,B fEfEEE EEEBD$ D$D$ D$,L$$xp Ít&US]t$$$1[]Ð&UWVS] $ $E1 D$ D$$MU>^FCCfFFF D$ \$$<FF@@fFFFE[^_]ËEp$EE[^_]D$'pEp$4$GE뇋p$4$"E_U]Ít&'UWVS^e+E)E}Ut+1ƍED$E D$E$9}u߃[^_]Ë$ÐUShht Ћu[]US[Y[%d:ERROR: tcp_udp_parse->tcp_get_payload [payload is zero....]passer Waiting for packetsReceived error message %d Got packet from %s interface APP PROTOCOL: %d SRC ADDR: %u DST ADDR: %u SRC PORT: %d DST PORT: %d Unknown message type! ERROR: %sUnknown errorImplementation errorUnable to bind netlink socketUnable to allocate bufferInvalid peer address lengthSent message truncatedReceived message truncatedReceived error from netlinkOperation not supportedReceive buffer size invalidTimeoutInvalid protocol specifiedUnable to create netlink handleUnable to create netlink socketFailed to receive netlink messageReceived EOF on netlink socketFailed to send netlink message $ xHo( P\Looo|Rbr†҆"2BRbr‡҇tƗ$  1 L D hGCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)GCC: (GNU) 4.1.2 (Ubuntu 4.1.2-0ubuntu4),&$ x$9!y_IO_stdin_used{[ChVEint5Q:[LOB'/build/buildd/glibc-2.5/build-tree/i386-libc/csu/crti.S/build/buildd/glibc-2.5/build-tree/glibc-2.5/csuGNU AS 
2.17.50T(/build/buildd/glibc-2.5/build-tree/i386-libc/csu/crtn.S/build/buildd/glibc-2.5/build-tree/glibc-2.5/csuGNU AS 2.17.50% $ > $ > 4: ; I?  &IU%U%# init.cN /build/buildd/glibc-2.5/build-tree/i386-libc/csucrti.S !/!=Z!gg//Z!!!$#!/=x3!/!=Z!vN /build/buildd/glibc-2.5/build-tree/i386-libc/csucrtn.S9 !!!!init.cshort intGNU C 4.1.2 (Ubuntu 4.1.2-0ubuntu4)long long intunsigned charlong long unsigned intshort unsigned int/build/buildd/glibc-2.5/build-tree/glibc-2.5/csu_IO_stdin_used*$/x9;.symtab.strtab.shstrtab.interp.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame.ctors.dtors.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.debug_pubnames.debug_info.debug_abbrev.debug_line.debug_str.debug_ranges#(( 5HH1o$; ((CKo8Xo0g LLp \\ y$$t<<xxddhhppxx||LLPPp hh hzX@%efx= 0 +p!H!9(0#? 0G(H(L \ $ <  xdhpx|LPh  (/:r hpxlȪ0 ` ltdx"P /8pɌ pPhh| IɈ $@ 6  G4Z p1Е    (  9 xN $r6֋ FrY d w Џ  =h& 3  ;ĪH"Zi j9|=  k_$hC< F6M GXcu( t3N  h   ω; rI '_$ ,$ 2s 
abi-note.S../sysdeps/i386/elf/start.Sinit.cinitfini.c/build/buildd/glibc-2.5/build-tree/i386-libc/csu/crti.Scall_gmon_startcrtstuff.c__CTOR_LIST____DTOR_LIST____JCR_LIST__completed.5758p.5756__do_global_dtors_auxframe_dummy__CTOR_END____DTOR_END____FRAME_END____JCR_END____do_global_ctors_aux/build/buildd/glibc-2.5/build-tree/i386-libc/csu/crtn.Stcp_udp_parse.cpacket_engine.cdieipq_errno_GLOBAL_OFFSET_TABLE___init_array_end__init_array_start_DYNAMICdata_startfputs@@GLIBC_2.0__errno_location@@GLIBC_2.0get_dst_ipipq_create_handleipq_message_typesprintf@@GLIBC_2.0get_tcp_connection_idgetpid@@GLIBC_2.0strerror@@GLIBC_2.0__libc_csu_fini_start__gmon_start___Jv_RegisterClasses_fp_hwidentify_ip_protocoltcp_connection_termination_check_finiget_udp_dst_portsendto@@GLIBC_2.0tcp_get_payloadsendmsg@@GLIBC_2.0get_src_ip__libc_start_main@@GLIBC_2.0ipq_readstart_packet_engineipq_errstr_IO_stdin_usedfree@@GLIBC_2.0__data_startidentify_incomimg_interfacesocket@@GLIBC_2.0ntohs@@GLIBC_2.0stderr@@GLIBC_2.0ipq_set_modeipq_ctl__dso_handlestrcpy@@GLIBC_2.0__libc_csu_initprintf@@GLIBC_2.0bind@@GLIBC_2.0ipq_get_msgerrselect@@GLIBC_2.0close@@GLIBC_2.0fwrite@@GLIBC_2.0fprintf@@GLIBC_2.0__bss_startmalloc@@GLIBC_2.0tcp_connection_ack_check__stack_chk_fail@@GLIBC_2.4get_tcp_src_portfputc@@GLIBC_2.0ipq_errmapstrcat@@GLIBC_2.0ipq_destroy_handle_endputs@@GLIBC_2.0get_tcp_dst_portipq_set_verdict_edataipq_get_packetipq_perrortcp_connection_request_checkrecvfrom@@GLIBC_2.0__i686.get_pc_thunk.bxmain_inittcp_get_payload_sizelibipq_example/README0000644000175000017500000000126110754573443014711 0ustar sjscottsjscottto compile: gcc -Wall tcp_udp_parse.c packet_engine.c -o libipq_example -lipq You need the ip_queue module for this example to work: # modprobe ip_queue Before you run this you need to direct packets to the libipq queue: # iptables -A INPUT -p tcp -j QUEUE # iptables -A INPUT -p udp -j QUEUE These will direct all tcp or udp packets respectively. 
Other iptables filters can be crafted to redirect specific packets to the queue. If you don't redirect any packets to the queue, your program won't see any packets. To remove the filter: # iptables --flush Must execute as root: # libipq_example Steve Scott