Re: Reading packets at the TCP Layer.
From: Crist J. Clark (crist.clark@attbi.com)
Date: 09/25/02
- Previous message: Muhammad Faisal Rauf Danka: "Re: Attack datasets?"
- In reply to: Clint Byrum: "Re: Reading packets at the TCP Layer."
- Next in thread: Ali Saifullah Khan: "Re:Reading packets at the TCP Layer."
Date: Tue, 24 Sep 2002 22:10:40 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Clint Byrum <cbyrum@spamaps.org>
On Tue, Sep 24, 2002 at 09:58:13PM -0700, Clint Byrum wrote:
> On Tue, 2002-09-24 at 12:41, Crist J. Clark wrote:
> > On Tue, Sep 24, 2002 at 09:03:46PM +0000, Ali Saifullah Khan wrote:
> > [snip]
> >
> > > What I had in mind was coding a shared object, ".so", which in effect
> > > loads to be a part of the TCP stack, and carries out this function of
> > > reading the packets. Quite some severe coding involved, but it can be
> > > done. My question is, is its implementation even practical? I mean,
> > > is it right to think that you can code a shared object to load and be a part of
> > > TCP stack operations and possibly modify procedures? Or, at the end
> > > of it all, does this whole idea not make any sense?
> >
> > Not really. For every OS I've ever heard of, the data layer, network
> > layer (IP), and transport layer (TCP) are all implemented within the
> > kernel. An application usually sends "data" to the kernel via a system
> > call, and all of the networking encapsulation takes place out of sight
> > of userland (where any .so will live).
> >
>
> What about Linux/Netfilter's QUEUE target? In fact, ironically... I
> found this project while poking around:
>
> http://www.speakeasy.org/~roux/dmn/
>
> It basically uses the -j QUEUE target to save packets in ... you guessed
> it! libpcap format (aka tcpdump format).
>
> That said... netfilter works at the network layer.. not the transport
> layer. :-P
>
> Ali.. I get the idea you're aiming for... but is there any background
> for this... or are you just doing some research?
But these aren't dynamic libraries in userland, these are kernel
facilities. In FreeBSD, you can use divert(4) sockets to access the
packets at the network layer. The tun(4) device is another way to get
link-layer data, that's how ppp(8) and pppoe(8) run in userland.
But all of these facilities, your examples and mine, are much more
like bpf(4), which the original poster does not seem to want, than
what he is asking for.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
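As an added illustration of the divert(4) path mentioned in the reply (example code written here, not code from the thread or from FreeBSD), this program binds a divert socket, parses the IP and TCP headers of each packet the kernel hands to userland, logs the 4-tuple, and reinjects the packet unchanged so traffic keeps flowing. The divert port 8668 and the ipfw rule that feeds it ("ipfw add divert 8668 tcp from any to any") are assumptions; the parser runs anywhere, the socket loop only on FreeBSD.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
/* TCP 4-tuple pulled from a diverted IPv4 datagram; ok == 0 means "not TCP
 * or malformed" (too short, not IPv4, bad header length). Addresses stay in
 * network byte order so inet_ntop() can print them directly. */
struct tcp4 { struct in_addr src, dst; uint16_t sport, dport; int ok; };

static struct tcp4 parse_tcp(const uint8_t *p, size_t len)
{
    struct tcp4 r = {0};
    if (len < 20 || (p[0] >> 4) != 4) return r;        /* IPv4 header present? */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;             /* header length incl. options */
    if (ihl < 20 || len < ihl + 20 || p[9] != IPPROTO_TCP) return r;
    memcpy(&r.src, p + 12, 4); memcpy(&r.dst, p + 16, 4);
    r.sport = (uint16_t)((p[ihl] << 8) | p[ihl + 1]);   /* TCP header follows IP header */
    r.dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
    r.ok = 1;
    return r;
}

int main(void)
{
#ifdef IPPROTO_DIVERT   /* FreeBSD only: divert(4) needs a matching ipfw rule */
    uint8_t buf[65535];
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) }; /* assumed port */
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("divert socket"); return 1;
    }
    for (;;) {
        socklen_t sl = sizeof sin;   /* recvfrom fills in the rule/interface the packet came from */
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl);
        if (n < 0) { perror("recvfrom"); return 1; }
        struct tcp4 t = parse_tcp(buf, (size_t)n);
        if (t.ok)
            printf("tcp %s:%u -> %s:%u (%zd bytes)\n",
                   inet_ntop(AF_INET, &t.src, s, sizeof s), t.sport,
                   inet_ntop(AF_INET, &t.dst, d, sizeof d), t.dport, n);
        /* Reinject with the same address so ipfw resumes at the next rule; not sending it back here would drop it. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, sl) < 0) perror("sendto");
    }
#else
    fputs("divert(4) sockets are a FreeBSD facility\n", stderr); return 1;
#endif
}
```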