Re:Reading packets at the TCP Layer.
From: Ali Saifullah Khan (whipaz@gem.net.pk)Date: 09/29/02
- Previous message: focus-ids-help@securityfocus.com: "ezmlm warning"
- Maybe in reply to: Ali Saifullah Khan: "Reading packets at the TCP Layer."
- Next in thread: Clint Byrum: "Re: Re:Reading packets at the TCP Layer."
- Reply: Clint Byrum: "Re: Re:Reading packets at the TCP Layer."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 29 Sep 2002 21:12:54 +0000
From: Ali Saifullah Khan <whipaz@gem.net.pk>
To: mb_lima <mb_lima@uol.com.br>
Yes Mr. Marcelo, I am using a Linux machine! :-)
But your suggestion still pertains to the datalink layer.
The Netfilter framework API works at the datalink level, not at the TCP
layer. The packet capture is performed by pcap, which also works at the
datalink layer :).
My question is: can you, and if so how do you, perform monitoring at
the TCP level, via incorporation of the quest-specific code into the
running network stack via a loadable shared object module? Is it possible
to cryptographically insert hashes into incoming packets for possible
tracking later on? Then again, this is only possible if we can actually
perform reads at the TCP layer, which is the original basis of my
question.
Ali Saifullah Khan,
Project Administrator,
ConnPROBE Intrusion Detection System,
http://sourceforge.net/projects/hack-probe,
*** IN DEVELOPMENT PHASE ALPHA ***
Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services (Pvt) Ltd.
Asstt. Project Administrator,
Website Maintainer & Programmer,
GNU Pakistan,
http://www.gnu.org.pk
On Tue, 24 Sep 2002, mb_lima wrote:
> Hi,
>
> If you are using a Linux machine (kernel 2.4 and later)
> this is possible. Use the netfilter framework API. It's very easy
> to create kernel modules to capture packets in some pre-defined
> "hooks" of netfilter. Packets can be treated wherever
> in their trip through the kernel. Best regards,
>
> Marcelo.
>
>
> ---
> UOL Elections 2002 - All the moves of the political contest
> http://eleicoes.uol.com.br/
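Whichever of the two hook points in this exchange is used, a netfilter hook function on a 2.4 kernel (for example at NF_IP_LOCAL_IN) or a pcap callback, what the code receives is the raw IP packet, so "reading at the TCP layer" comes down to parsing the IPv4 and TCP headers out of those bytes and validating them before trusting anything in them. The following user-space C program is an added example for this thread; it is not code from the thread, from ConnPROBE or from the netfilter project, and it uses a constructed sample packet rather than a capture. It performs the same length, fragment and checksum checks a kernel hook would need, exposes the fields an IDS keys on (addresses, ports, flags, sequence numbers, payload), and shows that altering a single byte of the segment, as the hash-insertion idea above would, invalidates the TCP checksum unless it is recomputed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of one TCP segment carried in an IPv4 packet. */
struct tcp_view {
    uint32_t saddr, daddr;   /* host byte order */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  flags;          /* bit 0 FIN, 1 SYN, 2 RST, 3 PSH, 4 ACK, 5 URG */
    uint16_t window;
    const uint8_t *payload;
    size_t payload_len;
};
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_PSH = 0x08, TCP_ACK = 0x10 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 ones'-complement sum; 'acc' lets the TCP pseudo-header be chained in. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) acc += rd16(p);
    if (n) acc += (uint32_t)p[0] << 8;       /* odd trailing byte is zero-padded */
    return acc;
}
static uint16_t csum_fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* TCP checksum over pseudo-header + segment, skipping the checksum field itself. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *seg, size_t seg_len) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);              /* source and destination address */
    pseudo[8] = 0; pseudo[9] = 6;            /* zero byte, protocol TCP */
    wr16(pseudo + 10, (uint16_t)seg_len);
    uint32_t acc = csum_add(0, pseudo, 12);
    acc = csum_add(acc, seg, 16);
    return csum_fold(csum_add(acc, seg + 18, seg_len - 18));
}

/* Returns 0 and fills 'out' on success; a negative code names the check that failed. */
int parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct tcp_view *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;           /* truncated or not IPv4 */
    size_t ihl = (pkt[0] & 0x0f) * 4u, tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len) return -2;        /* inconsistent IP lengths */
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) return -3;    /* IP header checksum */
    if (pkt[9] != 6) return -4;                               /* not TCP */
    if (rd16(pkt + 6) & 0x3fff) return -5;                    /* fragment: no TCP header here */
    const uint8_t *seg = pkt + ihl;
    size_t seg_len = tot - ihl;
    if (seg_len < 20) return -6;                              /* truncated TCP header */
    size_t doff = (seg[12] >> 4) * 4u;
    if (doff < 20 || doff > seg_len) return -7;               /* bad data offset */
    if (tcp_csum(pkt, seg, seg_len) != rd16(seg + 16)) return -8; /* TCP checksum */
    out->saddr = rd32(pkt + 12); out->daddr = rd32(pkt + 16);
    out->sport = rd16(seg); out->dport = rd16(seg + 2);
    out->seq = rd32(seg + 4); out->ack = rd32(seg + 8);
    out->flags = seg[13]; out->window = rd16(seg + 14);
    out->payload = seg + doff; out->payload_len = seg_len - doff;
    return 0;
}

/* Constructed sample, not a capture: 10.0.0.5:40000 -> 10.0.0.9:80, PSH|ACK, HTTP request. */
static const char SAMPLE_PAYLOAD[] = "GET / HTTP/1.0\r\n\r\n";
size_t build_sample(uint8_t *buf, size_t cap) {
    size_t plen = sizeof SAMPLE_PAYLOAD - 1, total = 40 + plen;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45; wr16(buf + 2, (uint16_t)total); wr16(buf + 4, 0x1234);
    wr16(buf + 6, 0x4000); buf[8] = 64; buf[9] = 6;          /* DF, TTL 64, TCP */
    wr32(buf + 12, 0x0a000005); wr32(buf + 16, 0x0a000009);
    wr16(buf + 10, csum_fold(csum_add(0, buf, 20)));
    uint8_t *seg = buf + 20;
    wr16(seg, 40000); wr16(seg + 2, 80);
    wr32(seg + 4, 0x11223344); wr32(seg + 8, 0x55667788);
    seg[12] = 0x50; seg[13] = TCP_PSH | TCP_ACK; wr16(seg + 14, 65535);
    memcpy(seg + 20, SAMPLE_PAYLOAD, plen);
    wr16(seg + 16, tcp_csum(buf, seg, 20 + plen));
    return total;
}
/* Parse the sample and confirm the fields an IDS keys on; returns 1 when all match. */
int sample_ok(void) {
    uint8_t buf[128]; struct tcp_view v;
    size_t n = build_sample(buf, sizeof buf);
    if (parse_ipv4_tcp(buf, n, &v) != 0) return 0;
    return v.saddr == 0x0a000005 && v.sport == 40000 && v.dport == 80 &&
           v.flags == (TCP_PSH | TCP_ACK) && v.payload_len == 18 &&
           memcmp(v.payload, SAMPLE_PAYLOAD, 18) == 0;
}
/* Flip one byte of the sample in place and return the parser's verdict. */
int tamper_result(size_t off) {
    uint8_t buf[128]; struct tcp_view v;
    size_t n = build_sample(buf, sizeof buf);
    if (off >= n) return -100;
    buf[off] ^= 1;
    return parse_ipv4_tcp(buf, n, &v);
}
int main(void) {
    printf("sample parses as expected: %d\n", sample_ok());
    printf("payload byte flipped -> %d, TTL byte flipped -> %d\n", tamper_result(57), tamper_result(8));
    return 0;
}
```

The fragment check matters for a hook that wants to see TCP headers: only the first fragment carries one, so a hook placed before reassembly either has to reassemble itself or accept that it cannot inspect TCP fields of fragmented traffic. The tamper helper also answers the checksum side of the hash question: any modification to the segment, header or payload, must be followed by recomputing the TCP checksum (and the IP checksum if the IP header changes) or the receiving stack will silently drop the packet.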