Packet Sniffing
Preetam Jinka
September 20, 2014
Programming
Transcript
Packet Sniffing
Preetam Jinka (@preetamjinka), beCamp 2014
Intro to
Code examples https://github.com/PreetamJinka/packet-sniffing
Background
What's a socket? They're basically channels for packets to travel across.
What's a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
Types of sockets
• Datagram (e.g. UDP)
• Stream (e.g. TCP)
• Raw
  ◦ "It's RAW!"
The socket() syscall
"socket() creates an endpoint for communication and returns a descriptor."
    int socket(int domain, int type, int protocol);
TCP and UDP are complicated, right?
• TCP
  ◦ Stateful
  ◦ Connections
  ◦ Ports
• UDP
  ◦ Stateless
  ◦ Ports
Abstractions make sockets simpler. Your programming environment takes care of
setting up sockets. You just have to send data. The packets are constructed for you (by the OS).
TCP sockets in Node.js
    var net = require('net');
    // The OS builds the TCP/IP packets; the program only sees a byte stream.
    var server = net.createServer(function (socket) {
        socket.write('Echo server\r\n');
        socket.pipe(socket); // echo everything the client sends back to it
    });
    server.listen(1337, '127.0.0.1');
When a socket is bound to an address:port, it only
receives data sent to that address:port. The kernel manages that for you.
Let’s rip away the abstractions. Make things RAW!
Let's make a RAW socket (in Go). Demo #1. (Opening one needs root, or CAP_NET_RAW on Linux.)
What are we seeing?
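Demo #1 itself lives in the linked repository. What follows is an added example, my code rather than the talk's, of the same socket(domain, type, protocol) call with the abstractions removed: an AF_PACKET / SOCK_RAW / ETH_P_ALL socket, read in a loop and hex-dumped so the raw bytes are visible. AF_PACKET and ETH_P_ALL are written as their Linux numeric values instead of being taken from a platform package (an assumption noted in the code); the socket type only exists on Linux and opening it needs root (CAP_NET_RAW).

```go
package main

import (
	"encoding/hex"
	"fmt"
	"os"
	"syscall"
)

// Linux values, written out so the file also compiles on other Unixes. The
// socket only exists on Linux and opening it needs root (CAP_NET_RAW).
const (
	afPacket = 17     // AF_PACKET: Ethernet frames from every interface
	ethPAll  = 0x0003 // ETH_P_ALL: every EtherType (host byte order)
)

// htons converts to network byte order; the protocol argument of an
// AF_PACKET socket is the one place socket() expects it that way.
func htons(v uint16) uint16 { return v<<8 | v>>8 }

// openRawSocket is socket(domain, type, protocol) with the abstractions
// ripped away: domain AF_PACKET, type SOCK_RAW, protocol ETH_P_ALL.
func openRawSocket() (int, error) {
	return syscall.Socket(afPacket, syscall.SOCK_RAW, int(htons(ethPAll)))
}

// hexDump renders at most n bytes of a frame as offset, hex bytes and ASCII,
// which is what a raw read gives you before any protocol decoding.
func hexDump(frame []byte, n int) string {
	if n > len(frame) {
		n = len(frame)
	}
	return hex.Dump(frame[:n])
}

func main() {
	fd, err := openRawSocket()
	if err != nil {
		fmt.Fprintln(os.Stderr, "socket:", err, "(Linux, run as root)")
		os.Exit(1)
	}
	defer syscall.Close(fd)
	buf := make([]byte, 65536) // one read returns one frame; sized for jumbo frames
	for {
		// Read in a tight loop: if we fall behind, the kernel's socket buffer
		// fills up and it drops frames instead of waiting for us.
		n, err := syscall.Read(fd, buf)
		if err != nil {
			fmt.Fprintln(os.Stderr, "read:", err)
			return
		}
		fmt.Printf("frame of %d bytes\n%s\n", n, hexDump(buf[:n], 64))
	}
}
```

Run it as root on a Linux box and every frame on every interface shows up, including the ones your own terminal session is generating; the first 14 bytes of each dump are the Ethernet header.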
Protocol decoding
It's protocols all the way down! (Interesting computer science problems.)
Applications
Let’s decode ethernet (and others) Demo #2.
Issue #1 We see everything, but we don’t want to.
Solution? Filter.
Filtering
Let’s filter by a port. Demo #3.
Payloads
We've only been looking at headers. Let's read the rest of the packet.
TCP Payloads Demo #4.
What else can we do? Look at the TCP flags.
SYN without ACK => a connection is being opened (the first segment of the handshake).
FIN with ACK => the sender is done and the connection is closing.
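Added example (not the talk's demo code) that covers demos #2 to #4 and the flag rules above in one decoder: it walks Ethernet -> IPv4 -> TCP, filters on a port, returns the payload, and classifies SYN/FIN. The frame it runs on is constructed inline for the example (addresses, ports and the HTTP request line are made up; IP and TCP checksums are left at zero and not verified). To use it live, pass it the buffer returned by each read on a raw socket.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const (
	etherTypeIPv4          = 0x0800
	ipProtoTCP             = 6
	tcpFIN, tcpSYN, tcpACK = 0x01, 0x02, 0x10 // bits of the TCP flags byte
)

// Packet is what decode recovers; layers that were absent stay zero.
type Packet struct {
	SrcMAC, DstMAC, SrcIP, DstIP string
	EtherType, SrcPort, DstPort  uint16
	Protocol, Flags              byte   // Flags is the raw TCP flags byte
	Payload                      []byte // bytes after the TCP header (demo #4)
}

// decode walks Ethernet -> IPv4 -> TCP (demo #2). Every length comes from an
// untrusted header, so each one is checked before it becomes a slice bound.
func decode(frame []byte) (Packet, error) {
	var p Packet
	if len(frame) < 14 {
		return p, fmt.Errorf("short ethernet frame (%d bytes)", len(frame))
	}
	p.DstMAC = net.HardwareAddr(frame[0:6]).String()
	p.SrcMAC = net.HardwareAddr(frame[6:12]).String()
	p.EtherType = binary.BigEndian.Uint16(frame[12:14])
	if p.EtherType != etherTypeIPv4 { // ARP, IPv6, VLAN-tagged: not decoded here
		return p, nil
	}
	ip := frame[14:]
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return p, fmt.Errorf("short or non-IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(ip[2:4]))
	// Use the IP total length, not the frame length: short frames are padded
	// up to the Ethernet minimum on the wire and the padding is not payload.
	if ihl < 20 || total < ihl || total > len(ip) {
		return p, fmt.Errorf("bad IPv4 lengths ihl=%d total=%d", ihl, total)
	}
	p.Protocol = ip[9]
	p.SrcIP, p.DstIP = net.IP(ip[12:16]).String(), net.IP(ip[16:20]).String()
	if p.Protocol != ipProtoTCP {
		return p, nil
	}
	tcp, doff := ip[ihl:total], 0
	if len(tcp) >= 20 {
		doff = int(tcp[12]>>4) * 4 // TCP header length, options included
	}
	if doff < 20 || doff > len(tcp) {
		return p, fmt.Errorf("short TCP header or bad data offset %d", doff)
	}
	p.SrcPort, p.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	p.Flags, p.Payload = tcp[13], tcp[doff:]
	return p, nil
}

// matchesPort is demo #3: keep only TCP segments to or from one port.
func matchesPort(p Packet, port uint16) bool {
	return p.Protocol == ipProtoTCP && (p.SrcPort == port || p.DstPort == port)
}

// connectionEvent applies the flag rules from the slides.
func connectionEvent(p Packet) string {
	if p.Flags&tcpSYN != 0 && p.Flags&tcpACK == 0 {
		return "open"
	}
	if p.Flags&tcpFIN != 0 && p.Flags&tcpACK != 0 {
		return "close"
	}
	return ""
}

// sampleFrame is constructed input, not a capture: Ethernet + IPv4 + TCP
// PSH/ACK from 10.0.0.1:49152 to 10.0.0.2:80 carrying "GET / HTTP/1.0\r\n".
func sampleFrame() []byte {
	return []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00,
		0x45, 0x00, 0x00, 0x38, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
		0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0,
		'G', 'E', 'T', ' ', '/', ' ', 'H', 'T', 'T', 'P', '/', '1', '.', '0', '\r', '\n',
	}
}

func main() {
	p, err := decode(sampleFrame())
	fmt.Printf("%s:%d -> %s:%d flags=%#02x event=%q payload=%q err=%v\n",
		p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, p.Flags, connectionEvent(p), p.Payload, err)
}
```

The length checks are the part worth copying: on a raw socket the headers come from whoever is on the wire, and an IHL or data offset that points past the end of the buffer is exactly the kind of input a decoder that indexes blindly will crash on.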
Caveats
• We're not considering connection states.
• SSL/TLS? Encrypted payloads: you still see addresses, ports, and sizes, but not the contents.
• Resource utilization (how fast can we sniff?). If you're not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.
Technique: sampling
If you only want a representative sample, pick 1 in N packets and ignore the rest.
Upside: monitor lots of network traffic.
Downside: not accurate (counts are estimates, scaled back up by N).
(See me if you want to learn about sFlow.)
Sampling demo: "topflows" https://github.com/PreetamJinka/flowtools/tree/master/topflows
Very easy to turn this into a DDoS detector.
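The topflows tool is linked above; the following is an added example of the 1-in-N technique with the DDoS twist, my code rather than that repository's: a counting sampler, per-flow estimates scaled back up by N, and a rule that fires when one destination takes most of the sampled packets from many different sources. The flow key, the thresholds, and the synthetic traffic (1000 packets, about six in seven of them a flood on 10.0.0.9:80) are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
)

// FlowKey is the flow identity we count by (an assumption of this example).
type FlowKey struct {
	SrcIP, DstIP string
	DstPort      uint16
}

// Sampler keeps 1 packet in N. Counting is deterministic and cheap, but it is
// fooled by traffic whose pattern repeats every N packets; random selection avoids that.
type Sampler struct {
	N     int
	seen  int
	Total int             // packets that were sampled
	Flows map[FlowKey]int // sampled packets per flow
	Dsts  map[string]int  // sampled packets per destination address
}

func NewSampler(n int) *Sampler {
	return &Sampler{N: n, Flows: map[FlowKey]int{}, Dsts: map[string]int{}}
}

// Observe is called for every packet and reports whether it was kept. An
// unsampled packet costs one increment; only sampled ones touch the maps.
func (s *Sampler) Observe(k FlowKey) bool {
	s.seen++
	if s.seen%s.N != 0 {
		return false
	}
	s.Total++
	s.Flows[k]++
	s.Dsts[k.DstIP]++
	return true
}

// FlowCount pairs a flow with its estimated packet count (sampled count * N).
type FlowCount struct {
	Key FlowKey
	Est int
}

// TopFlows returns the k flows with the largest estimated packet counts.
func (s *Sampler) TopFlows(k int) []FlowCount {
	out := make([]FlowCount, 0, len(s.Flows))
	for key, c := range s.Flows {
		out = append(out, FlowCount{key, c * s.N})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Est > out[j].Est })
	if k < len(out) {
		out = out[:k]
	}
	return out
}

// SuspectedFlood is the "easy DDoS detector": the busiest destination takes
// more than share of all sampled packets and is hit from at least minSources
// distinct sources. Returns that destination, its share, and the verdict.
func (s *Sampler) SuspectedFlood(share float64, minSources int) (string, float64, bool) {
	if s.Total == 0 {
		return "", 0, false
	}
	top, topCount := "", 0
	for dst, c := range s.Dsts {
		if c > topCount {
			top, topCount = dst, c
		}
	}
	srcs := map[string]bool{}
	for key := range s.Flows {
		if key.DstIP == top {
			srcs[key.SrcIP] = true
		}
	}
	frac := float64(topCount) / float64(s.Total)
	return top, frac, frac > share && len(srcs) >= minSources
}

// syntheticTraffic is constructed input: 1000 packets, every 7th one normal
// HTTPS to 10.0.0.5 from 3 clients, the rest a flood on 10.0.0.9:80 from 31 sources.
func syntheticTraffic() []FlowKey {
	pkts := make([]FlowKey, 0, 1000)
	for i := 0; i < 1000; i++ {
		if i%7 == 0 {
			pkts = append(pkts, FlowKey{fmt.Sprintf("192.0.2.%d", (i/7)%3), "10.0.0.5", 443})
		} else {
			pkts = append(pkts, FlowKey{fmt.Sprintf("198.51.100.%d", i%31), "10.0.0.9", 80})
		}
	}
	return pkts
}

func main() {
	s := NewSampler(10)
	for _, k := range syntheticTraffic() {
		s.Observe(k)
	}
	for _, f := range s.TopFlows(3) {
		fmt.Printf("%s -> %s:%d ~%d packets\n", f.Key.SrcIP, f.Key.DstIP, f.Key.DstPort, f.Est)
	}
	dst, frac, ok := s.SuspectedFlood(0.5, 5)
	fmt.Printf("flood on %s: %v (%.0f%% of sampled packets)\n", dst, ok, 100*frac)
}
```

With N = 10 the sampler touches its maps for 100 of the 1000 packets and still attributes 86% of them to the flooded host, which is the whole point: the estimate is rough per flow but the aggregate picture survives, and the memory and CPU cost is a tenth of counting everything.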
More fun ideas
You can read from raw sockets, but you can also write to raw sockets (same privilege requirement: root, or CAP_NET_RAW on Linux). Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!
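Added example (not from the talk) of the write side: build an IPv4 + UDP packet by hand, including the IPv4 header checksum and the UDP checksum over the pseudo-header, then hand it to an AF_INET / SOCK_RAW / IPPROTO_RAW socket, which on Linux sends the IP header as given. Addresses, ports and the payload are made up for the example; sending needs root (CAP_NET_RAW).

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"syscall"
)

// checksum is the Internet checksum (RFC 1071): one's complement of the
// one's-complement sum of the 16-bit words, an odd last byte padded with zero.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// buildIPv4 returns a 20-byte header (no options) with its checksum filled in.
func buildIPv4(src, dst net.IP, proto, ttl byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	binary.BigEndian.PutUint16(h[6:], 0x4000) // DF set, not fragmented
	h[8], h[9] = ttl, proto
	copy(h[12:], src.To4())
	copy(h[16:], dst.To4())
	binary.BigEndian.PutUint16(h[10:], checksum(h)) // field is zero while summing
	return h
}

// pseudoHeader is what UDP and TCP checksums cover in addition to themselves.
func pseudoHeader(src, dst net.IP, proto byte, length int) []byte {
	p := make([]byte, 12)
	copy(p[0:], src.To4())
	copy(p[4:], dst.To4())
	p[9] = proto
	binary.BigEndian.PutUint16(p[10:], uint16(length))
	return p
}

// buildUDP returns header + payload with the checksum over pseudo-header, header
// and payload. A computed 0 is sent as 0xffff, since 0 means "no checksum" in UDP/IPv4.
func buildUDP(src, dst net.IP, sport, dport uint16, payload []byte) []byte {
	u := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint16(u[0:], sport)
	binary.BigEndian.PutUint16(u[2:], dport)
	binary.BigEndian.PutUint16(u[4:], uint16(len(u)))
	copy(u[8:], payload)
	c := checksum(append(pseudoHeader(src, dst, 17, len(u)), u...))
	if c == 0 {
		c = 0xffff
	}
	binary.BigEndian.PutUint16(u[6:], c)
	return u
}

// verifyUDP is what a receiver does: summing pseudo-header + datagram with
// the checksum field included must give zero.
func verifyUDP(src, dst net.IP, u []byte) bool {
	return checksum(append(pseudoHeader(src, dst, 17, len(u)), u...)) == 0
}

// buildDatagram glues IPv4 + UDP; the IP total length counts the UDP part.
func buildDatagram(src, dst net.IP, sport, dport uint16, payload []byte) []byte {
	udp := buildUDP(src, dst, sport, dport, payload)
	return append(buildIPv4(src, dst, 17, 64, len(udp)), udp...)
}

// sendRaw hands the finished packet to an IPv4 raw socket. With IPPROTO_RAW
// the kernel takes our IP header as-is (IP_HDRINCL); needs root (CAP_NET_RAW).
func sendRaw(pkt []byte, dst net.IP) error {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)
	var addr syscall.SockaddrInet4
	copy(addr.Addr[:], dst.To4())
	return syscall.Sendto(fd, pkt, 0, &addr)
}

func main() {
	src, dst := net.ParseIP("192.168.0.1"), net.ParseIP("192.168.0.199")
	pkt := buildDatagram(src, dst, 40000, 9999, []byte("hello from a raw socket"))
	fmt.Printf("% x\n", pkt)
	if err := sendRaw(pkt, dst); err != nil { // fails without root (CAP_NET_RAW)
		fmt.Fprintln(os.Stderr, "send:", err)
	}
}
```

Because the source address is whatever you write into the header, a packet built this way is also what address spoofing looks like from the sender's side; the receiver's only defence against a bad header is the checksum, and the only defence against a forged source is filtering upstream.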
Questions?
Photo credits:
https://www.flickr.com/photos/qwrrty/2791283248/
https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/
http://snmp.co.uk/scrutinizer/main.htm
Wikipedia for the diagrams