Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Packet Sniffing
Search
Preetam Jinka
September 20, 2014
Programming
1
240
Packet Sniffing
Preetam Jinka
September 20, 2014
Tweet
Share
More Decks by Preetam Jinka
See All by Preetam Jinka
Downsampling, Time Series, and PostgreSQL
preetamjinka
1
790
Siesta: RESTful Services Made Simple
preetamjinka
0
120
Time Series Storage @ Data Hackers
preetamjinka
1
180
Time Series Storage
preetamjinka
13
2.7k
Intro to (Relational) Databases 2015
preetamjinka
1
310
Intro to Databases
preetamjinka
0
190
Other Decks in Programming
See All in Programming
GUI操作LLMの最新動向: UI-TARSと関連論文紹介
kfujikawa
0
1k
Rancher と Terraform
fufuhu
1
120
SOCI Index Manifest v2が出たので調べてみた / Introduction to SOCI Index Manifest v2
tkikuc
1
110
Introduction to Git & GitHub
latte72
0
120
デザインシステムが必須の時代に
yosuke_furukawa
PRO
2
120
Microsoft Orleans, Daprのアクターモデルを使い効率的に開発、デプロイを行うためのSekibanの試行錯誤 / Sekiban: Exploring Efficient Development and Deployment with Microsoft Orleans and Dapr Actor Models
tomohisa
0
220
AIコーディングAgentとの向き合い方
eycjur
0
240
Google I/O recap web編 大分Web祭り2025
kponda
0
2.9k
未来を拓くAI技術〜エージェント開発とAI駆動開発〜
leveragestech
2
180
個人軟體時代
ethanhuang13
0
110
一人でAIプロダクトを作るための工夫 〜技術選定・開発プロセス編〜 / I want AI to work harder
rkaga
13
2.9k
TROCCO×dbtで実現する人にもAIにもやさしいデータ基盤
nealle
0
340
Featured
See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Mobile First: as difficult as doing things right
swwweet
223
9.9k
The Cult of Friendly URLs
andyhume
79
6.6k
What's in a price? How to price your products and services
michaelherold
246
12k
Rails Girls Zürich Keynote
gr2m
95
14k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.8k
Visualization
eitanlees
147
16k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
Writing Fast Ruby
sferik
628
62k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.6k
Making Projects Easy
brettharned
117
6.3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
185
54k
Transcript
Packet Sniffing Preetam Jinka (@preetamjinka) beCamp 2014 Intro to
Code examples https://github.com/PreetamJinka/packet-sniffing
Background What’s a socket? What’s a packet?
Background What’s a socket? They’re basically channels for packets to
travel across. What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
None
• Datagram (e.g. UDP) • Stream (e.g. TCP) • Raw
◦ “It’s RAW!” Types of sockets
The socket() syscall “ socket() creates an endpoint for communication
and returns a descriptor. int socket(int domain, int type, int protocol); ”
TCP and UDP are complicated, right? • TCP ◦ Stateful
◦ Connections ◦ Ports • UDP ◦ Stateless ◦ Ports
None
Abstractions make sockets simpler. Your programming environment takes care of
setting up sockets. You just have to send data. The packets are constructed for you (by the OS).
TCP sockets in Node.js var net = require('net'); var server
= net.createServer(function (socket) { socket.write('Echo server\r\n'); socket.pipe(socket); }); server.listen(1337, '127.0.0.1');
When a socket is bound to an address:port, it only
receives data sent to that address:port. The kernel manages that for you.
Let’s rip away the abstractions. Make things RAW!
Let’s make a RAW socket (in Go). Demo #1.
What are we seeing?
Protocol decoding It’s protocols all the way down! (Interesting computer
science problems.)
Applications
Applications
Let’s decode ethernet (and others) Demo #2.
Issue #1 We see everything, but we don’t want to.
Solution? Filter.
Filtering
Let’s filter by a port. Demo #3.
Payloads We’ve only been looking at headers. Let’s read the
rest of the packet.
TCP Payloads Demo #4.
What else can we do? Look at TCP flags. SYN
but not ACK => connection opened FIN and ACK => connection closed
Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how
fast can we sniff?)
Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how
fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.
Technique: sampling If you only want a representative sample, pick
1 in N packets. Ignore the rest. Upside: monitor lots of network traffic Downside: not accurate (See me if you want to learn about sFlow)
Sampling demo “topflows” https://github.com/PreetamJinka/flowtools/tree/master/topflows Very easy to turn this into
a DDoS detector.
More fun ideas You can read from raw sockets, but
you can also write to raw sockets. Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!
Questions?
https://www.flickr.com/photos/qwrrty/2791283248/ https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/ http://snmp.co.uk/scrutinizer/main.htm Wikipedia for the diagrams Photo credits