Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Packet Sniffing
Search
Preetam Jinka
September 20, 2014
Programming
1
240
Packet Sniffing
Preetam Jinka
September 20, 2014
Tweet
Share
More Decks by Preetam Jinka
See All by Preetam Jinka
Downsampling, Time Series, and PostgreSQL
preetamjinka
1
800
Siesta: RESTful Services Made Simple
preetamjinka
0
120
Time Series Storage @ Data Hackers
preetamjinka
1
190
Time Series Storage
preetamjinka
13
2.7k
Intro to (Relational) Databases 2015
preetamjinka
1
310
Intro to Databases
preetamjinka
0
190
Other Decks in Programming
See All in Programming
プログラマのための作曲入門
cheebow
0
540
『毎日の移動』を支えるGoバックエンド内製開発
yutautsugi
2
190
CSC509 Lecture 04
javiergs
PRO
0
300
NetworkXとGNNで学ぶグラフデータ分析入門〜複雑な関係性を解き明かすPythonの力〜
mhrtech
3
1k
CSC509 Lecture 01
javiergs
PRO
1
430
Goで実践するドメイン駆動開発 AIと歩み始めた新規プロダクト開発の現在地
imkaoru
4
650
Model Pollution
hschwentner
1
180
どの様にAIエージェントと 協業すべきだったのか?
takefumiyoshii
2
610
AIで開発生産性を上げる個人とチームの取り組み
taniigo
0
130
メモリ不足との戦い〜大量データを扱うアプリでの実践例〜
kwzr
1
880
Le côté obscur des IA génératives
pascallemerrer
0
120
monorepo の Go テストをはやくした〜い!~最小の依存解決への道のり~ / faster-testing-of-monorepos
convto
2
400
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.6k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
51k
Context Engineering - Making Every Token Count
addyosmani
5
180
A Modern Web Designer's Workflow
chriscoyier
697
190k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Optimizing for Happiness
mojombo
379
70k
Producing Creativity
orderedlist
PRO
347
40k
Making Projects Easy
brettharned
119
6.4k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Transcript
Packet Sniffing Preetam Jinka (@preetamjinka) beCamp 2014 Intro to
Code examples https://github.com/PreetamJinka/packet-sniffing
Background What’s a socket? What’s a packet?
Background What’s a socket? They’re basically channels for packets to
travel across. What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
None
• Datagram (e.g. UDP) • Stream (e.g. TCP) • Raw
◦ “It’s RAW!” Types of sockets
The socket() syscall “ socket() creates an endpoint for communication
and returns a descriptor. int socket(int domain, int type, int protocol); ”
TCP and UDP are complicated, right? • TCP ◦ Stateful
◦ Connections ◦ Ports • UDP ◦ Stateless ◦ Ports
None
Abstractions make sockets simpler. Your programming environment takes care of
setting up sockets. You just have to send data. The packets are constructed for you (by the OS).
TCP sockets in Node.js var net = require('net'); var server
= net.createServer(function (socket) { socket.write('Echo server\r\n'); socket.pipe(socket); }); server.listen(1337, '127.0.0.1');
When a socket is bound to an address:port, it only
receives data sent to that address:port. The kernel manages that for you.
Let’s rip away the abstractions. Make things RAW!
Let’s make a RAW socket (in Go). Demo #1.
What are we seeing?
Protocol decoding It’s protocols all the way down! (Interesting computer
science problems.)
Applications
Applications
Let’s decode ethernet (and others) Demo #2.
Issue #1 We see everything, but we don’t want to.
Solution? Filter.
Filtering
Let’s filter by a port. Demo #3.
Payloads We’ve only been looking at headers. Let’s read the
rest of the packet.
TCP Payloads Demo #4.
What else can we do? Look at TCP flags. SYN
but not ACK => connection opened FIN and ACK => connection closed
Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how
fast can we sniff?)
Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how
fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.
Technique: sampling If you only want a representative sample, pick
1 in N packets. Ignore the rest. Upside: monitor lots of network traffic Downside: not accurate (See me if you want to learn about sFlow)
Sampling demo “topflows” https://github.com/PreetamJinka/flowtools/tree/master/topflows Very easy to turn this into
a DDoS detector.
More fun ideas You can read from raw sockets, but
you can also write to raw sockets. Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!
Questions?
https://www.flickr.com/photos/qwrrty/2791283248/ https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/ http://snmp.co.uk/scrutinizer/main.htm Wikipedia for the diagrams Photo credits