Packet Sniffing

Transcript

1. Packet Sniffing Preetam Jinka (@preetamjinka) beCamp 2014 Intro to

2. Code examples https://github.com/PreetamJinka/packet-sniffing

3. Background What’s a socket? What’s a packet?

4. Background What’s a socket? They’re basically channels for packets to

   travel across. What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
5. None

6. • Datagram (e.g. UDP) • Stream (e.g. TCP) • Raw

   ◦ “It’s RAW!” Types of sockets

7. The socket() syscall “ socket() creates an endpoint for communication

   and returns a descriptor. int socket(int domain, int type, int protocol); ”

8. TCP and UDP are complicated, right? • TCP ◦ Stateful

   ◦ Connections ◦ Ports • UDP ◦ Stateless ◦ Ports
9. None

10. Abstractions make sockets simpler. Your programming environment takes care of

    setting up sockets. You just have to send data. The packets are constructed for you (by the OS).

11. TCP sockets in Node.js var net = require('net'); var server

    = net.createServer(function (socket) { socket.write('Echo server\r\n'); socket.pipe(socket); }); server.listen(1337, '127.0.0.1');

12. When a socket is bound to an address:port, it only

    receives data sent to that address:port. The kernel manages that for you.

13. Let’s rip away the abstractions. Make things RAW!

14. Let’s make a RAW socket (in Go). Demo #1.

15. What are we seeing?

16. Protocol decoding It’s protocols all the way down! (Interesting computer

    science problems.)

17. Applications

18. Applications

19. Let’s decode ethernet (and others) Demo #2.

20. Issue #1 We see everything, but we don’t want to.

    Solution? Filter.

21. Filtering

22. Let’s filter by a port. Demo #3.

23. Payloads We’ve only been looking at headers. Let’s read the

    rest of the packet.

24. TCP Payloads Demo #4.

25. What else can we do? Look at TCP flags. SYN

    but not ACK => connection opened FIN and ACK => connection closed

26. Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how

    fast can we sniff?)

27. Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how

    fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.

28. Technique: sampling If you only want a representative sample, pick

    1 in N packets. Ignore the rest. Upside: monitor lots of network traffic Downside: not accurate (See me if you want to learn about sFlow)

29. Sampling demo “topflows” https://github.com/PreetamJinka/flowtools/tree/master/topflows Very easy to turn this into

    a DDoS detector.

30. More fun ideas You can read from raw sockets, but

    you can also write to raw sockets. Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!

31. Questions?

32. https://www.flickr.com/photos/qwrrty/2791283248/ https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/ http://snmp.co.uk/scrutinizer/main.htm Wikipedia for the diagrams Photo credits