Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Packet Sniffing

Avatar for Preetam Jinka Preetam Jinka
September 20, 2014
Programming
260
1

Packet Sniffing

Avatar for Preetam Jinka

Preetam Jinka

September 20, 2014

More Decks by Preetam Jinka

See All by Preetam Jinka
Downsampling, Time Series, and PostgreSQL
Avatar for Preetam Jinka preetamjinka
1
840
Siesta: RESTful Services Made Simple
Avatar for Preetam Jinka preetamjinka
0
130
Time Series Storage @ Data Hackers
Avatar for Preetam Jinka preetamjinka
1
210
Time Series Storage
Avatar for Preetam Jinka preetamjinka
13
2.8k
Intro to (Relational) Databases 2015
Avatar for Preetam Jinka preetamjinka
1
320
Intro to Databases
Avatar for Preetam Jinka preetamjinka
0
200

Other Decks in Programming

See All in Programming
Inspired By RubyKaigi (EN)
Avatar for Atsushi Kawamura (atzz/a2c) atzzcokek
0
500
RTSPクライアントを自作してみた話
Avatar for simotin13 simotin13
0
440
権限チェックの一貫性を型で守る TypeScript による多層防御
Avatar for aster-mnch (kitagawa) mnch
4
1.1k
Datadog × OpenTelemetry 入門と実践のあいだ
Avatar for Max Kento kn_to_maxpno
1
130
プラグインで拡張される Context をtype-safe にする難しさと設計判断
Avatar for kazupon kazupon
2
550
[2026年度第1回ORセミナー] 計画最適化ベンチャーと競技プログラミング人材
Avatar for terry-u16 terryu16
0
230
The Arts and Crafts of Work in the AI Era — Toward Mastery in Software Development
Avatar for Yoshihito Kuranuki / 倉貫義人 kuranuki
1
700
「エンジニアインターン、どうやって取った?」準備のリアルを語るLT会 Progate BAR
Avatar for akio akiomatic
0
120
セキュリティの専門家じゃなくてもできる。「セキュリティ意識」をアップデートして サプライチェーン攻撃への耐性を高めよう。
Avatar for tk3fftk tk3fftk
5
550
ユニットテストの先へ:テスト技法で要求・仕様を整理するJava開発実践 / Beyond_Unit_Testing_Practical_Java_Development_Techniques_for_Organizing_Requirements_and_Specifications
Avatar for SHIMANE, Yoshikazu shimashima35
0
340
3Dシーンの圧縮
Avatar for Fadis fadis
1
590
Lessons from Spec-Driven Development
Avatar for Simon Martinelli simas
PRO
0
120

Featured

See All Featured
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
310
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
830
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
260
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3.2k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.6k
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
200
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
2
1.5k
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
1k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
58k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
7.1k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
120
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k

Transcript

  1. Packet Sniffing Preetam Jinka (@preetamjinka) beCamp 2014 Intro to

  2. Code examples https://github.com/PreetamJinka/packet-sniffing

  3. Background What’s a socket? What’s a packet?

  4. Background What’s a socket? They’re basically channels for packets to

    travel across. What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
  5. None

  6. • Datagram (e.g. UDP) • Stream (e.g. TCP) • Raw

    ◦ “It’s RAW!” Types of sockets

  7. The socket() syscall “ socket() creates an endpoint for communication

    and returns a descriptor. int socket(int domain, int type, int protocol); ”

  8. TCP and UDP are complicated, right? • TCP ◦ Stateful

    ◦ Connections ◦ Ports • UDP ◦ Stateless ◦ Ports
  9. None

  10. Abstractions make sockets simpler. Your programming environment takes care of

    setting up sockets. You just have to send data. The packets are constructed for you (by the OS).

  11. TCP sockets in Node.js var net = require('net'); var server

    = net.createServer(function (socket) { socket.write('Echo server\r\n'); socket.pipe(socket); }); server.listen(1337, '127.0.0.1');

  12. When a socket is bound to an address:port, it only

    receives data sent to that address:port. The kernel manages that for you.

  13. Let’s rip away the abstractions. Make things RAW!

  14. Let’s make a RAW socket (in Go). Demo #1.

  15. What are we seeing?

  16. Protocol decoding It’s protocols all the way down! (Interesting computer

    science problems.)

  17. Applications

  18. Applications

  19. Let’s decode ethernet (and others) Demo #2.

  20. Issue #1 We see everything, but we don’t want to.

    Solution? Filter.

  21. Filtering

  22. Let’s filter by a port. Demo #3.

  23. Payloads We’ve only been looking at headers. Let’s read the

    rest of the packet.

  24. TCP Payloads Demo #4.

  25. What else can we do? Look at TCP flags. SYN

    but not ACK => connection opened FIN and ACK => connection closed

  26. Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how

    fast can we sniff?)

  27. Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how

    fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.

  28. Technique: sampling If you only want a representative sample, pick

    1 in N packets. Ignore the rest. Upside: monitor lots of network traffic Downside: not accurate (See me if you want to learn about sFlow)

  29. Sampling demo “topflows” https://github.com/PreetamJinka/flowtools/tree/master/topflows Very easy to turn this into

    a DDoS detector.

  30. More fun ideas You can read from raw sockets, but

    you can also write to raw sockets. Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!

  31. Questions?

  32. https://www.flickr.com/photos/qwrrty/2791283248/ https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/ http://snmp.co.uk/scrutinizer/main.htm Wikipedia for the diagrams Photo credits