Packet Sniffing
Preetam Jinka
September 20, 2014
Transcript
Packet Sniffing
Preetam Jinka (@preetamjinka)
beCamp 2014
Intro to

Code examples: https://github.com/PreetamJinka/packet-sniffing

Background
What’s a socket? They’re basically channels for packets to travel across.
What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
Types of sockets
• Datagram (e.g. UDP)
• Stream (e.g. TCP)
• Raw
  ◦ “It’s RAW!”

The socket() syscall
“socket() creates an endpoint for communication and returns a descriptor.”
int socket(int domain, int type, int protocol);

TCP and UDP are complicated, right?
• TCP
  ◦ Stateful
  ◦ Connections
  ◦ Ports
• UDP
  ◦ Stateless
  ◦ Ports
Abstractions make sockets simpler. Your programming environment takes care of setting up sockets. You just have to send data. The packets are constructed for you (by the OS).

TCP sockets in Node.js

    var net = require('net');
    var server = net.createServer(function (socket) {
      socket.write('Echo server\r\n');
      socket.pipe(socket);
    });
    server.listen(1337, '127.0.0.1');

When a socket is bound to an address:port, it only receives data sent to that address:port. The kernel manages that for you.
Let’s rip away the abstractions. Make things RAW!
Let’s make a RAW socket (in Go). Demo #1.
What are we seeing?
Protocol decoding
It’s protocols all the way down! (Interesting computer science problems.)

Applications
Let’s decode ethernet (and others) Demo #2.
Issue #1 We see everything, but we don’t want to.
Solution? Filter.
Filtering
Let’s filter by a port. Demo #3.
Payloads
We’ve only been looking at headers. Let’s read the rest of the packet.

TCP Payloads
Demo #4.

What else can we do? Look at TCP flags.
SYN but not ACK => connection opened
FIN and ACK => connection closed
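Demos #2 through #4 and the flag rules above, as one added Go example that is not the deck’s code or the packet-sniffing repository’s: it decodes a constructed Ethernet/IPv4/TCP frame (built inline, not captured), filters on a port, and classifies the packet by its SYN/ACK/FIN bits. It assumes the bytes arrive the way a raw socket delivers them, starting at the Ethernet header.

```go
package main
import (
	"encoding/binary"
	"errors"
)
// Packet is what we pull out of one Ethernet/IPv4/TCP frame.
type Packet struct {
	SrcPort, DstPort uint16
	Flags            byte
	Payload          []byte
}
const flagFIN, flagSYN, flagACK = 0x01, 0x02, 0x10
// Decode peels off Ethernet (14 bytes), IPv4 (IHL*4 bytes) and TCP (data offset*4 bytes); the rest is payload.
func Decode(frame []byte) (p Packet, err error) {
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 { // EtherType IPv4
		return p, errors.New("not an IPv4 frame")
	}
	ip := frame[14:]
	ihl, total := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:4]))
	if ip[0]>>4 != 4 || ip[9] != 6 || ihl < 20 || total > len(ip) || total < ihl+20 { // proto 6 = TCP
		return p, errors.New("not a complete IPv4/TCP packet")
	}
	tcp := ip[ihl:total]
	off := int(tcp[12]>>4) * 4
	if off < 20 || off > len(tcp) {
		return p, errors.New("bad TCP data offset")
	}
	p.SrcPort, p.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	p.Flags, p.Payload = tcp[13], tcp[off:]
	return p, nil
}
// OnPort is the Demo #3 style filter: keep packets where either end uses port.
func OnPort(p Packet, port uint16) bool { return p.SrcPort == port || p.DstPort == port }
// Event applies the deck's flag rules: SYN without ACK opens, FIN with ACK closes.
func Event(p Packet) string {
	switch {
	case p.Flags&flagSYN != 0 && p.Flags&flagACK == 0:
		return "connection opened"
	case p.Flags&flagFIN != 0 && p.Flags&flagACK != 0:
		return "connection closed"
	}
	return "data"
}
// SampleFrame is a constructed frame, not a capture: 10.0.0.1:40000 -> 10.0.0.2:80, SYN, payload "GET".
var SampleFrame = append([]byte{
	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0x08, 0x00, // dst MAC, src MAC, EtherType
	0x45, 0, 0, 43, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, // IPv4, total length 43, proto TCP
	0x9c, 0x40, 0, 80, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, flagSYN, 0, 0, 0, 0, 0, 0, // TCP, data offset 5
}, "GET"...)
```

A truncated frame is rejected rather than mis-decoded, which matters once the bytes come from a live socket instead of a constructed slice.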
Caveats
• We’re not considering connection states.
• SSL/TLS?
• Resource utilization (how fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.

Technique: sampling
If you only want a representative sample, pick 1 in N packets. Ignore the rest.
Upside: monitor lots of network traffic
Downside: not accurate (See me if you want to learn about sFlow)

Sampling demo: “topflows” https://github.com/PreetamJinka/flowtools/tree/master/topflows
Very easy to turn this into a DDoS detector.
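The 1-in-N sampling technique and the topflows idea from the two slides above, as an added Go example that is not the deck’s code or the flowtools repository’s. It assumes a decoder in front of it produces a string flow key such as "10.0.0.1:40000->10.0.0.2:80"; the sampler counts only every Nth packet and scales back up, so the test shows a small flow vanishing entirely, which is the slide’s “not accurate” downside.

```go
package main
import "sort"
// FlowCount is one row of a topflows-style report.
type FlowCount struct {
	Flow     string // e.g. "10.0.0.1:40000->10.0.0.2:80" (assumed key format)
	Estimate int    // sampled count scaled back up by N
}
// Sampler keeps 1 in N packets and ignores the rest, which is the slide's
// trade-off: N times less decoding work, but small flows may never be seen.
type Sampler struct {
	N      int
	seen   int
	counts map[string]int
}
func NewSampler(n int) *Sampler {
	if n < 1 {
		n = 1 // N=1 means no sampling at all
	}
	return &Sampler{N: n, counts: map[string]int{}}
}
// Observe is called once per packet but only counts every Nth one.
// (sFlow picks packets at random instead of strictly every Nth, so
// periodic traffic cannot line up with the sampler's period.)
func (s *Sampler) Observe(flow string) {
	s.seen++
	if s.seen%s.N == 0 {
		s.counts[flow]++
	}
}
// Top returns the k flows with the largest estimated packet counts,
// ties broken by flow name so the output is stable.
func (s *Sampler) Top(k int) []FlowCount {
	out := make([]FlowCount, 0, len(s.counts))
	for f, c := range s.counts {
		out = append(out, FlowCount{Flow: f, Estimate: c * s.N})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Estimate != out[j].Estimate {
			return out[i].Estimate > out[j].Estimate
		}
		return out[i].Flow < out[j].Flow
	})
	if k >= 0 && k < len(out) {
		out = out[:k]
	}
	return out
}
```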
More fun ideas
You can read from raw sockets, but you can also write to raw sockets. Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!
Questions?
Photo credits
https://www.flickr.com/photos/qwrrty/2791283248/
https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/
http://snmp.co.uk/scrutinizer/main.htm
Wikipedia for the diagrams