Packet Sniffing
Preetam Jinka
September 20, 2014
Transcript
Packet Sniffing
Preetam Jinka (@preetamjinka)
beCamp 2014
Intro to

Code examples: https://github.com/PreetamJinka/packet-sniffing

Background
What’s a socket?
What’s a packet?

Background
What’s a socket? They’re basically channels for packets to travel across.
What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
Types of sockets
• Datagram (e.g. UDP)
• Stream (e.g. TCP)
• Raw
  ◦ “It’s RAW!”

The socket() syscall
“socket() creates an endpoint for communication and returns a descriptor.”
    int socket(int domain, int type, int protocol);

TCP and UDP are complicated, right?
• TCP
  ◦ Stateful
  ◦ Connections
  ◦ Ports
• UDP
  ◦ Stateless
  ◦ Ports
Abstractions make sockets simpler.
Your programming environment takes care of setting up sockets. You just have to send data. The packets are constructed for you (by the OS).

TCP sockets in Node.js
    var net = require('net');
    var server = net.createServer(function (socket) {
      socket.write('Echo server\r\n');
      socket.pipe(socket);
    });
    server.listen(1337, '127.0.0.1');

When a socket is bound to an address:port, it only receives data sent to that address:port. The kernel manages that for you.

Let’s rip away the abstractions. Make things RAW!

Let’s make a RAW socket (in Go). Demo #1.

What are we seeing?

Protocol decoding
It’s protocols all the way down! (Interesting computer science problems.)

Applications
Let’s decode Ethernet (and others). Demo #2.

Issue #1
We see everything, but we don’t want to.
Solution? Filter.

Filtering
Let’s filter by a port. Demo #3.

Payloads
We’ve only been looking at headers. Let’s read the rest of the packet.

TCP Payloads
Demo #4.

What else can we do?
Look at TCP flags.
SYN but not ACK => connection opened
FIN and ACK => connection closed
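The header decoding of Demo #2, the port filter of Demo #3, the payload extraction of Demo #4 and the two flag rules above, as one added Go example that is not the deck's own code from the packet-sniffing repository. It decodes a constructed Ethernet/IPv4/TCP frame rather than reading from a raw socket, so it runs without root; BuildFrame, the 10.0.0.1/10.0.0.2 addresses, the MAC bytes and the port numbers are constructed test values. The one thing worth copying from it is the habit of checking every length field (Ethernet, IHL, IP total length, TCP data offset) before slicing, and slicing the TCP segment by the IP total length rather than the frame length.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const etherTypeIPv4, protoTCP = 0x0800, 6
const tcpFIN, tcpSYN, tcpACK = 0x01, 0x02, 0x10 // TCP flag bits

var errShort = fmt.Errorf("truncated frame")

// Packet is the decoded view of one frame: Ethernet -> IPv4 -> TCP -> payload.
type Packet struct {
	EtherType        uint16
	SrcIP, DstIP     net.IP
	Protocol         uint8
	SrcPort, DstPort uint16
	Flags            uint8
	Payload          []byte
}

// Decode peels the headers in order, checking every length field before trusting it.
func Decode(frame []byte) (*Packet, error) {
	if len(frame) < 14 {
		return nil, errShort
	}
	p := &Packet{EtherType: binary.BigEndian.Uint16(frame[12:14])}
	if p.EtherType != etherTypeIPv4 {
		return p, nil // ARP, IPv6, ...: stop after the Ethernet header
	}
	ip := frame[14:]
	if len(ip) < 20 {
		return nil, errShort
	}
	ihl := int(ip[0]&0x0f) * 4                     // header length, options included
	total := int(binary.BigEndian.Uint16(ip[2:4])) // IP total length
	if ihl < 20 || total < ihl || len(ip) < total {
		return nil, errShort
	}
	p.Protocol, p.SrcIP, p.DstIP = ip[9], net.IP(ip[12:16]), net.IP(ip[16:20])
	if p.Protocol != protoTCP {
		return p, nil
	}
	// Slice by the IP total length, not the frame length: short Ethernet frames are padded.
	tcp := ip[ihl:total]
	if len(tcp) < 20 {
		return nil, errShort
	}
	p.SrcPort, p.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	dataOff := int(tcp[12]>>4) * 4
	if dataOff < 20 || len(tcp) < dataOff {
		return nil, errShort
	}
	p.Flags, p.Payload = tcp[13], tcp[dataOff:]
	return p, nil
}

// MatchesPort is the port filter from Demo #3.
func (p *Packet) MatchesPort(port uint16) bool {
	return p.Protocol == protoTCP && (p.SrcPort == port || p.DstPort == port)
}

// ConnectionEvent applies the two flag rules from the slide.
func (p *Packet) ConnectionEvent() string {
	if p.Protocol != protoTCP {
		return ""
	}
	if p.Flags&tcpSYN != 0 && p.Flags&tcpACK == 0 {
		return "opened"
	}
	if p.Flags&tcpFIN != 0 && p.Flags&tcpACK != 0 {
		return "closed"
	}
	return ""
}

// BuildFrame assembles a minimal frame from constructed values (no checksums)
// so the decoder can be exercised without a raw socket.
func BuildFrame(srcPort, dstPort uint16, flags uint8, payload []byte) []byte {
	frame := []byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x08, 0x00}
	ip := make([]byte, 20)
	ip[0], ip[8], ip[9] = 0x45, 64, protoTCP // version 4 / IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(ip[2:4], uint16(40+len(payload)))
	copy(ip[12:20], []byte{10, 0, 0, 1, 10, 0, 0, 2}) // constructed 10.0.0.1 -> 10.0.0.2
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], srcPort)
	binary.BigEndian.PutUint16(tcp[2:4], dstPort)
	tcp[12], tcp[13] = 5<<4, flags // data offset 5 words, flag byte
	frame = append(frame, ip...)
	frame = append(frame, tcp...)
	return append(frame, payload...)
}

func main() {
	p, _ := Decode(BuildFrame(40000, 80, tcpSYN, nil)) // constructed SYN to port 80
	fmt.Printf("%s:%d -> %s:%d match80=%v event=%s\n", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, p.MatchesPort(80), p.ConnectionEvent())
}
```

On a real capture the bytes handed to Decode would come from the raw socket of Demo #1; everything after that point is the same, which is why the parser is kept separate from the capture.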
Caveats
We’re not considering connection states.
SSL/TLS?
Resource utilization (how fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.

Technique: sampling
If you only want a representative sample, pick 1 in N packets. Ignore the rest.
Upside: monitor lots of network traffic
Downside: not accurate
(See me if you want to learn about sFlow)
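The 1-in-N technique from the slide, as an added Go example that is not the deck's topflows tool: a sampler that keeps every Nth packet, accumulates bytes per flow from the kept ones, and scales by N to estimate the true volume. Flow keys and sizes are whatever the caller derives from a decoded header; the strings and sizes in main are constructed. It also shows the "not accurate" downside concretely: counting every Nth packet is periodic, so a flow that is itself periodic can be counted never or always.

```go
package main

import "fmt"

// FlowSampler keeps 1 in every N packets and estimates per-flow bytes from them.
type FlowSampler struct {
	N     uint64
	seen  uint64
	bytes map[string]uint64 // bytes seen in sampled packets only
}

func NewFlowSampler(n uint64) *FlowSampler {
	return &FlowSampler{N: n, bytes: map[string]uint64{}}
}

// Observe is called for every packet; it returns true for the 1 in N that are kept.
// Everything else is ignored, which is where the CPU saving comes from.
func (s *FlowSampler) Observe(flow string, size uint64) bool {
	s.seen++
	if s.seen%s.N != 0 {
		return false
	}
	s.bytes[flow] += size
	return true
}

// Estimate scales the sampled bytes by N to approximate the true volume.
func (s *FlowSampler) Estimate(flow string) uint64 { return s.bytes[flow] * s.N }

// Top returns the flow with the largest estimate (a one-line "top flows").
func (s *FlowSampler) Top() (flow string, est uint64) {
	for k := range s.bytes {
		if e := s.Estimate(k); flow == "" || e > est {
			flow, est = k, e
		}
	}
	return
}

// Replay feeds a constructed trace: 1000 packets of 100 bytes, where every
// 10th packet (at the given phase) belongs to flow "b" and the rest to "a".
// True volumes are a=90000 bytes, b=10000 bytes.
func Replay(n uint64, phase int) *FlowSampler {
	s := NewFlowSampler(n)
	for i := 0; i < 1000; i++ {
		flow := "a"
		if i%10 == phase {
			flow = "b"
		}
		s.Observe(flow, 100)
	}
	return s
}

func main() {
	for _, phase := range []int{0, 9} {
		s := Replay(10, phase)
		top, est := s.Top()
		fmt.Printf("phase %d: a=%d b=%d top=%s (%d)\n", phase, s.Estimate("a"), s.Estimate("b"), top, est)
	}
}
```

With N=10 and the "b" packets at phase 0 the sampler never lands on a "b" packet, so it estimates b=0 and a=100000; at phase 9 it lands only on "b" packets and reports the opposite. Periodic traffic aliasing against a periodic sampler is why sFlow specifies random rather than every-Nth sampling.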
Sampling demo: “topflows”
https://github.com/PreetamJinka/flowtools/tree/master/topflows
Very easy to turn this into a DDoS detector.

More fun ideas
You can read from raw sockets, but you can also write to raw sockets.
Construct your own Ethernet, IP, and TCP/UDP packets!
Write your own protocol on top of IPv4/IPv6!

Questions?

Photo credits
https://www.flickr.com/photos/qwrrty/2791283248/
https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/
http://snmp.co.uk/scrutinizer/main.htm
Wikipedia for the diagrams