Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Packet Sniffing
Search
Preetam Jinka
September 20, 2014
Programming
1
230
Packet Sniffing
Preetam Jinka
September 20, 2014
Tweet
Share
More Decks by Preetam Jinka
See All by Preetam Jinka
Downsampling, Time Series, and PostgreSQL
preetamjinka
1
750
Siesta: RESTful Services Made Simple
preetamjinka
0
110
Time Series Storage @ Data Hackers
preetamjinka
1
180
Time Series Storage
preetamjinka
13
2.7k
Intro to (Relational) Databases 2015
preetamjinka
1
280
Intro to Databases
preetamjinka
0
180
Other Decks in Programming
See All in Programming
これでLambdaが不要に?!Step FunctionsのJSONata対応について
iwatatomoya
2
3.7k
Keeping it Ruby: Why Your Product Needs a Ruby SDK - RubyWorld 2024
envek
0
190
17年周年のWebアプリケーションにTanStack Queryを導入する / Implementing TanStack Query in a 17th Anniversary Web Application
saitolume
0
250
Security_for_introducing_eBPF
kentatada
0
110
短期間での新規プロダクト開発における「コスパの良い」Goのテスト戦略」 / kamakura.go
n3xem
2
170
Recoilを剥がしている話
kirik
5
6.8k
rails statsで大解剖 🔍 “B/43流” のRailsの育て方を歴史とともに振り返ります
shoheimitani
2
940
testcontainers のススメ
sgash708
1
120
StarlingMonkeyを触ってみた話 - 2024冬
syumai
3
270
Асинхронность неизбежна: как мы проектировали сервис уведомлений
lamodatech
0
830
Jakarta EE meets AI
ivargrimstad
0
260
Beyond ORM
77web
7
930
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Cost Of JavaScript in 2023
addyosmani
45
7k
Mobile First: as difficult as doing things right
swwweet
222
9k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
44
9.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
170
How to train your dragon (web standard)
notwaldorf
88
5.7k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
170
Music & Morning Musume
bryan
46
6.2k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Transcript
Packet Sniffing Preetam Jinka (@preetamjinka) beCamp 2014 Intro to
Code examples https://github.com/PreetamJinka/packet-sniffing
Background What’s a socket? What’s a packet?
Background What’s a socket? They’re basically channels for packets to
travel across. What’s a packet? The fundamental unit of data in networking. A chunk of bytes, perhaps.
None
• Datagram (e.g. UDP) • Stream (e.g. TCP) • Raw
◦ “It’s RAW!” Types of sockets
The socket() syscall “ socket() creates an endpoint for communication
and returns a descriptor. int socket(int domain, int type, int protocol); ”
TCP and UDP are complicated, right? • TCP ◦ Stateful
◦ Connections ◦ Ports • UDP ◦ Stateless ◦ Ports
None
Abstractions make sockets simpler. Your programming environment takes care of
setting up sockets. You just have to send data. The packets are constructed for you (by the OS).
TCP sockets in Node.js var net = require('net'); var server
= net.createServer(function (socket) { socket.write('Echo server\r\n'); socket.pipe(socket); }); server.listen(1337, '127.0.0.1');
When a socket is bound to an address:port, it only
receives data sent to that address:port. The kernel manages that for you.
Let’s rip away the abstractions. Make things RAW!
Let’s make a RAW socket (in Go). Demo #1.
What are we seeing?
Protocol decoding It’s protocols all the way down! (Interesting computer
science problems.)
Applications
Applications
Let’s decode ethernet (and others) Demo #2.
Issue #1 We see everything, but we don’t want to.
Solution? Filter.
Filtering
Let’s filter by a port. Demo #3.
Payloads We’ve only been looking at headers. Let’s read the
rest of the packet.
TCP Payloads Demo #4.
What else can we do? Look at TCP flags. SYN
but not ACK => connection opened FIN and ACK => connection closed
Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how
fast can we sniff?)
Caveats We’re not considering connection states. SSL/TLS? Resource utilization (how
fast can we sniff?) If you’re not reading from the socket fast enough, the kernel buffer fills up and it will drop packets.
Technique: sampling If you only want a representative sample, pick
1 in N packets. Ignore the rest. Upside: monitor lots of network traffic Downside: not accurate (See me if you want to learn about sFlow)
Sampling demo “topflows” https://github.com/PreetamJinka/flowtools/tree/master/topflows Very easy to turn this into
a DDoS detector.
More fun ideas You can read from raw sockets, but
you can also write to raw sockets. Construct your own Ethernet, IP, and TCP/UDP packets! Write your own protocol on top of IPv4/IPv6!
Questions?
https://www.flickr.com/photos/qwrrty/2791283248/ https://vividcortex.com/blog/2014/07/25/prepared-statement-samples/ http://snmp.co.uk/scrutinizer/main.htm Wikipedia for the diagrams Photo credits