* libipq/payload doubt
From: Ulysses Almeida @ 2004-05-19 6:20 UTC (permalink / raw)
To: Netfilter Devel
First, thanks to all for the last answers. I think I am starting to
understand how I can handle libipq.
But I still have some doubts:
From what I could see in ip_queue.c, ipq_packet_msg->payload comes
from skb->data. Where can I find (which files) where skb->data is
filled? 'Cause till now, I don't know what info I can get from
ipq_packet_msg->payload.
I already created my first daemon with libipq. I mixed the libipq man
example, intercept.c (from netfilter cvs), and got some ideas from
tcp_ipv4.c (kernel). This daemon just looks for TCP packages and prints
some info on stdout. It's printing IP src and dst address, and now
I'm trying to print src and dst TCP port address, but, I don't know
why, when I print that info, I can't get the expected ports. Port 80 is
shown as 20480.
Do I have to convert something before printing in human readable
format?
The source is on http://www.glug.ucdb.br/~ulysses/first.c
Thanks in advance (again).
[]s
--
.~. Ulysses Almeida
/ V \ munky@maluco.com.br
/ ( ) \ Seja livre, use GNU/Linux!
^^-^^
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Mike-Ro-Chanel @ 2004-05-19 6:47 UTC (permalink / raw)
To: Ulysses Almeida; +Cc: Netfilter Devel
Ulysses Almeida wrote:
> I already created my first daemon with libipq. I mixed the libipq man
> example, intercept.c (from netfilter cvs), and got some ideas from
> tcp_ipv4.c (kernel). This daemon just looks for TCP packages and prints
> some info on stdout. It's printing IP src and dst address, and now
> I'm trying to print src and dst TCP port address, but, I don't know
> why, when I print that info, I can't get the expected ports. Port 80 is
> shown as 20480.
>
> Do I have to convert something before printing in human readable
> format?
>
Try to use ---> ntohs(port);
Bye.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Chandrakanth Chereddi @ 2004-05-19 6:53 UTC (permalink / raw)
To: Ulysses Almeida; +Cc: Netfilter Devel
On 19/05/04 02:20 -0400, Ulysses Almeida wrote:
> From what I could see in ip_queue.c, ipq_packet_msg->payload comes
> from skb->data. Where can I find (which files) where skb->data is
> filled? 'Cause till now, I don't know what info I can get from
> ipq_packet_msg->payload.
Please have a look at the linux/net/ipv4/netfilter/ip_queue.c source
file. It contains the routines for building the structure from the skb
to be sent to userspace via NETLINK sockets.
> why, when I print that info, I can't get the expected ports. Port 80 is
> shown as 20480.
>
> Do I have to convert something before printing in human readable
> format?
You need to convert from network byte order to host byte order (guessing
that you are using an x86 processor); please use the ntohs() call.
--
CCK./ kanth@hserus.net
"Passion and gradualness" -- Pavlov.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Richard Bishop @ 2004-05-19 10:02 UTC (permalink / raw)
To: Ulysses Almeida; +Cc: Netfilter Devel
Hi,
Quoting Ulysses Almeida <munky@maluco.com.br>:
> This daemon just looks for TCP packages and prints
> some info on stdout. It's printing IP src and dst address, and now
> I'm trying to print src and dst TCP port address, but, I don't know
> why, when I print that info, I can't get the expected ports. Port 80 is
> shown as 20480.
>
> Do I have to convert something before printing in human readable format?
As one of the other guys said, the port discrepancy is an 'endian' problem.
Try this code (attached) - I had exactly the same problem when I first started
playing around with ipq. Bear in mind that I've skipped out all of the code for
setting up the ipq handle etc, though if you've had it receiving packets then
you'll have this already.
Good luck!
Richard
--
Richard Bishop
Third Year Undergraduate
Department of Computer Science
University of Exeter. UK
[-- Attachment #2: ipq_test --]
[-- Type: application/octet-stream, Size: 1462 bytes --]
#include <linux/netfilter.h>
#include <linux/netlink.h>   /* NLMSG_ERROR */
#include <libipq/libipq.h>
#include <stdio.h>
#include <linux/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>       /* inet_ntoa(), ntohs() */
#include <linux/tcp.h>

/* Buffer size is an assumed value; the attachment did not define BUFSIZE */
#define BUFSIZE 2048

int main(int argc, char **argv) {
    struct ipq_handle *h;
    unsigned char buffer[BUFSIZE];
    struct iphdr *iph;
    struct tcphdr *tcp;
    struct in_addr addr;
    int status;

    /* .... Code for setting up ip_queue connection etc here ... */

    do {
        status = ipq_read(h, buffer, BUFSIZE, 0);
        if (status < 0) {
            printf("Something went wrong reading data\n");
            continue;
        }
        switch (ipq_message_type(buffer)) {
        /* If this is an error message */
        case NLMSG_ERROR: {
            printf("Ipq said something bad. Error number %d\n", ipq_get_msgerr(buffer));
            break; /* do not fall through and parse the error message as a packet */
        }
        /* Otherwise this will be a data packet */
        case IPQM_PACKET: {
            printf("Got a packet!\n");
            ipq_packet_msg_t *mess = ipq_get_packet(buffer);
            /* Obtain both a ip and tcp header for this packet by casting it into the relevant structures */
            iph = (struct iphdr *)mess->payload;
            tcp = (struct tcphdr *)((unsigned char *)iph + iph->ihl * 4);
            /* Get the source and destination ports for this connection from the tcp header */
            __u16 sport = ntohs(tcp->source);
            __u16 dport = ntohs(tcp->dest);
            /* inet_ntoa() takes a struct in_addr, not a raw 32-bit address */
            addr.s_addr = iph->saddr;
            printf("Source Addr: %s\n", inet_ntoa(addr));
            addr.s_addr = iph->daddr;
            printf("Dest Addr: %s\n", inet_ntoa(addr));
            printf("Source Port: %d\n", sport);
            printf("Destin Port: %d\n\n", dport);
            break;
        }
        }
    } while (1);
}
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Ulysses Almeida @ 2004-05-20 0:03 UTC (permalink / raw)
To: Netfilter Devel
Thanks, all, I just tried with htons(), and everything works fine.
Now I have another doubt. I already read ip_queue.c, and already understood
that payload is skb->data.
---
memcpy(pmsg->payload, entry->skb->data, data_len);
---
But skb->data isn't clear enough in my head. If I queue every package,
can I know which type it is (TCP/UDP/ICMP), just by looking at the payload?
Can packet data be analyzed in userspace, or maybe changed?
How can I get a payload X-ray?
When I tried something like printf ("%d\n", tcph->syn); I started to
receive "passer: Received message truncated: No such file or directory"
from my program. What does it mean?
The last question I can probably find easily on Google, but the
other ones I can't find that easily.
I think that's it for today! (One day I'll be able to answer
beginners' questions, yes I will, I believe in that! ;))
On Wed, May 19, 2004 at 11:02:52AM +0100, Richard Bishop wrote:
>
> As one of the other guys said, the port discrepancy is an 'endian' problem.
>
> Try this code (attached) - I had exactly the same problem when I first started
> playing around with ipq. Bear in mind that I've skipped out all of the code for
> setting up the ipq handle etc, though if you've had it receiving packets then
> you'll have this already.
>
> Good luck!
>
>
> Richard
>
--
.~. Ulysses Almeida
/ V \ munky@maluco.com.br
/ ( ) \ Seja livre, use GNU/Linux!
^^-^^
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Ulysses Almeida @ 2004-05-20 2:11 UTC (permalink / raw)
To: Netfilter Devel
Really sorry for this stupid question.. I just found iphdr->protocol
that answers my first question. I don't have a clear idea about
payload yet, but I'm walking in this direction.
Best regards
On Wed, May 19, 2004 at 08:03:06PM -0400, Ulysses Almeida wrote:
> Thanks, all, I just tried with htons(), and everything works fine.
>
> Now I have another doubt. I already read ip_queue.c, and already understood
> that payload is skb->data.
>
> memcpy(pmsg->payload, entry->skb->data, data_len);
>
> But skb->data isn't clear enough in my head. If I queue every package,
> can I know which type it is (TCP/UDP/ICMP), just by looking at the payload?
> Can packet data be analyzed in userspace, or maybe changed?
>
> How can I get a payload X-ray?
>
> When I tried something like printf ("%d\n", tcph->syn); I started to
> receive "passer: Received message truncated: No such file or directory"
> from my program. What does it mean?
>
> The last question I can probably find easily on Google, but the
> other ones I can't find that easily.
>
> I think that's it for today! (One day I'll be able to answer
> beginners' questions, yes I will, I believe in that! ;))
>
--
.~. Ulysses Almeida
/ V \ munky@maluco.com.br
/ ( ) \ Seja livre, use GNU/Linux!
^^-^^
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Richard Bishop @ 2004-05-20 2:11 UTC (permalink / raw)
To: Ulysses Almeida; +Cc: Netfilter Devel
--
Richard Bishop
Third Year Undergraduate
Department of Computer Science
University of Exeter. UK
Quoting Ulysses Almeida <munky@maluco.com.br>:
> But skb->data isn't clear enough in my head. If I queue every package,
> can I know which type it is (TCP/UDP/ICMP), just by looking at the payload?
> Can packet data be analyzed in userspace, or maybe changed?
Yep, this is easy stuff :-)
/* If this is an ICMP packet */
if (mess->payload[9] == 1) {
    printf("Got an ICMP Packet\n");
}
/* If this is a TCP connection: */
if (mess->payload[9] == 6) {
    printf("TCP Packet\n");
}
/* If this is a UDP connection */
if (mess->payload[9] == 17) {
    printf("UDP Connection\n");
}
> How can i get a payload X-ray?
By 'x-ray' I assume you mean dump the contents of the packet to stdout.
Behold!:
int x;
for (x = 0; x < mess->data_len; x++) {
    if ((mess->payload[x] & 0xff) >= 0x20 && (mess->payload[x] & 0xff) <= 0x7e) {
        printf("%c", mess->payload[x] & 0xff);
    }
    else {
        printf(".");
    }
}
printf("\n\n");
This will deal with unprintable characters that will otherwise make your life
hell ;-)
> When I tried something like printf ("%d\n", tcph->syn); I started to
> receive "passer: Received message truncated: No such file or directory"
> from my program. What does it mean?
Erm, sorry, no idea - anybody?
> I think that's it for today! (One day I'll be able to answer
> beginners' questions, yes I will, I believe in that! ;))
Yep, I'm sure you will be able to. I discovered ipq in about mid April, have
written my undergraduate thesis project using it - and am now answering
questions on how to use it too!
Hope this works for you.
Rich
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Scott MacKay @ 2004-05-20 13:33 UTC (permalink / raw)
To: Ulysses Almeida, Netfilter Devel
Not sure if this answers you entirely, but I will give
it a shot....
The payload is the actual ether packet. The protocol
tells you the type (IP) but not the IP protocol (UDP,
TCP, etc). The payload will consist of the protocol
(like ip) followed by the ip protocol header (for IP)
like udp/tcp, and then the data.
The very start of the payload is the contents of the
ether packet 'payload', so the start of the IP header
on a packet. You can either cast it to a header
definition (like struct iphdr) or use the bytes.
payload[9] is the protocol ID (UDP, TCP, etc).
The offset to the protocol header, based on the IP
protocol is the low 4 bits of the 1st payload byte (ip
header length). This is in full 4 byte words, so it
would be:
(payload[0] & 0x0f) * 4. Normally this will equate to 20
bytes (min IP length) unless there are IP options.
This will be the start of the udp/tcp/etc header
(almost to the real payload!).
UDP is always 8 bytes, tcp uses a similar formula as
ip since it supports options. Minimally it is 20
bytes.
Examples to calculate offset to the actual payload:
int ip_payload_offset(unsigned char *ip_packet)
{
    unsigned int offset=0;
    struct tcphdr *tcpHeader;
    struct udphdr *udpHeader;

    // Determine offset into packet contents.
    if (ip_packet[9]==6) {
        tcpHeader=(tcphdr *)(ip_packet+sizeof(ip));
        offset=sizeof(ip) + tcpHeader->doff*4;
    } else if (ip_packet[9]==17) {
        offset=sizeof(ip)+8;
    } else {
        return -1;
    }
    return offset;
}
Keep in mind this expects you already checked protocol
for it being IP and it does not ensure the size of
ip_packet (for the [9] index or for ensuring offset is
within the data_len range).
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Henrik Nordstrom @ 2004-05-20 14:58 UTC (permalink / raw)
To: Ulysses Almeida; +Cc: Netfilter Devel
On Wed, 19 May 2004, Ulysses Almeida wrote:
> Really sorry for this stupid question.. I just found iphdr->protocol
> that answers my first question. I don't have a clear idea about
> payload yet, but I'm walking in this direction.
What you get is an IP packet. The rules on how to parse an IP packet are
pretty well defined in the IP standards:
IP: Internet STD 5 / RFC 791
UDP: Internet STD 6 / RFC 768
TCP: Internet STD 7 / RFC 793
ICMP: Internet STD 5 / RFC 792
To find the TCP header you have to first find the IP header length. This
is iphdr->ihl.
From there you can then find the TCP payload by calculating the TCP header
length. This is tcphdr->doff.
Both ihl and doff indicate the size counted in 32-bit values (1 = 4
bytes, 2 = 8 bytes etc...).
The Linux headers have already gone through the pain of defining correct bit
fields for the protocol fields in the packet data so I suggest you use
these. All you need to remember is to translate fields > 8 bits to/from
network byte order using ntohs/htons (16 bits) or ntohl/htonl (32 bits)
and pretty much everything should fall into place.
Example:
struct iphdr *iph = data;
if (iph->protocol == IPPROTO_TCP) {
    struct tcphdr *tcph = (struct tcphdr *)((int32_t *)iph + iph->ihl);
    char *tcp_payload = (char *)((int32_t *)tcph + tcph->doff);
    ....
}
Regards
Henrik
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Henrik Nordstrom @ 2004-05-20 15:02 UTC (permalink / raw)
To: Scott MacKay; +Cc: Ulysses Almeida, Netfilter Devel
On Thu, 20 May 2004, Scott MacKay wrote:
> // Determine offset into packet contents.
> if (ip_packet[9]==6) {
> tcpHeader=(tcphdr *)(ip_packet+sizeof(ip));
Don't do this. There may be IP options extending the size of the IP
header. Use iphdr->ihl to find the IP header size in the same manner as
tcphdr->doff is used to find the size of the TCP header..
Regards
Henrik
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: libipq/payload doubt
From: Scott MacKay @ 2004-05-20 16:24 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: Ulysses Almeida, Netfilter Devel
Ah yes, mentioned in my sentences, not in code :P
Instead of sizeof(ip) you will want the offset...
Note that the ip protocol does not need htons().
Also, ipHeader->tot_len represents the entire ip
datagram, in case you want to do any validation on the
settings for the header size indicators.
int utilities::ip_payload_offset(unsigned char *ip_packet)
{
    unsigned int offset=0;
    struct tcphdr *tcpHeader;
    struct iphdr *ipHeader;

    ipHeader=(struct iphdr *)ip_packet;
    // Determine offset into packet contents.
    if (ipHeader->protocol==IPPROTO_TCP) {
        // TCP header starts after the IP header, including any IP options.
        tcpHeader=(tcphdr *)(ip_packet+ipHeader->ihl*4);
        offset=ipHeader->ihl*4 + tcpHeader->doff*4;
    } else if (ipHeader->protocol==IPPROTO_UDP) {
        // UDP header is a fixed 8 bytes.
        offset=ipHeader->ihl*4+8;
    } else {
        return -1;
    }
    return offset;
}
^ permalink raw reply [flat|nested] 11+ messages in thread
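The points raised across this thread (ports are in network byte order, the IP header length comes from iphdr->ihl rather than sizeof(ip), the TCP header length comes from tcphdr->doff, and every offset has to stay within data_len) are combined below into one bounds-checked parser. This is an added example, not code from any poster: the names l4_info, parse_ipv4 and rd16 and the SAMPLE packet are constructed for illustration, and it reads the header fields byte by byte instead of casting to the Linux header structs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Where the application data sits inside one queued IPv4 packet. */
struct l4_info {
    uint8_t  protocol;          /* payload[9]: 6 = TCP, 17 = UDP */
    uint16_t sport, dport;      /* converted to host byte order */
    size_t   data_off;          /* offset of application data in the payload */
    size_t   data_len;          /* number of application data bytes */
};

/* Read a 16-bit network-order field byte by byte (bytes 00 50 -> 80, not 20480). */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and fills *out, or -1 for truncated, malformed or unsupported input. */
int parse_ipv4(const unsigned char *pkt, size_t len, struct l4_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;      /* shortest IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* iphdr->ihl in bytes */
    size_t tot = rd16(pkt + 2);                         /* iphdr->tot_len */
    if (ihl < 20 || tot < ihl || tot > len) return -1;  /* must fit in data_len */
    if (rd16(pkt + 6) & 0x1fff) return -1;              /* later fragment: no L4 header */

    const unsigned char *l4 = pkt + ihl;
    size_t l4len = tot - ihl, hdr;
    if (pkt[9] == 6) {                                  /* TCP */
        if (l4len < 20) return -1;
        hdr = (size_t)(l4[12] >> 4) * 4;                /* tcphdr->doff in bytes */
        if (hdr < 20 || hdr > l4len) return -1;
    } else if (pkt[9] == 17) {                          /* UDP: fixed 8 bytes */
        hdr = 8;
        if (l4len < hdr) return -1;
    } else {
        return -1;
    }
    out->protocol = pkt[9];
    out->sport = rd16(l4);
    out->dport = rd16(l4 + 2);
    out->data_off = ihl + hdr;
    out->data_len = l4len - hdr;
    return 0;
}

/* Constructed sample: IPv4 with 4 option bytes (ihl = 6), TCP 49152 -> 80, data "GET ". */
static const unsigned char SAMPLE[48] = {
    0x46,0x00,0x00,0x30, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02, 0x01,0x01,0x01,0x00,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00, 'G','E','T',' ' };

int main(void)
{
    struct l4_info r;
    if (parse_ipv4(SAMPLE, sizeof SAMPLE, &r) != 0) return 1;
    printf("proto %u, %u -> %u, data at %zu (%zu bytes)\n", (unsigned)r.protocol,
           (unsigned)r.sport, (unsigned)r.dport, r.data_off, r.data_len);
    return 0;
}
```

In a libipq daemon the arguments would be mess->payload and mess->data_len; a packet cut short, or one whose ihl or doff points past the received bytes, yields -1 instead of a read beyond the buffer.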