From: Nicola Padovano <nicola.padovano@gmail.com>
To: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: fragmented packet
Date: Sat, 4 Sep 2010 19:09:05 +0200
Message-ID: <AANLkTikniSd5X_ryuhWbAyDLPa7oDSDULe1iYfG02vuP@mail.gmail.com>

Hi all! I'm writing a simple netfilter module which recognizes a fragmented packet.
First of all, I've used hping to send fragmented packets to my host (local
host); in particular I create only one packet (40 bytes by default,
20 bytes of header and 20 bytes of payload) specifying an MTU of 4
bytes, so in this way I have to receive 5 packets (20 bytes / 4 bytes of MTU).
So, this is the piece of code:
[CODE]
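#include <linux/ip.h>
#include <linux/skbuff.h>
#include <net/ip.h>	/* IP_MF, IP_OFFSET */

/* Parenthesized so the macros expand safely inside larger expressions */
#define FRAG_OFF(x) (ntohs((x)->frag_off) & IP_OFFSET)
#define MORE_FRAG(x) (ntohs((x)->frag_off) & IP_MF)
...
printk(KERN_INFO "sk_buff len: %u\n", skb->len);	/* sk_buff has no "size" member */
...
struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb);
...
/* Fragment if the offset is non-zero or the "more fragments" flag is set */
if (FRAG_OFF(ip_header) || MORE_FRAG(ip_header)) {
	printk(KERN_INFO "!!!fragmented!!!\n");
	printk(KERN_INFO "frag off: %d\n", FRAG_OFF(ip_header));
	printk(KERN_INFO "\n\n");
}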
[/CODE]
Then iptables (where TAR is my new target):
[IPTABLES]
iptables -t mangle -A PREROUTING -p tcp -s localhost -j TAR
[/IPTABLES]
(Note: I use the mangle table to have the PREROUTING hook available, where the
packets are not yet defragmented.)
So hpinging in this way (-c = number of packets, -m = MTU in bytes):
[HPING]
hping -m 4 -c 1 localhost
[/HPING]
Now let's take a look at the output:
[OUTPUT]
sk_buff len: 24
!!!fragmented!!!
frag off: 0
sk_buff len: 24
!!!fragmented!!!
frag off: 0
sk_buff len: 24
!!!fragmented!!!
frag off: 1
sk_buff len: 24
!!!fragmented!!!
frag off: 1
sk_buff len: 24
!!!fragmented!!!
frag off: 2
[/OUTPUT]
As you can see, there are two pairs of fragments with the same frag off:
the first and the second with 0 frag_off, then the third and the
fourth with 1 frag_off.
How is it possible?
Thank you guys!
--
Nicola Padovano
e-mail: nicola.padovano@gmail.com
web: http://npadovano.altervista.org
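
Added example (not code from the original message or from netfilter): a userspace decoder for the same frag_off field the module tests, whose 13-bit offset counts 8-byte units. The seen() sender, which cuts data at a byte offset and stores byte_off / 8, is a constructed assumption and not something the post states about hping.

```c
#include <stdint.h>
#include <stdio.h>

#define IP_MF     0x2000u /* "more fragments" flag */
#define IP_OFFSET 0x1FFFu /* 13-bit fragment offset, counted in 8-byte units */

enum frag_kind { NOT_FRAG, FIRST_FRAG, MIDDLE_FRAG, LAST_FRAG, BAD_HDR };

struct frag_info {
    enum frag_kind kind;
    unsigned field;       /* offset field as carried in the header */
    unsigned byte_offset; /* field * 8: where reassembly places the data */
};

/* Decode bytes 6-7 of an IPv4 header (network byte order). */
struct frag_info decode_frag(const uint8_t *hdr, size_t len)
{
    struct frag_info fi = { BAD_HDR, 0, 0 };

    if (len < 20 || (hdr[0] >> 4) != 4)
        return fi; /* too short or not IPv4 */
    unsigned w = ((unsigned)hdr[6] << 8) | hdr[7];
    int mf = (w & IP_MF) != 0;
    fi.field = w & IP_OFFSET;
    fi.byte_offset = fi.field * 8;
    if (fi.field == 0)
        fi.kind = mf ? FIRST_FRAG : NOT_FRAG;
    else
        fi.kind = mf ? MIDDLE_FRAG : LAST_FRAG;
    return fi;
}

/* Constructed sender (assumption): data cut at byte_off, offset field set to
 * byte_off / 8 with the remainder dropped; then decoded as a receiver would. */
struct frag_info seen(unsigned byte_off, int more)
{
    uint8_t hdr[20] = { 0x45 }; /* version 4, IHL 5, rest zero */
    unsigned w = ((byte_off / 8) & IP_OFFSET) | (more ? IP_MF : 0);
    hdr[6] = (uint8_t)(w >> 8);
    hdr[7] = (uint8_t)(w & 0xFF);
    return decode_frag(hdr, sizeof hdr);
}

int main(void)
{
    for (unsigned off = 0; off < 20; off += 4) /* 20 payload bytes, 4 per fragment */
        printf("byte %2u -> field %u\n", off, seen(off, off < 16).field);
    return 0;
}
```

Under that assumption, data cut at byte offsets 0, 4, 8, 12 and 16 decodes to offset fields 0, 0, 1, 1 and 2, and a receiver classifying on the field alone sees two "first" fragments.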