Capturando pacotes de rede no kernelspace
18
How grab network packets in kernelspace Beraldo Leal Instituto de Matemática e Estatística - IME/USP <[email protected]>
-
Upload
campus-party-brasil -
Category
Technology
-
view
2.794 -
download
1
description
O objetivo desta palestra é mostrar aos programadores iniciantes no mundo do kernel do GNU/Linux, como construir um pequeno módulo no kernelspace que seja capaz de capturar e manipular os pacotes de redes que passam pela máquina. Será feito um overview sobre como funciona o framework netfilter e seus hooks dentro do kernel do GNU/Linux. Questões de peformance também serão discutidas em relaćão a outras solućões em userspace. Discutiremos também como se comporta uma regra do iptables dentro do kernel do GNU/Linux. Pré-requisitos: Programaćão em C, conhecimento básico da pilha TCP/IP.
Transcript of Capturando pacotes de rede no kernelspace
How grab network packets in kernelspace
Beraldo LealInstituto de Matemática e
Estatística IME/USP<[email protected]>
How grab network packets in kernelspace
● apps:●tcpdump;●wireshark;●etc...
● Libpcap;● Netlink;
How grab network packets in kernelspace
Why in kernelspace ?
Inkernel implementation of applications does provide several advantages:
1. Context switch;
How grab network packets in kernelspace
Why in kernelspace ?
Inkernel implementation of applications does provide several advantages:
2. Data corresponding to any application that sends or receives packets is copied from user mode to kernel mode and vice versa (copy_to_user(), copy_from_user());
How grab network packets in kernelspace
Why in kernelspace ?
Inkernel implementation of applications does provide several advantages:
3. It's fun! :D
How grab network packets in kernelspace
Iptables:
“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.”
How grab network packets in kernelspace
iptables t filter A FORWARD s 192.168.1.0/24 p tcp \j ACCEPT
iptables t nat A PREROUTING p tcp dport 80 i eth0 \j DNAT to 5.6.7.8:8080
How grab network packets in kernelspace
Netfilter:
“Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.”
How grab network packets in kernelspace
Returns:
* NF_DROP; * NF_ACCEPT; * NF_STOLEN; * NF_QUEUE; * NF_REPEAT
How grab network packets in kernelspace
Netfilter:
“Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.”
#include <linux/module.h>#include <linux/netfilter.h>#include <linux/netfilter_ipv4.h>#include <linux/ip.h>
#define NF_IP_PRE_ROUTING 0
static struct nf_hook_ops nfho;
unsigned int hook_func(unsigned int hooknum, struct sk_buff *skb, const struct net_device *indev, const struct net_device *outdev, int (*okfn)(struct sk_buff *)){ printk("I grab one packet!!\n"); return NF_ACCEPT;}
How grab network packets in kernelspace
static int __init nfhook_init(void){ nfho.hook = hook_func; nfho.hooknum = NF_IP_PRE_ROUTING; nfho.pf = PF_INET; nfho.priority = NF_IP_PRI_FIRST;
nf_register_hook(&nfho);
return 0;}
static void __exit nfhook_exit(void){ nf_unregister_hook(&nfho);}
module_init(nfhook_init);module_exit(nfhook_exit);
MODULE_LICENSE("GPL");
How grab network packets in kernelspace
Questions?
How grab network packets in kernelspace
