Solved

how to analyze a tcpdump

Posted on 2012-03-23
4
592 Views
Last Modified: 2012-03-23
Hi

I'm in need of some advice.  I have a tcp dump in which I need to write my own custom sniffer to detect any corrupt tcp packets.  The tcpdump contains packets that I have modified to hide hidden data.  This has been done by using a kernel module and protocol type handler (to clone the packet) to insert ("hidden") data into the checksum field.

Can anyone give me some advice in how I can design a program to detect this?  Could I use libpcap?  (im using linux ubuntu)


Thanks
0
Comment
Question by:codey-06
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 37757642
libpcap would indeed be my first choice for any type of sniffer. It's flexible enough to do pretty much anything you want (related to sniffing). And if it's not, the source is available to be modified ;)

What you describe is pretty straightforward : read packets from the dump file using libpcap (or sniff them directly from the network), and then have your own code that interprets the contents of the packets however you need.
0
 

Author Comment

by:codey-06
ID: 37757661
Thanks for the swift reply.  Yes thats what I've got planned out in my head.. but completely new to this.  Could you show me some example code?..
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 500 total points
ID: 37757827
This is a very decent introduction to libpcap programming :

    http://www.tcpdump.org/pcap.html

But a quick and dirty example would look like :

void process_packet(u_char* context, const struct pcap_pkthdr* header, const u_char* packet) {
    /* do whatever you want here with the packet - this function will be called for every captured packet */
}

char errbuf[PCAP_ERRBUF_SIZE] = "";
struct bpf_program filter;
pcap_t* capture_handle = 0;

capture_handle = pcap_open_offline("dump.pcap", errbuf);
pcap_compile(capture_handle, &filter, "tcp port 1234", 1, PCAP_NETMASK_UNKNOWN);
pcap_setfilter(capture_handle, &filter);
pcap_loop(capture_handle, -1, &process_packet, 0);

Open in new window


You still need to add error handling, etc. of course. I left that out for compactness reasons.
0
 

Author Closing Comment

by:codey-06
ID: 37759177
Thank you, that has been a great help.
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
In this post we will learn how to make Android Gesture Tutorial and give different functionality whenever a user Touch or Scroll android screen.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question