Solved

how to analyze a tcpdump

Posted on 2012-03-23
4
590 Views
Last Modified: 2012-03-23
Hi

I'm in need of some advice.  I have a tcp dump in which I need to write my own custom sniffer to detect any corrupt tcp packets.  The tcpdump contains packets that I have modified to hide hidden data.  This has been done by using a kernel module and protocol type handler (to clone the packet) to insert ("hidden") data into the checksum field.

Can anyone give me some advice in how I can design a program to detect this?  Could I use libpcap?  (im using linux ubuntu)


Thanks
0
Comment
Question by:codey-06
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 37757642
libpcap would indeed be my first choice for any type of sniffer. It's flexible enough to do pretty much anything you want (related to sniffing). And if it's not, the source is available to be modified ;)

What you describe is pretty straightforward : read packets from the dump file using libpcap (or sniff them directly from the network), and then have your own code that interprets the contents of the packets however you need.
0
 

Author Comment

by:codey-06
ID: 37757661
Thanks for the swift reply.  Yes thats what I've got planned out in my head.. but completely new to this.  Could you show me some example code?..
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 500 total points
ID: 37757827
This is a very decent introduction to libpcap programming :

    http://www.tcpdump.org/pcap.html

But a quick and dirty example would look like :

void process_packet(u_char* context, const struct pcap_pkthdr* header, const u_char* packet) {
    /* do whatever you want here with the packet - this function will be called for every captured packet */
}

char errbuf[PCAP_ERRBUF_SIZE] = "";
struct bpf_program filter;
pcap_t* capture_handle = 0;

capture_handle = pcap_open_offline("dump.pcap", errbuf);
pcap_compile(capture_handle, &filter, "tcp port 1234", 1, PCAP_NETMASK_UNKNOWN);
pcap_setfilter(capture_handle, &filter);
pcap_loop(capture_handle, -1, &process_packet, 0);

Open in new window


You still need to add error handling, etc. of course. I left that out for compactness reasons.
0
 

Author Closing Comment

by:codey-06
ID: 37759177
Thank you, that has been a great help.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A short article about problems I had with the new location API and permissions in Marshmallow
This is about my first experience with programming Arduino.
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question