Solved

how to analyze a tcpdump

Posted on 2012-03-23
Last Modified: 2012-03-23
Hi

I'm in need of some advice. I have a tcp dump in which I need to write my own custom sniffer to detect any corrupt tcp packets. The tcpdump contains packets that I have modified to hide hidden data. This has been done by using a kernel module and protocol type handler (to clone the packet) to insert ("hidden") data into the checksum field.

Can anyone give me some advice on how I can design a program to detect this? Could I use libpcap? (I'm using Linux Ubuntu.)


Thanks
Question by:codey-06
4 Comments
LVL 53

Expert Comment

by:Infinity08
ID: 37757642
libpcap would indeed be my first choice for any type of sniffer. It's flexible enough to do pretty much anything you want (related to sniffing). And if it's not, the source is available to be modified ;)

What you describe is pretty straightforward: read packets from the dump file using libpcap (or sniff them directly from the network), and then have your own code that interprets the contents of the packets however you need.

Author Comment

by:codey-06
ID: 37757661
Thanks for the swift reply. Yes, that's what I've got planned out in my head, but I'm completely new to this. Could you show me some example code?
LVL 53

Accepted Solution

by:Infinity08 (earned 500 total points)
ID: 37757827
This is a very decent introduction to libpcap programming:

    http://www.tcpdump.org/pcap.html

But a quick and dirty example would look like:

#include <pcap.h>

/* Called by pcap_loop() once per captured packet: header carries the timestamp and
   the captured/original lengths, packet points at the raw link-layer frame. */
void process_packet(u_char* context, const struct pcap_pkthdr* header, const u_char* packet) {
    /* do whatever you want here with the packet - this function will be called for every captured packet */
}

int main(void) {
    char errbuf[PCAP_ERRBUF_SIZE] = "";
    struct bpf_program filter;
    pcap_t* capture_handle = 0;

    capture_handle = pcap_open_offline("dump.pcap", errbuf);                           /* read the saved dump */
    pcap_compile(capture_handle, &filter, "tcp port 1234", 1, PCAP_NETMASK_UNKNOWN);   /* BPF filter expression */
    pcap_setfilter(capture_handle, &filter);
    pcap_loop(capture_handle, -1, process_packet, 0);                                  /* -1: run until end of file */
    pcap_freecode(&filter);
    pcap_close(capture_handle);
    return 0;
}



You still need to add error handling, etc. of course. I left that out for compactness reasons.
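To turn the callback skeleton above into the detector the question asks for, the per-packet work is to recompute the TCP checksum over the pseudo-header and segment and compare it with the stored field; a mismatch flags a corrupt or tampered packet. The following is an added example, not the answerer's code; it assumes untagged Ethernet/IPv4 frames, has no libpcap dependency so it can be compiled on its own, and uses a constructed 54-byte SYN as sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum of a byte run added to acc: the IPv4/TCP checksum primitive. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;            /* odd trailing byte is zero-padded */
    return acc;
}

/* Recompute the TCP checksum of an untagged Ethernet/IPv4/TCP frame. Returns 1 if it matches
 * the stored one, 0 if not (corrupt or tampered field), -1 if the frame is not IPv4/TCP or
 * is truncated. This is what a process_packet() callback would call for each packet. */
int tcp_checksum_ok(const uint8_t *frame, size_t len) {
    if (len < 34 || frame[12] != 0x08 || frame[13] != 0x00) return -1;   /* EtherType IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, ip_total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || ip[9] != 6 || ip_total < ihl + 20 || ip_total + 14 > len) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = ip_total - ihl;
    uint16_t stored = ((uint16_t)tcp[16] << 8) | tcp[17];
    /* pseudo-header: source/destination address, protocol 6, TCP length */
    uint32_t acc = ones_sum(ip + 12, 8, 0) + 6 + (uint32_t)tcp_len;
    acc = ones_sum(tcp, 16, acc);                    /* header up to the checksum field */
    acc = ones_sum(tcp + 18, tcp_len - 18, acc);     /* rest of the segment, checksum skipped */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc == stored;
}

/* Constructed sample: 54-byte SYN from 10.0.0.1:1234 to 10.0.0.2:80 with a valid checksum. */
static const uint8_t SAMPLE_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x66,0xcd,            /* IPv4 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP */
    0x50,0x02,0x20,0x00, 0x76,0xbd,0x00,0x00
};

/* Check the sample; with tamper != 0 the checksum field is first overwritten with two
 * bytes of "hidden" data, the modification the question describes. */
int check_sample_frame(int tamper) {
    uint8_t frame[sizeof SAMPLE_FRAME];
    memcpy(frame, SAMPLE_FRAME, sizeof frame);
    if (tamper) { frame[14 + 20 + 16] = 0x13; frame[14 + 20 + 17] = 0x37; }
    return tcp_checksum_ok(frame, sizeof frame);
}

int main(void) { printf("clean: %d, tampered: %d\n", check_sample_frame(0), check_sample_frame(1)); return 0; }
```

One caveat when running this over a real capture: with NIC checksum offload enabled, packets sent by the capturing host are recorded before the hardware fills in the checksum, so they legitimately show a mismatch; restrict the check to received traffic or disable offload before treating a bad checksum as a signal.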

Author Closing Comment

by:codey-06
ID: 37759177
Thank you, that has been a great help.