how to analyze a tcpdump

Hi

I'm in need of some advice.  I have a tcp dump in which I need to write my own custom sniffer to detect any corrupt tcp packets.  The tcpdump contains packets that I have modified to hide hidden data.  This has been done by using a kernel module and protocol type handler (to clone the packet) to insert ("hidden") data into the checksum field.

Can anyone give me some advice in how I can design a program to detect this?  Could I use libpcap?  (im using linux ubuntu)


Thanks
codey-06Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Infinity08Commented:
libpcap would indeed be my first choice for any type of sniffer. It's flexible enough to do pretty much anything you want (related to sniffing). And if it's not, the source is available to be modified ;)

What you describe is pretty straightforward : read packets from the dump file using libpcap (or sniff them directly from the network), and then have your own code that interprets the contents of the packets however you need.
0
codey-06Author Commented:
Thanks for the swift reply.  Yes thats what I've got planned out in my head.. but completely new to this.  Could you show me some example code?..
0
Infinity08Commented:
This is a very decent introduction to libpcap programming :

    http://www.tcpdump.org/pcap.html

But a quick and dirty example would look like :

void process_packet(u_char* context, const struct pcap_pkthdr* header, const u_char* packet) {
    /* do whatever you want here with the packet - this function will be called for every captured packet */
}

char errbuf[PCAP_ERRBUF_SIZE] = "";
struct bpf_program filter;
pcap_t* capture_handle = 0;

capture_handle = pcap_open_offline("dump.pcap", errbuf);
pcap_compile(capture_handle, &filter, "tcp port 1234", 1, PCAP_NETMASK_UNKNOWN);
pcap_setfilter(capture_handle, &filter);
pcap_loop(capture_handle, -1, &process_packet, 0);

Open in new window


You still need to add error handling, etc. of course. I left that out for compactness reasons.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
codey-06Author Commented:
Thank you, that has been a great help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
C

From novice to tech pro — start learning today.