Solved

how to analyze a tcpdump

Posted on 2012-03-23
4
588 Views
Last Modified: 2012-03-23
Hi

I'm in need of some advice.  I have a tcp dump in which I need to write my own custom sniffer to detect any corrupt tcp packets.  The tcpdump contains packets that I have modified to hide hidden data.  This has been done by using a kernel module and protocol type handler (to clone the packet) to insert ("hidden") data into the checksum field.

Can anyone give me some advice in how I can design a program to detect this?  Could I use libpcap?  (im using linux ubuntu)


Thanks
0
Comment
Question by:codey-06
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 37757642
libpcap would indeed be my first choice for any type of sniffer. It's flexible enough to do pretty much anything you want (related to sniffing). And if it's not, the source is available to be modified ;)

What you describe is pretty straightforward : read packets from the dump file using libpcap (or sniff them directly from the network), and then have your own code that interprets the contents of the packets however you need.
0
 

Author Comment

by:codey-06
ID: 37757661
Thanks for the swift reply.  Yes thats what I've got planned out in my head.. but completely new to this.  Could you show me some example code?..
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 500 total points
ID: 37757827
This is a very decent introduction to libpcap programming :

    http://www.tcpdump.org/pcap.html

But a quick and dirty example would look like :

void process_packet(u_char* context, const struct pcap_pkthdr* header, const u_char* packet) {
    /* do whatever you want here with the packet - this function will be called for every captured packet */
}

char errbuf[PCAP_ERRBUF_SIZE] = "";
struct bpf_program filter;
pcap_t* capture_handle = 0;

capture_handle = pcap_open_offline("dump.pcap", errbuf);
pcap_compile(capture_handle, &filter, "tcp port 1234", 1, PCAP_NETMASK_UNKNOWN);
pcap_setfilter(capture_handle, &filter);
pcap_loop(capture_handle, -1, &process_packet, 0);

Open in new window


You still need to add error handling, etc. of course. I left that out for compactness reasons.
0
 

Author Closing Comment

by:codey-06
ID: 37759177
Thank you, that has been a great help.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Does the idea of dealing with bits scare or confuse you? Does it seem like a waste of time in an age where we all have terabytes of storage? If so, you're missing out on one of the core tools in every professional programmer's toolbox. Learn how to …
In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will learn how to pass data into a function in C++. This is one step further in using functions. Instead of only printing text onto the console, the function will be able to perform calculations with argumentents given by the user.

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question