Netfilter和Scapy

2024-06-30 05:17:41 发布

您现在位置:Python中文网/ 问答频道 /正文
7615 3

我在内核模块中玩netfilter钩子。我希望能够捕捉到scapy创建的数据包。在

钩子和通过scapy生成包都运行在同一个物理主机上。似乎没有一个可用的netfilter钩子能够捕获包。在

我还试图从虚拟机内部发送相同的包,但这也不起作用。在

我怀疑问题与环回iterface上运行的所有内容有关,因为它都在同一个框中。在

我当然可以用两个物理主机,但不幸的是现在不可能:

static unsigned int out_hook(unsigned int hooknum,
                struct sk_buff *skb,
                const struct net_device *in,
                const struct net_device *out,
                int (*okfn)(struct sk_buff *))
{
    sock_buff = skb; 

    if (!sock_buff) {
        return NF_ACCEPT;
    } else {
            ip_header = (struct iphdr *)skb_network_header(sock_buff);
        if (!ip_header) {
            return NF_ACCEPT;
        } else {
            if (ip_header->protocol == IPPROTO_TCP) {
                th = (struct tcphdr *)(skb_transport_header(sock_buff)+sizeof(struct iphdr));

                printk(KERN_INFO "[LOCAL_OUT] %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n", ip_header->saddr & 0x000000FF, (ip_header->saddr & 0x0000FF00) >> 8,(ip_header->saddr & 0x00FF0000) >> 16,(ip_header->saddr & 0xFF000000) >> 24, th->source, ip_header->daddr & 0x000000FF, (ip_header->daddr & 0x0000FF00) >> 8,(ip_header->daddr & 0x00FF0000) >> 16,(ip_header->daddr & 0xFF000000) >> 24, th->dest);

                unsigned int len = sock_buff->len - sizeof(struct tcphdr) - sizeof(struct iphdr);
                printk(KERN_INFO "\t [skbuf->len]=%d", sock_buff->len);
                printk(KERN_INFO "\t [skbuf->data_len]=%d", sock_buff->data_len); 


                return NF_ACCEPT;

            } else {
                return NF_ACCEPT;
            }
        }
    }
}

上面是钩子。在

^{pr2}$

以上是发送.py在


Tags: iplenreturnstruct钩子buffintheader
1条回答
网友
1楼 · 发布于 2024-06-30 05:17:41

Sniffing with Scapy

[mpenning@Bucksnort ~]$ sudo python
Python 2.5.2 (r252:60911, Jan 24 2010, 14:53:14)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from scapy.all import sniff
>>> from scapy.all import wrpcap
>>> foo = sniff(filter="icmp", count=3)
>>> wrpcap("icmppaks.pcap", foo)
>>> quit()
[mpenning@Bucksnort ~]$ tshark -r icmppaks.pcap
  1   0.000000 192.0.2.178 -> 192.0.2.6 ICMP Echo (ping) request
  2   0.000065 192.0.2.6 -> 192.0.2.178 ICMP Echo (ping) reply
  3   1.004224 192.0.2.178 -> 192.0.2.6 ICMP Echo (ping) request
[mpenning@Bucksnort ~]$

相关问题 更多 >

    编程相关推荐