pcap: packet tapping

Some random guy was trying to intercept traffic right in the middle of a connection. Then he wondered how he could store his freshly hunted packets. Of course I know something appropriate! But little did he know...

-- khorben <khorben@uberwall.org>

0sec : October 15th 2005

ÜberWall - http://www.uberwall.org/

Alpha to Omega

Introduction

They wonder. Why the f...? UW_sslmitm!

Brief description

Brief history

Version  Date        Matter
0.9.4    02/10/2005  latest to date
0.6      09/01/2001  portable file format
0.5      10/06/2000  released on tcpdump.org
0.4      25/07/1998  last from LBL
0.3      30/11/1996  Linux support
0.0      20/06/1994  project started

Flying over pcap

He opens the archive. Let's have a look at this.

$ wget http://www.tcpdump.org/release/libpcap-0.9.3.tar.gz
$ tar -xzf libpcap-0.9.3.tar.gz
$ "$EDITOR" libpcap-0.9.3/README

Principles

Software using pcap

$ ldd /usr/{bin,sbin}/* | grep pcap | wc -l
 26

Ethereal

Network protocol analyzer (features plug-ins, VoIP calls)
ethereal

Etherape

Graphical network browser
etherape

Vulnerabilities to date

Good practices

Not possible for real-time analysis...

Open packet surgery

When he enters. He gets stuck. He's debating. Gah, this hurts real bad! And finally...

pcap internals

Source code

$ find pcap -name '*.c' | wc -l
 41

API changes

Note well: this interface is new and is likely to change.

Handling files

Captures are possible:

File format

Note that the current file formats supported by libpcap are not the only formats that will ever be used. At some point, we will probably implement a new capture file format.

File format: continued

struct pcap_file_header {
    bpf_u_int32 magic;          /* TCPDUMP_MAGIC */
    u_short version_major;      /* PCAP_VERSION_MAJOR */
    u_short version_minor;      /* PCAP_VERSION_MINOR */
    bpf_int32 thiszone;         /* gmt to local correction */
    bpf_u_int32 sigfigs;        /* accuracy of timestamps */
    bpf_u_int32 snaplen;        /* max length saved portion of each pkt */
    bpf_u_int32 linktype;       /* e.g. LINKTYPE_RAW */
};

struct pcap_pkthdr {
    struct timeval ts;  /* timestamp (written to the file as two
                           32-bit words, not as struct timeval,
                           whose size depends on the host) */
    bpf_u_int32 caplen; /* length of portion present */
    bpf_u_int32 len;    /* length of this packet (off wire) */
};
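To show how the two headers above are laid out on disk, and which fields a reader must validate before trusting them, here is an added example (not libpcap's own code): a minimal parser over an in-memory pcap image that handles both byte orders and rejects records whose caplen exceeds snaplen, len or the bytes remaining. The sample images, TCPDUMP_MAGIC value and the LINKTYPE_RAW number 101 are supplied here, not taken from the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCPDUMP_MAGIC 0xa1b2c3d4u   /* classic magic, microsecond timestamps */

/* Byte-order-agnostic reads: swap when the file's order is not the host's. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v; memcpy(&v, p, 4);
    return swap ? (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24) : v;
}
static uint16_t rd16(const uint8_t *p, int swap) {
    uint16_t v; memcpy(&v, p, 2);
    return swap ? (uint16_t)((v >> 8) | (v << 8)) : v;
}

/* Walk an in-memory pcap image. Returns the packet count, or -1 if the file is
 * malformed. On disk each record header is 16 bytes (sec, usec, caplen, len as
 * 32-bit words); struct timeval is not used because its size varies by host.
 * caplen is checked against snaplen, len and the bytes left before it is used. */
int pcap_count_packets(const uint8_t *buf, size_t n, uint32_t *linktype) {
    int swap, count = 0;
    if (n < 24) return -1;
    if (rd32(buf, 0) == TCPDUMP_MAGIC) swap = 0;
    else if (rd32(buf, 1) == TCPDUMP_MAGIC) swap = 1;   /* other-endian writer */
    else return -1;
    if (rd16(buf + 4, swap) != 2) return -1;             /* PCAP_VERSION_MAJOR */
    uint32_t snaplen = rd32(buf + 16, swap);
    if (linktype) *linktype = rd32(buf + 20, swap);
    for (size_t off = 24; off < n; count++) {
        if (n - off < 16) return -1;                     /* truncated record header */
        uint32_t caplen = rd32(buf + off + 8, swap), len = rd32(buf + off + 12, swap);
        if (caplen > snaplen || caplen > len || caplen > n - off - 16) return -1;
        off += 16 + caplen;
    }
    return count;
}

/* Constructed sample, little-endian: v2.4, snaplen 65535, LINKTYPE_RAW (101),
 * then a 4-byte packet and a packet truncated to 2 of its 60 bytes. */
const uint8_t pcap_sample_good[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 101,0,0,0,
    1,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef,
    2,0,0,0, 0,0,0,0, 2,0,0,0, 60,0,0,0, 0xaa,0xbb };
/* Constructed: same header with snaplen 2, then a record claiming caplen 4. */
const uint8_t pcap_sample_bad[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 2,0,0,0, 101,0,0,0,
    1,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef };
```

Passing a shorter length than the image really has (a cut-off download, for instance) is reported as malformed rather than read past the end.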

Future of packet hunting

Where he asked. This can certainly be improved! But how?

No real alternative?

File format draft

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Shipped in libpcap 0.9.3

Missing link types and protocols

Conclusion

Ideas for the future:

Thank you pcap hackers.

Thank you too. Any questions?