pcap: packet tapping

Some random guy was trying to intercept traffic right in the middle of a connection. Then he wondered how he could store his freshly hunted packets. Of course I know something appropriate! But little did he know...

-- khorben <khorben@uberwall.org>

0sec : October 15th 2005

ÜberWall - http://www.uberwall.org/

Alpha to Omega

Introduction
Flying over pcap
Open packet surgery
Future of packet hunting
Conclusion

Introduction

They wonder. Why the f...? UW_sslmitm!

SSL MITM implementation
Dumps traffic to a pcap-formatted file
...or not quite

Brief description

An uniform library interface to the packet capture systems including the Berkeley Packet Filter (BSD and SunOS), Data Link Provider Interface (Solaris and SYSV), Stanford Enetfilter (IBM RT/4.3BSD), Network Interface Tap (SunOS 3), Streams Network Interface Tap (SunOS 4), Packet Filter, and Snoop (IRIX)
In short, a portable protocol packet capture library
Available at http://www.tcpdump.org/

Brief history

Lawrence Berkeley Laboratory (BPF, traceroute, CBQ, ECN, ...)
FTP notice: Federal computer system and is the property of the United States Government

Version	Date	Matter
0.9.4	02/10/2005	latest to date
0.6	09/01/2001	portable file format
0.5	10/06/2000	released on tcpdump.org
0.4	25/07/1998	last from LBL
0.3	30/11/1996	Linux support
0.0	20/06/1994	project started

Flying over pcap

He opens the archive. Let's have a look at this.

$ wget http://www.tcpdump.org/release/libpcap-0.9.3.tar.gz
$ tar -xzf libpcap-0.9.3.tar.gz
$ "$EDITOR" libpcap-0.9.3/README

Principles

Sniff traffic from the wire or a file
Filter captured data
Intended for C programmers
Has Perl, Ruby, OCaml, Python, Java bindings
Found shipped as hardware

Software using pcap

$ ldd /usr/{bin,sbin}/* | grep pcap | wc -l
 26

Traffic analysis:
- tcpdump, ethereal, tcpflow, tcptrace, netdude, ...
Monitoring:
- ntop, kismet, etherape, ...
Security:
- snort, ulogd, ...
- ettercap, dsniff, ...
- sing, hping3, ...

Ethereal

Network protocol analyzer (features plug-ins, VoIP calls)

Etherape

Graphical network browser

Vulnerabilities to date

tcpdump buffer overflows : CVE-2000-1026, CVE-2001-1279, CVE-2002-0380
tcpdump DoS : 16 known since 2002
ethereal has had its lot : 50 vulnerabilities just on May 4th 2005!

Good practices

Prefer tcpdump for live captures ("proven" software, privileges drop, with chroot)
Less code required for silent output
Work with other software on capture files (as regular user)

Not possible for real time analysis...

Open packet surgery

When he enters. He gets stuck. He's debating. Gah, this hurts real bad!. And finally...

pcap internals

Uses BPF for in-kernel filtering
Can't use in-kernel filtering if BPF is not available
Linux has simplified BPF-like kernel filtering
Timestamps are from the kernel if supported
Endian-proof
Can be slower than the sniffed link
Checksums are wrong if handled by hardware

Source code

$ find pcap -name '*.c' | wc -l
 41

Has its own reference for link types, as they are different on every system
Few are actually handled (ethernet, FDDI)
TLV : format_print(data, length)

API changes

Note well: this interface is new and is likely to change.

30 C calls in 0.4...
...50 in 0.9.3
Still 3 "XXX" in pcap.h
No reference documentation

Handling files

Captures are possible:

from the network;
from an existing pcap file.

File format

Tuned for performance
At least 4 different formats are already there (libpcap, Kuznetzov, Mesquita, Navtel)

Note that the current file formats supported by libpcap are not the only formats that will ever be used. At some point, we will probably implement a new capture file format.

File format: continued

struct pcap_file_header hdr;
foreach packet:
- struct pcap_pkthdr phdr;
- ...
- struct ip iphdr;
- struct tcp tcphdr;
- ...

struct pcap_file_header

{
    bpf_u_int32 magic = TCPDUMP_MAGIC;
    u_short version_major = PCAP_VERSION_MAJOR;
    u_short version_minor = PCAP_VERSION_MINOR;
    bpf_int32 thiszone;   /* gmt to local
			correction */
    bpf_u_int32 sigfigs;  /* accuracy of
			timestamps */
    bpf_u_int32 snaplen;  /* max length saved
			portion of each pkt */
    bpf_u_int32 linktype = LINKTYPE_RAW;
}

struct pcap_pkthdr

{
    struct timeval ts;  /* timestamp */
    bpf_u_int32 caplen; /* length of portion */
    bpf_u_int32 len;    /* length this packet */
}

Future of packet hunting

Where he asked. This can certainly be improved! But how?

No real alternative ?

BTSoftw@re Packet Sniffer SDK (Windows only, shareware)
...what else ?

File format draft

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Shipped in libpcap 0.9.3

Missing link types and protocols

Should be submitted to <tcpdump-workers@tcpdump.org> (preferably with code) to be assigned
Some have been for private use (PCI Express, ...)
16 temporary types are reserved
LINUX_IRDA is not supported

Conclusion

Ideas for the future:

Use new file format
Full rewrite...?
Protocol definition framework...?

Thank you pcap hackers.

Thank you too. Any questions?