2 votes

I intend to find certain packet data in the kernel and intercept it (either drop certain packets or redirect them). A natural way is to somehow catch all packets, inspect their data and drop/redirect certain packets.

I have tried to intercept them directly in the kernel code (here, at the point where the data is copied into user space), but the data that is pushed by the server without a request cannot be accessed there.

Another choice could be netfilter hooks, as in this post. However, such a hook is below the TCP layer, and it seems that reordering and packet loss are not dealt with yet.

So I'm wondering whether there are any elegant solutions to catch packets and operate on them at the TCP layer?

Thanks!

You could look at the Snort IDS and write rules for that (or, as it is open source, get the code and work out what they do). – Cwissy
@Cwissy Thanks! So may I ask one more question: do you know whether Snort works on top of TCP (to handle reordering)? My gut feeling is that it could handle reordering because it uses libpcap, which is used by tcpdump. Am I correct? – zzy
I don't, no, sorry. I imagine it must, however, as I know you can write matching rules that get deep into the packets, i.e. if an email comes from a certain address, drop packets from the IP address that is sending it. Doing that would require opening each packet, and there would be no point if it hadn't got the whole message in sequence. – Cwissy
@Cwissy I see. OK, let me go through the available Snort rules. Thank you so much for advising! – zzy
Wireshark may help. – Ed Heal

1 Answer

2 votes

If you want to receive only specific stuff and drop non-matching stuff, could you open a raw/TCP socket with a BPF filter attached to it?

Example: https://www.kernel.org/doc/Documentation/networking/filter.txt