I'm trying to evaluate a tool called ohrwurm, which claims to be able to corrupt RTP traffic between two SIP endpoints. By reading its source code I don't believe it works, and would like others' opinions before I try it out.
Its premise is simple:
- Assume endpoint A has IP address 192.168.0.11, and endpoint B has IP address 192.168.0.22.
- On a third box C on the same subnet as A and B execute the following commands in two SSH sessions:
  - arpspoof 192.168.0.11
  - arpspoof 192.168.0.22
- Execute ohrwurm.
Taking a look at ohrwurm's source code it does the following:
- Set /proc/sys/net/ipv4/ip_forward to 1.
- Use libpcap in promiscuous mode to intercept all IP packets between the two boxes above.
- For those packets which are SIP, grab the RTP port numbers out.
- For those packets that are UDP and between the two RTP ports grabbed earlier, fuzz the RTP contents.
Here's what I don't get though. I accept that the arpspoof'ing will cause all IP traffic between A and B to travel through C. Moreover, by setting /proc/sys/net/ipv4/ip_forward to 1 we're getting the kernel to forward this IP traffic correctly for us.
But I thought libpcap was read-only? How is it possible to modify packets we've sniffed in promiscuous mode in situ? You'll notice in ohrwurm.c line 401 that we're even trying to drop RTCP packets! Is this possible?
I know nothing about libpcap, and am curious to know more! Please educate me. Thanks.