Class Note for COSC 6397 with Professor Zheng at UH
This 39 page Class Notes was uploaded by an elite notetaker on Friday February 6, 2015. The Class Notes belongs to a course at University of Houston taught by a professor in Fall. Since its upload, it has received 109 views.
Date Created: 02/06/15
Libpcap and Libnet

Why libnet & libpcap
- They allow manipulation and interception of link-layer packets.
- With ordinary socket programming the kernel fills in the source IP address, checksum, etc. A raw socket is one way to write IP packets directly, but not everything is in IP.
- They allow testing of new protocols.

Libpcap
- char *pcap_lookupdev(char *errbuf): returns a pointer to a network device suitable for use.
      char errbuf[PCAP_ERRBUF_SIZE];
      dev = pcap_lookupdev(errbuf);
- pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf): obtains a packet capture descriptor to look at packets on the network. snaplen: maximum bytes to capture; promisc: whether to set promiscuous mode; to_ms: timeout; ebuf: error message.
- int pcap_datalink(pcap_t *p): returns the link layer of an adapter, e.g. DLT_EN10MB (Ethernet, 10Mb/100Mb/1000Mb and up), DLT_PPP, DLT_SLIP.
- int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask): compiles the string str into a filter program; returns -1 upon error.
- int pcap_setfilter(pcap_t *p, struct bpf_program *fp): specifies a filter program. fp is a pointer to a bpf_program struct, usually the result of a call to pcap_compile; returns -1 upon failure.
- u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h): reads the next packet and returns a u_char pointer to the data in that packet.
- int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user): keeps reading packets until cnt packets are processed or an error occurs. callback is a function handler; user is an optional argument passed to it.

Filter expressions
- A filter expression consists of an id preceded by one or more qualifiers.
- Type: host, net, port (e.g. net 128.3, port 20).
- Dir (direction of transfer): src, dst, src or dst, src and dst.
- Proto: ip, arp, ... (e.g. tcp dst port ftp-data).
- expr relop expr, where relop is a relational operator: >, <, >=, <=, =, !=.
- proto[expr : size]: expr gives the offset, size gives the length of data to examine.

[Slide figure: TCP header layout (source port, destination port, sequence number, acknowledgement number, HLEN, reserved, control flags, window, checksum, urgent pointer, options, padding, data) and IP header layout (version, header length, type of service, total length, identification, flags, fragment offset, TTL, protocol, header checksum, source IP address, destination IP address, options if any).]

References
- Unix Network Programming, Vol. 1
- http://www.caida.org/outreach/resources
- http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html

What is libnet
- A C programming library for packet construction and injection; the Yin to the Yang of libpcap.
- Libnet's primary role in life: a simple interface for packet construction and injection.
- Libnet is good for tools requiring meticulous control over every field of every header of every packet.
- Libnet is not well suited for building client/server programs where the operating system should be doing most of the work.

What's inside of libnet
- As of libnet 1.1.2: about 18,000 lines of C source code; 109 exported functions, 67 of them packet builder functions.
- Portable to all of today's hottest operating systems: Windows, OS X, BSD, Linux, Solaris, HP-UX.

Why use libnet
- Portability: libnet is portable to all of our favorite and exquisitely cherished operating systems.
- Ease of use: as we will see, libnet 1.1.x exports a brain-dead simple interface to building and injecting packets in a few easy steps.
- Robustness: libnet supports all of today's in-demand protocols, with more added all the time (more than 30 supported in libnet 1.1.2) and several link layers (Ethernet, Token Ring, FDDI; 802.11 planned).
- Open source: libnet is released under a BSD license, meaning it is basically free to use.
- Response time in bug fixes: large user base, bugs are fixed quickly.

Libnet 1.1.2 process
    libnet_init -> libnet_build_tcp -> libnet_build_ipv4 -> libnet_build_ethernet -> libnet_write -> libnet_destroy

The libnet context
- An opaque, monolithic data structure that is returned from libnet_init().
- Maintains state for the entire session; tracks all memory usage and packet construction.
- Defines and describes a libnet session; used in almost every function. More detail later.

Packet construction
- The core of libnet's functionality. Packets are built in pieces: each protocol layer is usually a separate function call. Generally we need four function calls to build an entire packet.
- Packet builders take arguments corresponding to header values.
- Approximates an IP stack: builders must be called in order, from the highest layer on the OSI model to the lowest.
- A successful call to a builder function returns a ptag.

Packet construction (TCP)
    tcp = libnet_build_tcp(
        src_prt,                   /* source port */
        dst_prt,                   /* destination port */
        0x01010101,                /* sequence number */
        0x02020202,                /* acknowledgement number */
        TH_SYN,                    /* control flags */
        32767,                     /* window size */
        0,                         /* checksum (0 = autofill) */
        0,                         /* urgent pointer */
        LIBNET_TCP_H + payload_s,  /* TCP packet size */
        payload,                   /* payload */
        payload_s,                 /* payload size */
        l,                         /* libnet context */
        0);                        /* ptag (0 = build new) */

Ptags and pblocks
- Protocol tag (ptag) and protocol block (pblock).
- Protocol tags are used to track protocol blocks.
- Whenever a new packet piece is built, it is stored in a pblock and a new ptag is returned.
- Whenever an existing packet piece is modified, an old ptag is used.
- Ptags are handled directly by the user; pblocks are not.

Looped packet updating
- Use is optional. Passing a ptag of 0 appends a new piece; passing the ptag returned earlier modifies that piece in place.
- All packet builder functions support this interface.
    tcp = libnet_build_tcp(src_prt, dst_prt, 0x01010101, 0x02020202, TH_SYN, 32767,
                           0, 0, LIBNET_TCP_H + payload_s, payload, payload_s, l, tcp);

Wire injection methods
- Raw socket interface (less complex): a mid-level interface, packets are built at the IP layer and above, no link header needs to be built. It removes all routing and interface decisions and is useful for legitimate packet tools that do not need to spoof address information. The packet passes through the kernel's IP stack, so routing, checksums and firewalls are all an issue; less than granular level of control (next slide).
- Link layer interface (more complex): a low-level interface, packets are built at the link layer. The packet does not pass through the kernel's IP stack: sovereign control of every field of the packet, but all address and routing information needs to be provided. Some operating systems stamp the outgoing MAC address of the Ethernet header (this is bypassable).

Raw socket interface: what the kernel does to outgoing IP packets
    OS           IP total length    IP ID              IP checksum          IP source            Fragmentation                                   Max size before kernel complains
    Linux 2.2    Always filled in   Always filled in   Filled in if left 0  Filled in if left 0  Performed if packet is larger than MTU          1500 bytes
    Solaris 2.6  Always filled in                                                                Performed if packet is larger than MTU; sets DF bit
    OpenBSD 2.8  Always filled in                                                                Performed if packet is larger than MTU

Packet checksums
- The programmer no longer has to worry about checksum computation.
- Common usage: the programmer specifies 0 and libnet autocomputes the checksum. This can be toggled off to use a checksum of 0.
- Alternative usage: the programmer specifies a value and libnet uses that. Useful for fuzzing with pre-computed checksums.

Packet construction (IPv4)
    ip = libnet_build_ipv4(
        LIBNET_IPV4_H + LIBNET_TCP_H + payload_s,  /* length */
        0,                         /* TOS */
        242,                       /* IP ID */
        0,                         /* IP frag */
        64,                        /* TTL */
        IPPROTO_TCP,               /* protocol */
        0,                         /* checksum (0 = autofill) */
        src_ip,                    /* source IP */
        dst_ip,                    /* destination IP */
        NULL,                      /* payload */
        0,                         /* payload size */
        l,                         /* libnet context */
        0);                        /* ptag */

Initialization
    libnet_t *libnet_init(int injection_type, char *device, char *errbuf)
- Initializes the libnet library and creates the environment.
- SUCCESS: a libnet context suitable for use. FAILURE: NULL; errbuf will contain the reason.
- injection_type: LIBNET_LINK or LIBNET_RAW4. device: "pr0", "192.168.0.1" or NULL. errbuf: error message if the function fails.
    l = libnet_init(LIBNET_LINK, "pr0", errbuf);
    if (l == NULL) {
        fprintf(stderr, "libnet_init: %s", errbuf);
    }

Device / interface selection (happens during initialization)
- libnet_init(LIBNET_LINK, "pr0", errbuf): initializes libnet's link interface using the pr0 device.
- libnet_init(LIBNET_LINK, "192.168.0.1", errbuf): initializes libnet's link interface using the device with the IP address 192.168.0.1.
- libnet_init(LIBNET_LINK, NULL, errbuf): initializes libnet's link interface using the first "up" device it can find.
- libnet_init(LIBNET_RAW4, NULL, errbuf): under the raw socket interface no device is selected. Exception: Win32 does this internally since it is built on top of WinPcap.
- New: devices with no IP address can be specified for use ("stealth").

Error handling
    char *libnet_geterror(libnet_t *l)
- Returns the last error message generated by libnet. SUCCESS: an error string, or NULL if none occurred. FAILURE: this function cannot fail. l: the libnet context pointer.
    ip = libnet_autobuild_ipv4(len, IPPROTO_TCP, dst, l);
    if (ip == -1) {
        fprintf(stderr, "libnet_autobuild_ipv4: %s", libnet_geterror(l));
    }

Address resolution
    uint32_t libnet_name2addr4(libnet_t *l, char *hostname, uint8_t use_name)
- Converts an IPv4 presentation-format hostname into a big-endian ordered IP number. SUCCESS: an IP number suitable for use with libnet_build*. FAILURE: -1 (this is technically 255.255.255.255). l: the libnet context pointer; hostname: the presentation-format address; use_name: LIBNET_RESOLVE or LIBNET_DONT_RESOLVE.
    dst = libnet_name2addr4(l, argv[optind], LIBNET_DONT_RESOLVE);
    if (dst == -1) {
        fprintf(stderr, "libnet_name2addr4: %s", libnet_geterror(l));
    }
    char *libnet_addr2name4(uint32_t address, uint8_t use_name)
- Converts a big-endian ordered IPv4 address into a presentation-format address. SUCCESS: a string of dots and decimals, or a hostname. FAILURE: this function cannot fail. address: the IPv4 address; use_name: LIBNET_RESOLVE or LIBNET_DONT_RESOLVE.
    printf("%s", libnet_addr2name4(dst, LIBNET_DONT_RESOLVE));

Packet construction (UDP)
    libnet_ptag_t libnet_build_udp(uint16_t sp, uint16_t dp, uint16_t len, uint16_t sum,
                                   uint8_t *payload, uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
- Builds a UDP header. SUCCESS: a ptag referring to the UDP packet. FAILURE: -1, and libnet_geterror() can tell you why.
- sp: source UDP port; dp: destination UDP port; len: length of the UDP packet including payload; sum: checksum (0 for libnet to autofill); payload: optional payload; payload_s: payload size; l: the libnet context pointer; ptag: protocol tag.

Packet construction (IPv4)
    libnet_ptag_t libnet_build_ipv4(uint16_t len, uint8_t tos, uint16_t id, uint16_t frag, uint8_t ttl,
                                    uint8_t prot, uint16_t sum, uint32_t src, uint32_t dst,
                                    uint8_t *payload, uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
- Builds an IPv4 header. SUCCESS: a ptag referring to the IPv4 packet. FAILURE: -1, and libnet_geterror() can tell you why.
- len: length of the IPv4 packet including payload; tos: type of service bits; id: IP identification; frag: fragmentation bits; ttl: time to live; prot: upper-layer protocol; sum: checksum (0 for libnet to autofill); src: source IP address; dst: destination IP address; payload: optional payload; payload_s: payload size; l: the libnet context pointer; ptag: protocol tag.

Packet construction (Ethernet)
    libnet_ptag_t libnet_build_ethernet(uint8_t *dst, uint8_t *src, uint16_t type, uint8_t *payload,
                                        uint32_t payload_s, libnet_t *l, libnet_ptag_t ptag)
- Builds an Ethernet header. SUCCESS: a ptag referring to the Ethernet frame. FAILURE: -1, and libnet_geterror() can tell you why.
- dst: destination Ethernet address; src: source Ethernet address; type: upper-layer protocol type; payload: optional payload; payload_s: payload size; l: the libnet context pointer; ptag: protocol tag.

Shutdown
    void libnet_destroy(libnet_t *l)
- Shuts down the libnet environment. l: the libnet context pointer.
    libnet_destroy(l);

Libnet with other components: GNIP, a poor man's ping
- A simple application: a simple ping client, about 250 lines of source.
- Illustrates some of libnet's and libpcap's core concepts: IPv4 packet construction, ICMP packet construction, looped packet updating, packet filtering, capturing and dissection.
- Includes <libnet.h> and <pcap.h>; the libpcap filter for echo replies is
    #define GNIP_FILTER "icmp[0] = 0"
- Phase one: parse options (-I device, -i interval, -c count); pick a device with pcap_lookupdev() if none was given; pcap_open_live(), pcap_lookupnet(), pcap_compile() and pcap_setfilter() with GNIP_FILTER; libnet_init(); resolve the destination with libnet_name2addr4() and the source with libnet_get_ipaddr4(); on any failure print libnet_geterror() and bail out ("Can't determine source IP address").
- Phase two: build the ICMP echo header and the IPv4 header (payload length, TOS 0, id, frag 0, TTL 64, IPPROTO_ICMP, checksum 0, source IP, destination IP, payload, payload size, context, ptag) and write the packet with libnet_write(); on failure print "Can't build ICMP header" / "Can't build IP header" / "Write error".
- Phase three: select() on pcap_fileno(p) with the interval as timeout; on data, read with pcap_next() and dissect it:
    ip_hdr   = (struct libnet_ipv4_hdr *)(packet + 14);
    icmp_hdr = (struct libnet_icmpv4_hdr *)(packet + 14 + (ip_hdr->ip_hl << 2));
  The "is this a response?" logic skips packets whose ip_src is not the destination we pinged and whose icmp_id is not our id, then prints
    "%d bytes from %s: icmp_seq=%d ttl=%d\n"
  with ntohs(ip_hdr->ip_len), libnet_addr2name4(ip_hdr->ip_src.s_addr, 0), icmp_hdr->icmp_seq and ip_hdr->ip_ttl. On timeout the loop re-sends (looped packet updating).
- Phase four: libnet_destroy(l); pcap_close(p); return EXIT_SUCCESS.

GNIP output
    GNIP <host> (<ip>): 28 data bytes
    28 bytes from <host>: icmp_seq=0 ttl=247
    28 bytes from <host>: icmp_seq=1 ttl=247
    28 bytes from <host>: icmp_seq=2 ttl=247
    28 bytes from <host>: icmp_seq=3 ttl=247
    28 bytes from <host>: icmp_seq=4 ttl=247
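The dissection step in GNIP's phase three casts packet + 14 and packet + 14 + (ip_hl << 2) to header structs without checking that the capture actually contains those bytes, and it trusts the IPv4 header checksum that libnet fills in when the builder is passed 0. The following is an added example, not code from the lecture notes, libnet or libpcap: it performs the same Ethernet/IPv4/ICMP dissection with caplen bounds checks, verifies the IPv4 header checksum with the RFC 1071 one's-complement sum, and shows the value libnet would autofill for that header. It uses only the C standard library, so neither libpcap nor libnet needs to be installed; struct cap_hdr is a hypothetical stand-in for the caplen field of libpcap's struct pcap_pkthdr, and the echo-reply bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800

/* Hypothetical stand-in for the caplen field of libpcap's struct pcap_pkthdr. */
struct cap_hdr { uint32_t caplen; };

/* The fields GNIP prints for an echo reply, already converted to host order. */
struct echo_info {
    uint32_t src_ip;
    uint16_t ip_len;
    uint8_t  ttl;
    uint8_t  icmp_type;
    uint16_t icmp_id;
    uint16_t icmp_seq;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 one's-complement checksum over hlen bytes of header.
 * With the checksum field zeroed it returns the value to store (what libnet
 * autofills for sum = 0); over a header that already carries a correct
 * checksum it returns 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t hlen) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < hlen; i += 2) sum += rd16(hdr + i);
    if (hlen & 1) sum += (uint16_t)(hdr[hlen - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Same offsets as GNIP (packet + 14, then + ip_hl << 2), but every access is
 * checked against caplen first. Returns 0 on success, a negative code otherwise. */
int dissect_echo(const struct cap_hdr *h, const uint8_t *packet, struct echo_info *out) {
    const uint8_t *ip, *icmp;
    size_t ip_hl;
    if (h->caplen < ETH_HDR_LEN + 20) return -1;                 /* no room for Ethernet + minimal IPv4 */
    if (rd16(packet + 12) != ETHERTYPE_IPV4) return -2;         /* not an IPv4 frame */
    ip = packet + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return -3;                            /* version field */
    ip_hl = (size_t)(ip[0] & 0x0f) << 2;
    if (ip_hl < 20 || h->caplen < ETH_HDR_LEN + ip_hl + 8) return -4; /* bad IHL or ICMP header truncated */
    if (ipv4_checksum(ip, ip_hl) != 0) return -5;                /* header checksum does not verify */
    if (ip[9] != 1) return -6;                                   /* protocol is not IPPROTO_ICMP */
    icmp = ip + ip_hl;
    out->src_ip    = rd32(ip + 12);
    out->ip_len    = rd16(ip + 2);
    out->ttl       = ip[8];
    out->icmp_type = icmp[0];
    out->icmp_id   = rd16(icmp + 4);
    out->icmp_seq  = rd16(icmp + 6);
    return 0;
}

/* Constructed sample capture: Ethernet + IPv4 (ttl 247, from 10.0.0.1 to 10.0.0.2,
 * header checksum 0xafb4) + ICMP echo reply (type 0, id 0x1234, seq 3). */
static const uint8_t sample_reply[42] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,  0x08, 0x00,
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x2a, 0x00, 0x00, 0xf7, 0x01, 0xaf, 0xb4,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x00, 0xed, 0xc8, 0x12, 0x34, 0x00, 0x03
};

int demo_parse(struct echo_info *out) {
    struct cap_hdr h = { sizeof sample_reply };
    return dissect_echo(&h, sample_reply, out);
}

/* Same frame with one checksum byte flipped: must be rejected, not printed. */
int demo_bad_checksum(void) {
    uint8_t buf[sizeof sample_reply];
    struct cap_hdr h = { sizeof sample_reply };
    struct echo_info e;
    memcpy(buf, sample_reply, sizeof buf);
    buf[ETH_HDR_LEN + 10] ^= 0x01;
    return dissect_echo(&h, buf, &e);
}

/* A snaplen that cut the capture off inside the ICMP header. */
int demo_truncated(void) {
    struct cap_hdr h = { 36 };
    struct echo_info e;
    return dissect_echo(&h, sample_reply, &e);
}

/* The checksum libnet would autofill for this IPv4 header when given sum = 0. */
uint16_t demo_compute_checksum(void) {
    uint8_t ip[20];
    memcpy(ip, sample_reply + ETH_HDR_LEN, sizeof ip);
    ip[10] = ip[11] = 0;
    return ipv4_checksum(ip, sizeof ip);
}

int main(void) {
    struct echo_info e;
    if (demo_parse(&e) == 0)
        printf("%u bytes from %u.%u.%u.%u: icmp_seq=%u ttl=%u\n", e.ip_len,
               e.src_ip >> 24, (e.src_ip >> 16) & 0xff, (e.src_ip >> 8) & 0xff, e.src_ip & 0xff,
               e.icmp_seq, e.ttl);
    printf("corrupted checksum -> %d, truncated capture -> %d, autofill value -> 0x%04x\n",
           demo_bad_checksum(), demo_truncated(), demo_compute_checksum());
    return 0;
}
```

In a real pcap_loop() callback the struct pcap_pkthdr passed to the handler supplies caplen; dissect_echo() would be called with that value, and a snaplen smaller than 42 (for example one chosen to save buffer space) produces the truncated case rather than a read past the end of the capture buffer.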