Re: [ilugd] Reading TCP packets
> I'm wondering why iptables logging and dropping packets from the particular src wouldn't work. I'm probably missing something basic here...

If you are hoping / trying to capture layer 2/3 data at layer 7, forget it. You can't. You can install wireshark and capture TCP data to your heart's content.

regards,
--Naresh

___
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] Reading TCP packets
Raj Mathur [EMAIL PROTECTED] writes:

> OK, let me rephrase -- even if you can have packets for two different applications arriving on the same TCP port, actually doing so would be going against one of the basic design tenets of IP (the unique address/protocol/port identifier). I'd strongly recommend against such a setup. Apart from being totally incomprehensible to anyone else (or even to yourself 6 months after you set it up), it'll be impossible to replicate properly, and extremely fragile -- you don't write applications that break when a client upgrade changes the value of one bit in a packet somewhere.

Is it fragile if iptables marks the packets in, say, unused bits of the ToS settings of the TCP/IP packet just after the generator sends it? (I'm assuming this tag will traverse the net without problems so it can be filtered according to ToS by iptables at the other end - I don't know how that may work in practice - it seems convenient. I'm sure you have a better idea than I do.)

> All in all, a horribly dirty hack which I personally wouldn't touch with a 20-metre barge pole.

If it's documented how the marking is done and it traverses without causing hiccups, then it looks like a pretty clean hack (iptables being the only place the implementor has to do stuff), given the conditions the original poster has to follow. I'm almost inspired to test it out myself...

PJ
Re: [ilugd] Reading TCP packets
PJ writes:

> Raj Mathur [EMAIL PROTECTED] writes:
>
>> OK, let me rephrase -- even if you can have packets for two different applications arriving on the same TCP port, actually doing so would be going against one of the basic design tenets of IP (the unique address/protocol/port identifier). I'd strongly recommend against such a setup. Apart from being totally incomprehensible to anyone else (or even to yourself 6 months after you set it up), it'll be impossible to replicate properly, and extremely fragile -- you don't write applications that break when a client upgrade changes the value of one bit in a packet somewhere.
>
> Is it fragile if iptables marks the packets in, say, unused bits of the ToS settings of the TCP/IP packet just after the generator sends it? (I'm assuming this tag will traverse the net without problems so it can be filtered according to ToS by iptables at the other end - I don't know how that may work in practice - it seems convenient. I'm sure you have a better idea than I do.)

Yes, this seems a good hack, but you need iptables (or pf or some other intelligent firewall) at the end of the packet generating device, or the packet generating device should be configurable to allow the user to set the ToS byte. Never thought unused ToS bits could be used this way :) .

OR the other hack would be to filter on the basis of source address:source port (provided the IPv4 address and TCP port used for sending packets from the packet generator are static) of the packets.

Ashish
Re: [ilugd] Reading TCP packets
Raj Mathur [EMAIL PROTECTED] writes:

>> How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages?
>
> You can't.

I'm wondering why iptables logging and dropping packets from the particular src wouldn't work. I'm probably missing something basic here...

PJ
Re: [ilugd] Reading TCP packets
On Friday 25 Jul 2008, PJ wrote:

> Raj Mathur [EMAIL PROTECTED] writes:
>
>>> How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages?
>>
>> You can't.
>
> I'm wondering why iptables logging and dropping packets from the particular src wouldn't work. I'm probably missing something basic here...

OK, let me rephrase -- even if you can have packets for two different applications arriving on the same TCP port, actually doing so would be going against one of the basic design tenets of IP (the unique address/protocol/port identifier). I'd strongly recommend against such a setup. Apart from being totally incomprehensible to anyone else (or even to yourself 6 months after you set it up), it'll be impossible to replicate properly, and extremely fragile -- you don't write applications that break when a client upgrade changes the value of one bit in a packet somewhere.

All in all, a horribly dirty hack which I personally wouldn't touch with a 20-metre barge pole.

Regards,

-- Raju
--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance Chill: http://schizoid.in/ || It is the mind that moves
Re: [ilugd] Reading TCP packets
SSH tunneling or SSH port forwarding might help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudev Barar
Sent: Wednesday, July 23, 2008 3:55 PM
Subject: [ilugd] Reading TCP packets

This may not be the correct place, but collective wisdom can perhaps point me to a good resource. I have a remote device that is generating data and is sending it as a TCP packet to a designated IP:Port. If I open and set a non-standard port I am able to receive the packets using a listener. The problem is that the host where I have to move this project allows listening only on port 80 (apache), port 25/110 (mail) or port 22 (ssh).

How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages? My google time continues to turn up inconclusive leads.

--
Regards,
Sudev Barar
Read http://blog.sudev.in for topics ranging from here to there.

PS: I know most people do not follow email niceties (mostly they are not aware), but if you follow the bottom-post/in-line-post style of email conversation it becomes a whole lot easier to carry on a meaningful dialogue, and you can snip out what is not meaningful too. Most people just hit the reply button and top-post, leaving the prior message appended uselessly at the bottom. See if you can adopt this style and persuade others. In case you are already doing this: great, spread the message.
[ilugd] Reading TCP packets
This may not be the correct place, but collective wisdom can perhaps point me to a good resource. I have a remote device that is generating data and is sending it as a TCP packet to a designated IP:Port. If I open and set a non-standard port I am able to receive the packets using a listener. The problem is that the host where I have to move this project allows listening only on port 80 (apache), port 25/110 (mail) or port 22 (ssh).

How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages? My google time continues to turn up inconclusive leads.

--
Regards,
Sudev Barar
Read http://blog.sudev.in for topics ranging from here to there.
Re: [ilugd] Reading TCP packets
Sudev Barar writes:

> This may not be the correct place, but collective wisdom can perhaps point me to a good resource. I have a remote device that is generating data and is sending it as a TCP packet to a designated IP:Port. If I open and set a non-standard port I am able to receive the packets using a listener. The problem is that the host where I have to move this project allows listening only on port 80 (apache), port 25/110 (mail) or port 22 (ssh).

I'm a bit confused. Is your remote device, say XYZ, sending TCP packets to $IP:$PORT, and you want your listener app, say ABC, to listen on $IP:$PORT to record all the data that XYZ is sending, hmm...? And your listening app can only listen on TCP ports 22, 25, 80, 110, right?

> How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages?

Do you care about the payload of those TCP packets, or the packet headers also? If the former, then you can do that with netcat (listening on any of your desired ports).

-8<--8<-
#!/bin/sh
# Capture every incoming connection's payload to a fresh, timestamped file.
# Uses netcat-traditional flags: -l listen, -p local port, -s local address.
while true ; do
    CAPFILE="/capdir/$(date +%d%m%Y_%H%M%S)"
    nc -l -p "$DESIRED_PORT" -s "$IP_ADDRESS_I_WANT_TO_LISTEN_ON" > "$CAPFILE"
done
-8<--8<-

And if you log packet headers also, you've two options: tcpdump (with the -w switch) or an iptables rule (with the LOG target).

Happy logging :)
Re: [ilugd] Reading TCP packets
On Wed, Jul 23, 2008 at 3:55 PM, Sudev Barar [EMAIL PROTECTED] wrote:

> This may not be the correct place, but collective wisdom can perhaps point me to a good resource. I have a remote device that is generating data and is sending it as a TCP packet to a designated IP:Port. If I open and set a non-standard port I am able to receive the packets using a listener. The problem is that the host where I have to move this project allows listening only on port 80 (apache), port 25/110 (mail) or port 22 (ssh).
>
> How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages?

So, are you saying you want two applications (apache and some other application) sharing the TCP port? I don't think that would be possible without some scary hacks. I don't know the nature of the data that your remote device is generating, but can you write a script (cgi perhaps) running under apache that distinguishes between an HTTP request and the remote device request and, depending on that, passes on control?

--
http://nomadicrider.com/
Re: [ilugd] Reading TCP packets
On 23/07/2008, Ashish Shukla आशीष शुक्ल [EMAIL PROTECTED] wrote:

>> I have a remote device that is generating data and is sending it as a TCP packet to a designated IP:Port. If I open and set a non-standard port I am able to receive the packets using a listener. The problem is that the host where I have to move this project allows listening only on port 80 (apache), port 25/110 (mail) or port 22 (ssh).
>
> I'm a bit confused. Is your remote device, say XYZ, sending TCP packets to $IP:$PORT, and you want your listener app, say ABC, to listen on $IP:$PORT to record all the data that XYZ is sending, hmm...? And your listening app can only listen on TCP ports 22, 25, 80, 110, right?

The app can listen on all ports, but the firewall does not allow anything but these ports to be opened.

>> How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages?
>
> Do you care about the payload of those TCP packets, or the packet headers also? If the former, then you can do that with netcat (listening on any of your desired ports).
>
> -8<--8<-
> #!/bin/sh
> while true ; do
>     CAPFILE="/capdir/$(date +%d%m%Y_%H%M%S)"
>     nc -l -p "$DESIRED_PORT" -s "$IP_ADDRESS_I_WANT_TO_LISTEN_ON" > "$CAPFILE"
> done
> -8<--8<-
>
> And if you log packet headers also, you've two options: tcpdump (with the -w switch) or an iptables rule (with the LOG target).

Thanks for the info and pointers. My confusion is that with apache running a web service on port 80, how will the system distinguish between an HTTP request and a TCP packet for listening?

--
Regards,
Sudev Barar
Read http://blog.sudev.in for topics ranging from here to there.
Re: [ilugd] Reading TCP packets
Sudev Barar writes:

> Thanks for the info and pointers. My confusion is that with apache running a web service on port 80, how will the system distinguish between an HTTP request and a TCP packet for listening?

You've to take one of the services (httpd, pop3d, sshd, smtpd) down.

OR

Put some kind of proxy in front of the services which will do some protocol checks on the data and pass the data to the appropriate service.

OR

You've to use iptables's 'string' and 'state' extensions to match NEW connections with 'GET|PUT|HEAD|POST|DELETE /' strings in them, and then DNAT or REDIRECT them to the desired internal port (on which httpd or nc is listening). Once the connection is established, you can allow all packets of that connection using the 'state' extension to match ESTABLISHED,RELATED packets. BTW, I've never tried such a thing, so I'm not sure whether this will work or not.

Quoting from iptables(8):

-8<--8<-
string
    This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.

    --algo bm|kmp
        Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
    --from offset
        Set the offset from which it starts looking for any matching. If not passed, default is 0.
    --to offset
        Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
    --string pattern
        Matches the given pattern.
    --hex-string pattern
        Matches the given pattern in hex notation.
-8<--8<-

In case your service also sends data similar to HTTP requests, then you've to figure out some other way.

HTH
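A front proxy of the kind the second option above describes, added here as an example (it is not code from the thread or from any of the posters): it peeks at the first bytes of each new connection on the one allowed port, applies the same request-line test the iptables 'string' rule would ('GET|PUT|HEAD|POST|DELETE /'), forwards HTTP to the web server's internal port, and writes everything else to a timestamped capture file like the netcat loop earlier in the thread. The listen address, backend port and capture directory are assumptions.

```python
import os
import socket
import threading
import time

# Assumed (not from the thread): public port, web server's internal port, capture dir.
LISTEN_ADDR = ("0.0.0.0", 80)
HTTP_BACKEND = ("127.0.0.1", 8080)
CAPDIR = "/capdir"
# The same request-line prefixes the iptables 'string' match in the thread keys on.
HTTP_METHODS = (b"GET ", b"PUT ", b"HEAD ", b"POST ", b"DELETE ")

def classify(first_bytes):
    """'http' if the opening bytes look like an HTTP request line, else 'device'.
    Only the stream start is inspected, as the iptables rule in the thread does."""
    head = first_bytes.lstrip(b"\r\n")  # RFC 7230 lets clients send a leading CRLF
    return "http" if head.startswith(HTTP_METHODS) else "device"

def pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client):
    client.settimeout(5)  # a silent client must not pin a thread forever
    try:
        first = client.recv(4096, socket.MSG_PEEK)  # peek: bytes stay queued
    except socket.timeout:
        first = b""
    client.settimeout(None)
    if classify(first) == "http":
        backend = socket.create_connection(HTTP_BACKEND)
        t = threading.Thread(target=pipe, args=(backend, client), daemon=True)
        t.start()
        pipe(client, backend)  # unmodified request stream, peeked bytes included
        t.join()  # let the response finish before closing the client side
        backend.close()
    else:
        # Device traffic: record the raw payload, one file per connection.
        path = os.path.join(CAPDIR, time.strftime("%d%m%Y_%H%M%S") + ".bin")
        with open(path, "ab") as f:
            while chunk := client.recv(65536):
                f.write(chunk)
    client.close()

if __name__ == "__main__":
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(LISTEN_ADDR)
    srv.listen(64)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

Anything that does not open with one of those method prefixes, including port scanners and malformed requests, ends up in the capture files, so treat their contents as untrusted input when you parse them.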
Re: [ilugd] Reading TCP packets
On 23/07/2008, Ashish Shukla आशीष शुक्ल [EMAIL PROTECTED] wrote:

> In case your service also sends data similar to HTTP requests, then you've to figure out some other way.

Fortunately not. Let me try this; thanks for the pointers and help.

--
Regards,
Sudev Barar
Read http://blog.sudev.in for topics ranging from here to there.
Re: [ilugd] Reading TCP packets
On Wednesday 23 Jul 2008, Sudev Barar wrote:

> This may not be the correct place, but collective wisdom can perhaps point me to a good resource. I have a remote device that is generating data and is sending it as a TCP packet to a designated IP:Port. If I open and set a non-standard port I am able to receive the packets using a listener. The problem is that the host where I have to move this project allows listening only on port 80 (apache), port 25/110 (mail) or port 22 (ssh).
>
> How can I set up apache or iptables to log incoming data packets while at the same time allowing apache to serve web pages?

You can't.

Regards,

-- Raju