以下ã®ã‚¨ãƒ³ãƒˆãƒªã¯ä¸€éƒ¨èª¤èªãŒå«ã¾ã‚Œã¦ã„ãŸã®ã§ã€ä¸Šè¨˜ã‚¨ãƒ³ãƒˆãƒªã«ãã®æ—¨ã‚’ã¾ã¨ã‚ã¾ã—ãŸã®ã§å¾¡è¦§ãã ã•ã„。
ã¨ã‚る事情ã§ãƒŸãƒ‰ãƒ«ã‚¦ã‚§ã‚¢ä¸Šã‹ã‚‰é«˜é€Ÿã«ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã®ãƒãƒ¼ãƒˆã®Listenãƒã‚§ãƒƒã‚¯ã‚’ã—ãŸããªã‚Šã¾ã—ãŸã€‚ãƒãƒ¼ã‚«ãƒ«ãƒ›ã‚¹ãƒˆã®ãƒãƒ¼ãƒˆã§ã‚ã‚Œã°ã€/procã‚„netlinkãªã©ã‚’使ã£ã¦ç´ æ—©ããƒã‚§ãƒƒã‚¯ã™ã‚‹æ–¹æ³•ãŒã‚ã‚Šã¾ã™ãŒã€ä»Šå›žã¯å¯¾è±¡ãŒãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆãªã®ã§ã‚½ã‚±ãƒƒãƒˆã§ãªã‚“ã¨ã‹ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
ãã“ã§ã€èª°ã‚‚ãŒã¾ãšæ€ã„ã¤ãã®ã¯ã€connect()システムコールã«ã‚ˆã£ã¦ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã®ãƒãƒ¼ãƒˆã«æŽ¥ç¶šã—ã«ã„ã£ã¦ã€connectã§ãã‚Œã°OKã€ã§ããªã‘ã‚Œã°NGã¨åˆ¤å®šã™ã‚‹æ–¹æ³•ãŒã‚ã‚Šå¾—ã‚‹ã§ã—ょã†ã€‚ï¼ˆé«˜è² è·æ™‚ã«æŽ¥ç¶šã§ããªã„パターンã¯Listenã—ã¦ã„ãªã„ã¨åˆ¤å®šã—ã¦ã‚ˆã„)
ãã“ã§ä¸€æ—¦ã€æœ€ä½Žé™socket()システムコールã¨connect()システムコールã§æŽ¥ç¶šã™ã‚‹æ™‚ã®ãƒ‘ケットをtcpdumpã§çœºã‚ã¦ã¿ã¾ã™ã€‚
06:35:01.857749 IP (tos 0x0, ttl 64, id 27212, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.47498 > 127.0.0.1.53: Flags [S], cksum 0xfe30 (incorrect -> 0x73a5), seq 3957461550, win 43690, options [mss 65495,sackOK,TS val 22509666 ecr 0,nop,wscale 7], length 0
06:35:01.857757 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.53 > 127.0.0.1.47498: Flags [S.], cksum 0xfe30 (incorrect -> 0x2020), seq 2210551288, ack 3957461551, win 43690, options [mss 65495,sackOK,TS val 22509666 ecr 22509666,nop,wscale 7], length 0
06:35:01.857765 IP (tos 0x0, ttl 64, id 27213, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47498 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0xf264), seq 1, ack 1, win 342, options [nop,nop,TS val 22509666 ecr 22509666], length 0
06:35:01.858468 IP (tos 0x0, ttl 64, id 36578, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.47500 > 127.0.0.1.53: Flags [S], cksum 0xfe30 (incorrect -> 0xeada), seq 2421749376, win 43690, options [mss 65495,sackOK,TS val 22509666 ecr 0,nop,wscale 7], length 0
06:35:01.858474 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.53 > 127.0.0.1.47500: Flags [S.], cksum 0xfe30 (incorrect -> 0x77bf), seq 3628867844, ack 2421749377, win 43690, options [mss 65495,sackOK,TS val 22509666 ecr 22509666,nop,wscale 7], length 0
06:35:01.858539 IP (tos 0x0, ttl 64, id 36579, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47500 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0x4a04), seq 1, ack 1, win 342, options [nop,nop,TS val 22509666 ecr 22509666], length 0
06:35:01.858754 IP (tos 0x0, ttl 64, id 41537, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.47502 > 127.0.0.1.53: Flags [S], cksum 0xfe30 (incorrect -> 0x8919), seq 242604579, win 43690, options [mss 65495,sackOK,TS val 22509666 ecr 0,nop,wscale 7], length 0
06:35:01.858759 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.53 > 127.0.0.1.47502: Flags [S.], cksum 0xfe30 (incorrect -> 0x854e), seq 71402943, ack 242604580, win 43690, options [mss 65495,sackOK,TS val 22509666 ecr 22509666,nop,wscale 7], length 0
06:35:01.858765 IP (tos 0x0, ttl 64, id 41538, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47502 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0x5793), seq 1, ack 1, win 342, options [nop,nop,TS val 22509666 ecr 22509666], length 0
ãµã‚€ã‚€ã‚€ã€connectæˆåŠŸæ™‚ã¯9パケットã®ãƒ‘ケットé€å—ä¿¡ãŒç™ºç”Ÿã—ã¦ã„ã¾ã™ã。ã“れを見るã¨ã€ãƒãƒ¼ãƒˆã®ãƒã‚§ãƒƒã‚¯ã ã‘ã‚’ã—ãŸã„ã®ã«9パケットã£ã¦ã€6パケット分ãらã„ã¯ç„¡é§„ã«æ„Ÿã˜ã¾ã™ã‚ˆã。TCPã®3wayhandshakeçš„ã«ã¯ã€synパケットé€ã£ã¦syn+ackãŒã‹ãˆã£ã¦ã“ã‚Œã°ãã‚Œã§åŸºæœ¬ã¯Listenã—ã¦ã„ã‚‹ã¨ã¿ãªã›ã‚‹ã®ã ã‹ã‚‰ã€synパケットé€ä¿¡â†’syn+ackパケットå—信→rstパケットé€ä¿¡ã€ã®3パケットã§å分ãªã‚ã‘ã§ã™ã€‚ãã‚Œã ã£ãŸã‚‰ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã«ç°¡æ˜“TCPスタックを自作ã—ã¦ã€synパケットを作ã£ã¦RAWソケットを介ã—ã¦æˆ»ã‚Šã®ãƒ‘ケットをå—ä¿¡ã—ã¦ã‚„ã‚Œã°è‰¯ã„ã‚ã‘ã§ã™ã。
2017/02/13追記
@matsumotory 記事冒é ã®9パケット発生ã—ã¦ã„るパケットã®ãƒ€ãƒ³ãƒ—ãªã‚“ã§ã™ã‘ã©ã€ãƒãƒ¼ã‚«ãƒ«ãƒãƒ¼ãƒˆã‚’変ãˆãªãŒã‚‰3回ãƒãƒ³ãƒ‰ã‚·ã‚§ã‚¤ã‚¯ã—ã¦ã„るよã†ã«è¦‹ãˆã‚‹ã®ã§ã™ãŒè²¼ã‚Šé–“é•ãˆã ã£ãŸã‚Šã—ã¾ã™ã‹..?
— ã¿ã‚„ã³ (@pandax381) 2017å¹´2月13æ—¥
ã«ã‚ˆã‚‹æŒ‡æ‘˜ã®é€šã‚Šã€å®Ÿéš›ã¯æ™®é€šã«connectã—ã¦closeã™ã‚‹ã¨ä»¥ä¸‹ã®ã‚ˆã†ãªtcpdumpã§ã—ãŸã€‚全部ã§æ™®é€šã¯6パケットã§ã™ã。
09:13:59.353115 IP (tos 0x0, ttl 64, id 45250, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.47536 > 127.0.0.1.53: Flags [S], cksum 0xfe30 (incorrect -> 0xd259), seq 3532090005, win 43690, options [mss 65495,sackOK,TS val 24894039 ecr 0,nop,wscale 7], length 0
09:13:59.353128 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.53 > 127.0.0.1.47536: Flags [S.], cksum 0xfe30 (incorrect -> 0x4130), seq 394239430, ack 3532090006, win 43690, options [mss 65495,sackOK,TS val 24894039 ecr 24894039,nop,wscale 7], length 0
09:13:59.353140 IP (tos 0x0, ttl 64, id 45251, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47536 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0x1375), seq 1, ack 1, win 342, options [nop,nop,TS val 24894039 ecr 24894039], length 0
09:14:04.641694 IP (tos 0x0, ttl 64, id 45252, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47536 > 127.0.0.1.53: Flags [F.], cksum 0xfe28 (incorrect -> 0x0e49), seq 1, ack 1, win 342, options [nop,nop,TS val 24895362 ecr 24894039], length 0
09:14:04.642176 IP (tos 0x0, ttl 64, id 18320, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.53 > 127.0.0.1.47536: Flags [F.], cksum 0xfe28 (incorrect -> 0x091d), seq 1, ack 2, win 342, options [nop,nop,TS val 24895362 ecr 24895362], length 0
09:14:04.642189 IP (tos 0x0, ttl 64, id 45253, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47536 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0x091d), seq 2, ack 2, win 342, options [nop,nop,TS val 24895362 ecr 24895362], length 0
ユーザランドã«ç°¡æ˜“TCPスタックを作る
IPヘッダやTCPãƒ˜ãƒƒãƒ€ã‚’æ§‹é€ ä½“ã§å®šç¾©ã™ã‚‹ãŸã‚ã«ã€æœ€åˆã¯ä»¥ä¸‹ã®ã‚ˆã†ãªæ§‹é€ 体を自å‰ã§ä½œã£ã¦ãƒ‘ケットを作ã£ã¦ã„ã¾ã—ãŸã€‚
#pragma pack(1) struct tcp { __extension__ union { struct { u_int16_t src_port; u_int16_t dst_port; u_int32_t seq; u_int32_t ack; #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ u_int8_t dummy : 4; u_int8_t offset : 4; #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ u_int8_t offset : 4; u_int8_t dummy : 4; #endif u_int8_t flags; u_int16_t win_size; u_int16_t cksum; u_int16_t urg_ptr; }; }; }
ã¡ã‚‡ã†ã©synパケットãŒé€ã‚Œã‚‹ã‚ˆã†ã«ãªã£ã¦ããŸæ™‚ãらã„ã«ã€ã‚ˆãよã調ã¹ã¦ã„ãã¨#include <netinet/ip.h>ã‚„#include <netinet/tcp.h>ã‚ãŸã‚Šã«IPヘッダやTCPヘッダã®æ§‹é€ 体ãŒæ—¢ã«å®šç¾©æ¸ˆã¿ã§ã€ãれを使ã£ãŸæ–¹ãŒã ã„ã¶æ¥½ã ã¨ã„ã†ã“ã¨ãŒåˆ†ã‹ã£ãŸã®ã§ã€ãれらã®ãƒ˜ãƒƒãƒ€ãƒ•ã‚¡ã‚¤ãƒ«ã‚’利用ã—ã¾ã™ã€‚
以下ã®ã‚ˆã†ã«ã€RAWソケットを作ã£ã¦ã€IPヘッダやTCPヘッダを自å‰ã§å®šç¾©ã—ã¦ãƒ‘ケットをé€ã‚Šã¤ã‘ã¾ã™ã€‚ãã‚Œã«ã‚ˆã£ã¦ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã§é€å—ä¿¡ã™ã‚‹ãƒ‡ãƒ¼ã‚¿ã«ã‚‚TCP/IPヘッダãŒå«ã¾ã‚Œã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚概ã以下ã®ã‚ˆã†ã«æ›¸ãã“ã¨ã«ãªã‚Šã¾ã™ã€‚
int s; int src_port, dst_port; char *dst_host; char packet[4096]; char source_ip[20]; struct sockaddr_in dest; struct pseudo_header psh; struct iphdr *iph = (struct iphdr *)packet; struct tcphdr *tcph = (struct tcphdr *)(packet + sizeof(struct ip)); int flag = 1; const int *val = &flag; src_port = 54321; dst_host = argv[1]; dst_port = atoi(argv[2]); s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); if (s < 0) { ERROR("socket"); } if (inet_addr(dst_host) != -1) { dest_ip.s_addr = inet_addr(dst_host); } else { char *ip = hostname_to_ip(dst_host); if (ip != NULL) { printf("%s resolved to %s\n", dst_host, ip); dest_ip.s_addr = inet_addr(hostname_to_ip(dst_host)); } else { printf("Unable to resolve hostname: %s", dst_host); exit(1); } } local_ip(source_ip); memset(packet, 0, 4096); iph->ihl = 5; iph->version = 4; iph->tos = 0; iph->tot_len = sizeof(struct ip) + sizeof(struct tcphdr); iph->id = htons(54321); iph->frag_off = htons(16384); iph->ttl = 64; iph->protocol = IPPROTO_TCP; iph->check = 0; iph->saddr = inet_addr(source_ip); iph->daddr = dest_ip.s_addr; iph->check = cksum((unsigned short *)packet, iph->tot_len >> 1); tcph->source = htons(src_port); tcph->dest = htons(80); tcph->seq = htonl(1105024978); tcph->ack_seq = 0; tcph->doff = sizeof(struct tcphdr) / 4; tcph->fin = 0; tcph->syn = 1; tcph->rst = 0; tcph->psh = 0; tcph->ack = 0; tcph->urg = 0; tcph->window = htons(14600); tcph->check = 0; tcph->urg_ptr = 0; if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof(flag)) < 0) { printf("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n", errno, strerror(errno)); exit(0); } dest.sin_family = AF_INET; dest.sin_addr.s_addr = dest_ip.s_addr; dest.sin_port = ntohs(tcph->dest); tcph->dest = htons(dst_port); tcph->check = 0; psh.source_address = inet_addr(source_ip); psh.dest_address = dest.sin_addr.s_addr; psh.placeholder = 0; psh.protocol = IPPROTO_TCP; psh.tcp_length = htons(sizeof(struct tcphdr)); memcpy(&psh.tcp, tcph, sizeof(struct tcphdr)); tcph->check = cksum((unsigned short *)&psh, sizeof(struct pseudo_header)); if (sendto(s, packet, sizeof(struct iphdr) + sizeof(struct tcphdr), 0, (struct sockaddr *)&dest, sizeof(dest)) < 0) { ERROR("sendto"); }
IPヘッダã¨TCPヘッダã®æ§‹é€ 体ãŠã‚ˆã³ãƒ˜ãƒƒãƒ€ã‚µã‚¤ã‚ºã«æ°—ã‚’ã¤ã‘ãªãŒã‚‰packetãƒãƒƒãƒ•ã‚¡ä¸Šã®ãƒã‚¤ãƒ³ã‚¿ã®ä½ç½®ã‚’移動ã•ã›ã€IPãŠã‚ˆã³TCPヘッダを定義ã—ã¦ã„ãã¾ã™ã€‚今回ã¯ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆãŒ80ãƒãƒ¼ãƒˆã‚’Listenã—ã¦ã„ã‚‹ã‹ã‚’ãƒã‚§ãƒƒã‚¯ã™ã‚‹ãŸã‚ã«ã€ãれらã®æƒ…å ±ã¨synフラグを立ã¦ãŸTCPヘッダを作りã¾ã—ãŸã€‚ã¾ãŸã€IPヘッダãŠã‚ˆã³TCPヘッダも以下ã®ã‚ˆã†ã«è¨ˆç®—ã—ã¾ã™ã€‚ãƒã‚§ãƒƒã‚¯ã‚µãƒ ã«ã¤ã„ã¦ã¯ä»Šå›žã¯æµã‚Œã‚’説明ã™ã‚‹ãŸã‚詳細をçœç•¥ã—ã¾ã™ã€‚ã‚°ã‚°ã‚‹ã¨æ²¢å±±ã§ã¦ãã¾ã™ã®ã§ã€‚
unsigned short cksum(unsigned short *ptr, int nbytes) { register long sum; unsigned short oddbyte; register short answer; sum = 0; while (nbytes > 1) { sum += *ptr++; nbytes -= 2; } if (nbytes == 1) { oddbyte = 0; *((u_char *)&oddbyte) = *(u_char *)ptr; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xffff); sum = sum + (sum >> 16); answer = (short)~sum; return (answer); }
ãã—ã¦ã€ãƒ‘ケットを作るã“ã¨ãŒã§ããŸã‚‰ã€ãれをsendto()システムコールã«ã‚ˆã£ã¦é€ä¿¡ã—ã¾ã™ã€‚ã“ã‚Œã§ã€ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã«å¯¾ã—ã¦synフラグã®ãŸã£ãŸãƒ‘ケットをユーザランドã§ä½œã£ã¦é€ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
実際ã«ä¸Šè¨˜ã®ã‚ˆã†ãªãƒ‘ケットã®ä½œã‚Šæ–¹ã§tcpdumpを見るã¨ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
06:54:15.278121 IP (tos 0x0, ttl 64, id 54321, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.15.54321 > 10.0.2.15.80: Flags [S], cksum 0xf08b (correct), seq 1105024978, win 14600, length 0
ã¡ã‚ƒã‚“ã¨synパケットをé€ã‚Œã¦ã„ã¾ã™ã。
後ã¯synã¨ackã®ãƒ•ãƒ©ã‚°ãŒç«‹ã£ãŸãƒ‘ケットをåŒæ§˜ã«recvfrom()ã™ã‚Œã°è‰¯ã„ã ã‘….ã¨ãªã‚Šã¾ã™ãŒã€ã“ã“ã§å¤§ããªå•é¡ŒãŒç™ºç”Ÿã—ã¾ã™ã€‚
カーãƒãƒ«ã®TCPスタックã«é‚ªé”ã•ã‚Œã‚‹
RAWソケットを介ã—ã¦ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã§è‡ªå‰ã§ä½œã£ãŸãƒ‘ケットをé€ä¿¡ã—ã€ãã®å¾Œãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã‹ã‚‰è¿”ã‚Šã®ãƒ‘ケットをå—ä¿¡ã™ã‚‹å ´åˆã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã®TCPスタックã ã‘ã§ãªãカーãƒãƒ«ã®TCPスタックも通éŽã™ã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã€‚ã™ã‚‹ã¨ã€ã‚«ãƒ¼ãƒãƒ«ã®TCPスタックã¯ã“ã‚“ãªè¿”ã‚Šã®ãƒ‘ケット知らãªã„ï¼ã¨ã„ã£ã¦ã€ä¸è¦ãªãƒ‘ケットã¨ã¿ãªã—rstフラグã®ãŸã£ãŸãƒ‘ケットを返ã—ã¦ã„ã—ã¾ã„ã¾ã™ã€‚実際ã«RAWソケットã§synパケットをé€ã£ãŸå¾Œã®tcpdumpã®å‡ºåŠ›ã—ã¦ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
06:54:15.278121 IP (tos 0x0, ttl 64, id 54321, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.15.54321 > 10.0.2.15.80: Flags [S], cksum 0xf08b (correct), seq 1105024978, win 14600, length 0
06:54:15.278133 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
10.0.2.15.80 > 10.0.2.15.54321: Flags [S.], cksum 0x183c (incorrect -> 0xbe01), seq 1991915580, ack 1105024979, win 43690, options [mss 65495], length 0
06:54:15.278139 IP (tos 0x0, ttl 64, id 45579, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.15.54321 > 10.0.2.15.80: Flags [R], cksum 0x2991 (correct), seq 1105024979, win 0, length 0
ã“ã‚Œã¯ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰å´ã§TCP/IPヘッダをå«ã‚€ãƒ‘ケットをrecvfrom()ã—ãªãã¦ã‚‚発生ã—ã¾ã™ã€‚ã¨ã„ã†ã®ã‚‚ã€ã‚«ãƒ¼ãƒãƒ«ã®TCPスタックãŒå…ˆã«rstパケットをé€ã£ã¦ã—ã¾ã£ã¦ã„ã‚‹ãŸã‚ã§ã™ã€‚ãã†ãªã‚‹ã¨ã€ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã¯é€šä¿¡ãŒçµ‚了ã—ãŸã“ã¨ã«ãªã‚Šã€ãã®å¾Œã«ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã®TCPスタックã‹ã‚‰recvfromã—ãŸã¨ã—ã¦ã‚‚接続ã¯åˆ‡ã‚Œã¦ã„ã‚‹ã¨åˆ¤å®š(返り値0)ã•ã‚Œã€ãƒ‘ケットをå—ä¿¡ã§ããªããªã‚Šã¾ã™ã€‚çµæžœã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰TCPスタック上ã§syn+ackパケットãŒè¿”ã£ã¦ããŸã“ã¨ãŒåˆ¤å®šã§ãã¾ã›ã‚“。
ãã“ã§ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã§ã‚‚ãれを知る方法ã¨ã—ã¦ä»¥ä¸‹ã®2ã¤ã®æˆ¦ç•¥ãŒã‚ã‚Šãˆã¾ã™ã€‚
- カーãƒãƒ«ã®TCPスタックãŒrstã‚’é€ã‚‹ã‚ˆã‚Šã‚‚速ãユーザランドã§ãƒ‘ケットをå—ä¿¡ã™ã‚‹
- ユーザランドã®TCPスタックã§ãƒ‘ケットを処ç†ã—ãªãŒã‚‰BPF経由ã§ãƒ‘ケットをモニタリングã™ã‚‹
ã§ã¯ã€ãã‚Œãžã‚Œã®æ–¹é‡ã§å®Ÿè£…を進ã‚ã¦ã¿ã¾ã—ょã†ã€‚
カーãƒãƒ«ã®TCPスタックãŒrstã‚’é€ã‚‹ã‚ˆã‚Šã‚‚速ãユーザランドã§ãƒ‘ケットをå—ä¿¡ã™ã‚‹
パケットãŒã‚«ãƒ¼ãƒãƒ«ã®TCPスタックを登るå‰ã«ã€RAWソケットã¨ã—ã¦ã¯ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰å´ã«ã‚‚コピーã•ã‚Œã‚‹ã¯ãšãªã®ã§ã€ã‚«ãƒ¼ãƒãƒ«ã®TCPスタックã®å‡¦ç†ã‚ˆã‚Šã‚‚å…ˆã«ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰å´ã§ãƒ‘ケットをå—ä¿¡ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ãã“ã§ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã®TCPスタックã§ä½œã£ãŸsynパケットをé€ä¿¡ã™ã‚‹å‰ã«ã€ã‚らã‹ã˜ã‚å—信専用ã®ã‚¹ãƒ¬ãƒƒãƒ‰ã‚’作ã£ã¦å—信処ç†ã‚’ループã•ã›ã¦å¾…æ©Ÿã—ã¦ãŠãã€synパケットé€ä¿¡å¾Œã€è¿”ã‚Šã®ãƒ‘ケットをã§ãã‚‹ã ã‘速ãå—ä¿¡ã§ãるよã†ã«è©¦ã¿ã¦ã¿ã¾ã™ã€‚ãã®å ´åˆã€ä»¥ä¸‹ã®ã‚ˆã†ãªå®Ÿè£…ã«ãªã‚Šã¾ã™ã€‚
pthread_t new_packet_reciever_thread; if (pthread_create(&new_packet_reciever_thread, NULL, new_packet_reciever, NULL) < 0) { ERROR("pthread_create"); } dest.sin_family = AF_INET; dest.sin_addr.s_addr = dest_ip.s_addr; dest.sin_port = ntohs(tcph->dest); tcph->dest = htons(dst_port); tcph->check = 0; psh.source_address = inet_addr(source_ip); psh.dest_address = dest.sin_addr.s_addr; psh.placeholder = 0; psh.protocol = IPPROTO_TCP; psh.tcp_length = htons(sizeof(struct tcphdr)); memcpy(&psh.tcp, tcph, sizeof(struct tcphdr)); tcph->check = cksum((unsigned short *)&psh, sizeof(struct pseudo_header)); if (sendto(s, packet, sizeof(struct iphdr) + sizeof(struct tcphdr), 0, (struct sockaddr *)&dest, sizeof(dest)) < 0) { ERROR("sendto"); } pthread_join(new_packet_reciever_thread, NULL);
æµã‚Œã¨ã—ã¦ã¯ã€ä¸Šè¨˜ã®ã‚ˆã†ã«sendtoå‰ã‹ã‚‰å—信スレッドを走らã›ã¦ãŠãã€ã‚¹ãƒ¬ãƒƒãƒ‰ã®å‡¦ç†ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«å®Ÿè£…ã—ã¦ãŠãã¾ã™ã€‚
/* thread */ void *new_packet_reciever(void *ptr) { int socket_raw, saddr_size, data_size; struct sockaddr saddr; unsigned char *buffer = (unsigned char *)malloc(65536); socket_raw = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); if (socket_raw < 0) { ERROR("socket"); } saddr_size = sizeof(saddr); while (1) { data_size = recvfrom(socket_raw, buffer, 65536, 0, (struct sockaddr *)&saddr, &saddr_size); if (data_size < 0) { ERROR("recvfrom"); } if (found_syn_ack_packet(buffer, data_size)) { printf("found syn_ack packet by new_packet_reciever thread\n"); break; } } close(socket_raw); }
ãã®ä¸Šã§ã€é‹è‰¯ãカーãƒãƒ«ãŒrstã‚’é€ã‚Šãるより速ãsyn+ackパケットをå—ä¿¡ã§ããŸå ´åˆã«ã€ãã‚Œã®ãƒ‘ケットを表示ã™ã‚‹ã‚ˆã†ã«ã—ã¾ã™ã€‚
static int found_syn_ack_packet(unsigned char *buffer, int size) { struct iphdr *iph = (struct iphdr *)buffer; struct sockaddr_in source, dest; unsigned short iphdrlen; if (iph->protocol == 6) { struct iphdr *iph = (struct iphdr *)buffer; iphdrlen = iph->ihl * 4; struct tcphdr *tcph = (struct tcphdr *)(buffer + iphdrlen); memset(&source, 0, sizeof(source)); source.sin_addr.s_addr = iph->saddr; memset(&dest, 0, sizeof(dest)); dest.sin_addr.s_addr = iph->daddr; if (tcph->syn == 1 && tcph->ack == 1 && source.sin_addr.s_addr == dest_ip.s_addr) { ip_capture(buffer); return 1; } else { printf("raw packet recieved. but isn't syn_ack packet\n"); } } return 0; }
ã“ã‚Œã§ã€ç†å±ˆä¸Šã¯ã†ã¾ãã„ããã†ã§ã™ã€‚ã¾ãŸã€TCPスタックåŒå£«ã®å‡¦ç†é€Ÿåº¦ã§ã¯å‹è² ã«ãªã‚‰ãªã„ã¯ãšãªã®ã§ã€TCPスタックã®å‡¦ç†ãŒç„¡è¦–ã§ãã‚‹ã»ã©ã®ãƒ¬ã‚¤ãƒ†ãƒ³ã‚·ãƒ¼ã®ä½Žã„リモートホストã§ã‚ã‚Œã°ã€rstãŒã‚«ãƒ¼ãƒãƒ«ã‹ã‚‰ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã«å±Šã(1往復åŠ)よりも速ãã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã§syn+ackã‚’å—ä¿¡(1往復)ã§ãã‚‹å¯èƒ½æ€§ã¯é«˜ããªã‚Šãã†ã§ã™ã€‚
ユーザランドã®TCPスタックã§ãƒ‘ケットを処ç†ã—ãªãŒã‚‰BPF経由ã§ãƒ‘ケットをモニタリングã™ã‚‹
ã‚‚ã†ä¸€ã¤ã®æˆ¦ç•¥ã¯BPF経由ã§ãƒ‘ケットをモニタリングã™ã‚‹æ–¹æ³•ã§ã™ã€‚一般的ã«ã¯libpcapãªã©ã‚’使ãˆã°ã‚ˆã„ã®ã§ã€æ¯”較的簡å˜ã«å®Ÿè£…ã§ãã‚‹ã§ã—ょã†ã€‚ã‚‚ã¯ã‚„ユーザランドã§ã‚„ã£ã¦ã„ã‚‹ã¨è¨€ã£ã¦ã„ã„ã®ã‹ä¸æ˜Žã§ã™ãŒã€ã¨ã‚Šã‚ãˆãšå®Ÿè£…ã—ã¦ã¿ã¾ã™ã€‚ã“れもã€ä¸€ã¤ç›®ã®æˆ¦ç•¥ã¨åŒæ§˜ã«ãƒ‘ケットを見失ã‚ãªã„よã†ã«äºˆã‚スレッドを動ã‹ã—ã¦ã€ãƒ‘ケットを監視ã™ã‚‹ã‚ˆã†ã«ã—ã¾ã™ã€‚ã¾ãšã¯ã€åŒæ§˜ã«ä»¥ä¸‹ã®ã‚ˆã†ã«ã‚¹ãƒ¬ãƒƒãƒ‰ã‚’作りã¾ã™ã€‚
pthread_t new_packet_capture_run_thread; if (pthread_create(&new_packet_capture_run_thread, NULL, new_packet_capture_run, NULL) < 0) { ERROR("pthread_create"); } dest.sin_family = AF_INET; dest.sin_addr.s_addr = dest_ip.s_addr; dest.sin_port = ntohs(tcph->dest); tcph->dest = htons(dst_port); tcph->check = 0; psh.source_address = inet_addr(source_ip); psh.dest_address = dest.sin_addr.s_addr; psh.placeholder = 0; psh.protocol = IPPROTO_TCP; psh.tcp_length = htons(sizeof(struct tcphdr)); memcpy(&psh.tcp, tcph, sizeof(struct tcphdr)); tcph->check = cksum((unsigned short *)&psh, sizeof(struct pseudo_header)); if (sendto(s, packet, sizeof(struct iphdr) + sizeof(struct tcphdr), 0, (struct sockaddr *)&dest, sizeof(dest)) < 0) { ERROR("sendto"); } pthread_join(new_packet_capture_run_thread, NULL);
recvfromã®ãƒ«ãƒ¼ãƒ—戦略ã¨åŒæ§˜ã§ã™ã。ã•ã‚‰ã«ã€ã‚¹ãƒ¬ãƒƒãƒ‰ä¸Šã§BPFã«ã‚ˆã‚‹ãƒ‘ケットモニタリングを実装ã—ã¾ã™ã€‚
/* thread */ void *new_packet_capture_run(void *ptr) { pcap_t *pd; char errbuf[PCAP_ERRBUF_SIZE]; bpf_u_int32 netp; bpf_u_int32 maskp; struct bpf_program fprog; struct pcap_userdata pud; char *filter = "dst host 10.0.2.15 and src port 80 and dst port 54321"; char *dev = "enp0s3"; int dl = 0; int dl_len = 0; if ((pd = pcap_open_live(dev, 1514, 1, 500, errbuf)) == NULL) { ERROR("pcap_open_live"); } pcap_lookupnet(dev, &netp, &maskp, errbuf); pcap_compile(pd, &fprog, filter, 0, netp); if (pcap_setfilter(pd, &fprog) == -1) { ERROR("pcap_setfilter"); } pcap_freecode(&fprog); dl = pcap_datalink(pd); switch (dl) { case 1: dl_len = 14; break; default: dl_len = 14; break; } pud.l1_len = dl_len; pud.pd = pd; if (pcap_loop(pd, -1, raw_packet_receiver, (u_char *)&pud) < 0) { printf("found syn_ack packet by new_packet_capture_run thread\n"); } }
pcapã§ãƒ‘ケットをフィルタã—ã¤ã¤ã€pcap_loopã§ãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ã—続ã‘ã¾ã™ã€‚ãã®ä¸Šã§ã€ãƒ‘ケットをå—ä¿¡ã—ãŸã‚‰ãã®ãƒ‘ケットã®ãƒ•ãƒ©ã‚°ã‚’解æžã—ã€syn+ackãªãƒ‘ケットã§ã‚ã‚Œã°ã€pcap_loopを抜ã‘ã‚‹ãŸã‚ã«pcap_breakloopを実行ã—ã¾ã™ã€‚ã“ã®ã‚ãŸã‚Šã¯libeventã«ã‚‚ä¼¼ãŸã‚¤ãƒ³ã‚¿ãƒ¼ãƒ•ã‚§ã‚¤ã‚¹ã«ãªã£ã¦ã„ã¾ã™ã。ã“ã®ã‚³ãƒ¼ãƒ‰ã®found_syn_ack_packetã¯recvfromã«ã‚ˆã‚‹å—信スレッドã®ã‚‚ã®ã¨åŒä¸€ã§ã™ã€‚
void raw_packet_receiver(u_char *udata, const struct pcap_pkthdr *pkthdr, const u_char *packet) { struct pcap_userdata *pud = (struct pcap_userdata *)udata; if (found_syn_ack_packet((char *)(packet + pud->l1_len), sizeof(struct ip) + sizeof(struct tcphdr))) { pcap_breakloop(pud->pd); } }
実際ã«è©¦ã—ã¦ã¿ã¾ã—ょã†
実際ã«ã“れらã®ã‚³ãƒ¼ãƒ‰ã‚’å…¨ã¦ã¾ã¨ã‚ãŸã‚‚ã®ãŒä»¥ä¸‹ã«ãªã‚Šã¾ã™ã€‚é•·ã„ã§ã™ã€‚
/* * gcc raw_packet.c -g -lpcap -lpthread -o tcp_port_check * */ #include <stdio.h> #include <string.h> #include <stdint.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <errno.h> #include <netdb.h> #include <arpa/inet.h> #include <netinet/tcp.h> #include <netinet/ip.h> #include <pcap.h> #include <pthread.h> #define ERROR(name) \ perror(name); \ exit(EXIT_FAILURE) struct in_addr dest_ip; struct pcap_userdata { int l1_len; pcap_t *pd; }; struct pseudo_header { unsigned int source_address; unsigned int dest_address; unsigned char placeholder; unsigned char protocol; unsigned short tcp_length; struct tcphdr tcp; }; static void tcp_capture(char *packet) { struct tcphdr *tcphdr; int i; tcphdr = (struct tcphdr *)packet; printf("src port: %d\n", ntohs(tcphdr->source)); printf("dst port: %d\n", ntohs(tcphdr->dest)); printf("sec num: %zu\n", (size_t)ntohl(tcphdr->seq)); printf("ack num: %zu\n", (size_t)ntohl(tcphdr->ack_seq)); printf("reserve : 0x%x\n", tcphdr->res1); printf("offset: 0x%x\n", ntohs(tcphdr->doff)); printf("fin: %x\n", tcphdr->fin); printf("syn: %x\n", tcphdr->syn); printf("rst: %x\n", tcphdr->rst); printf("psh: %x\n", tcphdr->psh); printf("ack: %x\n", tcphdr->ack); printf("urg: %x\n", tcphdr->urg); printf("res2: %x\n", tcphdr->res2); printf("window size: %d\n", ntohs(tcphdr->window)); printf("checksum: 0x%x\n", ntohs(tcphdr->check)); printf("urgent ptr: 0x%x\n", ntohs(tcphdr->urg_ptr)); } static void ip_capture(char *packet) { struct ip *iphdr; iphdr = (struct ip *)packet; printf("ip version: %x\n", iphdr->ip_v); printf("header length: %xbyte\n", iphdr->ip_hl); printf("service type: 0x%.2x\n", iphdr->ip_tos); printf("packet length: �yte\n", ntohs(iphdr->ip_len)); printf("identify: 0x%.4x\n", ntohs(iphdr->ip_id)); printf("flag offset: 0x%.4x\n", ntohs(iphdr->ip_off)); printf("ttl: 0x%.2x\n", iphdr->ip_ttl); switch (iphdr->ip_p) { case 1: printf("protocol: ICMP\n"); break; case 6: printf("protocol: TCP\n"); break; case 17: printf("protocol: UDP\n"); break; default: printf("protocol: 0x%.2x\n", iphdr->ip_p); break; } printf("header checksum: 0x%.4x\n", ntohs(iphdr->ip_sum)); printf("src ipaddress: %s\n", inet_ntoa(iphdr->ip_src)); printf("dst ipaddress: %s\n", inet_ntoa(iphdr->ip_dst)); if (iphdr->ip_p == 6) tcp_capture((char *)(packet + sizeof(struct ip))); } static int found_syn_ack_packet(unsigned char *buffer, int size) { struct iphdr *iph = (struct iphdr *)buffer; struct sockaddr_in source, dest; unsigned short iphdrlen; if (iph->protocol == 6) { struct iphdr *iph = (struct iphdr *)buffer; iphdrlen = iph->ihl * 4; struct tcphdr *tcph = (struct tcphdr *)(buffer + iphdrlen); memset(&source, 0, sizeof(source)); source.sin_addr.s_addr = iph->saddr; memset(&dest, 0, sizeof(dest)); dest.sin_addr.s_addr = iph->daddr; if (tcph->syn == 1 && tcph->ack == 1 && source.sin_addr.s_addr == dest_ip.s_addr) { ip_capture(buffer); return 1; } else { printf("raw packet recieved. but isn't syn_ack packet\n"); } } return 0; } void raw_packet_receiver(u_char *udata, const struct pcap_pkthdr *pkthdr, const u_char *packet) { struct pcap_userdata *pud = (struct pcap_userdata *)udata; if (found_syn_ack_packet((char *)(packet + pud->l1_len), sizeof(struct ip) + sizeof(struct tcphdr))) { pcap_breakloop(pud->pd); } } /* thread */ void *new_packet_capture_run(void *ptr) { pcap_t *pd; char errbuf[PCAP_ERRBUF_SIZE]; bpf_u_int32 netp; bpf_u_int32 maskp; struct bpf_program fprog; struct pcap_userdata pud; char *filter = "dst host 10.0.2.15 and src port 80 and dst port 54321"; char *dev = "enp0s3"; int dl = 0; int dl_len = 0; if ((pd = pcap_open_live(dev, 1514, 1, 500, errbuf)) == NULL) { ERROR("pcap_open_live"); } pcap_lookupnet(dev, &netp, &maskp, errbuf); pcap_compile(pd, &fprog, filter, 0, netp); if (pcap_setfilter(pd, &fprog) == -1) { ERROR("pcap_setfilter"); } pcap_freecode(&fprog); dl = pcap_datalink(pd); switch (dl) { case 1: dl_len = 14; break; default: dl_len = 14; break; } pud.l1_len = dl_len; pud.pd = pd; if (pcap_loop(pd, -1, raw_packet_receiver, (u_char *)&pud) < 0) { printf("found syn_ack packet by new_packet_capture_run thread\n"); } } unsigned short cksum(unsigned short *ptr, int nbytes) { register long sum; unsigned short oddbyte; register short answer; sum = 0; while (nbytes > 1) { sum += *ptr++; nbytes -= 2; } if (nbytes == 1) { oddbyte = 0; *((u_char *)&oddbyte) = *(u_char *)ptr; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xffff); sum = sum + (sum >> 16); answer = (short)~sum; return (answer); } char *hostname_to_ip(char *hostname) { struct hostent *he; struct in_addr **addr_list; int i; if ((he = gethostbyname(hostname)) == NULL) { herror("gethostbyname"); return NULL; } addr_list = (struct in_addr **)he->h_addr_list; for (i = 0; addr_list[i] != NULL; i++) { return inet_ntoa(*addr_list[i]); } return NULL; } int local_ip(char *buffer) { int err; int sock; const char *p; struct sockaddr_in serv; struct sockaddr_in name; socklen_t namelen; sock = socket(AF_INET, SOCK_DGRAM, 0); memset(&serv, 0, sizeof(serv)); serv.sin_family = AF_INET; serv.sin_addr.s_addr = inet_addr("8.8.8.8"); serv.sin_port = htons(53); err = connect(sock, (const struct sockaddr *)&serv, sizeof(serv)); namelen = sizeof(name); err = getsockname(sock, (struct sockaddr *)&name, &namelen); p = inet_ntop(AF_INET, &name.sin_addr, buffer, 100); close(sock); } /* thread */ void *new_packet_reciever(void *ptr) { int socket_raw, saddr_size, data_size; struct sockaddr saddr; unsigned char *buffer = (unsigned char *)malloc(65536); socket_raw = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); if (socket_raw < 0) { ERROR("socket"); } saddr_size = sizeof(saddr); while (1) { data_size = recvfrom(socket_raw, buffer, 65536, 0, (struct sockaddr *)&saddr, &saddr_size); if (data_size < 0) { ERROR("recvfrom"); } if (found_syn_ack_packet(buffer, data_size)) { printf("found syn_ack packet by new_packet_reciever thread\n"); break; } } close(socket_raw); } int main(int argc, char **argv) { int s; int src_port, dst_port; char *dst_host; char packet[4096]; char source_ip[20]; struct sockaddr_in dest; struct pseudo_header psh; struct iphdr *iph = (struct iphdr *)packet; struct tcphdr *tcph = (struct tcphdr *)(packet + sizeof(struct ip)); int flag = 1; const int *val = &flag; if (argc != 3) { printf("dst_host dst_port \n"); exit(1); } src_port = 54321; dst_host = argv[1]; dst_port = atoi(argv[2]); s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); if (s < 0) { ERROR("socket"); } if (inet_addr(dst_host) != -1) { dest_ip.s_addr = inet_addr(dst_host); } else { char *ip = hostname_to_ip(dst_host); if (ip != NULL) { printf("%s resolved to %s\n", dst_host, ip); dest_ip.s_addr = inet_addr(hostname_to_ip(dst_host)); } else { printf("Unable to resolve hostname: %s", dst_host); exit(1); } } local_ip(source_ip); memset(packet, 0, 4096); iph->ihl = 5; iph->version = 4; iph->tos = 0; iph->tot_len = sizeof(struct ip) + sizeof(struct tcphdr); iph->id = htons(54321); iph->frag_off = htons(16384); iph->ttl = 64; iph->protocol = IPPROTO_TCP; iph->check = 0; iph->saddr = inet_addr(source_ip); iph->daddr = dest_ip.s_addr; iph->check = cksum((unsigned short *)packet, iph->tot_len >> 1); tcph->source = htons(src_port); tcph->dest = htons(80); tcph->seq = htonl(1105024978); tcph->ack_seq = 0; tcph->doff = sizeof(struct tcphdr) / 4; tcph->fin = 0; tcph->syn = 1; tcph->rst = 0; tcph->psh = 0; tcph->ack = 0; tcph->urg = 0; tcph->window = htons(14600); tcph->check = 0; tcph->urg_ptr = 0; if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof(flag)) < 0) { printf("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n", errno, strerror(errno)); exit(0); } pthread_t new_packet_capture_run_thread; if (pthread_create(&new_packet_capture_run_thread, NULL, new_packet_capture_run, NULL) < 0) { ERROR("pthread_create"); } pthread_t new_packet_reciever_thread; if (pthread_create(&new_packet_reciever_thread, NULL, new_packet_reciever, NULL) < 0) { ERROR("pthread_create"); } dest.sin_family = AF_INET; dest.sin_addr.s_addr = dest_ip.s_addr; dest.sin_port = ntohs(tcph->dest); tcph->dest = htons(dst_port); tcph->check = 0; psh.source_address = inet_addr(source_ip); psh.dest_address = dest.sin_addr.s_addr; psh.placeholder = 0; psh.protocol = IPPROTO_TCP; psh.tcp_length = htons(sizeof(struct tcphdr)); memcpy(&psh.tcp, tcph, sizeof(struct tcphdr)); tcph->check = cksum((unsigned short *)&psh, sizeof(struct pseudo_header)); if (sendto(s, packet, sizeof(struct iphdr) + sizeof(struct tcphdr), 0, (struct sockaddr *)&dest, sizeof(dest)) < 0) { ERROR("sendto"); } pthread_join(new_packet_capture_run_thread, NULL); pthread_join(new_packet_reciever_thread, NULL); return 0; }
ã“れを以下ã®ã‚ˆã†ã«ãƒ“ルドã—ã¾ã™ã€‚
gcc raw_packet.c -g -lpcap -lpthread -o tcp_port_check
実行ã¯ã€RAWソケットを扱ã†ãŸã‚CAP_NET_ADMINã®ç‰¹æ¨©ãŒå¿…è¦ã¨ãªã‚‹ã®ã§ã€sudoã§å®Ÿè¡Œã—ã¾ã™ã€‚
sudo ./tcp_port_check 10.0.2.15 80
ã“ã‚Œã«ã‚ˆã‚Šã€ã‚«ãƒ¼ãƒãƒ«ã‚ˆã‚Šã‚‚速ãユーザランドã®TCPスタックã§ã‚„ã‚ŠãŸã„ã“ã¨ãŒã§ããŸã‚‰ãƒ‘ケットã®ãƒ€ãƒ³ãƒ—ãŒè¡¨ç¤ºã•ã‚Œã‚‹ã¯ãšã€‚ã§ã¯å®Ÿè¡Œã—ã¦ã¿ã¾ã—ょã†ã€‚
raw packet recieved. but isn't syn_ack packet raw packet recieved. but isn't syn_ack packet raw packet recieved. but isn't syn_ack packet raw packet recieved. but isn't syn_ack packet raw packet recieved. but isn't syn_ack packet ip version: 4 header length: 5byte service type: 0x00 packet length: 44byte identify: 0x9d0e flag offset: 0x0000 ttl: 0x40 protocol: TCP header checksum: 0xc97a src ipaddress: xxx.xxx.xxx.xxx dst ipaddress: 10.0.2.15 src port: 80 dst port: 54321 sec num: 1385297409 ack num: 1105024979 reserve : 0x0 offset: 0x600 fin: 0 syn: 1 rst: 0 psh: 0 ack: 1 urg: 0 res2: 0 window size: 65535 checksum: 0xcd0d urgent ptr: 0x0 found syn_ack packet by new_packet_reciever thread # ↑ã“ã‚Œã¯å—信スレッド ip version: 4 header length: 5byte service type: 0x00 packet length: 44byte identify: 0x9d0e flag offset: 0x0000 ttl: 0x40 protocol: TCP header checksum: 0xc97a src ipaddress: xxx.xxx.xxx.xxx dst ipaddress: 10.0.2.15 src port: 80 dst port: 54321 sec num: 1385297409 ack num: 1105024979 reserve : 0x0 offset: 0x600 fin: 0 syn: 1 rst: 0 psh: 0 ack: 1 urg: 0 res2: 0 window size: 65535 checksum: 0xcd0d urgent ptr: 0x0 found syn_ack packet by new_packet_capture_run thread # ↑ã“ã‚Œã¯BPFスレッド
ãŠãŠãŠï¼å—ä¿¡ã§ããŸï¼ãƒ‘ケットã®æ•°ã‚‚ãŸã£ãŸã®3パケットã ï¼
09:45:15.246002 IP (tos 0x0, ttl 64, id 54321, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.15.54321 > 10.0.2.15.80: Flags [S], cksum 0xd948 (correct), seq 45298, win 14600, length 0
09:45:15.246015 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
10.0.2.15.80 > 10.0.2.15.54321: Flags [S.], cksum 0x183c (incorrect -> 0x5ca3), seq 3390123776, ack 45299, win 43690, options [mss 65495], length 0
09:45:15.246021 IP (tos 0x0, ttl 64, id 16593, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.15.54321 > 10.0.2.15.80: Flags [R], cksum 0x124e (correct), seq 45299, win 0, length 0
ã‚„ã£ãŸãƒ¼ãƒ¼ãƒ¼ãƒ¼ãƒ¼ï¼
connectã§9パケットé€ã‚‹å¿…è¦ç„¡ã„ã—ã€9個もé€ã‚‹ã¨é…ããªã‚‹ã‹ã‚‰ã€ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰ã«ç°¡æ˜“TCPスタックを作ã£ã¦ã€ã‚¹ãƒ¬ãƒƒãƒ‰ã‚’駆使ã—ã¦ã‚«ãƒ¼ãƒãƒ«ãŒrsté€ã‚Šãるよりも速ãsyn+ackパケットå—ä¿¡ã—ãŸã‚Šã€BPFã§ãƒ‘ケットモニタリングã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦ãƒ‘ケット6個も減らã—ã¦ã€å…¨éƒ¨ã§3パケットã§ãƒãƒ¼ãƒˆã®Listenãƒã‚§ãƒƒã‚¯ã§ãる処ç†ãŒå®Ÿç¾ã§ããŸãžãƒ¼ãƒ¼ãƒ¼ãƒ¼ãƒ¼ãƒ¼ï¼ï¼
ã‚れ?
ã¾ã¨ã‚
ã¨ã„ã†ã“ã¨ã§ã€çµè«–ã¨ã—ã¦ã¯é«˜é€Ÿã«ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã®ãƒãƒ¼ãƒˆãŒListenã—ã¦ã„ã‚‹ã‹ã‚’ãƒã‚§ãƒƒã‚¯ã™ã‚‹ã«ã¯ç‰¹æ¨©ã‚‚ã„らãªã„connectã§å分ã§ã‚ã‚‹ã“ã¨ãŒåˆ†ã‹ã‚Šã¾ã—ãŸï¼ˆconnectã§ããªã‹ã£ãŸå ´åˆã¯ãŸã£ãŸã®2パケット)。ã¾ãŸã€ãƒ‘ケットを3ã¤ã«æŠ‘ãˆãŸæ‰€ã§ã€ä»Šå›žã®ã‚ˆã†ãªå®Ÿè£…ã ã¨å®Ÿéš›ã®ãƒã‚§ãƒƒã‚¯ã‚³ã‚¹ãƒˆã¯ä¸‹æ‰‹ã—ãŸã‚‰1000å€ãらã„ã‹ã‹ã£ã¦ãŠã‚Šã€ãƒ‘ケット6個を減らã™ãŸã‚ã«ãƒ¦ãƒ¼ã‚¶ãƒ©ãƒ³ãƒ‰TCPスタックã®å®Ÿè£…やパケットã®è‡ªå‰å®Ÿè£…ã€BPFã«ã‚ˆã‚‹ãƒ•ã‚£ãƒ«ã‚¿ãƒªãƒ³ã‚°ç‰ã€è‰²ã€…é ‘å¼µã‚Šã¾ã—ãŸãŒã€ãƒŸãƒ‰ãƒ«ã‚¦ã‚§ã‚¢ã®ã‚ˆã†ãªã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã‹ã‚‰é«˜é€Ÿã«ãƒªãƒ¢ãƒ¼ãƒˆãƒ›ã‚¹ãƒˆã®ãƒãƒ¼ãƒˆã®Listen状態をãƒã‚§ãƒƒã‚¯ã™ã‚‹ã¨ã„ã†è¦³ç‚¹ã§ã¯ãƒŽãƒ¼ãƒãƒªãƒ¥ãƒ¼ã§ãƒ•ã‚£ãƒ‹ãƒƒã‚·ãƒ¥ã§ã—ãŸã€‚
2017/02/13追記
冒é ã§è¿½è¨˜ã—ãŸã‚ˆã†ã«ã€
@matsumotory 記事冒é ã®9パケット発生ã—ã¦ã„るパケットã®ãƒ€ãƒ³ãƒ—ãªã‚“ã§ã™ã‘ã©ã€ãƒãƒ¼ã‚«ãƒ«ãƒãƒ¼ãƒˆã‚’変ãˆãªãŒã‚‰3回ãƒãƒ³ãƒ‰ã‚·ã‚§ã‚¤ã‚¯ã—ã¦ã„るよã†ã«è¦‹ãˆã‚‹ã®ã§ã™ãŒè²¼ã‚Šé–“é•ãˆã ã£ãŸã‚Šã—ã¾ã™ã‹..?
— ã¿ã‚„ã³ (@pandax381) 2017å¹´2月13æ—¥
ã«ã‚ˆã‚‹æŒ‡æ‘˜ã®é€šã‚Šã€å®Ÿéš›ã¯æ™®é€šã«connectã—ã¦closeã™ã‚‹ã¨ä»¥ä¸‹ã®ã‚ˆã†ãªtcpdumpã§ã—ãŸã€‚全部ã§æ™®é€šã¯6パケットã§ã—ãŸã€‚
09:13:59.353115 IP (tos 0x0, ttl 64, id 45250, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.47536 > 127.0.0.1.53: Flags [S], cksum 0xfe30 (incorrect -> 0xd259), seq 3532090005, win 43690, options [mss 65495,sackOK,TS val 24894039 ecr 0,nop,wscale 7], length 0
09:13:59.353128 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.53 > 127.0.0.1.47536: Flags [S.], cksum 0xfe30 (incorrect -> 0x4130), seq 394239430, ack 3532090006, win 43690, options [mss 65495,sackOK,TS val 24894039 ecr 24894039,nop,wscale 7], length 0
09:13:59.353140 IP (tos 0x0, ttl 64, id 45251, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47536 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0x1375), seq 1, ack 1, win 342, options [nop,nop,TS val 24894039 ecr 24894039], length 0
09:14:04.641694 IP (tos 0x0, ttl 64, id 45252, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47536 > 127.0.0.1.53: Flags [F.], cksum 0xfe28 (incorrect -> 0x0e49), seq 1, ack 1, win 342, options [nop,nop,TS val 24895362 ecr 24894039], length 0
09:14:04.642176 IP (tos 0x0, ttl 64, id 18320, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.53 > 127.0.0.1.47536: Flags [F.], cksum 0xfe28 (incorrect -> 0x091d), seq 1, ack 2, win 342, options [nop,nop,TS val 24895362 ecr 24895362], length 0
09:14:04.642189 IP (tos 0x0, ttl 64, id 45253, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.47536 > 127.0.0.1.53: Flags [.], cksum 0xfe28 (incorrect -> 0x091d), seq 2, ack 2, win 342, options [nop,nop,TS val 24895362 ecr 24895362], length 0
ç¾å®Ÿçš„ã«ã¯ connect æˆåŠŸã—ã¦ã‹ã‚‰ SO_LINGER 0 を指定ã—㦠close ã™ã‚Œã° RST ãŒé£›ã‚“㧠4 packet ã§ãƒ•ã‚£ãƒ‹ãƒƒã‚·ãƒ¥ã ã‘ã©ã€ã“ã†ã„ã†ã®å¤§å¥½ã https://t.co/v6IxzhRSqJ
— ã¿ã‚„ã³ (@pandax381) 2017å¹´2月13æ—¥
ã“ã®æ–¹æ³•ã«ã‚ˆã‚Šã€ã‚«ãƒ¼ãƒãƒ«ã®TCPスタックを使ã£ã¦ã‚‚4パケットã§ãƒ•ã‚£ãƒ‹ãƒƒã‚·ãƒ¥å¯èƒ½ãã†ã§ã™ã€‚ ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã™ï¼
実際試ã™ã¨ï¼ˆã‚¨ãƒ©ãƒ¼å‡¦ç†ã¯çœç•¥ï¼‰ã€
#include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <arpa/inet.h> int main(int argc, char **argv) { int s; int dst_port; char *dst_host; struct sockaddr_in dest; struct linger so_linger; dst_host = argv[1]; dst_port = atoi(argv[2]); s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); dest.sin_family = AF_INET; dest.sin_addr.s_addr = inet_addr(dst_host); dest.sin_port = ntohs(dst_port); connect(s, (struct sockaddr *)&dest, sizeof(dest)); so_linger.l_onoff = 1; so_linger.l_linger = 0; setsockopt(s, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(so_linger)); close(s); return 0; }
ã“ã‚Œã ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ãªtcpdumpçµæžœã¨ãªã‚Šã¾ã—ãŸã€‚4パケットã§ãƒ•ã‚£ãƒ‹ãƒƒã‚·ãƒ¥ã—ã¦ã„ã‚‹ã®ã§ã€ã‚«ãƒ¼ãƒãƒ«ã®TCPã®ã‚¹ã‚¿ãƒƒã‚¯ã‚’使ã†å ´åˆã®æœ€å°ãƒ‘ケット数ã¨æ€ã‚ã‚Œã¾ã™ã€‚
09:32:01.527284 IP (tos 0x0, ttl 64, id 15485, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.15.52154 > 10.0.2.15.80: Flags [S], cksum 0x184c (incorrect -> 0xdb93), seq 527746906, win 43690, options [mss 65495,sackOK,TS val 25164583 ecr 0,nop,wscale 7], length 0
09:32:01.527292 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.15.80 > 10.0.2.15.52154: Flags [S.], cksum 0x184c (incorrect -> 0xccf3), seq 2287569294, ack 527746907, win 43690, options [mss 65495,sackOK,TS val 25164583 ecr 25164583,nop,wscale 7], length 0
09:32:01.527299 IP (tos 0x0, ttl 64, id 15486, offset 0, flags [DF], proto TCP (6), length 52)
10.0.2.15.52154 > 10.0.2.15.80: Flags [.], cksum 0x1844 (incorrect -> 0x9f38), seq 1, ack 1, win 342, options [nop,nop,TS val 25164583 ecr 25164583], length 0
09:32:01.527393 IP (tos 0x0, ttl 64, id 15487, offset 0, flags [DF], proto TCP (6), length 52)
10.0.2.15.52154 > 10.0.2.15.80: Flags [R.], cksum 0x1844 (incorrect -> 0x9f34), seq 1, ack 1, win 342, options [nop,nop,TS val 25164583 ecr 25164583], length 0
