c - Print TCP Packet Data -


In TCP communication, when a packet is being transferred at the Ethernet / network (IP) layer, how can I print the data present in that packet?

I am working on Linux.

I was told that this can be done in the Linux kernel code, i.e. in the Linux NAT / firewall code. Where is that kernel source code, and how is this kind of coding done?

How to print the data of TCP packets

Below is the example you need: it hooks received TCP packets and prints their payloads. If you want to print other information from the received packet (like binary data), you need to modify the section under this comment:

/* ----- print needed information received tcp packet ------ */

If you need to trace transmitted packets instead of received ones, you can replace this line:

nfho.hooknum = NF_INET_PRE_ROUTING;

with this one:

nfho.hooknum = NF_INET_POST_ROUTING;

Save the next two files and issue the make command to build the kernel module. Run sudo insmod print_tcp.ko to load it. After that you will be able to see the sniffed information using the dmesg command. If you want to unload the module, run the sudo rmmod print_tcp command.

print_tcp.c:

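#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/string.h>

#define PTCP_WATCH_PORT     80  /* HTTP port */

/* Number of payload bytes the HTTP signature check below needs to read. */
#define PTCP_SIG_LEN        4

static struct nf_hook_ops nfho;

/*
 * Netfilter hook: look at every received IPv4 packet, keep only TCP segments
 * sent from PTCP_WATCH_PORT whose payload starts with "HTTP", and print the
 * packet route and the printable payload to the kernel log.
 *
 * The parameter list follows the nf_hookfn type of the kernel this example
 * targets (v3.13); later kernels changed that type, so adjust the parameters
 * if the build complains about the assignment in ptcp_init().
 *
 * Returns NF_ACCEPT in every case: the module only observes traffic and never
 * drops or modifies it.
 */
static unsigned int ptcp_hook_func(const struct nf_hook_ops *ops,
                                   struct sk_buff *skb,
                                   const struct net_device *in,
                                   const struct net_device *out,
                                   int (*okfn)(struct sk_buff *))
{
    struct iphdr *iph;          /* IPv4 header */
    struct tcphdr *tcph;        /* TCP header */
    u16 sport, dport;           /* source and destination ports */
    u32 saddr, daddr;           /* source and destination addresses */
    unsigned char *user_data;   /* TCP data begin pointer */
    unsigned char *tail;        /* TCP data end pointer */
    unsigned char *it;          /* TCP data iterator */

    /* Network packet is empty, seems like a problem occurred. Skip it. */
    if (!skb)
        return NF_ACCEPT;

    iph = ip_hdr(skb);          /* IP header */

    /* Skip if it's not a TCP packet */
    if (iph->protocol != IPPROTO_TCP)
        return NF_ACCEPT;

    tcph = tcp_hdr(skb);        /* TCP header */

    /* Convert network endianness to host endianness */
    saddr = ntohl(iph->saddr);
    daddr = ntohl(iph->daddr);
    sport = ntohs(tcph->source);
    dport = ntohs(tcph->dest);

    /* Watch only the port of interest */
    if (sport != PTCP_WATCH_PORT)
        return NF_ACCEPT;

    /* Calculate pointers for begin and end of the TCP packet data */
    user_data = (unsigned char *)tcph + (tcph->doff * 4);
    tail = skb_tail_pointer(skb);

    /*
     * Bound the payload before touching it: a segment without data (pure
     * ACK, SYN, ...) or one whose TCP header is not fully inside the linear
     * area would otherwise be read past its end by the signature check.
     * NOTE(review): only the linear part of the skb is inspected; payload
     * held in page fragments is not reached (skb_linearize() would be
     * needed for that).
     */
    if (tail < user_data || (size_t)(tail - user_data) < PTCP_SIG_LEN)
        return NF_ACCEPT;

    /* ----- print needed information received tcp packet ------ */

    /* Show only HTTP packets: responses from port 80 start with "HTTP/" */
    if (memcmp(user_data, "HTTP", PTCP_SIG_LEN) != 0)
        return NF_ACCEPT;

    /* Print packet route */
    pr_debug("print_tcp: %pi4h:%d -> %pi4h:%d\n", &saddr, sport,
                                                 &daddr, dport);

    /*
     * Print TCP packet data (payload): stop at the first NUL byte or at the
     * end of the linear data, whichever comes first. Note that raw payload
     * ends up in the kernel log, which is readable via dmesg.
     */
    pr_debug("print_tcp: data:\n");
    for (it = user_data; it < tail; ++it) {
        char c = *(char *)it;

        if (c == '\0')
            break;

        /* KERN_CONT keeps appending to the current log line */
        printk(KERN_CONT "%c", c);
    }
    printk(KERN_CONT "\n\n");

    return NF_ACCEPT;
}

/*
 * Module entry point: register the hook at NF_INET_PRE_ROUTING (received
 * packets) for IPv4 with the highest priority.
 *
 * Returns 0 on success or the negative error code from nf_register_hook().
 */
static int __init ptcp_init(void)
{
    int res;

    /*
     * No cast on purpose: if the kernel's nf_hookfn signature differs from
     * ptcp_hook_func's, the compiler reports it instead of the mismatch
     * being hidden until the hook is invoked.
     */
    nfho.hook = ptcp_hook_func;                 /* hook function */
    nfho.hooknum = NF_INET_PRE_ROUTING;         /* received packets */
    nfho.pf = PF_INET;                          /* IPv4 */
    nfho.priority = NF_IP_PRI_FIRST;            /* max hook priority */

    res = nf_register_hook(&nfho);
    if (res < 0) {
        pr_err("print_tcp: error in nf_register_hook()\n");
        return res;
    }

    pr_debug("print_tcp: loaded\n");
    return 0;
}

/* Module exit point: unregister the hook so no packet reaches it any more. */
static void __exit ptcp_exit(void)
{
    nf_unregister_hook(&nfho);
    pr_debug("print_tcp: unloaded\n");
}

module_init(ptcp_init);
module_exit(ptcp_exit);

MODULE_AUTHOR("Sam Protsenko");
MODULE_DESCRIPTION("Module for printing TCP packet data");
MODULE_LICENSE("GPL");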

Makefile:

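# Builds print_tcp.ko against the running kernel's build tree (Kbuild).
# This file is read twice: first by the user's make (KERNELRELEASE empty),
# which re-invokes make inside the kernel tree; then by Kbuild itself
# (KERNELRELEASE set), where only the obj-m / CFLAGS part applies.
ifeq ($(KERNELRELEASE),)

KERNELDIR ?= /lib/modules/$(shell uname -r)/build

# C=1 runs sparse on the sources when it is installed.
# $(CURDIR) is set by make itself, unlike $(PWD) which comes from the
# environment and may be missing or stale (e.g. under sudo).
module:
	$(MAKE) -C $(KERNELDIR) M=$(CURDIR) C=1 modules

clean:
	$(MAKE) -C $(KERNELDIR) M=$(CURDIR) C=1 clean

.PHONY: module clean

else

MODULE = print_tcp.o
# -DDEBUG enables the pr_debug() output in print_tcp.c
CFLAGS_$(MODULE) := -DDEBUG
obj-m := $(MODULE)

endif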

Explanation

I recommend reading the book [4]. You will be particularly interested in the next chapters:

  • Chapter 11: Layer 4 Protocols
    • TCP (Transmission Control Protocol)
      • Receiving Packets from the Network Layer (L3) in TCP
      • Sending Packets with TCP
  • Chapter 9: Netfilter
    • Netfilter Hooks

How to obtain the Linux kernel source code

You can obtain the kernel source code in whichever of these ways you prefer:

  1. The vanilla kernel from kernel.org (more specifically, kernel/git/torvalds/linux.git), using git. E.g. if you need kernel 3.13, it can be done the next way:

    $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git $ cd linux/ $ git checkout v3.13 
  2. The kernel sources from your distro. E.g. in Debian you can install the linux-source package (the sources are installed to /usr/src). For Ubuntu see these instructions.


Details:

[1] How to get the TCP header from an sk_buff

[2] Network flow control in the Linux kernel

[3] Writing loadable kernel modules using netfilter hooks

[4] "Linux Kernel Networking: Implementation and Theory" by Rami Rosen

[5] How to access the data/payload from a tcphdr


Update

Where does the hook capture packets in your example? In other words, is it above the TCP stack, so that we don't need to take care of packet loss, reordering, etc.?

The netfilter hook is called from the ip_rcv() function (here), i.e. it works in the IPv4 layer (which is the network layer in the OSI model). I believe that packet loss handling, packet reordering etc. are not handled yet at the point where the netfilter hook runs.

See the next links for more insights:

If you want to hook packets above the transport layer (TCP) -- netfilter is not sufficient for that task, as it works exclusively in the network layer (IPv4).

