Raw Sockets

Raw sockets allow bypassing the network stack to (1) receive all network packets in promiscuous mode, (2) access full packet headers for analysis, and (3) inject custom packets directly into the network. Raw sockets use the PF_PACKET interface to (1) create a raw socket, (2) set an interface to promiscuous mode, (3) receive or send packets on the socket, then (4) close the socket. This allows building both sniffers to process all received packets and packet injectors to transmit custom packets.
Copyright
© Attribution Non-Commercial (BY-NC)

Raw Sockets - 101

Vivek Ramachandran
A day in the life of a Network Packet
The gory details ...
Problem formulation – why raw sockets?
• We can only receive frames destined to us (Unicast), to everyone (Broadcast) and to some selected addresses we subscribe to (Multicast).
• All headers, i.e. Ethernet, IP, TCP etc., are stripped by the network stack and only the data is shipped to the application layer.
• We cannot modify the packet headers of packets when they are sent out from our host.
What could be interesting?
• If we could receive the frames for all computers connected to our broadcast domain – Promiscuous mode. (Caveat: on a switched network the switch still only forwards broadcast, multicast and flooded frames to our port; to see the neighbours' unicast traffic you need a hub, a mirror/SPAN port, or some way of redirecting their traffic through your host.)
• If we could get all the headers, i.e. Ethernet, IP, TCP etc., from the network and analyze them – Raw Sockets.
• If we could inject packets with custom headers and data into the network directly – Raw Sockets.
Promiscuous Mode
• It is the "See All, Hear All" wizard mode.
• Tells the network driver to accept all frames irrespective of whom they are addressed to.
• Used for Network Monitoring – both legal and illegal monitoring.
• We can do this programmatically by setting the IFF_PROMISC interface flag (read the flags with the SIOCGIFFLAGS ioctl, OR in IFF_PROMISC, write them back with SIOCSIFFLAGS), or from the shell with the ifconfig utility (ifconfig eth0 promisc) or its modern equivalent (ip link set dev eth0 promisc on). Either way requires root, i.e. CAP_NET_ADMIN.
Getting all headers – Sniffing
• Once we set the interface to promiscuous mode we can get "full packets" with all the headers.
• We can process these packets and extract data from them.
• Note we are receiving packets meant for all hosts => see what your neighbors are doing in the lab.
Sending arbitrary packets – Packet Injection
• We "manufacture" our own packets and send them out on the network.
• Absolute power – total network stack bypass.
• Most active network monitoring tools and hacking tools use this.
• Remember the DoS attacks? SYN floods? IP spoofing? All of them depend on writing header fields that a normal socket never lets an application touch, such as the source IP address.
Raw Sockets – a closer look
[Diagram: Application <-> Raw Socket]
What are raw sockets?
• Simply put, raw sockets provide a way to bypass the whole network stack traversal of a packet and deliver it directly to an application.
• There are many ways to create raw sockets, e.g. AF_INET with SOCK_RAW gives a layer 3 raw socket (with the IP_HDRINCL option the application supplies the IP header itself). We will concentrate on the PF_PACKET interface, which works one layer lower, for creating raw sockets.
PF_PACKET
• It is a software interface to send/receive packets at layer 2 of the OSI model, i.e. at the device driver. It is Linux-specific (the BSDs use the BPF device, /dev/bpf*, for the same job; libpcap hides the difference).
• All packets received will be complete with all headers and data, Ethernet header included.
• All packets sent will be transmitted without modification by the kernel to the medium. With SOCK_RAW the application has to supply the Ethernet header as well; SOCK_DGRAM lets the kernel add it from the destination address passed to sendto().
• Supports filtering using Berkeley Packet Filter (BPF) programs attached with setsockopt(SO_ATTACH_FILTER), so unwanted frames are dropped in the kernel instead of being copied to the application.
Creating a Raw Socket
• Call socket() with appropriate arguments:

    socket(PF_PACKET, SOCK_RAW, int protocol)

• protocol selects which EtherType the socket receives, so it is mostly used as a filter: ETH_P_IP to receive only IP packets, ETH_P_ALL to receive all types of packets. It must be passed in network byte order, i.e. htons(ETH_P_IP) or htons(ETH_P_ALL).
• Creating a PF_PACKET socket requires root, or more precisely the CAP_NET_RAW capability.
The making of a Sniffer
• Create Raw socket – socket()
• Set the interface you want to sniff on in promiscuous mode.
• Bind Raw socket to this interface – bind()
• Receive packets on the socket – recvfrom()
• Process received packets
• Close the raw socket – close()
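The "Creating a Raw Socket" slide and the sniffer recipe above, put together as one complete Linux program. This is an added example, not code from the slides: the interface name is taken from the command line, parse_frame() and open_sniffer() are helper names chosen here, and sample_syn_frame is a constructed Ethernet/IPv4/TCP SYN (made-up addresses, checksums left zero) so the header parser can be exercised without a live capture. The parser decodes Ethernet, IPv4 and TCP/UDP fields byte by byte rather than casting onto kernel structs, which also documents where each field sits and what a truncated frame looks like. Promiscuous mode is enabled with PACKET_MR_PROMISC, the socket-scoped equivalent of the IFF_PROMISC flag mentioned earlier.

```c
/* Added example, not from the slides: a minimal PF_PACKET sniffer for Linux (needs root/CAP_NET_RAW). */
#include <arpa/inet.h>         /* htons, htonl, inet_ntoa */
#include <net/ethernet.h>      /* ETH_P_ALL, ETH_P_IP */
#include <net/if.h>            /* if_nametoindex */
#include <netinet/in.h>        /* IPPROTO_TCP, IPPROTO_UDP, struct in_addr */
#include <netpacket/packet.h>  /* struct sockaddr_ll, struct packet_mreq */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct frame_info {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype;
    uint8_t  ip_proto;           /* 0 if not IPv4 */
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port; /* 0 unless TCP/UDP */
    uint8_t  tcp_flags;          /* raw TCP flag byte, 0x02 = SYN */
    size_t   payload_len;        /* bytes after the transport header */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Decode Ethernet -> IPv4 -> TCP/UDP headers by hand. Returns 0 on success, 1 for a non-IPv4
 * frame (Ethernet fields still filled) and -1 when a header claims more bytes than the buffer holds. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *fi) {
    memset(fi, 0, sizeof *fi);
    if (len < 14) return -1;
    memcpy(fi->dst_mac, buf, 6); memcpy(fi->src_mac, buf + 6, 6);
    fi->ethertype = rd16(buf + 12);
    if (fi->ethertype != ETH_P_IP) return 1;
    const uint8_t *ip = buf + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IP header length incl. options */
    size_t tot = rd16(ip + 2);                 /* IP total length */
    if (ihl < 20 || tot < ihl || tot > avail) return -1;
    fi->ip_proto = ip[9];
    fi->src_ip = rd32(ip + 12); fi->dst_ip = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl;
    size_t l4len = tot - ihl, hdr = 0;         /* l4len excludes Ethernet padding */
    if (fi->ip_proto == IPPROTO_TCP) {
        if (l4len < 20) return -1;
        hdr = (size_t)(l4[12] >> 4) * 4;       /* TCP data offset incl. options */
        if (hdr < 20 || hdr > l4len) return -1;
        fi->tcp_flags = l4[13];
    } else if (fi->ip_proto == IPPROTO_UDP) {
        if (l4len < 8) return -1;
        hdr = 8;
    }
    if (hdr) { fi->src_port = rd16(l4); fi->dst_port = rd16(l4 + 2); }
    fi->payload_len = l4len - hdr;
    return 0;
}

/* socket() + bind() to one interface + promiscuous mode. PACKET_MR_PROMISC is the
 * socket-scoped form of the IFF_PROMISC flag: the kernel drops it again on close(). */
int open_sniffer(const char *ifname) {
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));  /* htons() is essential */
    if (fd < 0) { perror("socket"); return -1; }
    int ifindex = (int)if_nametoindex(ifname);
    struct sockaddr_ll sll; memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET; sll.sll_protocol = htons(ETH_P_ALL); sll.sll_ifindex = ifindex;
    struct packet_mreq mr; memset(&mr, 0, sizeof mr);
    mr.mr_ifindex = ifindex; mr.mr_type = PACKET_MR_PROMISC;
    if (ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        perror("bind/promisc"); close(fd); return -1;
    }
    return fd;
}

/* Constructed test frame (not a capture): IPv4/TCP SYN 192.168.1.10:54321 -> 10.0.0.5:80, checksums zero. */
const uint8_t sample_syn_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    0xd4,0x31,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x72,0x10, 0x00,0x00,0x00,0x00 };

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <interface>\n", argv[0]); return 1; }
    int fd = open_sniffer(argv[1]);
    if (fd < 0) return 1;
    static uint8_t buf[65536];
    for (;;) {
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, NULL, NULL);
        if (n < 0) { perror("recvfrom"); break; }
        struct frame_info fi;
        if (parse_frame(buf, (size_t)n, &fi) != 0 || fi.ip_proto == 0) continue;
        struct in_addr s = { htonl(fi.src_ip) }, d = { htonl(fi.dst_ip) };
        printf("%s:%u -> ", inet_ntoa(s), (unsigned)fi.src_port);  /* inet_ntoa reuses one static buffer */
        printf("%s:%u proto=%u flags=0x%02x payload=%zu\n", inet_ntoa(d),
               (unsigned)fi.dst_port, (unsigned)fi.ip_proto, (unsigned)fi.tcp_flags, fi.payload_len);
    }
    close(fd); return 0;
}
```

Build with gcc -Wall -o sniff sniff.c and run as root, e.g. sudo ./sniff eth0. Note the htons() around ETH_P_ALL in both socket() and sll_protocol: passing the constant unswapped is the classic mistake that leaves a PF_PACKET socket matching a nonsense EtherType and receiving nothing useful. The parser refuses frames whose IP total length or TCP data offset points past the captured bytes instead of reading beyond the buffer, which is the check any sniffer that touches untrusted input needs.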
The making of a Packet Injector
• Create a raw socket – socket()
• Bind socket to the interface you want to send packets onto – bind()
• Create a packet
• Send the packet – sendto()
• Close the raw socket – close()
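The injector recipe above as a complete Linux program. This is an added example, not code from the slides; the MAC and IP addresses, ports, payload and interface name are invented, and build_udp_frame(), ip_checksum(), udp_checksum() and inject_frame() are helper names chosen here. It assembles an Ethernet/IPv4/UDP frame from scratch, including the IPv4 header checksum and the UDP checksum over the pseudo-header, because with PF_PACKET/SOCK_RAW nothing in the kernel fills those in, and then hands the bytes to sendto(). Both checksum functions return 0 when run over a correctly checksummed header, which is how a receiver verifies them.

```c
/* Added example, not from the slides: build and inject a raw Ethernet/IPv4/UDP frame
 * with PF_PACKET on Linux (needs root/CAP_NET_RAW). All addresses below are made up. */
#include <arpa/inet.h>         /* htons */
#include <net/ethernet.h>      /* ETH_P_IP, ETH_P_ALL */
#include <net/if.h>            /* if_nametoindex */
#include <netinet/in.h>        /* IPPROTO_UDP */
#include <netpacket/packet.h>  /* struct sockaddr_ll */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement sum (odd trailing byte zero-padded), then fold to 16 bits and invert. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (; n > 1; n -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (n) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fin(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 header checksum: over a header whose checksum field is zero it yields the
 * value to insert; over a finished, correct header it yields 0. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len) { return csum_fin(csum_add(0, hdr, len)); }

/* UDP checksum = pseudo-header (src, dst, 0, 17, length) + UDP segment. Same 0-when-valid property. */
uint16_t udp_checksum(uint32_t src_ip, uint32_t dst_ip, const uint8_t *udp, size_t udp_len) {
    uint8_t ph[12];
    wr32(ph, src_ip); wr32(ph + 4, dst_ip);
    ph[8] = 0; ph[9] = IPPROTO_UDP; wr16(ph + 10, (uint16_t)udp_len);
    return csum_fin(csum_add(csum_add(0, ph, 12), udp, udp_len));
}

/* Assemble the whole frame into out[]. Returns the frame length, or 0 if cap is too small.
 * With PF_PACKET/SOCK_RAW nothing is filled in for us: MACs, EtherType, IP header and
 * both checksums are all our job (which is also what makes spoofing any of them trivial). */
size_t build_udp_frame(uint8_t *out, size_t cap, const uint8_t dst_mac[6], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t dst_ip, uint16_t sport, uint16_t dport,
                       const uint8_t *payload, size_t plen) {
    size_t udp_len = 8 + plen, total = 14 + 20 + udp_len;
    if (total > cap || udp_len > 0xffff) return 0;
    memcpy(out, dst_mac, 6); memcpy(out + 6, src_mac, 6); wr16(out + 12, ETH_P_IP);
    uint8_t *ip = out + 14, *udp = ip + 20;
    memset(ip, 0, 20 + udp_len);
    ip[0] = 0x45;                             /* IPv4, IHL = 5 words, no options */
    wr16(ip + 2, (uint16_t)(20 + udp_len));   /* total length */
    wr16(ip + 4, 0x1234);                     /* identification (arbitrary) */
    wr16(ip + 6, 0x4000);                     /* DF set, fragment offset 0 */
    ip[8] = 64; ip[9] = IPPROTO_UDP;          /* TTL, protocol */
    wr32(ip + 12, src_ip); wr32(ip + 16, dst_ip);
    wr16(ip + 10, ip_checksum(ip, 20));       /* checksum field is still 0 at this point */
    wr16(udp, sport); wr16(udp + 2, dport); wr16(udp + 4, (uint16_t)udp_len);
    memcpy(udp + 8, payload, plen);
    uint16_t c = udp_checksum(src_ip, dst_ip, udp, udp_len);
    wr16(udp + 6, c ? c : 0xffff);            /* RFC 768: 0 would mean "no checksum" */
    return total;
}

/* socket() + bind() to the interface, then sendto(): the driver transmits the bytes as-is.
 * sll_ifindex picks the outgoing interface; sll_addr is informational for SOCK_RAW
 * because the frame already carries its own Ethernet header. */
int inject_frame(const char *ifname, const uint8_t *frame, size_t len) {
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }
    struct sockaddr_ll sll; memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET; sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    sll.sll_halen = 6; memcpy(sll.sll_addr, frame, 6);
    int rc = (sll.sll_ifindex != 0 && bind(fd, (struct sockaddr *)&sll, sizeof sll) == 0 &&
              sendto(fd, frame, len, 0, (struct sockaddr *)&sll, sizeof sll) == (ssize_t)len) ? 0 : -1;
    if (rc) perror("bind/sendto");
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <interface>\n", argv[0]); return 1; }
    /* Made-up addresses: claimed source 192.168.1.10:40000 -> 192.168.1.254:53 */
    const uint8_t dst_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x55}, src_mac[6] = {0x66,0x77,0x88,0x99,0xaa,0xbb};
    const uint8_t payload[] = "hello";
    uint8_t frame[1514];
    size_t n = build_udp_frame(frame, sizeof frame, dst_mac, src_mac, 0xC0A8010AU, 0xC0A801FEU,
                               40000, 53, payload, sizeof payload - 1);
    return (n != 0 && inject_frame(argv[1], frame, n) == 0) ? 0 : 1;
}
```

Build with gcc -Wall -o inject inject.c and run as root, e.g. sudo ./inject eth0; a sniffer on the same segment (the previous example, or tcpdump -nei eth0 udp port 53) will show the frame exactly as built, source MAC and IP included. The kernel does not validate any of it, which is why the earlier slide could list SYN floods and IP spoofing as raw-socket applications and why PF_PACKET is gated behind CAP_NET_RAW.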
Class over!!

Let's start coding!!!
