current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite
1

I'm trying to create linux kernel module, that will inspect incoming packets. At the moment, I'm in process of extracting TCP header of packet and reading source and destination port -> However I'm getting incorrect values. I have hook function:

unsigned int hook_func(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) 
{
    struct iphdr *ipp = (struct iphdr *)skb_network_header(skb);
    struct tcphdr *hdr;
    unsigned long ok_ip = 2396891328; // Using this to filter data from another machine.
    if (!skb) {
      // Some problem, empty network packet. Stop it now.
      return NF_ACCEPT;
    }

    if ( ipp->saddr != ok_ip) { // Just to track only packets coming form 1 IP
      return NF_ACCEPT;
    }

    if ( ipp->protocol == IPPROTO_TCP ) { // Incomming packet is TCP
      hdr = (struct tcphdr *) skb_transport_header(skb);

      printk(" TCP ports: source: %d, dest: %d .\n", ntohs(hdr->source), ntohs(hdr->dest));
    }
}

Now, when I try to telnet port 21(not listening there I get): 

[ 4252.961912]  TCP ports: source: 17664, dest: 52 .
[ 4253.453978]  TCP ports: source: 17664, dest: 52 .
[ 4253.953204]  TCP ports: source: 17664, dest: 48 .

And when I telnet port 22 - SSH deamon listening there:

[ 4299.239940]  TCP ports: source: 17664, dest: 52 .
[ 4299.240527]  TCP ports: source: 17664, dest: 40 .
[ 4299.552566]  TCP ports: source: 17664, dest: 40 .

As visible from output I'm getting very wired results, anyone has idea where problem is coming from? when I compile module I have no errors / warnings. Version of kernel(headers): 3.7.10 . Not using SeLinux or similar.

share|improve this question
    
this might have to do with NAT redirection. Even though your packet is supposed to be leaving on port 21 and 22, the Router converts this to a dynamic port, and then the server is actually getting a request from this port. On the way back, the server's header shows this, and the router forwards it to you. I don't think the header is actually changed (or encapsulated) though, since hte router I think goes into the header and changes it. –  Magn3s1um May 13 '13 at 18:46
    
You should try and print outgoing packets too. If they show the right port, then it is the router changing these values for you. –  Magn3s1um May 13 '13 at 18:50
    
There is no NAT. Both machines are on ESX server, no VLANs. Machines are having IPs: 192.168.221.141/24 and 192.168.221.142/24 so I don't see any possibility how packet can be modified by anything. Also there are no iptables rules, all is set to accept. –  LukasH May 13 '13 at 20:41
    
You need to define how they are connected to the network. Are they on a virtual lan (which you said they aren't), or are they connected to your physical network? If they're on the vlan, i can see there not being a switch/router, but if their entry point is physical, then I 100 percent doubt its not going through a router/switch. –  Magn3s1um May 13 '13 at 20:49

1 Answer 1

up vote 2 down vote accepted

I had the same problem writing a small firewall for a networking class I just found out the problem I was having. I was casting the tcp header wrong. Try casting to tcp then accessing the port.

Here is a code snippet of it working

struct iphdr *ip_header;       // ip header struct
struct tcphdr *tcp_header;     // tcp header struct
struct udphdr *udp_header;     // udp header struct
struct sk_buff *sock_buff;

unsigned int sport ,
             dport;


sock_buff = skb;

if (!sock_buff)
    return NF_ACCEPT;

ip_header = (struct iphdr *)skb_network_header(sock_buff);
if (!ip_header)
    return NF_ACCEPT;


//if TCP PACKET
if(ip_header->protocol==IPPROTO_TCP)
{
    //tcp_header = (struct tcphdr *)skb_transport_header(sock_buff); //doing the cast this way gave me the same problem

    tcp_header= (struct tcphdr *)((__u32 *)ip_header+ ip_header->ihl); //this fixed the problem

    sport = htons((unsigned short int) tcp_header->source); //sport now has the source port
    dport = htons((unsigned short int) tcp_header->dest);   //dport now has the dest port
}
share|improve this answer
    
Thank you, tcp_header= (struct tcphdr *)((__u32 *)ip_header+ ip_header->ihl); Fixed my problem. –  LukasH May 14 '13 at 5:23
    
You can also use these two functions to get the IP header and TCP header ip_hdr(sock_buff) and tcp_hdr(sock_buff) –  HA-AS Jul 2 at 11:47

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.