
Code working with LIBNET_RAW4, not with LIBNET_LINK

Subject: Code working with LIBNET_RAW4, not with LIBNET_LINK
Date: Sun, 16 Jan 2005 23:23:11 -0600
I've just discovered libnet, and have been working on some test programs to 
become familiar with it; it looks great.  I've worked my way through a number 
of stumbling blocks, and have gotten most of what I have attempted to do 
working; however, I cannot figure out, nor can I find anything online about, 
this current problem.

I have two versions of the same code; one builds a packet with a UDP header 
and an IP header on LIBNET_RAW4 mode; the other builds a packet with a UDP 
header, an IP header, and the underlying ethernet header on LIBNET_LINK mode.  
tcpdump -w shows the output on the wire of the two commands as being 
identical; however, only the RAW4 version makes it to its destination.  
Here's a snippet from two tcpdump runs:

Without link:
00004CA0   0C 3A EB 41  E3 40 0B 00  34 00 00 00  34 00 00 00  .:.A.@..4...4...
00004CB0   00 20 E0 35  54 40 00 50  04 6C E7 30  08 00 45 00  . .5T@.P.l.0..E.
00004CC0   00 26 00 F2  00 00 40 11  A9 B7 C0 A8  00 03 81 FF  .&....@.........
00004CD0   8D 73 75 30  00 50 00 08  BA 3F 01 02  03 04 05 06  .su0.P...?......
00004CE0   74 65 73 74

With link:
00004B50   40 3A EB 41  E1 A5 0E 00  34 00 00 00  34 00 00 00  @:.A....4...4...
00004B60   00 20 E0 35  54 40 00 50  04 6C E7 30  08 00 45 00  . .5T@.P.l.0..E.
00004B70   00 26 00 F2  00 00 40 11  A9 B7 C0 A8  00 03 81 FF  .&....@.........
00004B80   8D 73 75 30  00 50 00 08  BA 3F 01 02  03 04 05 06  .su0.P...?......
00004B90   74 65 73 74

**Unknown header**:

Byte 0 is different
Bytes 1 through 3 are the same
Bytes 4 through 6 are different
Bytes 7 through 15 are the same

**Ethernet header**:

dhost: 00 20 E0 35 54 40
shost: 00 50 04 6C E7 30
type:  08 00

**IP header**:

version: 4
ihl:  5
tos:  00
tot_len: 00 26
id:  00 F2
frag_off: 00 00
ttl:  40
proto: 11
check: A9 B7
saddr: C0 A8 00 03
daddr: 81 FF 8D 73

**UDP header**:

Proper source: 75 30
Proper dest: 00 50
Proper length: 00 08
Proper check: BA 3F

**Data**:

Proper data: 01 02 03 04 05 06 74 65 73 74

There is one header that I'm not sure what it is, and what it's for; the only 
differences between the RAW and LINK versions are in these 15 bytes of data.  
Also, I don't know for certain that this data is a header; it could equally 
well be at the end of the packets, as the output runs end on end.

Does anyone have any clue what's wrong, and what's going on here?  I'd be very 
appreciative.  :)

 - Karen Pease
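
Added example, not part of the original post: Python that decodes the bytes shown in the two dumps and cross-checks the length fields between layers. It assumes the 16 leading bytes are the little-endian per-packet record header of the libpcap savefile that tcpdump -w writes (timestamp seconds, timestamp microseconds, captured length, original length); the function names are hypothetical.

```python
import struct

# Bytes copied from the two hex dumps in the post; the frame part is identical in both.
FRAME = (
    "0020E035 54400050 046CE730 08004500"
    "002600F2 00004011 A9B7C0A8 000381FF"
    "8D737530 00500008 BA3F0102 03040506"
    "74657374"
)
WITHOUT_LINK = bytes.fromhex("0C3AEB41 E3400B00 34000000 34000000" + FRAME)
WITH_LINK = bytes.fromhex("403AEB41 E1A50E00 34000000 34000000" + FRAME)

def csum16(data):
    """Ones' complement sum of 16-bit big-endian words (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(record):
    """Decode one record, assuming a little-endian libpcap record header."""
    ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", record[:16])
    frame = record[16:16 + incl_len]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]                       # Ethernet header is 14 bytes
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    ip_total = struct.unpack("!H", ip[2:4])[0]
    sport, dport, udp_len, udp_sum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {
        "ts": (ts_sec, ts_usec),
        "incl_len": incl_len, "orig_len": orig_len, "frame_len": len(frame),
        "ethertype": ethertype,
        "ip_total": ip_total,
        "ip_header_ok": csum16(ip[:ihl]) == 0xFFFF,  # valid header sums to 0xFFFF
        "ports": (sport, dport),
        "udp_len_field": udp_len,
        "udp_bytes_on_wire": ip_total - ihl,
        "payload": ip[ihl + 8:ip_total],
    }

def differing_offsets(a, b):
    """Byte offsets at which two equally long records differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    print("differing offsets:", differing_offsets(WITHOUT_LINK, WITH_LINK))
    for name, rec in (("without link", WITHOUT_LINK), ("with link", WITH_LINK)):
        print(name, decode(rec))
```

Under that assumption, the offsets that differ between the two dumps fall inside the capture timestamp, and the captured length of 52 matches the Ethernet, IP, UDP and data bytes that follow. The decode also shows a UDP length field of 8 where the IP total length leaves 18 bytes for UDP.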
