pcap 和 iptables 之争

发布于 2024-08-30 03:05:13 字数 219 浏览 12 评论 0原文

我已经在一台机器上设置了 DNS 服务器。我想在机器发出之前捕获 DNS 回复,并更改其中的一些字段,然后发送数据包。

我只能更改我的 pcap 代码(用 C 编写)捕获的数据包中的字段,这看起来像是一个副本,因为原始数据包也被传输。

我尝试 iptables 删除来自机器的数据包,但它也会删除 pcap 注入的数据包。

有什么办法可以解决这个问题吗?

谢谢

I have setup a DNS server on a machine. I want to capture the DNS replies before the machine sends out, and change some fields in it and then send the packet.

I am only able to change fields in the packet my pcap code(written in C) captures, which seems like a copy, as the original packet is also transmitted.

I tried iptables to drop packets originating from the machine, but it drops the pcap injected packets as well.

Is there any way out of this?

thank you

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

欢你一世 2024-09-06 03:05:13

如果您正在寻找仅 pcap 的解决方案,则必须拦截 DNS 请求数据包,检查它,并在 DNS 服务器回复之前组装正确的回复。这看起来并不真正可靠,因为如果 DNS 服务器缓存了一个条目,它很可能会在您组装数据包并将其发送出去的自定义代码完成之前进行回复。

最可靠的方法是编写一个作为 netfilter 挂钩的内核模块。 Netfilter 挂钩能够检查数据包并在数据包离开计算机之前在多个点影响对其的处理。将其挂接到 NF_IP_LOCAL_OUT 级别。然后,您可以检查传出数据包并查看它是否是符合您标准的 DNS 回复。下一部分我还没有完成,但是由于您可以直接访问 skb(套接字缓冲区)作为自定义挂钩函数的输入参数,因此您可以在那里修改数据包并返回 NF_ACCEPT 以将响应传递给客户端。如果您需要对请求本身进行一些处理,您可以改为挂钩 NF_IP_LOCAL_IN 并以多种方式处理它,包括将其传递给用户空间程序。

Google 上有很多 Linux 内核编程的示例(搜索:Linux Kernel Module Programming)以及 netfilter hook 示例。

If you're looking for a pcap only solution, you're going to have to intercept the DNS request packet, examine it, and assemble the proper reply before the DNS server replies. That doesn't seem real reliable because if the DNS server has an entry cached it's likely to reply before your custom code to assemble a packet and send it out can finish.

The most reliable way to do this is to write a kernel module that is a netfilter hook. Netfilter hooks are able to examine a packet and influence the handling of it at several points before a packet leaves a machine. Hook it at the NF_IP_LOCAL_OUT level. You can then examine the outgoing packet and see if it is a DNS reply fitting your criteria. This next part I haven't done, but since you have direct access to the skb (socket buffer) as an input parameter to your custom hook function, you could modify the packet right there and return NF_ACCEPT to pass the response along to the client. If you needed to do some processing on the request itself, you could hook into NF_IP_LOCAL_IN instead and handle it any number of ways including passing it off to a userspace program.

There are many examples on Google for Linux kernel programming (search: Linux Kernel Module Programming) and also netfilter hook examples.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文