InuY4sha External

Since: Sep 07, 2009 Posts: 5
Posted: Mon Sep 07, 2009 7:50 am Post subject: Intercepting IP incoming/outgoing datagrams in kernel space Archived from groups: comp>os>linux>networking
Hi list,
I'm looking for a way (in kernel space) of intercepting data being
sent to a network interface for transmission by the send/sendto
function and to fetch data incoming in the network interface:
userspace ---> send(to) ----> my_module-->
--->TCP/IPstack--->network_dev_driver
userspace <--- my_module<-- TCP/IPstack<---
<---network_dev_driver<---reception
Is it possible?
Thanks

InuY4sha External

Since: Sep 07, 2009 Posts: 5
Posted: Mon Sep 07, 2009 11:31 am Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
On 7 Sep, 19:20, Tauno Voipio <tauno.voi....TakeThisOut@INVALIDiki.fi> wrote:
> InuY4sha wrote:
> > Hi list,
> > I'm looking for a way (in kernel space) of intercepting data being
> > sent to a network interface for transmission by the send/sendto
> > function and to fetch data incoming in the network interface:
>
> > userspace ---> send(to) ----> my_module-->
> > --->TCP/IPstack--->network_dev_driver
>
> > userspace <--- my_module<-- TCP/IPstack<---
> > <---network_dev_driver<---reception
>
> > Is it possible?
> > Thanks
>
> Would you care to explain why?
> What are you attempting to achieve?
>
> There may be an existing clean way to do it.
>
> --
>
> Tauno Voipio
Sure: I need to access the packet payload in read/write mode both the
ways for incoming and outgoing packets (so no iptables mangling I
guess?.. )

InuY4sha External

Since: Sep 07, 2009 Posts: 5
Posted: Mon Sep 07, 2009 11:33 am Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
> Sure: I need to access the packet payload in read/write mode both the
> ways for incoming and outgoing packets (so no iptables mangling I
> guess?.. )
I forgot to say: I want it in kernel space to make it transparent to
user apps. I'd like it to be above TCP/IP layer to be able to
intercept all packets...

InuY4sha External

Since: Sep 07, 2009 Posts: 5
Posted: Mon Sep 07, 2009 1:35 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
I don't know why you are so obsessed with knowing why.. anyway I'd
like to perform operations on the payload such as
- applying compression algorithms
- network coding
I thought that by telling you that I needed to intercept all network
packets above TCP/IP layer would be enough...
By read/write I meant that I'm not satisfied with just monitoring with
tcpdump
By "both the ways for incoming and outgoing packets" I meant that I
need to access to packets generated locally to be sent to a remote
host and packets received from a remote host.

Tauno Voipio External

Since: Oct 21, 2005 Posts: 388
Posted: Mon Sep 07, 2009 2:10 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
InuY4sha wrote:
> Hi list,
> I'm looking for a way (in kernel space) of intercepting data being
> sent to a network interface for transmission by the send/sendto
> function and to fetch data incoming in the network interface:
>
> userspace ---> send(to) ----> my_module-->
> --->TCP/IPstack--->network_dev_driver
>
> userspace <--- my_module<-- TCP/IPstack<---
> <---network_dev_driver<---reception
>
> Is it possible?
> Thanks
Would you care to explain why?
What are you attempting to achieve?
There may be an existing clean way to do it.
--
Tauno Voipio

Tauno Voipio External

Since: Oct 21, 2005 Posts: 388
Posted: Mon Sep 07, 2009 4:10 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
InuY4sha wrote:
>> Sure: I need to access the packet payload in read/write mode both the
>> ways for incoming and outgoing packets (so no iptables mangling I
>> guess?.. )
> I forgot to say: I want it in kernel space to make it transparent to
> user apps. I'd like it to be above TCP/IP layer to be able to
> intercept all packets...
>
I'll try again:
Why do you want to capture the IP traffic?
What would you like to do with the captured packets?
You still did not tell what you're attempting to achieve
with the captures.
You are only telling that you want to intercept
the IP traffic, but you refuse to tell why. Very
probably, nobody wants to help you without the
reasons. It is fairly possible that you're barking
up the wrong tree by simply requesting the interception.
--
Tauno Voipio

Unruh External

Since: May 27, 2005 Posts: 2213
Posted: Mon Sep 07, 2009 5:10 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
InuY4sha <inuy4sha DeleteThis @gmail.com> writes:
>On 7 Sep, 19:20, Tauno Voipio <tauno.voi... DeleteThis @INVALIDiki.fi> wrote:
>> InuY4sha wrote:
>> > Hi list,
>> > I'm looking for a way (in kernel space) of intercepting data being
>> > sent to a network interface for transmission by the send/sendto
>> > function and to fetch data incoming in the network interface:
>>
>> > userspace ---> send(to) ----> my_module-->
>> >      --->TCP/IPstack--->network_dev_driver
>>
>> > userspace <--- my_module<-- TCP/IPstack<---
>> >     <---network_dev_driver<---reception
>>
>> > Is it possible?
>> > Thanks
>>
>> Would you care to explain why?
>> What are you attempting to achieve?
>>
>> There may be an existing clean way to do it.
>>
>> --
>>
>> Tauno Voipio
>Sure: I need to access the packet payload in read/write mode both the
>ways for incoming and outgoing packets (so no iptables mangling I
>guess?.. )
Clearly your sentence has been mangled since I have no idea what it is
supposed to mean.
To capture the packets you can use tcpdump, but that is after they have
set out onto the net. No idea what "packet payload in read/write mode"
means, or "both the ways". And you still have not told us why you are
trying to do this.

Unruh External

Since: May 27, 2005 Posts: 2213
Posted: Mon Sep 07, 2009 5:10 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
InuY4sha <inuy4sha.RemoveThis@gmail.com> writes:
>> Sure: I need to access the packet payload in read/write mode both the
>> ways for incoming and outgoing packets (so no iptables mangling I
>> guess?.. )
>I forgot to say: I want it in kernel space to make it transparent to
>user apps. I'd like it to be above TCP/IP layer to be able to
>intercept all packets...
And you want to make sure that your machine runs like an old i8086 as
well I assume.

David Schwartz External

Since: Apr 29, 2007 Posts: 57
Posted: Thu Sep 10, 2009 8:19 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
On Sep 7, 1:35 pm, InuY4sha <inuy4... DeleteThis @gmail.com> wrote:
> I don't know why you are so obsessed with knowing why..
Because that tells you the best way to do it. Really.
> anyway I'd
> like to perform operations on the payload such as
> - applying compression algorithms
> - network coding
That's a really vague description. You're forcing people to guess.
Your question is like "I want to build a bridge, how should I do it".
We don't know if it should be made out of toothpicks or cement and
steel and you're making us go back and forth to get tiny morsels of
information. It's just not worth the trouble.
> I thought that by telling you that I needed to intercept all network
> packets above TCP/IP layer would be enough...
> By read/write I meant that I'm not satisfied with just monitoring with
> tcpdump
> By "both the ways for incoming and outgoing packets" I meant that I
> need to access to packets generated locally to be sent to a remote
> host and packets received from a remote host.
The best way might be to use LD_PRELOAD to catch key socket operations
and reroute them through a proxy. (For example, program binds to port
8080. You bind its socket to 65001 and set up a proxy to a daemon that
binds to port 8080 and give it a socket to that proxy.) Or the best
way might be to use 6WIND's netgraph. Or it might not be.
DS

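The interposition half of the LD_PRELOAD suggestion in the post above, as an added example that is not part of the thread: a shim whose `bind()` moves a program's listening port from 8080 to 65001, the two ports the post uses. The proxy daemon that would then take port 8080 is not shown; `remap_bind_addr` and the file names in the comments are hypothetical, and reaching the kernel through `syscall()` is a choice made for this sketch.

```c
/* Build: cc -shared -fPIC -o bindshim.so bindshim.c   (placeholder names)
 * Run:   LD_PRELOAD=./bindshim.so ./app */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* exposes syscall() in <unistd.h> */
#endif
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define APP_PORT   8080          /* port the program asks for (from the post) */
#define MOVED_PORT 65001         /* port its socket really gets (from the post) */

/* Copy addr into out, rewriting APP_PORT to MOVED_PORT for IPv4 and IPv6.
 * Returns 1 if rewritten, 0 if copied unchanged, -1 if addr cannot be copied. */
int remap_bind_addr(const struct sockaddr *addr, socklen_t len,
                    struct sockaddr_storage *out)
{
    in_port_t *port = NULL;

    if (addr == NULL || len < sizeof(addr->sa_family) || len > sizeof(*out))
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out, addr, len);
    if (out->ss_family == AF_INET && len >= sizeof(struct sockaddr_in))
        port = &((struct sockaddr_in *)out)->sin_port;
    else if (out->ss_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        port = &((struct sockaddr_in6 *)out)->sin6_port;
    if (port == NULL || ntohs(*port) != APP_PORT)
        return 0;                /* AF_UNIX, other ports: pass through */
    *port = htons(MOVED_PORT);
    return 1;
}

/* Interposed bind(): the dynamic linker resolves the program's bind() calls
 * here first. The kernel is reached with a raw system call (a choice of this
 * sketch; dlsym(RTLD_NEXT, "bind") is the usual alternative). */
int bind(int fd, const struct sockaddr *addr, socklen_t len)
{
    struct sockaddr_storage moved;

    if (remap_bind_addr(addr, len, &moved) == 1)
        addr = (const struct sockaddr *)&moved;
    return (int)syscall(SYS_bind, fd, addr, len);
}
```

A preloaded library only affects dynamically linked programs that call `bind()` through libc; statically linked binaries and code that issues the system call directly are not intercepted.
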
Tauno Voipio External

Since: Oct 21, 2005 Posts: 388
Posted: Fri Sep 11, 2009 12:10 pm Post subject: Re: Intercepting IP incoming/outgoing datagrams in kernel space
I'll try a third (and last) time:
InuY4sha wrote:
> I don't know why you are so obsessed with knowing why..
Your description is so vague that we are not able to
see if you're trying to re-invent something that exists.
> anyway I'd
> like to perform operations on the payload such as
> - applying compression algorithms
> - network coding
Please explain 'network coding'.
> I thought that by telling you that I needed to intercept all network
> packets above TCP/IP layer would be enough...
Please explain 'above TCP/IP layer'.
Are you interested to catch a TCP stream and mutilate it?
What about UDP datagrams?
How about other protocols running on IP (e.g. ICMP)?
If you're interested in transporting the network traffic
in the public network in encrypted format, please read
about virtual private networks (VPN). There exists a
perfectly good mechanism for it already in the Linux
networking stack, and it is not a good idea to make a
kludge to do the same thing instead.
--
Tauno Voipio
tauno voipio (at) iki fi