Netfilter内核模块,用于截取数据包并记录它们
Netfilter内核模块,用于截取数据包并记录它们
提问于 2016-09-10 21:57:10
我有一个基本的代码。此代码丢弃并记录所有传入和传出的数据包。我想编写一个netfilter内核模块来拦截数据包,并将它们记录在内核日志中。它应该能够检测不同类型的基于TCP的侦测数据包(如图1或2所示)。模块应检测到这些数据包并将其记录到内核日志中。我不想过滤数据包,只想识别和记录它们。
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
static struct nf_hook_ops nfho; //struct holding set of hook function options
//function to be called by hook
unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
printk(KERN_INFO "packet dropped\n"); //log to var/log/messages
return NF_DROP; //drops the packet
}
//Called when module loaded using 'insmod'
int init_module()
{
nfho.hook = hook_func; //function to call when conditions below met
nfho.hooknum = NF_IP_PRE_ROUTING; //called right after packet recieved, first hook in Netfilter
nfho.pf = PF_INET; //IPV4 packets
nfho.priority = NF_IP_PRI_FIRST; //set to highest priority over all other hook functions
nf_register_hook(&nfho); //register hook
return 0; //return 0 for success
}
//Called when module unloaded using 'rmmod'
void cleanup_module()
{
nf_unregister_hook(&nfho); //cleanup – unregister hook
}回答 2
Stack Overflow用户
发布于 2016-10-09 19:45:43
首先,此模块仅丢弃传入的数据包。原因是以下行:nfho.hooknum = NF_IP_PRE_ROUTING;。关于你的问题:我不明白什么是“基于侦察包”,但你可以从包中提取所有数据,并在内核日志中显示它们。例如:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/tcp.h>
static struct nf_hook_ops nfho; //struct holding set of hook function options
//function to be called by hook
unsigned int hook_func(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb); //you can access to IP source and dest - ip_header->saddr, ip_header->daddr
struct tcphdr *tcp_header;
if (ip_header->protocol == 6) //TCP protocol
{
printk(KERN_INFO "TCP Packet\n");
tcp_header = (struct tcphdr *)(skb_transport_header(skb)+20); //Note: +20 is only for incoming packets
printk(KERN_INFO "Source Port: %u\n", tcp_header->source); //can access dest in the same way
}
return NF_ACCEPT; //accept the packet
}
//Called when module loaded using 'insmod'
int init_module()
{
nfho.hook = hook_func; //function to call when conditions below met
nfho.hooknum = NF_INET_PRE_ROUTING; //called right after packet recieved, first hook in Netfilter
nfho.pf = PF_INET; //IPV4 packets
nfho.priority = NF_IP_PRI_FIRST; //set to highest priority over all other hook functions
nf_register_hook(&nfho); //register hook
return 0; //return 0 for success
}
//Called when module unloaded using 'rmmod'
void cleanup_module()
{
nf_unregister_hook(&nfho); //cleanup – unregister hook
} Stack Overflow用户
发布于 2016-09-10 23:56:43
您可以简单地运行ufw防火墙实用程序,
(不管怎样,你应该一直在运行它)。
从以下内容开始:
sudo ufw enable然后,为了确保它正在运行:
sudo ufw status然后打开日志功能:
sudo ufw logging on然后:
cd /var/log然后查看日志:
sudo cat ufw.log这将给出输入/输出的所有内容的日志。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/39426783
复制相关文章
相似问题
腾讯云开发者
