1. #include <linux/init.h>
    #include <linux/module.h>
    #include <linux/skbuff.h>
    #include <linux/ip.h>
    #include <linux/netfilter.h>
    #include <linux/netfilter_ipv4.h>

    MODULE_LICENSE("GPL");

    void analyzeIPHeader(struct iphdr* ip_hdr)
    {
        printk("***********IP Header***********\n");
        printk("%30s:\t0x%02x\n", "Version", 
                ip_hdr->version);

        printk("%30s:\t0x%02x (%u)\n", "Header Length(Bytes)", 
            ip_hdr->ihl, 
            ip_hdr->ihl);
        
        printk("%30s:\t0x%02x\n", "Type of service", 
            ip_hdr->tos);

        printk("%30s:\t0x%04x (%u)\n", "Total Length(Bytes)", 
            ip_hdr->tot_len, 
            ip_hdr->tot_len);

        printk("%30s:\t0x%04x (%u)\n", "Identification", 
            ip_hdr->id,
            ip_hdr->id);

        printk("%30s:\t0x%04x (%u)\n", "Fragment Offset", 
            ip_hdr->frag_off,
            ip_hdr->frag_off);

        printk("%30s:\t0x%02x\n", "Time to live", 
            ip_hdr->ttl);

        printk("%30s:\t0x%02x", "Protocol", 
            ip_hdr->protocol);

        
        if (ip_hdr->protocol == 0x11)
        {
            printk(" [UDP]\n");
        }
        else if (ip_hdr->protocol == 0x06)
        {
            printk(" [TCP]\n");
        }
        else if (ip_hdr->protocol == 0x01)
        {
            printk(" [ICMP]\n");
        }
        else if (ip_hdr->protocol == 0x02)
        {
            printk(" [IGMP]\n");
        }

        printk("%30s:\t0x%04x\n", "Header Checksum (CRC)", 
            ip_hdr->check);

        printk("%30s:\t%u:%u:%u:%u\n", "Source IP Address", 
            *(unsigned char*)(((unsigned char*)&ip_hdr->saddr) + 0),
            *(unsigned char*)(((unsigned char*)&ip_hdr->saddr) + 1),
            *(unsigned char*)(((unsigned char*)&ip_hdr->saddr) + 2),
            *(unsigned char*)(((unsigned char*)&ip_hdr->saddr) + 3)
            );

        printk("%30s:\t%u:%u:%u:%u\n", "Destination IP Address", 
            *(unsigned char*)(((unsigned char*)&ip_hdr->daddr) + 0),
            *(unsigned char*)(((unsigned char*)&ip_hdr->daddr) + 1),
            *(unsigned char*)(((unsigned char*)&ip_hdr->daddr) + 2),
            *(unsigned char*)(((unsigned char*)&ip_hdr->daddr) + 3)
            );

    }

    unsigned int hook_func(unsigned int hooknum,
        struct sk_buff *skb,
        const struct net_device *in,
        const struct net_device *out,
        int (*okfn)(struct sk_buff *))
    {
        struct sk_buff *sb = skb;
        struct iphdr *iph ;
        

        if (sb != NULL)
        {
            iph = ip_hdr(sb);

            // printk("sk_buff : 0x%08x ip_hdr : 0x%08x \n", sb, iph);
            if (iph != NULL)
            {
                // printk("ip: %d:%d\n", iph->saddr, iph->daddr);
                analyzeIPHeader(iph);
            }    
        }

        return NF_ACCEPT;    
    }

    static struct nf_hook_ops hook_ops = {
        .hook = hook_func,
        .hooknum = NF_INET_PRE_ROUTING,
        .pf = PF_INET,
        .priority = NF_IP_PRI_FIRST,
    };

    static int pslist_init()
    {
        printk("###################################################################\n");

        // analyzeRegisters();
        // analyzeUMANode();
        // analyzeProcesses();
        // analyzePhysicalPages();
        // analyzeTaskPgd();
        // cpuidTest();
        // netanalyze();
        nf_register_hook(&hook_ops);
        return 0;
    }

    static void pslist_exit()
    {
        nf_unregister_hook(&hook_ops);
        printk("###################################################################\n");
    }

    module_init(pslist_init);
    module_exit(pslist_exit);

结果如下:

  1. [ 3026.194484] ***********IP Header***********
    [ 3026.194487]                        Version:    0x04
    [ 3026.194489]           Header Length(Bytes):    0x05 (5)
    [ 3026.194490]                Type of service:    0x00
    [ 3026.194491]            Total Length(Bytes):    0x7c00 (31744)
    [ 3026.194492]                 Identification:    0xdd24 (56612)
    [ 3026.194493]                Fragment Offset:    0x0000 (0)
    [ 3026.194494]                   Time to live:    0x40
    [ 3026.194494]                       Protocol:    0x11 [UDP]
    [ 3026.194496]          Header Checksum (CRC):    0x0f3e
    [ 3026.194497]              Source IP Address:    10:64:1:55
    [ 3026.194498]         Destination IP Address:    127:0:0:1
    [ 3026.439485] ***********IP Header***********
    [ 3026.439489]                        Version:    0x04
    [ 3026.439490]           Header Length(Bytes):    0x05 (5)
    [ 3026.439491]                Type of service:    0x00
    [ 3026.439492]            Total Length(Bytes):    0x2800 (10240)
    [ 3026.439493]                 Identification:    0xde24 (56868)
    [ 3026.439494]                Fragment Offset:    0x0000 (0)
    [ 3026.439495]                   Time to live:    0x40
    [ 3026.439496]                       Protocol:    0x06 [TCP]
    [ 3026.439497]          Header Checksum (CRC):    0x5d03
    [ 3026.439499]              Source IP Address:    115:239:210:151
    [ 3026.439500]         Destination IP Address:    127:0:0:1
    [ 3026.746484] ***********IP Header***********
    [ 3026.746495]                        Version:    0x04
    [ 3026.746503]           Header Length(Bytes):    0x05 (5)
    [ 3026.746504]                Type of service:    0x00
    [ 3026.746505]            Total Length(Bytes):    0x2800 (10240)
    [ 3026.746506]                 Identification:    0xdf24 (57124)
    [ 3026.746507]                Fragment Offset:    0x0000 (0)
    [ 3026.746508]                   Time to live:    0x40
    [ 3026.746509]                       Protocol:    0x06 [TCP]
    [ 3026.746510]          Header Checksum (CRC):    0x7b11
    [ 3026.746511]              Source IP Address:    180:149:131:210
    [ 3026.746513]         Destination IP Address:    127:0:0:1
    [ 3028.557038] ***********IP Header***********
    [ 3028.557042]                        Version:    0x04
    [ 3028.557043]           Header Length(Bytes):    0x05 (5)
    [ 3028.557044]                Type of service:    0x00
    [ 3028.557045]            Total Length(Bytes):    0x2800 (10240)
    [ 3028.557046]                 Identification:    0xe024 (57380)
    [ 3028.557047]                Fragment Offset:    0x0000 (0)
    [ 3028.557048]                   Time to live:    0x40
    [ 3028.557049]                       Protocol:    0x06 [TCP]
    [ 3028.557050]          Header Checksum (CRC):    0x6329
    [ 3028.557052]              Source IP Address:    61:160:226:222
    [ 3028.557053]         Destination IP Address:    127:0:0:1
    [ 3028.617738] ***********IP Header***********
    [ 3028.617742]                        Version:    0x04
    [ 3028.617743]           Header Length(Bytes):    0x05 (5)
    [ 3028.617744]                Type of service:    0x00
    [ 3028.617746]            Total Length(Bytes):    0x2800 (10240)
    [ 3028.617747]                 Identification:    0xe124 (57636)
    [ 3028.617748]                Fragment Offset:    0x0000 (0)
    [ 3028.617749]                   Time to live:    0x40
    [ 3028.617749]                       Protocol:    0x06 [TCP]
    [ 3028.617751]          Header Checksum (CRC):    0x74ca
    [ 3028.617752]              Source IP Address:    58:221:68:143
    [ 3028.617753]         Destination IP Address:    127:0:0:1
    [ 3028.624231] ***********IP Header***********
    [ 3028.624234]                        Version:    0x04
    [ 3028.624235]           Header Length(Bytes):    0x05 (5)
    [ 3028.624236]                Type of service:    0x00
    [ 3028.624237]            Total Length(Bytes):    0x2800 (10240)
    [ 3028.624238]                 Identification:    0xe224 (57892)
    [ 3028.624239]                Fragment Offset:    0x0000 (0)
    [ 3028.624240]                   Time to live:    0x40
    [ 3028.624241]                       Protocol:    0x06 [TCP]
    [ 3028.624243]          Header Checksum (CRC):    0x6fef
    [ 3028.624244]              Source IP Address:    58:216:31:152
    [ 3028.624245]         Destination IP Address:    127:0:0:1
    [ 3030.353175] ***********IP Header***********
    [ 3030.353179]                        Version:    0x04
    [ 3030.353180]           Header Length(Bytes):    0x05 (5)
    [ 3030.353181]                Type of service:    0x00
    [ 3030.353182]            Total Length(Bytes):    0x2800 (10240)
    [ 3030.353183]                 Identification:    0xe324 (58148)
    [ 3030.353184]                Fragment Offset:    0x0000 (0)
    [ 3030.353185]                   Time to live:    0x40
    [ 3030.353186]                       Protocol:    0x06 [TCP]
    [ 3030.353187]          Header Checksum (CRC):    0x6203
    [ 3030.353188]              Source IP Address:    115:239:210:141
    [ 3030.353190]         Destination IP Address:    127:0:0:1
    [ 3030.353785] ***********IP Header***********
    [ 3030.353787]                        Version:    0x04
    [ 3030.353788]           Header Length(Bytes):    0x05 (5)
    [ 3030.353788]                Type of service:    0x00
    [ 3030.353790]            Total Length(Bytes):    0x2800 (10240)
    [ 3030.353790]                 Identification:    0xe424 (58404)
    [ 3030.353791]                Fragment Offset:    0x0000 (0)
    [ 3030.353792]                   Time to live:    0x40
    [ 3030.353793]                       Protocol:    0x06 [TCP]
    [ 3030.353794]          Header Checksum (CRC):    0x6103
    [ 3030.353795]              Source IP Address:    115:239:210:141
    [ 3030.353797]         Destination IP Address:    127:0:0:1
    [ 3030.354357] ***********IP Header***********
    [ 3030.354358]                        Version:    0x04
    [ 3030.354359]           Header Length(Bytes):    0x05 (5)
    [ 3030.354360]                Type of service:    0x00
    [ 3030.354361]            Total Length(Bytes):    0x2800 (10240)
    [ 3030.354362]                 Identification:    0xe524 (58660)
    [ 3030.354363]                Fragment Offset:    0x0000 (0)
    [ 3030.354364]                   Time to live:    0x40
    [ 3030.354365]                       Protocol:    0x06 [TCP]
    [ 3030.354366]          Header Checksum (CRC):    0x6003
    [ 3030.354367]              Source IP Address:    115:239:210:141
    [ 3030.354368]         Destination IP Address:    127:0:0:1
    [ 3030.682150] ***********IP Header***********
    [ 3030.682154]                        Version:    0x04
    [ 3030.682155]           Header Length(Bytes):    0x05 (5)
    [ 3030.682157]                Type of service:    0x00
    [ 3030.682158]            Total Length(Bytes):    0x2800 (10240)
    [ 3030.682159]                 Identification:    0xe624 (58916)
    [ 3030.682160]                Fragment Offset:    0x0000 (0)
    [ 3030.682160]                   Time to live:    0x40
    [ 3030.682161]                       Protocol:    0x06 [TCP]
    [ 3030.682163]          Header Checksum (CRC):    0x5f03
    [ 3030.682164]              Source IP Address:    115:239:210:141
    [ 3030.682165]         Destination IP Address:    127:0:0:1
    [ 3035.425863] ###################################################################

为什么通过netfilter截获的sk_buff结构,无法通过其next域获取到整个的sk_buff列表?

这是因为,sk_buff列表是由网络接口层(以太网层)维护的,当有新的网络包传送过来,网卡会向CPU发出中断请求,CPU执行中断服务例程,将网卡上的内容读入到每个CPU特定的sk_buff列表中,这个列表就是我们所说的sk_buff列表。

为了尽快地执行完中断服务例程的Top Half,一旦将sk_buff保存到队列中,就马上返回。

上层的网络层可以根据需要从队列中拿出sk_buff进行处理,如果是发往本机的,就交给上层协议继续处理,如果是转发的,就再处理一下TTL,然后交给以太网层转发出去。

对于本机发往其他机器的sk_buff,通过各层协议,最终加入到CPU的sk_buff队列,然后交给以太网层传送出去。

通过上图可见,Netfilter处于的位置,都是在以太网层上面的,因此这时截获的sk_buff都是与队列无关,因此next域都是NULL。

否则的话,这应该也算是一个漏洞,因为相当于Netfilter就可以控制所有类型的sk_buff了,而不单单是它请求处理的类型。

使用Netfilter进行数据包分析的更多相关文章

  1. 《Wireshark数据包分析实战》 - http背后,tcp/ip抓包分析

    作为网络开发人员,使用fiddler无疑是最好的选择,方便易用功能强. 但是什么作为爱学习的同学,是不应该止步于http协议的,学习wireshark则可以满足这方面的需求.wireshark作为抓取 ...

  2. WireShark数据包分析数据封装

    WireShark数据包分析数据封装 数据封装(Data Encapsulation)是指将协议数据单元(PDU)封装在一组协议头和尾中的过程.在OSI七层参考模型中,每层主要负责与其它机器上的对等层 ...

  3. 可视化数据包分析工具-CapAnalysis

    可视化数据包分析工具-CapAnalysis 我们知道,Xplico是一个从pcap文件中解析出IP流量数据的工具,本文介绍又一款实用工具-CapAnalysis(可视化数据包分析工具),将比Xpli ...

  4. snmp数据包分析

    今天看了一下snmp数据包的报文格式,用wireshark抓了两个数据包来分析. 先说说snmp get-request的书报包格式吧,get-next-request,get-response,se ...

  5. tcprstat源码分析之tcp数据包分析

    tcprstat是percona用来监测mysql响应时间的.不过对于任何运行在TCP协议上的响应时间,都可以用.本文主要做源码分析,如何使用tcprstat请大家查看博文<tcprstat分析 ...

  6. firebug登陆之数据包分析

    登陆之数据包分析 工具: python-urllib2   |  firefox+firebug或者chrome,用浏览器打开登陆页面之后,按F12键会默认打开开发者工具或者启动firebug,点击n ...

  7. Wireshark数据包分析(一)——使用入门

    Wireshark简介: Wireshark是一款最流行和强大的开源数据包抓包与分析工具,没有之一.在SecTools安全社区里颇受欢迎,曾一度超越Metasploit.Nessus.Aircrack ...

  8. Wireshark工具抓包的数据包分析

    Wireshark(前称Ethereal)是一个网络封包分析软件.网络封包分析软件的功能是撷取网络封包,并尽可能显示出最为详细的网络封包资料. Wireshark使用WinPCAP作为接口,直接与网卡 ...

  9. 网络数据包分析 网卡Offload

    http://blog.nsfocus.net/network-packets-analysis-nic-offload/     对于网络安全来说,网络传输数据包的捕获和分析是个基础工作,绿盟科技研 ...

随机推荐

  1. python 操作数据库的常用SQL命令

    这俩天在学习PYTHON操作数据库的知识.其实基本SQL命令是与以前学习的MYSQL命令一致,只是增加了一些PYTHON语句. 1,安装pymysql,并导入. import pymysql 2,因为 ...

  2. sqlserver 找不到驱动,显示项目缺少class办法

    maven使用 <dependency> <groupId>com.microsoft.sqlserver</groupId> <artifactId> ...

  3. HDU4578-Transformation-线段树的加、乘、变、次方操作

    Sample Input 5 5 3 3 5 7 1 2 4 4 4 1 5 2 2 2 5 8 4 3 5 3 0 0 Sample Output 307 7489 题意:给出n,m,表示该数有n个 ...

  4. HBase 入门之数据刷写(Memstore Flush)详细说明

    接触过 HBase 的同学应该对 HBase 写数据的过程比较熟悉(不熟悉也没关系).HBase 写数据(比如 put.delete)的时候,都是写 WAL(假设 WAL 没有被关闭) ,然后将数据写 ...

  5. Error configuring application listener of class org.springframework.web.context.

    1.java.lang.NoClassDefFoundError: org/objectweb/asm/ClassVisitor 缺少asm-3.3.jar 2.java.lang.NoClassDe ...

  6. c++计算1到100以内的质数

    自考c++实践的时候,有个求计算1-100的质数的问题,没搞出来 由于考试使用的是Dev-C++开发工具,为了下次考试做准备,改用该工具,直接下载安装即可,不会涉及到什么破解等 下载地址:https: ...

  7. 备份一下我的.bash_aliases文件

    # 这是陈悦老师的课程练习目录 alias cdchen="cd /home/branches/Documents/chen" # 每次grep都显示出行号 alias grep= ...

  8. 利用HTML和CSS实现常见的布局

    水平居中的页面布局中最为常见的一种布局形式,多出现于标题,以及内容区域的组织形式,下面介绍四种实现水平居中的方法(注:下面各个实例中实现的是child元素的对齐操作,child元素的父容器是paren ...

  9. Shell内置命令——declare

  10. 编译Android源代码

    硬盘空间需要在50G以上,最好100g 系统:ubuntu14.04 交叉工具链:arm-linux-gcc-4.5.1-v6-vfp-20120301 安装 Java 开发环境 $ sudo apt ...