PACKET FLOW IN THE SYSTEM

 The network card is the entry point for any packet in the system.
 The kernel layer is responsible for managing packets in memory and
performing security checks.
 Only legitimate packets make it to the application layer, where they can be
processed by software applications.

SOFTWARE BEHIND THE SOCKET (IT receives data into the socket which is meant
only for it)

The above is a c program that outlines how to create a UDP socket, bind it to a
port, and listen for incoming packets using basic socket programming concepts.
 Socket Creation: Creates a UDP socket using socket().
 Server Details: Specifies the IP and port to bind the socket.
 Binding: Associates the socket with a particular IP and port.
 Receiving Packets: Listens for incoming packets and prints them to the
console.

PROMISCOUS MODE

Packet Flow in Promiscuous Mode:

1. Hardware Layer (Network Card)
o The Network Interface Card (NIC) is configured to operate in
promiscuous mode.
o No filtering is done on the packet’s destination address, meaning
the NIC will accept every packet it sees on the wire, irrespective of
whether it is addressed to that NIC's MAC address or another host.
o All packets arriving at the hardware (Ethernet frames) are passed
up to the kernel.
2. Kernel Layer (Kernel Buffer)
o The NIC transfers packets to the kernel memory using Direct
Memory Access (DMA).
o In normal mode, the kernel would drop packets not meant for it.
However, in promiscuous mode, it receives all packets that the
NIC captures.
o The kernel does not discriminate based on the packet’s MAC
address or IP address.
3. Kernel to User Space (Link Layer Driver)
 o The packets are then passed from the kernel buffer to the Link
Level Driver.
o The driver handles the packet and delivers it to the protocol stack
above it.
4. User Space (Protocol Stack)
o In the protocol stack, applications (such as packet sniffers) can
access these packets.
o Packet sniffing applications like Wireshark, tcpdump, or custom
tools written in Python (using Scapy) use the protocol stack to
capture and analyze packets.
o All packets, regardless of their destination, are visible to the
application in promiscuous mode.

Packet sniffing
Process of capturing live data as they go across the network. It is used by
admins to find faulty network configurations. It is also used by intruders to do
reconnaissance.

Packet Sniffers

Applications that register with the kernel so as to capture all packets seen in the
network
Typically requires superuser permissions

READ PREET
Step 1:
Create the raw socket
Step 2:
Turn on promiscuous mode
Step 3:
Getting captured packets

The image describes the creation and operation of Packet Sniffers using raw
sockets in network programming. Here's a breakdown:
Raw Socket Creation:
The code snippet socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) creates a
raw socket.
AF_PACKET allows access to the link layer (Ethernet).
SOCK_RAW specifies that the socket is a raw socket, meaning it can capture and
send raw packets.
htons(ETH_P_ALL) ensures that the socket listens to all Ethernet protocols.

Promiscuous Mode:
mr.mr_type = PACKET_MR_PROMISC puts the network interface in promiscuous
mode, allowing it to capture all packets on the network, not just those addressed
to the device.

Packet Flow:
A normal socket (like TCP or UDP) processes packets in the Transport, IP, and
Ethernet Layers before reaching the application.
A typical socket would only deliver the payload, stripping off the headers
(source/destination IP, MAC addresses, etc.).
A raw socket, however, bypasses these layers, capturing the entire packet
including the headers. This allows applications to obtain unprocessed or
"unintercepted" packets
Key Idea:

Raw sockets are used by packet sniffers because they capture

complete network packets, providing detailed header information.
Promiscuous mode ensures that all network traffic is captured,
regardless of its destination.

Flooding of Packets in User Space

 Applications that register with the kernel so as to capture all packets seen
in the network
 Typically, sniffers are only interested in a small subset of packets, all the
other packets are discarded.
 Improves performance considerably (less processing time)
 Would require much less expensive hardware
 Filtering: BSD packet filtering (BPF) provides a means by which sniffers
can specify to the kernel, the packets they are interested in.

FILTER REQUIREMENTS
1. Programmable Filtering
This means that the filtering rules can be dynamically changed or programmed
based on the needs of the user or the application. Programmable filters allow for
adaptability to different network scenarios or types of traffic, ensuring that only
relevant packets are processed.
2. Different Packet Interests
Each network sniffer (or monitoring tool) may have unique requirements based
on what they need to analyze. For example, one might be interested in HTTP
traffic, while another might focus on DNS queries. A flexible filtering mechanism
allows each sniffer to define its own rules for capturing packets.
3. Close to the NIC
The filter should operate as close to the Network Interface Card (NIC) as possible.
This is critical because:
 Early Filtering: By filtering packets close to the NIC, you reduce the
amount of unnecessary data that needs to be processed by the operating
system and user-space applications. This helps in conserving CPU
resources and improving overall system performance.
 Network Efficiency: Early filtering minimizes the load on the network
stack and can lead to faster response times and lower latency.
4. Ruling Out User-Space Filtering
User-space filtering occurs after the operating system has already processed the
packets, which can lead to inefficiencies. It is not ideal for your requirements
since you want to filter packets before they reach user-space applications.
5. Kernel-Based Filtering
Kernel-based filtering allows packet filtering to occur within the kernel space of
the operating system. This is beneficial because:
 Performance: Kernel space has direct access to hardware and can
process packets faster than user-space applications.
 Control: You have finer control over how packets are handled and can
implement complex filtering rules without the overhead of user-space
context switching.
 Security: Filtering at the kernel level can provide enhanced security as
malicious packets can be dropped before they reach user-space
applications.
6. Hardware-Based Filtering
Hardware-based filtering refers to using specialized hardware (like network
appliances or programmable network cards) to filter packets. This can offer
several advantages:
 Efficiency: Dedicated hardware can handle filtering tasks without
consuming CPU resources of the host machine.
 Scalability: Hardware can often handle higher throughput and more
complex filtering rules than software solutions.
 Offloading: Some network interface cards come with built-in capabilities
to filter packets based on specific criteria, offloading this work from the
CPU.
This image appears to represent how Operating System (OS) filters work for
network packets, specifically showing the flow of data from the network card
(hardware) through the kernel and up to the user space, with different
components involved in filtering and processing.
1. Hardware Layer (Network Card):
The network card (NIC) receives network packets.
If the NIC is in promiscuous mode, it receives all packets on the network, without
filtering.
These packets are transferred to the kernel memory using DMA (Direct Memory
Access).
2. Kernel Layer:
After the DMA transfer, packets are placed in the kernel buffer.
A filter in the kernel processes the packets, determining which ones are passed
up to user space.
Packets that pass the filter are sent to the next stage, while others are discarded
3. User Space:
In the user space, data moves through the Protocol Stack, which processes
network protocols (like TCP/IP).
A Sniffer application, such as tcpdump, can receive packets that pass the
kernel’s filter.
Packets are buffered in user space for further processing or analysis.
The diagram distinguishes between filtered and unfiltered packets. The NIC
sends all packets to the kernel buffer, but only filtered packets (those passing the
filter) are sent to user space applications like sniffers.
It shows how data moves from hardware (NIC) to software components, passing
through various buffers and filters in both the kernel and user space.

BPF
BSD Packet Filters (BPF) is a powerful and efficient mechanism used primarily in
BSD-based operating systems (like FreeBSD, OpenBSD, and NetBSD) for
capturing and filtering network packets. Here’s a detailed overview:
What is BPF?
BPF allows applications to efficiently capture packets that pass through a
network interface. It works at the link layer and can filter packets based on a
variety of criteria before they are delivered to the application layer.

PCAP
• It is a library that provides APIs for packet capture
• Has a compiler (pcap_compile) that
• Takes as input filtering rules using human readable Boolean
expressions
• Converts the Boolean expressions into BPF pseudo-code which can
be used by the kernel
• Well defined APIs available on many platforms:
• Port in Linux is called libpcap
• Port in Windows is called WinPCap
(APIs are common across ports)
Common Tools Using PCap
1. Wireshark:
o A popular network protocol analyzer that uses PCap to capture and
display packet data in a user-friendly graphical interface.
2. tcpdump:
o A command-line packet analyzer that allows users to capture and
display packets transmitted over a network.
3. Snort:
o An open-source intrusion detection and prevention system that
utilizes PCap for real-time traffic analysis.
4. Scapy:
 o A powerful interactive packet manipulation tool that can capture,
create, and send packets using PCap.
PCap filter expressions are a powerful way to capture specific network traffic,
making it easier to analyze relevant packets without unnecessary data.
Mastering BPF syntax will enhance your ability to monitor and troubleshoot
network issues effectively. Whether you're using tools like tcpdump or
programming with libpcap, understanding these expressions is essential for
effective network analysis.
• Examples:
host foo and not port ftp and not port ftp-data
Any traffic from/to the host name foo except traffic on ftp and ftp-data
ports
gateway snup and (port ftp or ftp-data)
All FTP traffic through the gatewap snup
gateway snup and ip[2:2] > 576
All gateway traffic through snup with size greater than 576 bytes
ether[0] & 1 = 0 and ip[16] >= 224
IP broadcast or multicast traffic that were not sent via Ethernet
broadcast/multicast
Byte 0 LSB 1 in Ethernet frame indicates a broadcast
IP broadcast have destination address 224.0.0.0 to 239.255.255.255
host helios and \( hot or ace \)
 Meaning: This expression captures packets that are either sent to or
received from a host named "helios" and are also either sent to or
received from hosts named "hot" or "ace."
ip and not net localnet
 Meaning: This expression captures all IP packets that are not part of the
local network (denoted as "localnet").
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
 Meaning: This expression captures TCP packets that have either the SYN
or FIN flag set and are not from or to the local network.