low level packet access from erlang


Garry Hodgson-3
i am building an experimental firewall of sorts,
and need to be able to access incoming packets
directly, so i can muck around with low level
src/dst/ports/etc information. it looks like the standard
modules handle the low level things for me, such that
by the time i see an incoming message, the low level
details are lost.

how can i arrange access to the lower level information
(ignoring performance issues for now)?

i see luke mentioned a way in an old (2001) thread:
http://www.trapexit.org/forum/viewtopic.php?p=4258&sid=4469db61020efe9100e1e1c2504bfc8c
but the link to bluetail where his code was doesn't exist anymore.

i've read the ei/pcap approach presented here:
http://blog.listincomprehension.com/2009/12/erlang-packet-sniffer-using-ei-and.html

but i don't want to just sniff packets, but intercept them.

i'd appreciate any insights into how to tackle this.

--
Garry Hodgson
AT&T Chief Security Office (CSO)

"This e-mail and any files transmitted with it are AT&T property, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."


Geoff Cant
Hi there - I'm slowly building a TAP interface based library for networking at https://github.com/archaelus/enet -- some of the code might save you some time. You can send and receive packets with it, but it's missing a lot of mechanisms and infrastructure for making that easy.

I've used the packet parsing code a bunch for pcap file analysis, and the generation code only a little to try and build an IP stack.

The docs are non-existent but I'm more than happy to answer questions about the code.

-Geoff

Matthew Evans
You could also look at procket:
http://blog.listincomprehension.com/
https://github.com/msantos/procket

Matthias Lang-2

I have a copy of Luke's TUN/TAP code. I successfully used it many
years ago for some experiments, IIRC to study what TCP did on a lossy
network. Worked fine for me.

Luke's code is a thin layer over TUN/TAP, it's just one C file and one
.erl file. It lets you do two things: receive all packets on an
ethernet interface and send packets on an ethernet interface. It comes
with an example to get you started.

After a _quick_ look at Geoff's code, I think it's _functionally_ a
superset of Luke's. Geoff's "enet_eth_iface.erl" does pretty much the
same thing as Luke's "tuntap.erl". The rest of Geoff's code seems to
be more of the IP stack to let you do more complicated decoding, e.g. TCP.

Here's Luke's code, it'll be there until next time I clean up:

  http://corelatus.se/~matthias/luke_tuntap.tgz

Matt

Geoff Cant
It's a bit of a rewrite I think - you get a port program enet_tap that opens the tap device and then does {packet, 2} to/from erlang for forwarding the frames. It uses libevent, but I haven't worked out how fast/slow it goes. It works on OSX and linux.

enet_tap is the erlang module responsible for opening the port and decoding the 'running' vs {'frame', Data} messages. (The 'running' message lets you know when you can ifconfig the device).

enet_eth_iface is my current crazy attempt at representing an ethernet interface in erlang with pubsub for subscribing to ethernet frame types. You don't need to use it to send/receive frames. It's overly complicated right now imo.

-G

Garry Hodgson-3
thanks to all for your suggestions.
i was hoping the answer would be
"just run inet:get_all_the_info_garry_needs( Sock )"
oh well, looks like i have some studying to do.



--
Garry Hodgson
AT&T Chief Security Office (CSO)

JD Bothma
In reply to this post by Garry Hodgson-3
It might be worth looking into how
https://www.erlang-solutions.com/products/openflow does it. IIRC it works
at the ethernet level so there's lots of info available.


Michael Santos
In reply to this post by Garry Hodgson-3
On Wed, Apr 03, 2013 at 01:59:47PM -0400, Garry Hodgson wrote:

> i am building an experimental firewall of sorts,
> and need to be able to access incoming packets
> directly, so i can muck around with low level
> src/dst/ports/etc information. it looks like the standard
> modules handle the low level things for me, such that
> by the time i see an incoming message, the low level
> details are lost.
>
> how can i arrange access to the lower level information
> (ignoring performance issues for now)?
>
> i see luke mentioned a way in an old (2001) thread:
> http://www.trapexit.org/forum/viewtopic.php?p=4258&sid=4469db61020efe9100e1e1c2504bfc8c
> but the link to bluetail where his code was doesn't exist anymore.
>
> i've read the ei/pcap approach presented here:
> http://blog.listincomprehension.com/2009/12/erlang-packet-sniffer-using-ei-and.html
>
> but i don't want to just sniff packets, but intercept them.
>
> i'd appreciate any insights into how to tackle this.

It really depends on what level and which platforms you want to work
on. There are BSD raw sockets, the Linux PF_PACKET interface, BPF for
BSD and LSF for Linux, divert sockets, tun devices, tap devices ...

procket can handle all of those but assuming you just want to manipulate
the IP headers and don't want to worry about the ethernet framing,
maybe using a tun device would be the easiest way.

I wrote an Erlang tun/tap interface on top of procket:

https://github.com/msantos/tunctl

I've tested the code on Linux, Mac OS X and FreeBSD. Supporting other
BSDs shouldn't be a problem. Adding Windows support is on my TODO list.

Once you've created an interface and set up the routing table, you can
simply read/write frames to the device.  Here is an example of using a tap
device to create the most insecure VPN ever over Erlang distribution:

https://github.com/msantos/tunctl/blob/master/examples/vpwn.erl

Another example using a tun device:

https://github.com/msantos/sut

sut sets up an RFC 4213 IPv6 over IPv4 tunnel. There is an example of
creating a basic stateless firewall here:

https://github.com/msantos/sut/blob/master/examples/basic_firewall.erl

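Michael's basic_firewall.erl is the project's own example; the module below is an added one, not code from procket, tunctl or sut, showing the parsing step Garry asked about in the first post: with a tun device opened with IFF_NO_PI you read raw IPv4 packets, so the src/dst/port fields come straight out of a bit-syntax match, and a first-match rule list with default deny gives a stateless filter. The module name, rule format and the constructed sample packets are assumptions of this example.

```erlang
%% tun_filter.erl: stateless filter over raw IPv4 packets as read from a tun
%% device opened with IFF_NO_PI (no Ethernet header, no 4-byte packet-info
%% prefix). Added example, not code from procket, tunctl or sut.
-module(tun_filter).
-export([parse_ipv4/1, decide/2, demo/0]).

-define(PROTO_TCP, 6).
-define(PROTO_UDP, 17).

%% Pull out the fields a rule needs. The guards reject anything that is not
%% a well-formed IPv4 header: wrong version, IHL below the 5-word minimum,
%% or a packet shorter than the header length it claims.
parse_ipv4(<<4:4, IHL:4, _Tos:8, TotalLen:16, _Id:16, _Flags:3, _FragOff:13,
             _Ttl:8, Proto:8, _Csum:16, Src:4/binary, Dst:4/binary, Rest/binary>> = Pkt)
  when IHL >= 5, TotalLen >= IHL * 4, byte_size(Pkt) >= IHL * 4 ->
    OptLen = IHL * 4 - 20,
    <<_Opts:OptLen/binary, Payload/binary>> = Rest,
    {ok, #{src => addr(Src), dst => addr(Dst), proto => Proto,
           ports => ports(Proto, Payload)}};
parse_ipv4(_) ->
    {error, malformed}.

addr(<<A, B, C, D>>) -> {A, B, C, D}.

%% TCP and UDP both start with 16-bit source and destination ports.
ports(Proto, <<SPort:16, DPort:16, _/binary>>)
  when Proto =:= ?PROTO_TCP; Proto =:= ?PROTO_UDP ->
    {SPort, DPort};
ports(_, _) ->
    none.

%% Rules are {Action, Proto | any, DstPort | any}; first match wins, and a
%% packet matching no rule is denied. Malformed packets are denied as well:
%% never forward what you could not parse.
decide(Rules, Pkt) ->
    case parse_ipv4(Pkt) of
        {ok, Hdr}  -> first_match(Rules, Hdr);
        {error, _} -> deny
    end.

first_match([], _Hdr) ->
    deny;
first_match([{Action, Proto, DPort} | Tail], #{proto := P, ports := Ports} = Hdr) ->
    ProtoOk = Proto =:= any orelse Proto =:= P,
    PortOk  = DPort =:= any orelse
              (Ports =/= none andalso element(2, Ports) =:= DPort),
    case ProtoOk andalso PortOk of
        true  -> Action;
        false -> first_match(Tail, Hdr)
    end.

%% Constructed sample traffic: an IPv4/TCP SYN from 10.0.0.1 to port 22 on
%% 10.0.0.2 (checksums left zero; only the headers matter here), a UDP packet
%% to port 5353 that no allow rule covers, and a truncated packet.
demo() ->
    Rules = [{allow, ?PROTO_TCP, 22}, {allow, ?PROTO_UDP, 53}],
    Tcp = <<40000:16, 22:16, 0:32, 0:32, 5:4, 0:6, 2:6, 65535:16, 0:16, 0:16>>,
    Udp = <<40001:16, 5353:16, 8:16, 0:16>>,
    [decide(Rules, ipv4(?PROTO_TCP, Tcp)),
     decide(Rules, ipv4(?PROTO_UDP, Udp)),
     decide(Rules, <<4:4, 5:4, 0:16>>)].

ipv4(Proto, Payload) ->
    <<4:4, 5:4, 0:8, (20 + byte_size(Payload)):16, 0:16, 0:3, 0:13,
      64:8, Proto:8, 0:16, 10, 0, 0, 1, 10, 0, 0, 2, Payload/binary>>.
```

Compile with `erlc tun_filter.erl` and call `tun_filter:demo()`; in a real device loop, the binary handed to `decide/2` is whatever `tuncer:recv/2` returned for that frame. The guards on `parse_ipv4/1` are the point: a filter that forwards packets it failed to parse is a bypass, so the unparseable case is an explicit `deny`, not a crash and not a pass-through.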

Garry Hodgson-3
wow. this looks great. you've built up a nice set of layers here.
i was just tinkering with procket when i saw this message.
guess i need to keep on tinkering.

thanks



--
Garry Hodgson
AT&T Chief Security Office (CSO)

Garry Hodgson-3
In reply to this post by Michael Santos
On 04/03/2013 05:24 PM, Michael Santos wrote:
>
> I wrote an Erlang tun/tap interface on top of procket:
>
> https://github.com/msantos/tunctl
i've been playing with tunctl, but can't seem to get
it past initial eperm problems in create(). i'm guessing
i missed some kind of setup step, but i don't know what.

i set the capabilities as per instructions:

--> getcap /usr/local/lib/erlang/erts-5.9.2/bin/beam.smp /usr/local/lib/erlang/erts-5.9.2/bin/beam
/usr/local/lib/erlang/erts-5.9.2/bin/beam.smp = cap_net_admin+ep
/usr/local/lib/erlang/erts-5.9.2/bin/beam = cap_net_admin+ep

running as root, when i try tuncer:create() with or without args, i get:

(r3)2> tuncer:create( <<"tun0">> ).
** exception exit: {badmatch,{error,eperm}}
      in function  tuncer:init/1
      in call from gen_server:init_it/6 (gen_server.erl, line 304)
      in call from proc_lib:init_p_do_apply/3 (proc_lib.erl, line 227)
(r3)3>
=CRASH REPORT==== 4-Jun-2013::08:28:13 ===
   crasher:
     initial call: tuncer:init/1
     pid: <0.64.0>
     registered_name: []
     exception exit: {{badmatch,{error,eperm}},
                      [{tuncer,init,1,[]},
                       {gen_server,init_it,6,

any idea what i may be missing?

--
Garry Hodgson
AT&T Chief Security Office (CSO)

Garry Hodgson-3
forgot to mention, i'm running erlang R15B02
on CentOs 6.2



--
Garry Hodgson
AT&T Chief Security Office (CSO)

Michael Santos
In reply to this post by Garry Hodgson-3
On Tue, Jun 04, 2013 at 09:08:49AM -0400, Garry Hodgson wrote:

> On 04/03/2013 05:24 PM, Michael Santos wrote:
> >
> >I wrote an Erlang tun/tap interface on top of procket:
> >
> >https://github.com/msantos/tunctl
> i've been playing with tunctl, but can't seem to get
> it past initial eperm problems in create(). i'm guessing
> i missed some kind of setup step, but i don't know what.
>
> i set the capabilities as per instructions:
>
> --> getcap /usr/local/lib/erlang/erts-5.9.2/bin/beam.smp
> /usr/local/lib/erlang/erts-5.9.2/bin/beam
> /usr/local/lib/erlang/erts-5.9.2/bin/beam.smp = cap_net_admin+ep
> /usr/local/lib/erlang/erts-5.9.2/bin/beam = cap_net_admin+ep
>
> running as root, when i try tuncer:create() with or without args, i get:
>
> (r3)2> tuncer:create( <<"tun0">> ).
> ** exception exit: {badmatch,{error,eperm}}
>      in function  tuncer:init/1
>      in call from gen_server:init_it/6 (gen_server.erl, line 304)
>      in call from proc_lib:init_p_do_apply/3 (proc_lib.erl, line 227)
> (r3)3>
> =CRASH REPORT==== 4-Jun-2013::08:28:13 ===
>   crasher:
>     initial call: tuncer:init/1
>     pid: <0.64.0>
>     registered_name: []
>     exception exit: {{badmatch,{error,eperm}},
>                      [{tuncer,init,1,[]},
>                       {gen_server,init_it,6,
>
> any idea what i may be missing?

Looks like you have everything set up correctly. Just to make sure, I
tried creating a tun device as root:

    ~/src/erlang/tunctl(master)$ sudo ./start.sh
    Erlang R16B01 (erts-5.10.2) [source-e72043e] [smp:2:2] [async-threads:10] [hipe] [kernel-poll:false]
   
    Eshell V5.10.2  (abort with ^G)
    1> tuncer:create( <<"tun0">> ).
    {ok,<0.35.0>}
    2>
   
    $ ip addr
    <...>
    5: tun0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
        link/ether 4a:1c:12:7e:4d:56 brd ff:ff:ff:ff:ff:ff

You can try creating the tun device manually:

    $ sudo ./start.sh
   
    1> {ok, FD} = procket:dev("net/tun").
    {ok,9}
   
    2> procket:ioctl(FD, 1074025674, <<"tun0", 0:96, 1:2/native-integer-unit:8, 0:112>>).
    {ok,<<116,117,110,48,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,
          0,0,0,0,0,...>>}

Are you able to create a tun device using other utilities? This should
work:

    ip tuntap add mode tun foo

Is selinux enabled?

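The `procket:ioctl/3` call above hands the kernel a hand-built `struct ifreq`: 16 bytes of interface name (IFNAMSIZ, NUL padded), then a 2-byte native-endian flags word where 1 is IFF_TUN, then padding, and 1074025674 is TUNSETIFF (0x400454ca). The module below is an added example, not part of procket or tunctl, that builds and decodes that struct so the same two calls can be made with a validated name and with the ioctl's `{error, eperm}` reported instead of crashing the caller, which is the failure Garry hit. Assumptions, labelled in the code: the Linux x86_64 layout (40-byte ifreq), the added IFF_NO_PI flag (0x1000) so reads return raw IP packets, and the module and function names.

```erlang
%% tun_ifreq.erl: build and decode the struct ifreq used with TUNSETIFF.
%% Added example, not procket or tunctl code. Layout assumed: Linux x86_64,
%% IFNAMSIZ = 16, 2-byte native flags, sizeof(struct ifreq) = 40.
-module(tun_ifreq).
-export([encode/2, decode/1, create/2]).

-define(IFNAMSIZ,   16).
-define(IFREQ_SIZE, 40).
-define(TUNSETIFF,  16#400454ca).   %% 1074025674, the value used above
-define(IFF_TUN,    16#0001).
-define(IFF_TAP,    16#0002).
-define(IFF_NO_PI,  16#1000).       %% no 4-byte packet-info prefix on reads

%% Name must leave room for the terminating NUL; an empty name lets the
%% kernel choose tunN. The character check is stricter than the kernel's
%% own (it rejects control characters too) and gives a clearer error than
%% an einval from the ioctl.
encode(Name, Flags) when is_binary(Name), byte_size(Name) < ?IFNAMSIZ,
                         is_integer(Flags), Flags >= 0, Flags =< 16#ffff ->
    case valid_name(Name) of
        true ->
            NamePad = (?IFNAMSIZ - byte_size(Name)) * 8,
            TailPad = (?IFREQ_SIZE - ?IFNAMSIZ - 2) * 8,
            {ok, <<Name/binary, 0:NamePad,
                   Flags:2/native-integer-unit:8, 0:TailPad>>};
        false ->
            {error, bad_ifname}
    end;
encode(_, _) ->
    {error, badarg}.

valid_name(<<>>)     -> true;
valid_name(<<".">>)  -> false;
valid_name(<<"..">>) -> false;
valid_name(Name) ->
    lists:all(fun(C) -> C > $\s andalso C =/= $/ andalso C =/= $: end,
              binary_to_list(Name)).

%% The kernel writes the assigned name and effective flags back into the
%% struct; decoding the ioctl result tells you which tunN you actually got.
decode(<<NameZ:?IFNAMSIZ/binary, Flags:2/native-integer-unit:8, _/binary>>) ->
    [Name | _] = binary:split(NameZ, <<0>>),
    {ok, #{name => Name, flags => Flags}};
decode(_) ->
    {error, short_ifreq}.

%% Same two procket calls as above (procket:dev/1, procket:ioctl/3), with
%% both error paths returned to the caller rather than raising badmatch.
create(Name, Flags) ->
    case encode(Name, Flags bor ?IFF_NO_PI) of
        {ok, Ifr} ->
            case procket:dev("net/tun") of
                {ok, FD} ->
                    case procket:ioctl(FD, ?TUNSETIFF, Ifr) of
                        {ok, Out} ->
                            {ok, Dev} = decode(Out),
                            {ok, FD, Dev};
                        {error, _} = Err ->
                            procket:close(FD),
                            Err
                    end;
                {error, _} = Err ->
                    Err          %% eperm lands here instead of a crash
            end;
        {error, _} = Err ->
            Err
    end.
```

`tun_ifreq:create(<<"tun0">>, 16#0001)` reproduces the shell session above; `tun_ifreq:create(<<>>, 16#0001)` lets the kernel pick the name and reads it back from the returned struct. Note that the struct above is 32 bytes while the kernel copies sizeof(struct ifreq) from user space; padding to the full size keeps the copy inside the buffer you actually allocated.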
Garry Hodgson-3
On 06/04/2013 11:30 AM, Michael Santos wrote:

> Looks like you have everything set up correctly. Just to make sure, I
> tried creating a tun device as root:
>
>      ~/src/erlang/tunctl(master)$ sudo ./start.sh
>      Erlang R16B01 (erts-5.10.2) [source-e72043e] [smp:2:2] [async-threads:10] [hipe] [kernel-poll:false]
>      
>      Eshell V5.10.2  (abort with ^G)
>      1> tuncer:create( <<"tun0">> ).
>      {ok,<0.35.0>}
>      2>
>      
hmmm...that gives me the aforementioned error.
> You can try creating the tun device manually:
>
>      $ sudo ./start.sh
>      
>      1> {ok, FD} = procket:dev("net/tun").
>      {ok,9}
--> erl -pa /usr/local/sut/sut/deps/pkt/ebin -pa /usr/local/sut/sut/ebin -pa /usr/local/sut/sut/deps/procket/ebin
Erlang R15B02 (erts-5.9.2) [source] [64-bit] [smp:8:8] [async-threads:0] [hipe] [kernel-poll:false]

Eshell V5.9.2  (abort with ^G)
1> procket:dev("net/tun").
{error,eperm}

--> ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jun  3 17:23 /dev/net/tun
--> getcap /usr/local/lib/erlang/erts-5.9.2/bin/beam /usr/local/lib/erlang/erts-5.9.2/bin/beam.smp
/usr/local/lib/erlang/erts-5.9.2/bin/beam = cap_net_admin+ep
/usr/local/lib/erlang/erts-5.9.2/bin/beam.smp = cap_net_admin+ep

>      
>      2> procket:ioctl(FD, 1074025674, <<"tun0", 0:96, 1:2/native-integer-unit:8, 0:112>>).
>      {ok,<<116,117,110,48,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,
>            0,0,0,0,0,...>>}
>
> Are you able to create a tun device using other utilities? This should
> work:
>
>      ip tuntap add mode tun foo

that does not:

--> ip tuntap add mode tun foo
Object "tuntap" is unknown, try "ip help".

but i can create tun using tunctl:

--> tunctl -n -u garry -g garry
Set 'tun0' persistent and owned by uid 1234 gid 1234

>
> Is selinux enabled?
i believe not:

--> /usr/sbin/getenforce
Disabled

puzzling.

--
Garry Hodgson
AT&T Chief Security Office (CSO)

Garry Hodgson-3
ha! success!

r3:init: procket got {ok,13}
r3:init:got socket #Port<0.1538>
r3:init: dev is <0.58.0>
r3:init: ip address is "135.207.243.86"

poking around just now, i noticed that while i had
a sudoers entry, the permissions on my procket
were not what you specified in README:

[root ~]# ls -l /usr/local/sut/sut/deps/procket/priv/procket
-rwxr-xr-x 1 root root 11712 Jun  4 13:37 /usr/local/sut/sut/deps/procket/priv/procket

so i changed them:

[root ~]# chmod 4750 /usr/local/sut/sut/deps/procket/priv/procket
[root ~]# ls -l /usr/local/sut/sut/deps/procket/priv/procket
-rwsr-x--- 1 root root 11712 Jun  4 13:37 /usr/local/sut/sut/deps/procket/priv/procket

and your tests worked:

(r3)2> tuncer:create( <<"tun9">> ).
{ok,<0.64.0>}
(r3)3> procket:dev("net/tun").
{ok,16}

as did my code:

r3:init: procket got {ok,13}
r3:init:got socket #Port<0.1538>
r3:init: dev is <0.58.0>
r3:init: ip address is "135.207.243.86"

i think i recall doing this before, but it may have been on a different
machine. and it's odd that it helped, given that i've been running
as root.

in any case, i appear to be unstuck. i'll likely have more
questions, but i'm good for now. thanks for your help,
and your willingness to be helpful.

this is gonna be fun.


--
Garry Hodgson
AT&T Chief Security Office (CSO)

"This e-mail and any files transmitted with it are AT&T property, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited."



low level packet access from erlang

Michael Santos
On Tue, Jun 04, 2013 at 07:49:43PM -0400, Garry Hodgson wrote:
> ha! success!

Awesome.

> r3:init: procket got {ok,13}
> r3:init:got socket #Port<0.1538>
> r3:init: dev is <0.58.0>
> r3:init: ip address is "135.207.243.86"
>
> poking around just now, i noticed that while i had
> a sudoers entry, the permissions on my procket
> were not what you specified in README:
>
> [root ~]# ls -l /usr/local/sut/sut/deps/procket/priv/procket
> -rwxr-xr-x 1 root root 11712 Jun  4 13:37
> /usr/local/sut/sut/deps/procket/priv/procket
>
> so i changed them:
>
> [root ~]# chmod 4750 /usr/local/sut/sut/deps/procket/priv/procket
> [root ~]# ls -l /usr/local/sut/sut/deps/procket/priv/procket
> -rwsr-x--- 1 root root 11712 Jun  4 13:37
> /usr/local/sut/sut/deps/procket/priv/procket
>
> and your tests worked:
>
> (r3)2> tuncer:create( <<"tun9">> ).
> {ok,<0.64.0>}
> (r3)3> procket:dev("net/tun").
> {ok,16}
>
> as did my code:
>
> r3:init: procket got {ok,13}
> r3:init:got socket #Port<0.1538>
> r3:init: dev is <0.58.0>
> r3:init: ip address is "135.207.243.86"
>
> i think i recall doing this before, but it may have been on a different
> machine. and it's odd that it helped, given that i've been running
> as root.

That's really weird. I changed the code to be "smarter" about calling
sudo, I'll have to check if I broke something.

> in any case, i appear to be unstuck. i'll likely have more
> questions, but i'm good for now. thanks for your help,
> and your willingness to be helpful.
>
> this is gonna be fun.

Ask away and if you have any comments/suggestions, please let me know!

> On 06/04/2013 07:07 PM, Garry Hodgson wrote:
> >On 06/04/2013 11:30 AM, Michael Santos wrote:
> >>Looks like you have everything set up correctly. Just to make sure, I
> >>tried creating a tun device as root:
> >>
> >>     ~/src/erlang/tunctl(master)$ sudo ./start.sh
> >>     Erlang R16B01 (erts-5.10.2) [source-e72043e] [smp:2:2]
> >>[async-threads:10] [hipe] [kernel-poll:false]
> >>          Eshell V5.10.2  (abort with ^G)
> >>     1> tuncer:create( <<"tun0">> ).
> >>     {ok,<0.35.0>}
> >>     2>
> >hmmm...that gives me the aforementioned error.
> >>You can try creating the tun device manually:
> >>
> >>     $ sudo ./start.sh
> >>          1> {ok, FD} = procket:dev("net/tun").
> >>     {ok,9}
> >--> erl -pa  /usr/local/sut/sut/deps/pkt/ebin -pa
> >/usr/local/sut/sut/ebin -pa  /usr/local/sut/sut/deps/procket/ebin
> >Erlang R15B02 (erts-5.9.2) [source] [64-bit] [smp:8:8]
> >[async-threads:0] [hipe] [kernel-poll:false]
> >
> >Eshell V5.9.2  (abort with ^G)
> >1> procket:dev("net/tun").
> >{error,eperm}
> >
> >--> ls -l /dev/net/tun
> >crw-rw-rw- 1 root root 10, 200 Jun  3 17:23 /dev/net/tun
> >--> getcap /usr/local/lib/erlang/erts-5.9.2/bin/beam
> >/usr/local/lib/erlang/erts-5.9.2/bin/beam.smp
> >/usr/local/lib/erlang/erts-5.9.2/bin/beam = cap_net_admin+ep
> >/usr/local/lib/erlang/erts-5.9.2/bin/beam.smp = cap_net_admin+ep
> >
> >>          2> procket:ioctl(FD, 1074025674, <<"tun0", 0:96,
> >>1:2/native-integer-unit:8, 0:112>>).
> >>{ok,<<116,117,110,48,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,
> >>           0,0,0,0,0,...>>}
> >>
> >>Are you able to create a tun device using other utilities? This should
> >>work:
> >>
> >>     ip tuntap add mode tun foo
> >
> >that does not:
> >
> >--> ip tuntap add mode tun foo
> >Object "tuntap" is unknown, try "ip help".
> >
> >but i can create tun using tunctl:
> >
> >--> tunctl -n -u garry -g garry
> >Set 'tun0' persistent and owned by uid 1234 gid 1234
> >
> >>
> >>Is selinux enabled?
> >i believe not:
> >
> >--> /usr/sbin/getenforce
> >Disabled
> >
> >puzzling.
> >
>
>
> --
> Garry Hodgson
> AT&T Chief Security Office (CSO)
>
>


low level packet access from erlang

Garry Hodgson-3
On 06/05/2013 09:23 AM, Michael Santos wrote:
> That's really weird. I changed the code to be "smarter" about calling
> sudo, I'll have to check if I broke something.
right? especially because i had the sudoers entries
in place, and i was already root. go figure.

--
Garry Hodgson
AT&T Chief Security Office (CSO)




low level packet access from erlang

Garry Hodgson-3
On 06/05/2013 09:23 AM, Michael Santos wrote:
> Ask away and if you have any comments/suggestions, please let me know!
i'm happily using tun now to intercept and inspect packets, but
any that i modify get dropped as malformed when i send them.
wireshark tells me the checksums are wrong. and indeed, i
don't get what i expect from pkt:checksum():

classify( <<4:4, _IHL:4, _TypeOfService:8, _TotalLength:16,
            _Identification:16, _FlagX:1, _FlagD:1, _FlagM:1, _FragmentOffset:13,
            _TTL:8, ?IPPROTO_TCP:8, _HeaderCheckSum:16,
            _SrcAddr:32, _DestAddr:32, _Rest/binary>> = Raw ) ->

     { IPv4, IpPayload } = pkt:ipv4( Raw ),
     { Tcp, TcpPayload } = pkt:tcp( IpPayload ),

     TestSum = pkt:checksum( [ IPv4, Tcp, TcpPayload ] ),
     alog:debug( "classify: computed = ~b, actual = ~b", [ TestSum, Tcp#tcp.sum ] ),
...

=INFO REPORT==== 3-Jul-2013::14:04:02 ===
{log,debug,"classify: computed = 43987, actual = 52256",r3}

any idea what i'm doing wrong?

thanks

--
Garry Hodgson
AT&T Chief Security Office (CSO)




low level packet access from erlang

Michael Santos
On Wed, Jul 03, 2013 at 02:11:50PM -0400, Garry Hodgson wrote:
> On 06/05/2013 09:23 AM, Michael Santos wrote:
> >Ask away and if you have any comments/suggestions, please let me know!
> i'm happily using tun now to intercept and inspect packets, but

Glad to hear you are making some progress!

> any that i modify get dropped as malformed when i send them.
> wireshark tells me the checksums are wrong. and indeed, i
> don't get what i expect from pkt:checksum():
>
> classify( <<4:4, _IHL:4, _TypeOfService:8, _TotalLength:16,
>             _Identification:16, _FlagX:1, _FlagD:1, _FlagM:1, _FragmentOffset:13,
>             _TTL:8, ?IPPROTO_TCP:8, _HeaderCheckSum:16,
>             _SrcAddr:32, _DestAddr:32, _Rest/binary>> = Raw ) ->
>
>     { IPv4, IpPayload } = pkt:ipv4( Raw ),
>     { Tcp, TcpPayload } = pkt:tcp( IpPayload ),
>
>     TestSum = pkt:checksum( [ IPv4, Tcp, TcpPayload ] ),
>     alog:debug( "classify: computed = ~b, actual = ~b", [ TestSum, Tcp#tcp.sum ] ),
> ...
>
> =INFO REPORT==== 3-Jul-2013::14:04:02 ===
> {log,debug,"classify: computed = 43987, actual = 52256",r3}
>
> any idea what i'm doing wrong?
>
> thanks

There were a few bugs: TCP options were left out of the record to binary
conversion and the length of the payload was left out of the checksum.
Should be fixed now, thanks for letting me know!

Also, use pkt:makesum/1 to calculate the checksum. This should work:

    TestSum = pkt:makesum( [ IPv4, Tcp, TcpPayload ] ),

You may still see some checksum mismatches if your system uses TCP
checksum offloading.

> --
> Garry Hodgson
> AT&T Chief Security Office (CSO)
>
>
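The two checksum pitfalls Michael describes above (TCP options left out of the header bytes, and the TCP length left out of the pseudo-header), worked through in Python as an added example that is not code from the pkt library or from anyone in this thread: it builds a constructed IPv4/TCP segment carrying an MSS option, computes the RFC 793 checksum over pseudo-header, full header and payload, and shows that either omission fails verification against the stored checksum.

```python
import struct

IPPROTO_TCP = 6

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src, dst, tcp_hdr, payload, include_length=True):
    """TCP checksum over pseudo-header + full TCP header (options included) + payload.
    tcp_hdr must already have its checksum field (bytes 16..17) zeroed.
    include_length=False reproduces the 'TCP length missing' bug from the thread."""
    tcp_len = len(tcp_hdr) + len(payload) if include_length else 0
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)
    return inet_checksum(pseudo + tcp_hdr + payload)

def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP SYN (10.0.0.1 -> 10.0.0.2) with an MSS option and payload."""
    src, dst, payload = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"hello"
    options = bytes([2, 4, 0x05, 0xB4])                    # MSS = 1460
    doff = (20 + len(options)) // 4                        # data offset in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, 65535, 0, 0) + options
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp_hdr, payload)) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload

def verify(raw: bytes):
    """Parse raw IPv4/TCP bytes; return (ip_ok, tcp_ok, tcp_ok_without_options, tcp_ok_without_length)."""
    ihl = (raw[0] & 0x0F) * 4
    ip_hdr, segment = raw[:ihl], raw[ihl:]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    doff = (segment[12] >> 4) * 4
    tcp_hdr, payload = segment[:doff], segment[doff:]
    stored = struct.unpack("!H", tcp_hdr[16:18])[0]
    zeroed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:]
    ip_ok = inet_checksum(ip_hdr) == 0                      # a valid header sums to zero
    tcp_ok = tcp_checksum(src, dst, zeroed, payload) == stored
    no_opts = tcp_checksum(src, dst, zeroed[:20], payload) == stored   # bug 1: options dropped
    no_len = tcp_checksum(src, dst, zeroed, payload, include_length=False) == stored  # bug 2: no length
    return ip_ok, tcp_ok, no_opts, no_len
```

A segment captured on the sending host with checksum offloading enabled will still fail `verify`, because the NIC fills the field in after the capture point; validate on the receiving side or after disabling offload when comparing sums.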


low level packet access from erlang

Garry Hodgson-3
On 07/07/2013 09:37 AM, Michael Santos wrote:

 > There were a few bugs: TCP options were left out of the
 > record to binary conversion and the length of the payload
 > was left out of the checksum.

after i posted i made my own version that included the opts
and the wireshark errors went away, so i figured it was that.
didn't know about the payload length issue, though, so mine
might still have that problem. i wonder if that could be causing
it to still not work despite (hopefully) well formed packets.

 > Also, use pkt:makesum/1 to calculate the checksum.
 > This should work: TestSum = pkt:makesum( [ IPv4, Tcp, TcpPayload ] ),

yes, i was using that at first, then switched to call my own
versions. i'll retrofit once i turn latest version into rpm form.

 > You may still see some checksum mismatches if your
 > system uses TCP checksum offloading.

oh, goodie. more things to trip over.

thanks a lot for your help.

--
Garry Hodgson
AT&T Chief Security Office (CSO)
