From c90e2998f6ddb225efba3538f3e06b8a79f2c023 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 25 Oct 2022 14:34:17 -0400
Subject: nettrace: various fixes

---
 src/fnettrace-dns/main.c | 33 ++++++++++++++++++++++-----
 src/fnettrace-icmp/main.c | 35 +++++++++++++++++++++++------
 src/fnettrace-sni/main.c | 57 +++++++++++++++++++++++++++++++++--------------
 src/fnettrace/main.c | 5 +++++
 4 files changed, 100 insertions(+), 30 deletions(-)

(limited to 'src')

diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index eb2eb7238..32122754f 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -22,6 +22,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #define MAX_BUF_SIZE (64 * 1024)
 static char last[512] = {'\0'};
@@ -106,6 +108,18 @@ static void custom_bpf(int sock) {
 	}
 }
 
+static void print_date(void) {
+	static int day = -1;
+	time_t now = time(NULL);
+	struct tm *t = localtime(&now);
+
+	if (day != t->tm_yday) {
+		printf("\nDNS trace for %s", ctime(&now));
+		day = t->tm_yday;
+	}
+	fflush(0);
+}
+
 static void run_trace(void) {
 	// grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53
 	int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
@@ -113,19 +127,24 @@ static void run_trace(void) {
 		errExit("socket");
 	custom_bpf(s);
 
+	struct timeval tv;
+	tv.tv_sec = 10;
+	tv.tv_usec = 0;
 	unsigned char buf[MAX_BUF_SIZE];
 	while (1) {
 		fd_set rfds;
 		FD_ZERO(&rfds);
 		FD_SET(s, &rfds);
-		struct timeval tv;
-		tv.tv_sec = 1;
-		tv.tv_usec = 0;
 		int rv = select(s + 1, &rfds, NULL, NULL, &tv);
 		if (rv < 0)
 			errExit("select");
-		else if (rv == 0)
+		else if (rv == 0) {
+			print_date();
+			tv.tv_sec = 10;
+			tv.tv_usec = 0;
 			continue;
+		}
+
 		unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL);
 
 		if (bytes >= (14 + 20 + 8)) { // size of MAC + IP + UDP headers
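Review bot: `localtime(&now)` can return NULL (for instance when `time()` failed or the conversion overflows `struct tm`), and the new print_date dereferences `t->tm_yday` without checking it; add `if (t == NULL) errExit("localtime");` before the comparison, since errExit is already this file's failure path. The identical print_date bodies added in the fnettrace-icmp and fnettrace-sni hunks need the same guard. `fflush(0)` flushes every open output stream; if only stdout is intended, `fflush(stdout)` says so. A short comment that ctime() already terminates its string with a newline would also explain why the format has a leading "\n" and no trailing one.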
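Review bot: The hoisted `tv` is only reset in the timeout branch, so after a packet arrives `select()` is re-entered with whatever the previous call left in `tv`; on Linux select() counts the timeout down in place, which makes print_date run roughly every 10 s of wall time even under steady traffic, but POSIX does not require that behaviour and nothing in the hunk states the intent. A comment on the declaration such as `// Linux select() decrements tv in place, so the day banner is re-checked every ~10 s even under constant traffic` would preserve it. Separately, the context line `unsigned bytes = recvfrom(...)` turns a -1 error return into a huge count that passes the length test and parses stale buffer contents; storing the result in a `ssize_t` first and skipping the iteration when it is negative (`ssize_t r = recvfrom(...); if (r < 0) continue; unsigned bytes = (unsigned)r;`) closes that. The same two points apply to the run_trace hunks in fnettrace-icmp/main.c and fnettrace-sni/main.c.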
@@ -174,8 +193,10 @@ int main(int argc, char **argv) {
 		return 1;
 	}
 
-	time_t now = time(NULL);
-	printf("DNS trace for %s\n", ctime(&now));
+	// kill the process if the parent died
+	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+	print_date();
 	run_trace();
 
 	return 0;
diff --git a/src/fnettrace-icmp/main.c b/src/fnettrace-icmp/main.c
index 47d61a326..e1e5daa48 100644
--- a/src/fnettrace-icmp/main.c
+++ b/src/fnettrace-icmp/main.c
@@ -22,6 +22,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #define MAX_BUF_SIZE (64 * 1024)
 char *type_description[19] = {
@@ -139,6 +141,19 @@ static void custom_bpf(int sock) {
 	}
 }
 
+static void print_date(void) {
+	static int day = -1;
+	time_t now = time(NULL);
+	struct tm *t = localtime(&now);
+
+	if (day != t->tm_yday) {
+		printf("\nICMP trace for %s", ctime(&now));
+		day = t->tm_yday;
+	}
+
+	fflush(0);
+}
+
 static void run_trace(void) {
 	// grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets
 	int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
@@ -146,19 +161,24 @@ static void run_trace(void) {
 		errExit("socket");
 	custom_bpf(s);
 
+	struct timeval tv;
+	tv.tv_sec = 10;
+	tv.tv_usec = 0;
 	unsigned char buf[MAX_BUF_SIZE];
 	while (1) {
 		fd_set rfds;
 		FD_ZERO(&rfds);
 		FD_SET(s, &rfds);
-		struct timeval tv;
-		tv.tv_sec = 1;
-		tv.tv_usec = 0;
 		int rv = select(s + 1, &rfds, NULL, NULL, &tv);
 		if (rv < 0)
 			errExit("select");
-		else if (rv == 0)
+		else if (rv == 0) {
+			print_date();
+			tv.tv_sec = 10;
+			tv.tv_usec = 0;
 			continue;
+		}
+
 		unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL);
 
 		if (bytes >= (14 + 20 + 2)) { // size of MAC + IP + ICMP code and type fields
@@ -180,7 +200,6 @@ static void run_trace(void) {
 	close(s);
 }
 
-
 static void usage(void) {
 	printf("Usage: fnettrace-icmp [OPTIONS]\n");
 	printf("Options:\n");
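Review bot: `prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0)` has its return value ignored, and the death signal is only delivered for a parent that is still alive when the call is made — a parent that exited between fork and this line leaves the tracer running unsupervised, which is exactly what the comment wants to prevent. Check the call and then the parent: `if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) errExit("prctl");` followed by `if (getppid() == 1) exit(1);` (compare against the real parent pid instead if the tracer can be launched under a subreaper). The same three added lines appear in the main() hunks of fnettrace-icmp/main.c, fnettrace-sni/main.c and fnettrace/main.c and need the same treatment. A comment is also worth adding that PR_SET_PDEATHSIG fires when the parent *thread* that created this process exits, not necessarily when the parent process does.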
@@ -207,8 +226,10 @@ int main(int argc, char **argv) {
 		return 1;
 	}
 
-	time_t now = time(NULL);
-	printf("ICMP trace for %s\n", ctime(&now));
+	// kill the process if the parent died
+	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+	print_date();
 	run_trace();
 
 	return 0;
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index 571089e29..71793a560 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -22,6 +22,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #define MAX_BUF_SIZE (64 * 1024)
 static char last[512] = {'\0'};
@@ -94,19 +96,22 @@ nosni:
 // https://www.kernel.org/doc/html/latest/networking/filter.html
 static void custom_bpf(int sock) {
 	struct sock_filter code[] = {
-		// sudo tcpdump "tcp port 443 and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" -dd
+		// ports: 443 (regular TLS), 853 (DoT)
+		// sudo tcpdump "tcp port (443 or 853) and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" -dd
 		{ 0x28, 0, 0, 0x0000000c },
-		{ 0x15, 27, 0, 0x000086dd },
-		{ 0x15, 0, 26, 0x00000800 },
+		{ 0x15, 29, 0, 0x000086dd },
+		{ 0x15, 0, 28, 0x00000800 },
 		{ 0x30, 0, 0, 0x00000017 },
-		{ 0x15, 0, 24, 0x00000006 },
+		{ 0x15, 0, 26, 0x00000006 },
 		{ 0x28, 0, 0, 0x00000014 },
-		{ 0x45, 22, 0, 0x00001fff },
+		{ 0x45, 24, 0, 0x00001fff },
 		{ 0xb1, 0, 0, 0x0000000e },
 		{ 0x48, 0, 0, 0x0000000e },
-		{ 0x15, 2, 0, 0x000001bb },
+		{ 0x15, 4, 0, 0x000001bb },
+		{ 0x15, 3, 0, 0x00000355 },
 		{ 0x48, 0, 0, 0x00000010 },
-		{ 0x15, 0, 17, 0x000001bb },
+		{ 0x15, 1, 0, 0x000001bb },
+		{ 0x15, 0, 17, 0x00000355 },
 		{ 0x50, 0, 0, 0x0000001a },
 		{ 0x54, 0, 0, 0x000000f0 },
 		{ 0x74, 0, 0, 0x00000002 },
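Review bot: The filter bytecode is edited by hand and every forward jump that crosses the two inserted port-853 comparisons was bumped by 2, which is consistent with the reject slot moving from index 29 to 31 for the instructions visible here (the tail of the array, including the later jumps from the TLS-byte checks, lies outside the hunk and could not be re-verified). Nothing in the source records that relationship; a comment after the tcpdump line such as `// hand-edited from tcpdump -dd output: the two extra jeq for port 853 shift every jump that crosses them by 2 (reject slot is now index 31)` would let the next person adding a port redo the arithmetic safely. Regenerating the whole array from the quoted tcpdump expression and pasting it verbatim would remove the need to touch offsets at all.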
@@ -139,6 +144,19 @@ static void custom_bpf(int sock) {
 	}
 }
 
+static void print_date(void) {
+	static int day = -1;
+	time_t now = time(NULL);
+	struct tm *t = localtime(&now);
+
+	if (day != t->tm_yday) {
+		printf("\nSNI trace for %s", ctime(&now));
+		day = t->tm_yday;
+	}
+
+	fflush(0);
+}
+
 static void run_trace(void) {
 	// grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets
 	int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
@@ -146,19 +164,24 @@ static void run_trace(void) {
 		errExit("socket");
 	custom_bpf(s);
 
+	struct timeval tv;
+	tv.tv_sec = 10;
+	tv.tv_usec = 0;
 	unsigned char buf[MAX_BUF_SIZE];
 	while (1) {
 		fd_set rfds;
 		FD_ZERO(&rfds);
 		FD_SET(s, &rfds);
-		struct timeval tv;
-		tv.tv_sec = 1;
-		tv.tv_usec = 0;
 		int rv = select(s + 1, &rfds, NULL, NULL, &tv);
 		if (rv < 0)
 			errExit("select");
-		else if (rv == 0)
+		else if (rv == 0) {
+			print_date();
+			tv.tv_sec = 10;
+			tv.tv_usec = 0;
 			continue;
+		}
+
 		unsigned bytes = recvfrom(s, buf, MAX_BUF_SIZE, 0, NULL, NULL);
 
 		if (bytes >= (14 + 20 + 20)) { // size of MAC + IP + TCP headers
@@ -166,15 +189,13 @@ static void run_trace(void) {
 			uint16_t port_dest;
 			memcpy(&port_dest, buf + 14 + ip_hlen + 2, 2);
 			port_dest = ntohs(port_dest);
-			uint8_t protocol = buf[14 + 9];
 			uint32_t ip_dest;
 			memcpy(&ip_dest, buf + 14 + 16, 4);
 			ip_dest = ntohl(ip_dest);
 			uint8_t tcp_hlen = (buf[14 + ip_hlen + 12] & 0xf0) >> 2;
 
-			// if TLS packet, extract SNI
-			if (port_dest == 443 && protocol == 6) // TCP protocol
-				print_tls(ip_dest, buf + 14 + ip_hlen + tcp_hlen, bytes - 14 - ip_hlen - tcp_hlen); // IP and TCP header len
+			// extract SNI
+			print_tls(ip_dest, buf + 14 + ip_hlen + tcp_hlen, bytes - 14 - ip_hlen - tcp_hlen); // IP and TCP header len
 		}
 	}
 
@@ -208,8 +229,10 @@ int main(int argc, char **argv) {
 		return 1;
 	}
 
-	time_t now = time(NULL);
-	printf("SNI trace for %s\n", ctime(&now));
+	// kill the process if the parent died
+	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+	print_date();
 	run_trace();
 
 	return 0;
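Review bot: With the `port_dest == 443 && protocol == 6` test removed, `port_dest` is still computed in the first three context lines of the hunk but never read, which will trip -Wunused-but-set-variable; either drop the three `port_dest` lines or keep a port check as defence in depth. Removing the in-process test also means the only thing keeping non-TCP or non-443/853 payloads away from `print_tls` is the BPF program installed by custom_bpf, so the new `// extract SNI` comment should record that dependency, e.g. `// custom_bpf() already restricts this to TCP port 443/853 TLS ClientHello packets`. The length argument `bytes - 14 - ip_hlen - tcp_hlen` is unsigned arithmetic with no check that the headers fit in `bytes`; the tcpdump expression in custom_bpf reads tcp[hlen+5], so accepted packets should be long enough, but `if (14 + ip_hlen + tcp_hlen > bytes) continue;` before the call would make print_tls safe regardless of the filter. The enclosing run_trace body starts and ends outside the hunk.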
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 56974e79c..f57aa6c87 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -21,6 +21,8 @@
 #include "radix.h"
 #include
 #include
+#include
+#include
 
 #define MAX_BUF_SIZE (64 * 1024)
 static int arg_netfilter = 0;
@@ -732,6 +734,9 @@ int main(int argc, char **argv) {
 		return 1;
 	}
 
+	// kill the process if the parent died
+	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
 	ansi_clrscr();
 	if (arg_netfilter)
 		logprintf("starting network lockdown\n");
-- 
cgit v1.2.3-54-g00ecf