suricata抓包方式之一 AF_PACKET

1、前言

　　　　linux提供了原始套接字RAW_SOCKET，可以抓取数据链路层的报文。这样可以对报文进行深入分析。今天介绍一下AF_PACKET的用法，分为两种方式。第一种方法是通过套接字，打开指定的网卡，然后使用recvmsg读取，实际过程需要需要将报文从内核区拷贝到用户区。第二种方法是使用packet_mmap，使用共享内存方式，在内核空间中分配一块内核缓冲区，然后用户空间程序调用mmap映射到用户空间。将接收到的skb拷贝到那块内核缓冲区中，这样用户空间的程序就可以直接读到捕获的数据包了。PACKET_MMAP减少了系统调用，不用recvmsg就可以读取到捕获的报文，相比原始套接字+recvfrom的方式，减少了一次拷贝和一次系统调用。libpcap就是采用第二种方式。suricata默认方式也是使用packet mmap抓包。

2、测试例子

　　为了方便测试，可以使用linux提供的sock_filter过滤ip地址。使用tcpdump可以反汇编出来过滤的条件。以www.qq.com为例进行说明：

ping www.qq.com得到ip地址：101.226.103.106

tcpdump ip -s 2048 -d host 101.226.103.106
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 7
(002) ld       [26]
(003) jeq      #0x65e2676a      jt 6    jf 4
(004) ld       [30]
(005) jeq      #0x65e2676a      jt 6    jf 7
(006) ret      #2048
(007) ret      #0

 tcpdump -dd host 101.226.103.106
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 4, 0x00000800 },
{ 0x20, 0, 0, 0x0000001a },
{ 0x15, 8, 0, 0x65e2676a },
{ 0x20, 0, 0, 0x0000001e },
{ 0x15, 6, 7, 0x65e2676a },
{ 0x15, 1, 0, 0x00000806 },
{ 0x15, 0, 5, 0x00008035 },
{ 0x20, 0, 0, 0x0000001c },
{ 0x15, 2, 0, 0x65e2676a },
{ 0x20, 0, 0, 0x00000026 },
{ 0x15, 0, 1, 0x65e2676a },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 }

更新详细过滤细节可以参考： http://blog.csdn.net/eqiang8271/article/details/8489769

（1）第一种方法：

#include <sys/types.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <arpa/inet.h>
#include <string.h>
#include <signal.h>
#include <net/if.h>
#include <stdio.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/filter.h>
#include <stdlib.h>

#define ETH_HDR_LEN 14
#define IP_HDR_LEN 20
#define UDP_HDR_LEN 8
#define TCP_HDR_LEN 20

static int sock;

void sig_handler(int sig) 
{
    struct ifreq ethreq;
    if(sig == SIGTERM)
        printf("SIGTERM recieved, exiting.../n");
    else if(sig == SIGINT)
        printf("SIGINT recieved, exiting.../n");
    else if(sig == SIGQUIT)
        printf("SIGQUIT recieved, exiting.../n");
    // turn off the PROMISCOUS mode 
    strncpy(ethreq.ifr_name, "eth1", IFNAMSIZ);
    if(ioctl(sock, SIOCGIFFLAGS, &ethreq) != -1) {
        ethreq.ifr_flags &= ~IFF_PROMISC;
        ioctl(sock, SIOCSIFFLAGS, &ethreq);
    }
    close(sock);
    exit(0);
}

int main(int argc, char ** argv) {
    int n;
    char buf[2048];
    unsigned char *ethhead;
    unsigned char *iphead;
    struct ifreq ethreq;
    struct sigaction sighandle;

#if 0
    $tcpdump ip -s 2048 -d host 192.168.1.2
        (000) ldh      [12]
        (001) jeq      #0x800           jt 2 jf 7
        (002) ld       [26]
        (003) jeq      #0xc0a80102      jt 6 jf 4
        (004) ld       [30]
        (005) jeq      #0xc0a80102      jt 6 jf 7
        (006) ret      #2048
        (007) ret      #0
#endif

#if 0
        测试访问www.qq.com 
        ping www.qq.com 得到ip地址为:101.226.103.106
        tcpdump -dd host 101.226.103.106
         { 0x28, 0, 0, 0x0000000c },
         { 0x15, 0, 4, 0x00000800 },
         { 0x20, 0, 0, 0x0000001a },
         { 0x15, 8, 0, 0x65e2676a },
         { 0x20, 0, 0, 0x0000001e },
         { 0x15, 6, 7, 0x65e2676a },
         { 0x15, 1, 0, 0x00000806 },
         { 0x15, 0, 5, 0x00008035 },
         { 0x20, 0, 0, 0x0000001c },
         { 0x15, 2, 0, 0x65e2676a },
         { 0x20, 0, 0, 0x00000026 },
         { 0x15, 0, 1, 0x65e2676a },
         { 0x6, 0, 0, 0x0000ffff },
         { 0x6, 0, 0, 0x00000000 },
#endif
        struct sock_filter bpf_code[] = {
            { 0x28, 0, 0, 0x0000000c },
            { 0x15, 0, 5, 0x00000800 },
            { 0x20, 0, 0, 0x0000001a },
            { 0x15, 2, 0, 0x65e2676a },
            { 0x20, 0, 0, 0x00000026 },
            { 0x15, 0, 1, 0x65e2676a },
            { 0x6, 0, 0, 0x0000ffff },
            { 0x6, 0, 0, 0x00000000 }
        };

    struct sock_fprog filter;
    filter.len = sizeof(bpf_code)/sizeof(bpf_code[0]);
    filter.filter = bpf_code;

    sighandle.sa_flags = 0;
    sighandle.sa_handler = sig_handler;
    sigemptyset(&sighandle.sa_mask);
    //sigaddset(&sighandle.sa_mask, SIGTERM);
    //sigaddset(&sighandle.sa_mask, SIGINT);
    //sigaddset(&sighandle.sa_mask, SIGQUIT);
    sigaction(SIGTERM, &sighandle, NULL);
    sigaction(SIGINT, &sighandle, NULL);
    sigaction(SIGQUIT, &sighandle, NULL);

    // AF_PACKET allows application to read pecket from and write packet to network device
    // SOCK_DGRAM the packet exclude ethernet header
    // SOCK_RAW raw data from the device including ethernet header
    // ETH_P_IP all IP packets 
    if((sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP))) == -1) {
        perror("socket");
        exit(1);
    }

    // set NIC to promiscous mode, so we can recieve all packets of the network
    strncpy(ethreq.ifr_name, "eth1", IFNAMSIZ);
    if(ioctl(sock, SIOCGIFFLAGS, &ethreq) == -1) {
        perror("ioctl");
        close(sock);
        exit(1);
    }

    ethreq.ifr_flags |= IFF_PROMISC;
    if(ioctl(sock, SIOCSIFFLAGS, &ethreq) == -1) {
        perror("ioctl");
        close(sock);
        exit(1);
    }

#if 1
    // attach the bpf filter
    if(setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) == -1) {
        perror("setsockopt");
        close(sock);
        exit(1);
    }
#endif

    while(1) {
        n = recvfrom(sock, buf, sizeof(buf), 0, NULL, NULL);
        if(n < (ETH_HDR_LEN+IP_HDR_LEN+UDP_HDR_LEN)) {
            printf("invalid packet\n");
            continue;
        }

        printf("%d bytes recieved\n", n);

        ethhead = buf;
        printf("Ethernet: MAC[%02X:%02X:%02X:%02X:%02X:%02X]", ethhead[0], ethhead[1], ethhead[2],
                ethhead[3], ethhead[4], ethhead[5]);
        printf("->[%02X:%02X:%02X:%02X:%02X:%02X]", ethhead[6], ethhead[7], ethhead[8],
                ethhead[9], ethhead[10], ethhead[11]);
        printf(" type[%04x]\n", (ntohs(ethhead[12]|ethhead[13]<<8)));

        iphead = ethhead + ETH_HDR_LEN;
        // header length as 32-bit
        printf("IP: Version: %d HeaderLen: %d[%d]", (*iphead>>4), (*iphead & 0x0f), (*iphead & 0x0f)*4);
        printf(" TotalLen %d", (iphead[2]<<8|iphead[3]));
        printf(" IP [%d.%d.%d.%d]", iphead[12], iphead[13], iphead[14], iphead[15]);
        printf("->[%d.%d.%d.%d]", iphead[16], iphead[17], iphead[18], iphead[19]);
        printf(" %d", iphead[9]);

        if(iphead[9] == IPPROTO_TCP)
            printf("[TCP]");
        else if(iphead[9] == IPPROTO_UDP)
            printf("[UDP]");
        else if(iphead[9] == IPPROTO_ICMP)
            printf("[ICMP]");
        else if(iphead[9] == IPPROTO_IGMP)
            printf("[IGMP]");
        else if(iphead[9] == IPPROTO_IGMP)
            printf("[IGMP]");
        else
            printf("[OTHERS]");

        printf(" PORT [%d]->[%d]\n", (iphead[20]<<8|iphead[21]), (iphead[22]<<8|iphead[23]));
    }
    close(sock);
    exit(0);
}

（2）第二种方法：

#include <stdio.h>
#include <sys/types.h>          /* See NOTES */
#include <sys/socket.h>
#include <sys/mman.h>
#include <poll.h>
#include <linux/types.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/filter.h>
#include <net/ethernet.h>

#define ETH_HDR_LEN 14
void CallBackPacket(char *data)
{
    unsigned char *ethhead;
    unsigned char *iphead;
    printf("Recv A Packet.\n");
    ethhead = data;
    printf("Ethernet: MAC[%02X:%02X:%02X:%02X:%02X:%02X]", ethhead[0], ethhead[1], ethhead[2],
            ethhead[3], ethhead[4], ethhead[5]);
    printf("->[%02X:%02X:%02X:%02X:%02X:%02X]", ethhead[6], ethhead[7], ethhead[8],
            ethhead[9], ethhead[10], ethhead[11]);
    printf(" type[%04x]\n", (ntohs(ethhead[12]|ethhead[13]<<8)));

    iphead = ethhead + ETH_HDR_LEN;
    // header length as 32-bit
    printf("IP: Version: %d HeaderLen: %d[%d]", (*iphead>>4), (*iphead & 0x0f), (*iphead & 0x0f)*4);
    printf(" TotalLen %d", (iphead[2]<<8|iphead[3]));
    printf(" IP [%d.%d.%d.%d]", iphead[12], iphead[13], iphead[14], iphead[15]);
    printf("->[%d.%d.%d.%d]", iphead[16], iphead[17], iphead[18], iphead[19]);
    printf(" %d", iphead[9]);
}

int main()
{
    int fd = 0, ret = 0;
    char *buff = NULL;

    fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    //可以使用ARP进行一下测试
    //fd = socket(PF_PACKET, SOCK_DGRAM, htons (ETH_P_ARP));
    if(fd<0)
    {
        perror("socket");
        goto failed_2;
    }

    //PACKET_VERSION和SO_BINDTODEVICE可以省略
#if 1
    const int tpacket_version = TPACKET_V1;
    /* set tpacket hdr version. */
    ret = setsockopt(fd, SOL_PACKET, PACKET_VERSION, &tpacket_version, sizeof (int));
    if(ret<0)
    {
        perror("setsockopt");
        goto failed_2;
    }

    //#define NETDEV_NAME "wlan0"
#define NETDEV_NAME "eth1"
    /* bind to device. */
    ret = setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, NETDEV_NAME, sizeof (NETDEV_NAME));
    if(ret<0)
    {
        perror("setsockopt");
        goto failed_2;
    }
#endif

    struct tpacket_req req;
#define PER_PACKET_SIZE 2048
    const int BUFFER_SIZE = 1024*1024*16; //16MB的缓冲区
    req.tp_block_size = 4096;
    req.tp_block_nr = BUFFER_SIZE/req.tp_block_size;
    req.tp_frame_size = PER_PACKET_SIZE;
    req.tp_frame_nr = BUFFER_SIZE/req.tp_frame_size;

    ret = setsockopt(fd, SOL_PACKET, PACKET_RX_RING, (void *)&req, sizeof(req));
    if(ret<0)
    {
        perror("setsockopt");
        goto failed_2;
    }

#if 1
    struct sock_filter bpf_code[] = {
        { 0x28, 0, 0, 0x0000000c },
        { 0x15, 0, 5, 0x00000800 },
        { 0x20, 0, 0, 0x0000001a },
        { 0x15, 2, 0, 0x65e2676a },
        { 0x20, 0, 0, 0x00000026 },
        { 0x15, 0, 1, 0x65e2676a },
        { 0x6, 0, 0, 0x0000ffff },
        { 0x6, 0, 0, 0x00000000 }
    };
    struct sock_fprog filter;
    filter.len = sizeof(bpf_code)/sizeof(bpf_code[0]);
    filter.filter = bpf_code;
    // attach the bpf filter
    if(setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) == -1) {
        perror("setsockopt");
        close(fd);
        goto failed_2;
    }
#endif

    buff = (char *)mmap(0, BUFFER_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if(buff == MAP_FAILED)
    {
        perror("mmap");
        goto failed_2;
    }

    int nIndex=0, i=0;
    while(1)
    {
        //这里在poll前先检查是否已经有报文被捕获了
        struct tpacket_hdr* pHead = (struct tpacket_hdr*)(buff+ nIndex*PER_PACKET_SIZE);
        //如果frame的状态已经为TP_STATUS_USER了，说明已经在poll前已经有一个数据包被捕获了，如果poll后不再有数据包被捕获，那么这个报文不会被处理，这就是所谓的竞争情况。
        if(pHead->tp_status == TP_STATUS_USER)
            goto process_packet;

        //poll检测报文捕获
        struct pollfd pfd;
        pfd.fd = fd;
        //pfd.events = POLLIN|POLLRDNORM|POLLERR;
        pfd.events = POLLIN;
        pfd.revents = 0;
        ret = poll(&pfd, 1, -1);
        if(ret<0)
        {
            perror("poll");
            goto failed_1;
        }

process_packet:
        //尽力的去处理环形缓冲区中的数据frame，直到没有数据frame了
        for(i=0; i < req.tp_frame_nr; i++)
        {
            struct tpacket_hdr* pHead = (struct tpacket_hdr*)(buff+ nIndex*PER_PACKET_SIZE);

            //XXX: 由于frame都在一个环形缓冲区中，因此如果下一个frame中没有数据了，后面的frame也就没有frame了
            if(pHead->tp_status == TP_STATUS_KERNEL)
                break;

            //处理数据frame
            CallBackPacket((char*)pHead+pHead->tp_net);

            //重新设置frame的状态为TP_STATUS_KERNEL
            pHead->tp_len = 0;
            pHead->tp_status = TP_STATUS_KERNEL;

            //更新环形缓冲区的索引，指向下一个frame
            nIndex++;
            nIndex %= req.tp_frame_nr;
        }

    }
success:
    close(fd);
    munmap(buff, BUFFER_SIZE);
    return 0;

failed_1:
    munmap(buff, BUFFER_SIZE);

failed_2:
    close(fd);
    return -1;
}

3、测试结果：

执行main程序，使用curl http://www.qq.com