个人中心
gpt4 book ai didi

python - python中的BPF嗅探多个TCP端口的数据包

转载 作者:可可西里 更新时间:2023-11-01 02:33:36 25 4
gpt4 key购买 nike

我从 http://allanrbo.blogspot.in/2011/12/raw-sockets-with-bpf-in-python.html 得到代码.它工作正常,但我想嗅探多个 TCP 端口上的流量,如端口 90008022...

所以我修改了filter_list像吹

filters_list = [  
    # Must have dst port 67. Load (BPF_LD) a half word value (BPF_H) in   
    # ethernet frame at absolute byte offset 36 (BPF_ABS). If value is equal to  
    # 67 then do not jump, else jump 5 statements.  
    bpf_stmt(BPF_LD | BPF_H | BPF_ABS, 36),  
    bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 0, 5), <===== Here I added another port
    bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 80, 0, 5),


    # Must be UDP (check protocol field at byte offset 23)  
    bpf_stmt(BPF_LD | BPF_B | BPF_ABS, 23),   
    bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 0x06, 0, 3), #<==Changed for TCP "0x06"

    # Must be IPv4 (check ethertype field at byte offset 12)  
    bpf_stmt(BPF_LD | BPF_H | BPF_ABS, 12),   
    bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1),  

    bpf_stmt(BPF_RET | BPF_K, 0x0fffffff), # pass  
    bpf_stmt(BPF_RET | BPF_K, 0), # reject   ]

问题是,它有时有效有时无效,例如仅在 9000 而不是 80 上获得流量,有时在 80 上获得流量。我没有完全理解代码。有帮助吗?

最佳答案

据我所知,问题似乎出在您前两个条件跳转的逻辑上。具体来说:

bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 0, 5), # if false, skip 5 instructions
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 80, 0, 5),

一条指令bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, <val>, <jtrue>, <jfalse>)意思是

if value currently in register K is equal to <val>
    then add <jtrue> to instruction pointer
        (i.e. skip the next <jtrue> instructions),
    else add <jfalse> instead`

所以这两行的意思是:

if port is 9000
    then if port is 80
        then go on with checks…
    else skip 5 instructions (i.e. reject)
else
    skip 5 instructions (i.e. pass, as jump offset was not updated from 5 to 6)

虽然您可能想要看起来更像的东西:

if port is 9000
    then go on with checks…
else
    if port is 80
        then go on with checks…
    else reject

我没有测试过,但是为了得到这个逻辑我会说你需要调整跳跃偏移量如下:

bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 1, 0), # if true skip 1 insn
                                                 # (i.e. port 80 check) else 0
                                                 # and check for port 80
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 80, 0, 5),   # if true skip 0 else skip 5
                                                 # (and land on “reject”)

编辑 1:然后过滤三个端口,将变为:

bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 8084, 2, 0), # skip the next 2 checks if true
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 1, 0), # skip the next check if true
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 22,   0, 5), # if true go on else reject

编辑 2: 要同时过滤源端口(除了目标端口),您可以尝试这样的操作(我这边还没有测试过):

# Load TCP src port into register K, and check port value
# For packets with IP header len == 20 bytes, TCP src port should be at offset 34
# We adapt the jump offsets to go to next check if no match (or to “reject” after
# the last check), or to skip all remaining checks on ports if a match is found.
bpf_stmt(BPF_LD | BPF_H | BPF_ABS, 34),           # 34 == offset of src port
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 8084, 6, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 5, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 22,   4, 0),

# As before: if no match on src port, check on dst port
bpf_stmt(BPF_LD | BPF_H | BPF_ABS, 36),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 8084, 2, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 9000, 1, 0),
bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, 22,   0, 5),


关于python - python中的BPF嗅探多个TCP端口的数据包,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41340734/

25 4 0
文章推荐: java - 如何为抽象方法编写契约?
文章推荐: http - 浏览器如何将网络响应映射回请求?
文章推荐: javascript - 如何从突变中获取新对象的 ID?
文章推荐: sockets - 游戏服务器的 tcp 或 udp?
可可西里
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com