--- embedaddon/libnet/doc/PACKET_BUILDING 2012/02/21 22:14:23 1.1.1.1
+++ embedaddon/libnet/doc/PACKET_BUILDING 2013/07/22 11:54:41 1.1.1.2
@@ -1,39 +1,85 @@ =============================================================================== - $Id: PACKET_BUILDING,v 1.1.1.1 2012/02/21 22:14:23 misho Exp $ + $Id: PACKET_BUILDING,v 1.1.1.2 2013/07/22 11:54:41 misho Exp $ LIBNET 1.1 (c) 1998 - 2004 Mike D. Schiffman http://www.packetfactory.net/libnet =============================================================================== - ADDING A NEW PACKET BUILDER + ADDING A NEW PACKET BUILDER, STATIC HEADER SIZE - Adding a new packet building module is usually pretty simple. It depends - completely on the complexity of the protocol. The following document - shows you how to add a packet builder for a simple protocol with a - static header size, but these concepts can be extended to a complex - protocol also. +Adding a new packet building module to libnet is usually pretty simple. The +following short document details how to add a packet builder to libnet for a +protocol that has a static header size. We'll use the Sebek protocol as an +example to walk through the process. - 1) Start by defining your protocol header format in libnet-headers.h: +1) Make sure you have a good reference for the protocol in question. Be it an + RFC or an official release doc from the author or vendor, you'll need + something comprehensive. For Sebek, the comprehensive reference is here: + http://project.honeynet.org. - #define LIBNET_XXX_H 0xSIZE +2) Figure out how big the header is and add it to the top of libnet-headers.h: - struct XXX_hdr - { - u_char field1; - u_short field2; - u_long field3; - }; +#define LIBNET_SEBEK_H 0x30 /* sebek header: 48 bytes */ - 2) Add a pblock definition to libnet-structures.h (appened to the list): +3) Create the protocol header structure and add it to the end of + libnet-headers.h. Take care to use POSIX datatypes to define all of your + values. Structure naming conventions are more or less up to you. 
Since + they're never exported to the user, it's not a big deal, but try to keep + them short and descriptive. Convention is to add the symbolic constant + #defines above the structure members they apply to. - #define LIBNET_PBLOCK_XXX_H 0xNUMBER +/* + * Sebek header + * Static header size: 48 bytes + */ +struct libnet_sebek_hdr +{ + u_int32_t magic; /* identify packets that should be hidden */ + u_int16_t version; /* protocol version, currently 1 */ +#define SEBEK_PROTO_VERSION 1 + u_int16_t type; /* type of record */ +#define SEBEK_TYPE_READ 0 /* currently, only read is supported */ +#define SEBEK_TYPE_WRITE 1 + u_int32_t counter; /* PDU counter */ + u_int32_t time_sec; /* EPOCH timer */ + u_int32_t time_usec; /* residual microseconds */ + u_int32_t pid; /* PID */ + u_int32_t uid; /* UID */ + u_int32_t fd; /* FD */ +#define SEBEK_CMD_LENGTH 12 + u_int8_t cmd[SEBEK_CMD_LENGTH]; /* 12 first characters of the command */ + u_int32_t length; /* PDU length */ +}; - 3) Then work from the following template for libnet_build_XXX.c: +3) Append a pblock identifier to the end of the list in libnet-structures.h. + The ID number is not imporant as long as it is UNIQUE. As such, just find + the last entry, append the new entry after it, and increase the pblock ID + by one: +#define LIBNET_PBLOCK_SEBEK_H 0x3f /* Sebek header */ + +4) Create your new builder file in src/. Adhere to the "libnet_build_PROTOCOL.c" + convention. I recommend copying one of the existing builder modules and + modifying it as you go. 
+ + +4a) + #if (HAVE_CONFIG_H) #include "../include/config.h" #endif +#if (!(_WIN32) || (__CYGWIN__)) #include "../include/libnet.h" +#else +#include "../include/win32/libnet.h" +#endif + +libnet_ptag_t +libnet_build_sebek(u_int32_t magic, u_int16_t version, u_int16_t type, +u_int32_t counter, u_int32_t time_sec, u_int32_t time_usec, u_int32_t pid, +u_int32_t uid, u_int32_t fd, u_int8_t cmd[SEBEK_CMD_LENGTH], u_int32_t length, +u_int8_t *payload, u_int32_t payload_s, libnet_t *l, libnet_ptag_t ptag) +{ libnet_ptag_t