  1. #1

    on what conditions can tcpdump on a host capture packets which are not

    I have three laptops in a WLAN: A, B and C. A and C are using the WLAN interface wlan0, but B is using Ethernet eth0; B is connected to the wireless router via a network cable. A runs Windows, B is Fedora while C is Ubuntu.

    A and B establish a TCP connection, and then C masquerades as B to send packets to A (using IP spoofing with a raw socket).

    Originally I had an IP spoofing program written in C, and then I modified it to C++. So they have the same functionality but are written in different programming languages.

    The C spoofing program can successfully hijack the TCP connection but the C++ program can't (when I use tcpdump on A, it can't even capture the IP-spoofing packets). I use tcpdump to capture packets on B's eth0 (the filter rule is based on the TCP port) to find out why. And I notice that when I use the C++ program, tcpdump can capture the IP-spoofing packets sent by C to A (the source IP is B and the dest IP is A), but if I use the C program, tcpdump can't capture the IP-spoofing packets (still, the source IP is B and the dest IP is A). This is strange.

    1) A establishes a TCP connection with B
    2) C masquerades as B, so it sends out packets with src_ip = IP(B) and dst_ip = IP(A)
    3) use tcpdump to capture packets on A, B and C
    4) it is expected that tcpdump on A can capture the IP spoofing packets, but it can't. It is strange that tcpdump on B captures the packets.

    So I'm wondering: on what conditions can tcpdump on a host capture packets which are neither from nor to it?
    Last edited by esolve; 11-12-2015 at 07:59 PM.

  2. #2
    I notice it is due to the MAC address. When the C++ program ran, the kernel/system added the MAC address of B as the destination MAC to the IP-spoofing packets (it is expected that the kernel adds the MAC address of A because the destination IP is A's). However, I wrote the packets at the IP level and I use a raw socket as below in both the C program and the C++ program:

    /* raw IPv4 socket; the program supplies the complete IP header itself */
    send_sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    ...
    /* packet holds ip_len bytes starting with the hand-built IP header;
       client_addr is the sockaddr_in passed to the kernel as the destination */
    sendto(send_sd, packet, ip_len, 0, (struct sockaddr*)&client_addr, addr_len);


    So it is strange that when I ran these two programs, the kernel/system added different destination MAC addresses. What are the potential causes?
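An added example from the capture-analysis side (not code from this thread): it builds constructed Ethernet/IPv4 frames like the ones described above and flags frames whose MAC addresses disagree with the observer's ARP bindings, which is how a frame misdelivered to B (dst IP A, dst MAC B) and a spoofed source (src IP B, src MAC C) stand out in a tcpdump capture. All MAC and IP addresses are placeholders.

```python
import struct
from typing import Dict, List, Tuple

# Constructed addresses for the three laptops in the thread (placeholders, not real values).
MAC = {"A": "aa:aa:aa:aa:aa:01", "B": "bb:bb:bb:bb:bb:02", "C": "cc:cc:cc:cc:cc:03"}
IP = {"A": "192.0.2.10", "B": "192.0.2.20", "C": "192.0.2.30"}
# The observer's view of on-link IP-to-MAC bindings (what its ARP table would hold).
ARP_TABLE: Dict[str, str] = {IP[h]: MAC[h] for h in MAC}

def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Minimal Ethernet II + IPv4 header (no payload, checksum left zero)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00"
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP), checksum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ipv4

def parse_frame(frame: bytes) -> Tuple[str, str, str, str]:
    """Return (dst_mac, src_mac, src_ip, dst_ip) of an IPv4 Ethernet frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    return (_mac_str(frame[0:6]), _mac_str(frame[6:12]),
            ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))

def l2_l3_mismatches(frames: List[bytes], arp: Dict[str, str]) -> List[Tuple[int, str]]:
    """Flag frames whose MAC addresses disagree with the ARP binding of their IP addresses.
    Only IPs present in `arp` (on-link hosts) are checked; off-link traffic legitimately
    carries the gateway's MAC."""
    findings = []
    for i, frame in enumerate(frames):
        dst_mac, src_mac, src_ip, dst_ip = parse_frame(frame)
        if arp.get(src_ip, src_mac) != src_mac:
            findings.append((i, f"src IP {src_ip} is bound to {arp[src_ip]} but frame came from {src_mac}"))
        if arp.get(dst_ip, dst_mac) != dst_mac:
            findings.append((i, f"dst IP {dst_ip} is bound to {arp[dst_ip]} but frame is addressed to {dst_mac}"))
    return findings

# Constructed samples, as a capture on the segment might show them:
SAMPLE_FRAMES = [
    build_frame(MAC["B"], MAC["A"], IP["A"], IP["B"]),  # 0: genuine A -> B segment
    build_frame(MAC["B"], MAC["C"], IP["B"], IP["A"]),  # 1: C spoofing B, frame delivered to B's MAC
    build_frame(MAC["A"], MAC["C"], IP["B"], IP["A"]),  # 2: C spoofing B, frame addressed to A's MAC
]
```

Running `l2_l3_mismatches(SAMPLE_FRAMES, ARP_TABLE)` reports nothing for frame 0, two mismatches for frame 1 and a source-only mismatch for frame 2.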
