* Identifying neighbors within the LAN
@ 2014-05-03 18:01 Hettiarachchige Hasitha Shan
  2014-05-03 23:10 ` Valdis.Kletnieks at vt.edu
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Hettiarachchige Hasitha Shan @ 2014-05-03 18:01 UTC (permalink / raw)
  To: kernelnewbies

Dear Sirs/ Ma'ams,

I am an undergraduate student following the B Eng (Hons) Software 
Engineering degree program at University of Westminster, UK. As for my 
final year research project I am implementing a packet security 
enhancement module.

In the concept, it is required to obtain the list of neighbors within the LAN. I did some research online and I found out that I can obtain IPv4/IPv6 neighbors by typing in "ip -4 neigh show" or "ip -6 neigh show" in the terminal, where this feature is implemented by the module neighbour.c.

My query is, if I am to obtain this information programmatically through my kernel module, which methods should I call?

As in, I tried doing a #include <linux/neighbour.h> and tried to call `neightbl_dump_info' but that did not work. I would be really grateful if you experts could advise me on how to implement the function to obtain the list of IPv4/IPv6 neighbours programmatically.

Thank you,

Best Regards,
H. Hasitha Shan

P.S. I apologize in advance if this question has an obvious answer, but as I am a novice in this area, my research led me to dead ends for weeks and your help will be very much appreciated.
 		 	   		  

* Identifying neighbors within the LAN
  2014-05-03 18:01 Identifying neighbors within the LAN Hettiarachchige Hasitha Shan
@ 2014-05-03 23:10 ` Valdis.Kletnieks at vt.edu
       [not found]   ` <COL126-W423F2C5A8265EED0E69CCAE84D0@phx.gbl>
  2014-05-23 11:33 ` FW: " Hettiarachchige Hasitha Shan
  2014-07-08 10:26 ` Linux Kernel Module program to obtain domain name from IP Hettiarachchige Hasitha Shan
  2 siblings, 1 reply; 13+ messages in thread
From: Valdis.Kletnieks at vt.edu @ 2014-05-03 23:10 UTC (permalink / raw)
  To: kernelnewbies

On Sat, 03 May 2014 11:01:19 -0700, Hettiarachchige Hasitha Shan said:

> In the concept, it is required to obtain the list of neighbors within the
> LAN. I did some research online and I found out that I can obtain IPv4/ IPv6
> neighbors by typing
> in "ip -4 neigh show" or "ip -6 neigh show" in the terminal where this
> feature is implemented by the module neighbour.
>
> My query is , If  I am to obtain these information programatically through
> my kernel module, which methods should I call.

Step 0:  Figure out why a packet security module even *cares* what neighbors
are known. Why do you care if a neighbor is known or not? First, figure out
under what conditions a neighbor becomes known. What security decisions are you
planning to make based on "IPv4 address is in ARP table"?  Whether an address
is in the ARP table is orthogonal to whether you should trust the host or not.
A trusted host can fail to be in the neighbor table simply because the ARP
entry has aged out.  Or an untrusted host can be *in* your ARP table....

Step 1: When making security decisions, you probably don't need a list
of *all* neighbors - you only need an answer to "is *this* neighbor known or
not".  And that would be a different API.

(For bonus points, consider the case of a trusted host that has a longer
ARP table timeout than yours - then you can receive a packet from the host
without them ARP'ing for you first, but you still don't have an ARP entry
for them.)

* Identifying neighbors within the LAN
       [not found]   ` <COL126-W423F2C5A8265EED0E69CCAE84D0@phx.gbl>
@ 2014-05-05  4:38     ` Hettiarachchige Hasitha Shan
  0 siblings, 0 replies; 13+ messages in thread
From: Hettiarachchige Hasitha Shan @ 2014-05-05  4:38 UTC (permalink / raw)
  To: kernelnewbies


Dear Sir,

> Step 1: When making security decisions, you probably don't need a list
> of *all* neighbors - you only need an answer to "is *this* neighbor known or
> not".  And that would be a different API.

If I am to get the information of known neighbors, which API should I use in my kernel module? I searched this on Google for hours and that did not do any good. I am a novice at this, a reference/example would be really great to point me in the right direction.

Thank you very much sir,

Best Regards,
H. Hasitha Shan

P.S. Thank you Mr. Valdis for pointing out to me that I should always reply back to the kernelnewbies mailing list.

> To: hh_shan at live.com
> CC: kernelnewbies at kernelnewbies.org
> Subject: Re: Identifying neighbors within the LAN
> From: Valdis.Kletnieks at vt.edu
> Date: Sat, 3 May 2014 19:10:18 -0400
> 
> On Sat, 03 May 2014 11:01:19 -0700, Hettiarachchige Hasitha Shan said:
> 
> > In the concept, it is required to obtain the list of neighbors within the
> > LAN. I did some research online and I found out that I can obtain IPv4/ IPv6
> > neighbors by typing
> > in "ip -4 neigh show" or "ip -6 neigh show" in the terminal where this
> > feature is implemented by the module neighbour.
> >
> > My query is , If  I am to obtain these information programatically through
> > my kernel module, which methods should I call.
> 
> Step 0:  Figure out why a packet security module even *cares* what neighbors
> are known. Why do you care if a neighbor is known or not? First, figure out
> under what conditions a neighbor becomes known. What security decisions are you
> planning to make based on "IPv4 address is in ARP table"?  Whether an address
> is in the ARP table is orthogonal to whether you should trust the host or not.
> A trusted host can fail to be in the neighbor table simply because the ARP
> entry has aged out.  Or an untrusted host can be *in* your ARP table....)
> 
> Step 1: When making security decisions, you probably don't need a list
> of *all* neighbors - you only need an answer to "is *this* neighbor known or
> not".  And that would be a different API.
> 
> (For bonus points, consider the case of a trusted host that has a longer
> ARP table timeout than yours - then you can receive a packet from the host
> without them ARP'ing for you first, but you still don't have a ARP entry
> for them.
 		 	   		   		 	   		  

* FW: Identifying neighbors within the LAN
  2014-05-03 18:01 Identifying neighbors within the LAN Hettiarachchige Hasitha Shan
  2014-05-03 23:10 ` Valdis.Kletnieks at vt.edu
@ 2014-05-23 11:33 ` Hettiarachchige Hasitha Shan
  2014-05-23 11:34   ` Identification of IP address family Hettiarachchige Hasitha Shan
  2014-07-08 10:26 ` Linux Kernel Module program to obtain domain name from IP Hettiarachchige Hasitha Shan
  2 siblings, 1 reply; 13+ messages in thread
From: Hettiarachchige Hasitha Shan @ 2014-05-23 11:33 UTC (permalink / raw)
  To: kernelnewbies


Dear Sirs/ Ma'ams,

I am an undergraduate student following the B Eng (Hons) Software 
Engineering degree program at University of Westminster, UK. As for my 
final year research project I am implementing a packet security 
enhancement module.

The concept includes capturing of packets via the use of libnetfilter and applying necessary security implementations. I was able to successfully capture packets and extract its relevant data, where I store the IP address as unsigned int. However, I have the requirement of identifying the packet's destination IP's address family.

I tried many ways, which only led me to user space implementations, not C Linux kernel module programming. During my research I just came across %pI4 and %pI6, which format and display the IP address but do not give out its address family, i.e. IPv6 or IPv4.

I would be really grateful if you experts would help me get through this obstacle. Any references or examples to identify the IP address family (IPv4/IPv6) of the IP (which is stored in unsigned int variables) will be highly appreciated.

Thank you,

Best Regards,
H. Hasitha Shan

P.S. I apologize in advance if this question has an obvious answer, but as I am a novice in this area, my research led me to dead ends for weeks and your help will be very much appreciated.
 		 	   		   		 	   		  

* Identification of IP address family
  2014-05-23 11:33 ` FW: " Hettiarachchige Hasitha Shan
@ 2014-05-23 11:34   ` Hettiarachchige Hasitha Shan
  2014-05-24  1:49     ` Valdis.Kletnieks at vt.edu
  0 siblings, 1 reply; 13+ messages in thread
From: Hettiarachchige Hasitha Shan @ 2014-05-23 11:34 UTC (permalink / raw)
  To: kernelnewbies


Dear Sirs/ Ma'ams,

I am an undergraduate student following the B Eng (Hons) Software 
Engineering degree program at University of Westminster, UK. As for my 
final year research project I am implementing a packet security 
enhancement module.

The concept includes capturing of packets via the use of libnetfilter and applying necessary security implementations. I was able to successfully capture packets and extract its relevant data, where I store the IP address as unsigned int. However, I have the requirement of identifying the packet's destination IP's address family.

I tried many ways, which only led me to user space implementations, not C Linux kernel module programming. During my research I just came across %pI4 and %pI6, which format and display the IP address but do not give out its address family, i.e. IPv6 or IPv4.

I would be really grateful if you experts would help me get through this obstacle. Any references or examples to identify the IP address family (IPv4/IPv6) of the IP (which is stored in unsigned int variables) will be highly appreciated.

Thank you,

Best Regards,
H. Hasitha Shan

P.S. I apologize in advance if this question has an obvious answer, but as I am a novice in this area, my research led me to dead ends for weeks and your help will be very much appreciated.
 		 	   		   		 	   		   		 	   		  

* Identification of IP address family
  2014-05-23 11:34   ` Identification of IP address family Hettiarachchige Hasitha Shan
@ 2014-05-24  1:49     ` Valdis.Kletnieks at vt.edu
  0 siblings, 0 replies; 13+ messages in thread
From: Valdis.Kletnieks at vt.edu @ 2014-05-24  1:49 UTC (permalink / raw)
  To: kernelnewbies

On Fri, 23 May 2014 04:34:19 -0700, Hettiarachchige Hasitha Shan said:
> The concept includes capturing of packets via the use of libnetfilter and
> apply necessary security implementations. I was able to successfully capture
> packets and extract it relevant data where I store the IP address as unsigned
> int.

You're in for a big surprise when that first IPv6 packet arrives.

You're in for an even bigger surprise when the first Decnet or CLNP packet
shows up. :)

> However, I have the requirement of identifying the packets destination IP's
> address family.

OK. I'll be very blunt here.  If you haven't figured out what the first 4 bits
of the IP header are for, and why they're the first 4 bits, you're going to
have a *really* hard time doing packet security.  Because the bad guys
are rarely, if ever, RFC3514 compliant...

And then you get to deal with that 8 bit field between the TTL and the
checksum in an IPv4 header.  And then there's all the fun and games of
figuring out how to deal with a fragmented IPv6 packet....
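
Added example, not part of the thread: the fields the reply above points at, read from a raw layer-3 buffer in plain user-space C so it compiles outside the kernel. `l3_classify`, `struct l3_info` and the `L3_*` constants are names made up for this example; it takes the family from the version nibble, the transport protocol from the IPv4 Protocol byte or the IPv6 Next Header chain, and flags fragments.

```c
#include <stddef.h>
#include <stdint.h>

/* All names here belong to this example, not to any kernel API. */
enum l3_family { L3_UNKNOWN = 0, L3_IPV4 = 4, L3_IPV6 = 6 };

struct l3_info {
    enum l3_family family;  /* taken from the version nibble */
    uint8_t l4_proto;       /* IPv4 Protocol or last IPv6 Next Header */
    size_t l4_offset;       /* offset of the transport header */
    int fragment;           /* packet is a fragment */
    int first_fragment;     /* fragment offset is 0, L4 header present */
};

/* Returns 0 on success, -1 if the buffer is truncated or malformed. */
int l3_classify(const uint8_t *p, size_t len, struct l3_info *out)
{
    out->family = L3_UNKNOWN;
    out->l4_proto = 0;
    out->l4_offset = 0;
    out->fragment = 0;
    out->first_fragment = 1;
    if (len < 1)
        return -1;

    switch (p[0] >> 4) {                /* first 4 bits: IP version */
    case 4: {
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;  /* 20..60, options vary */
        uint16_t frag;

        if (ihl < 20 || len < ihl)
            return -1;
        frag = (uint16_t)((p[6] << 8) | p[7]);
        out->family = L3_IPV4;
        out->l4_proto = p[9];           /* the byte between TTL and checksum */
        out->l4_offset = ihl;
        out->fragment = (frag & 0x3fff) != 0;      /* MF set or offset != 0 */
        out->first_fragment = (frag & 0x1fff) == 0;
        return 0;
    }
    case 6: {
        size_t off = 40;                /* fixed IPv6 header */
        uint8_t nh;
        int hops = 0;

        if (len < 40)
            return -1;
        nh = p[6];
        out->family = L3_IPV6;
        /* Walk the extension chain, bounded so a crafted chain cannot spin. */
        while (hops++ < 8) {
            if (nh == 0 || nh == 43 || nh == 60) {  /* hop-by-hop, routing, dest opts */
                size_t hl;

                if (len < off + 8)
                    return -1;
                hl = ((size_t)p[off + 1] + 1) * 8;
                if (len < off + hl)
                    return -1;
                nh = p[off];
                off += hl;
            } else if (nh == 44) {      /* fragment header, always 8 bytes */
                uint16_t fo;

                if (len < off + 8)
                    return -1;
                fo = (uint16_t)((p[off + 2] << 8) | p[off + 3]);
                out->fragment = 1;
                out->first_fragment = (fo & 0xfff8) == 0;
                nh = p[off];
                off += 8;
                if (!out->first_fragment)
                    break;              /* rest is mid-payload, not a header */
            } else {
                break;                  /* reached the upper-layer protocol */
            }
        }
        if (hops > 8)
            return -1;                  /* chain longer than this example allows */
        out->l4_proto = nh;
        out->l4_offset = off;
        return 0;
    }
    default:
        return 0;   /* not IPv4/IPv6: family stays L3_UNKNOWN */
    }
}
```

When `first_fragment` is 0 the bytes at `l4_offset` are payload, not a TCP or UDP header, so port or flag checks must not be applied to them.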

* Linux Kernel Module program to obtain domain name from IP
  2014-05-03 18:01 Identifying neighbors within the LAN Hettiarachchige Hasitha Shan
  2014-05-03 23:10 ` Valdis.Kletnieks at vt.edu
  2014-05-23 11:33 ` FW: " Hettiarachchige Hasitha Shan
@ 2014-07-08 10:26 ` Hettiarachchige Hasitha Shan
  2014-07-08 11:22   ` shhuiw
  2 siblings, 1 reply; 13+ messages in thread
From: Hettiarachchige Hasitha Shan @ 2014-07-08 10:26 UTC (permalink / raw)
  To: kernelnewbies

I have a requirement to obtain the domain name from the destination IP from an outgoing packet. I am successful in capturing and obtaining the destination IP  packets using the `netfilter` hook as shown below. 

    #include <linux/ip.h>
    #include <linux/netfilter.h>
    #include <linux/skbuff.h>
    #include <linux/tcp.h>
    #include <linux/udp.h>

    unsigned int hook_func_out(unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *))
    {
        unsigned int ofs = 20;    // Set the offset to skip over the IP header.

        {
            struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb);
            struct udphdr *udp_header;
            struct tcphdr *tcp_header;

            // I can obtain the destination IP address of the packet
            // like this
            unsigned int dest_ip = (unsigned int)ip_header->daddr;

            // or like this
            char pkt_tbuf[16];
            snprintf(pkt_tbuf, 16, "%pI4", &ip_header->daddr);

            // here I need to obtain the domain name of the obtained destination address
        }

        return NF_ACCEPT;    // hand the packet back to the network stack
    }

However, I have no idea on how to use that IP to obtain the domain name of the obtained IP. 

I tried many sources (https://www.google.com/search?client=ubuntu&channel=fs&q=linux+kernel+programming+domain+name+from+IP+&ie=utf-8&oe=utf-8) but did not find any related information on the subject and will be really grateful if you experts would provide any sample code/references to perform this task :)

Thank you very much :)
 		 	   		  

* Linux Kernel Module program to obtain domain name from IP
  2014-07-08 10:26 ` Linux Kernel Module program to obtain domain name from IP Hettiarachchige Hasitha Shan
@ 2014-07-08 11:22   ` shhuiw
  2014-07-08 12:01     ` Sudip Mukherjee
  0 siblings, 1 reply; 13+ messages in thread
From: shhuiw @ 2014-07-08 11:22 UTC (permalink / raw)
  To: kernelnewbies

Hi,

I think you need to refer to some open source DNS client utilities, e.g. http://en.wikipedia.org/wiki/Nslookup.

- shhuiw
 


At 2014-07-08 06:26:23, "Hettiarachchige Hasitha Shan" <hh_shan@live.com> wrote:

> I have a requirement to obtain the domain name from the destination IP from an outgoing packet. I am successful in capturing and obtaining the destination IP  packets using the `netfilter` hook as shown below.
>
>     unsigned int hook_func_out(unsigned int hooknum, struct sk_buff * skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff*))
>     {
>
>         ofs = 20;    // Set theoffset to skip over the IP header.
>
>         {
>                 struct iphdr *ip_header = (struct iphdr *)skb_network_header(skb);
>                 struct udphdr *udp_header;
>                 struct tcphdr * tcp_header;
>
>             //Ican obtain the destination IP address of the packet
>             //like this
>             unsigned int dest_ip = (unsigned int)ip_header->daddr;
>
>             //or like this
>             char pkt_tbuf[16];
>             snprintf(pkt_tbuf, 16, "%pI4", &ip_header->daddr);
>
>             //here I need to obtain the domain name of the obtained destination address
>         }
>     }
>
> However, I have no idea on how to use that IP to obtain the domain name of the obtained IP.
>
> I tried many sources (https://www.google.com/search?client=ubuntu&channel=fs&q=linux+kernel+programming+domain+name+from+IP+&ie=utf-8&oe=utf-8) but did find any related information on the subject and will be really grateful if you experts would provide any sample code/ references to perform this task :)
>
> Thank you very much :)

* Linux Kernel Module program to obtain domain name from IP
  2014-07-08 11:22   ` shhuiw
@ 2014-07-08 12:01     ` Sudip Mukherjee
  2014-07-08 12:19       ` shhuiw
  0 siblings, 1 reply; 13+ messages in thread
From: Sudip Mukherjee @ 2014-07-08 12:01 UTC (permalink / raw)
  To: kernelnewbies

On Tue, Jul 8, 2014 at 4:52 PM, shhuiw <shhuiw@163.com> wrote:
> Hi,
>
> I think you need refer to some open source DNS client utilities, e.g
> http://en.wikipedia.org/wiki/Nslookup.
>
> - shhuiw

just have a look at the source code of nslookup command ... it does
the same thing as what you want ...

but in many cases it will not work, as many domain names have shared
IP address.


>
>
> At 2014-07-08 06:26:23, "Hettiarachchige Hasitha Shan" <hh_shan@live.com>
> wrote:
>
> I have a requirement to obtain the domain name from the destination IP from
> an outgoing packet. I am successful in capturing and obtaining the
> destination IP  packets using the `netfilter` hook as shown below.
>
>     unsigned int hook_func_out(unsigned int hooknum, struct sk_buff * skb,
> const struct net_device *in, const struct net_device *out, int
> (*okfn)(struct sk_buff*))
>     {
>
>         ofs = 20;    // Set theoffset to skip over the IP header.
>
>         {
>                 struct iphdr *ip_header = (struct iphdr
> *)skb_network_header(skb);
>                 struct udphdr *udp_header;
>                 struct tcphdr * tcp_header;
>
>             //Ican obtain the destination IP address of the packet
>             //like this
>             unsigned int dest_ip = (unsigned int)ip_header->daddr;
>
>             //or like this
>             char pkt_tbuf[16];
>             snprintf(pkt_tbuf, 16, "%pI4", &ip_header->daddr);
>
>             //here I need to obtain the domain name of the obtained
> destination address
>         }
>     }
>
> However, I have no idea on how to use that IP to obtain the domain name of
> the obtained IP.
>
> I tried many sources
> (https://www.google.com/search?client=ubuntu&channel=fs&q=linux+kernel+programming+domain+name+from+IP+&ie=utf-8&oe=utf-8)
> but did find any related information on the subject and will be really
> grateful if you experts would provide any sample code/ references to perform
> this task :)
>
> Thank you very much :)

* Linux Kernel Module program to obtain domain name from IP
  2014-07-08 12:01     ` Sudip Mukherjee
@ 2014-07-08 12:19       ` shhuiw
  2014-07-08 13:07         ` Kristof Provost
  0 siblings, 1 reply; 13+ messages in thread
From: shhuiw @ 2014-07-08 12:19 UTC (permalink / raw)
  To: kernelnewbies

DNS lookup should use UDP packet, and you have to construct UDP request
based on your captured IP addresses in your module.
And you have to use DNS server fallback lists and time-out control if some DNS
server cannot work well.



--

Regards,
shhuiw




At 2014-07-08 08:01:02, "Sudip Mukherjee" <sudipm.mukherjee@gmail.com> wrote:
>On Tue, Jul 8, 2014 at 4:52 PM, shhuiw <shhuiw@163.com> wrote:
>> Hi,
>>
>> I think you need refer to some open source DNS client utilities, e.g
>> http://en.wikipedia.org/wiki/Nslookup.
>>
>> - shhuiw
>
>just have a look at the source code of nslookup command ... it does
>the same thing as what u want ...
>
>but in many cases it will not work , as many domain names have shared
>ip address .
>
>
>>
>>
>> At 2014-07-08 06:26:23, "Hettiarachchige Hasitha Shan" <hh_shan@live.com>
>> wrote:
>>
>> I have a requirement to obtain the domain name from the destination IP from
>> an outgoing packet. I am successful in capturing and obtaining the
>> destination IP  packets using the `netfilter` hook as shown below.
>>
>>     unsigned int hook_func_out(unsigned int hooknum, struct sk_buff * skb,
>> const struct net_device *in, const struct net_device *out, int
>> (*okfn)(struct sk_buff*))
>>     {
>>
>>         ofs = 20;    // Set theoffset to skip over the IP header.
>>
>>         {
>>                 struct iphdr *ip_header = (struct iphdr
>> *)skb_network_header(skb);
>>                 struct udphdr *udp_header;
>>                 struct tcphdr * tcp_header;
>>
>>             //Ican obtain the destination IP address of the packet
>>             //like this
>>             unsigned int dest_ip = (unsigned int)ip_header->daddr;
>>
>>             //or like this
>>             char pkt_tbuf[16];
>>             snprintf(pkt_tbuf, 16, "%pI4", &ip_header->daddr);
>>
>>             //here I need to obtain the domain name of the obtained
>> destination address
>>         }
>>     }
>>
>> However, I have no idea on how to use that IP to obtain the domain name of
>> the obtained IP.
>>
>> I tried many sources
>> (https://www.google.com/search?client=ubuntu&channel=fs&q=linux+kernel+programming+domain+name+from+IP+&ie=utf-8&oe=utf-8)
>> but did find any related information on the subject and will be really
>> grateful if you experts would provide any sample code/ references to perform
>> this task :)
>>
>> Thank you very much :)

* Linux Kernel Module program to obtain domain name from IP
  2014-07-08 12:19       ` shhuiw
@ 2014-07-08 13:07         ` Kristof Provost
  2014-07-08 13:20           ` Kristofer Hallin
  0 siblings, 1 reply; 13+ messages in thread
From: Kristof Provost @ 2014-07-08 13:07 UTC (permalink / raw)
  To: kernelnewbies

On 2014-07-08 20:19:09 (+0800), shhuiw <shhuiw@163.com> wrote:
> DNS loopkup should use UDP packet, and you have to construct UDP request
> based on your captured IP addresses in your module.
DNS can actually use both TCP and UDP.

> And you have to use DNS server fallback lists and time-out control if some DNS
> server cannot work well.

Yeah. Doing DNS lookups (forward or reverse) is complicated. 
There's a dns_query function in the kernel (net/dns_resolver), which
apparently upcalls into user space, but I'd avoid dealing with DNS in
the kernel at all.

Just pass the IP address to user space and let it deal with it. There
are plenty of DNS libraries available. Odds are you need to pass the
resulting information to user space anyway, so you're not really losing
anything.

What are you trying to accomplish anyway?

Regards,
Kristof
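
Added example, not part of the thread: what a user-space helper could do with an address handed up from the kernel, as the reply above suggests. It builds the reverse-lookup (PTR) name for an IPv4 or IPv6 address and the RFC 1035 query message for it; `ptr_name` and `dns_ptr_query` are names made up for this example, and 192.0.2.10 is a constructed sample address.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Reverse-lookup name: octets reversed under in-addr.arpa for IPv4,
 * nibbles reversed under ip6.arpa for IPv6. addr is in network byte order.
 * Returns the name length, or -1 on bad family or small buffer. */
int ptr_name(int family, const void *addr, char *out, size_t outlen)
{
    const uint8_t *a = addr;
    int n;

    if (family == AF_INET) {
        n = snprintf(out, outlen, "%d.%d.%d.%d.in-addr.arpa",
                     a[3], a[2], a[1], a[0]);
    } else if (family == AF_INET6) {
        static const char hex[] = "0123456789abcdef";
        size_t pos = 0;

        if (outlen < 73)        /* 32 nibbles with dots + "ip6.arpa" + NUL */
            return -1;
        for (int i = 15; i >= 0; i--) {
            out[pos++] = hex[a[i] & 0x0f]; out[pos++] = '.';
            out[pos++] = hex[a[i] >> 4];   out[pos++] = '.';
        }
        memcpy(out + pos, "ip6.arpa", 9);
        n = (int)(pos + 8);
    } else {
        return -1;
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Encode a DNS query for the PTR record of name (RFC 1035 wire format).
 * id is chosen by the caller. Returns the message length, or -1. */
int dns_ptr_query(uint16_t id, const char *name, uint8_t *msg, size_t msglen)
{
    size_t pos = 12;

    if (msglen < 12 + strlen(name) + 2 + 4)
        return -1;
    memset(msg, 0, 12);
    msg[0] = (uint8_t)(id >> 8);
    msg[1] = (uint8_t)(id & 0xff);
    msg[2] = 0x01;              /* RD: ask the resolver to recurse */
    msg[5] = 1;                 /* QDCOUNT = 1 */
    while (*name) {             /* each label becomes <length><bytes> */
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);

        if (l == 0 || l > 63)
            return -1;
        msg[pos++] = (uint8_t)l;
        memcpy(msg + pos, name, l);
        pos += l;
        name += l + (dot ? 1 : 0);
    }
    msg[pos++] = 0;                     /* root label ends the name */
    msg[pos++] = 0; msg[pos++] = 12;    /* QTYPE  = PTR */
    msg[pos++] = 0; msg[pos++] = 1;     /* QCLASS = IN  */
    return (int)pos;
}

int main(void)
{
    struct in_addr a;           /* constructed sample address */
    char name[80];
    uint8_t msg[128];

    if (inet_pton(AF_INET, "192.0.2.10", &a) != 1 ||
        ptr_name(AF_INET, &a, name, sizeof name) < 0)
        return 1;
    printf("%s -> %d-byte query\n", name,
           dns_ptr_query(0x1234, name, msg, sizeof msg));
    return 0;
}
```

As noted earlier in the thread, many domain names can share one IP address, so whatever PTR answer comes back need not be the name the connection was opened for.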


* Linux Kernel Module program to obtain domain name from IP
  2014-07-08 13:07         ` Kristof Provost
@ 2014-07-08 13:20           ` Kristofer Hallin
  2014-07-08 18:23             ` Hettiarachchige Hasitha Shan
  0 siblings, 1 reply; 13+ messages in thread
From: Kristofer Hallin @ 2014-07-08 13:20 UTC (permalink / raw)
  To: kernelnewbies

There's a research project called Name Based Sockets where this has been
done.

Take a look at: https://www.sics.se/projects/name-based-sockets

If you search for name based sockets on Google you will find a kernel
module and user space code doing this.
On 8 Jul 2014 15:07, "Kristof Provost" <kristof@sigsegv.be> wrote:

> On 2014-07-08 20:19:09 (+0800), shhuiw <shhuiw@163.com> wrote:
> > DNS loopkup should use UDP packet, and you have to construct UDP request
> > based on your captured IP addresses in your module.
> DNS can actually use both TCP and UDP.
>
> > And you have to use DNS server fallback lists and time-out control if
> some DNS
> > server cannot work well.
>
> Yeah. Doing DNS lookups (forward or reverse) is complicated.
> There's a dns_query function in the kernel (net/dns_resolver), which
> apparently upcalls into user space, but I'd avoid dealing with DNS in
> the kernel at all.
>
> Just pass the IP address to user space and let it deal with it. There
> are plenty of DNS libraries available. Odds are you need to pass the
> resulting information to user space anyway, so you're not really losing
> anything.
>
> What are you trying to accomplish anyway?
>
> Regards,
> Kristof

* Linux Kernel Module program to obtain domain name from IP
  2014-07-08 13:20           ` Kristofer Hallin
@ 2014-07-08 18:23             ` Hettiarachchige Hasitha Shan
  0 siblings, 0 replies; 13+ messages in thread
From: Hettiarachchige Hasitha Shan @ 2014-07-08 18:23 UTC (permalink / raw)
  To: kernelnewbies

Thank you for your responses sirs and the advice. My target is to,

1. Intercept SYN packet
2. Obtain the destination IP address
3. Resolve the TLD of that IP
4. then bind each packet to queues depending on the TLD

I will check on nslookup, open DNS client utilities and dns_resolver libraries as you experts suggested :)

Best Regards,
H. Hasitha Shan



> Date: Tue, 8 Jul 2014 15:20:16 +0200
> Subject: Re: Re: Linux Kernel Module program to obtain domain name from IP
> From: kristofer.hallin@gmail.com
> To: kristof at sigsegv.be
> CC: kernelnewbies at kernelnewbies.org; shhuiw at 163.com; sudipm.mukherjee at gmail.com; hh_shan at live.com
>
> There's a research project called Name Based Sockets where this have been done.
> Take a look at: https://www.sics.se/projects/name-based-sockets
> If you search for name based sockets on Google you will find a kernel module and user space code doing this.
> On 8 Jul 2014 15:07, "Kristof Provost" <kristof@sigsegv.be> wrote:
>
> On 2014-07-08 20:19:09 (+0800), shhuiw <shhuiw@163.com> wrote:
> > DNS loopkup should use UDP packet, and you have to construct UDP request
> > based on your captured IP addresses in your module.
> DNS can actually use both TCP and UDP.
>
> > And you have to use DNS server fallback lists and time-out control if some DNS
> > server cannot work well.
>
> Yeah. Doing DNS lookups (forward or reverse) is complicated.
> There's a dns_query function in the kernel (net/dns_resolver), which
> apparently upcalls into user space, but I'd avoid dealing with DNS in
> the kernel at all.
>
> Just pass the IP address to user space and let it deal with it. There
> are plenty of DNS libraries available. Odds are you need to pass the
> resulting information to user space anyway, so you're not really losing
> anything.
>
> What are you trying to accomplish anyway?
>
> Regards,
> Kristof


