Hello everybody :)
While a friend of mine and I were playing with the SOCK_RAW socket type
(family AF_INET) on both loopback and dummy interfaces, we got some strange
behaviour.
This is the scenario:
raw0 is socket(AF_INET, SOCK_RAW, IPPROTO_RAW) used to build/inject the
packet.
raw1 is socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) used to read ICMP
packet.
We send a spoofed (i.e. IP_HDRINCL is on [well, this is the default w/
SOCK_RAW, however]) ICMP packet through the raw0 socket.
The relevant hdr fields are:
In ip hdr:   src == 1.2.3.4
             dst == 127.0.0.1
In icmp hdr: type == 8 (ECHO)
             code == 0
             id == getpid()
             no data.
We read through the raw1 socket, getting the ICMP packets delivered by the kernel.
Running tcpdump on lo we obviously see
    1.2.3.4 icmp > 127.0.0.1 echo request
and no reply (right).
But when we read through raw1 (matching the right id) we get something
like this:
1) 1.2.3.4 icmp > 127.0.0.1 echo request (sent by us)
2) 127.0.0.1 icmp > 127.0.0.1 echo reply !!!! (processed by the kernel)
Now: should we get this stuff ?! I mean the line number 2.
Any advice ?
Now we try on dummy0 iface. iface's ipaddress 192.168.1.1
same scenario.
This time, running tcpdump -i dummy0 -n, we get both packets:
1.2.3.4 icmp > 192.168.1.1 echo request
192.168.1.1 icmp > 192.168.1.1 echo reply
And we get the same through raw1 socket.
Is all this right and why ? :)
I haven't looked at the sources yet.
I'm sorry, but I don't have too much time right now
(but I'll do it asap).
Thanx a lot to everybody :))
bye bye
-- gg sullivan
P.S.
Have a nice day/night !
Could you please also CC any answer to [EMAIL PROTECTED] and [EMAIL PROTECTED]?
--
Lorenzo Cavallaro `Gigi Sullivan' <[EMAIL PROTECTED]> -- ITALY
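
The packet described in the message above, built and decoded offline, as an added example that is not part of the original post. It shows the byte layout a SOCK_RAW/IPPROTO_ICMP read hands back (IP header first) and the id match used to pick out our own traffic. All function names, the id 0x1234 and the two sample datagrams are constructed for illustration, and nothing is sent on a socket.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(icmp_type: int, ident: int, seq: int = 0) -> bytes:
    """8-byte ICMP echo header, code 0, no data (as in the post)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident & 0xFFFF, seq)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]

def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options), protocol ICMP, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      socket.IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def parse_raw_read(buf: bytes) -> dict:
    """Decode one datagram as a raw ICMP socket returns it: IP header first."""
    ihl = (buf[0] & 0x0F) * 4 if len(buf) >= 28 else 0
    if ihl < 20 or len(buf) < ihl + 8 or buf[0] >> 4 != 4 or buf[9] != socket.IPPROTO_ICMP:
        raise ValueError("not a complete IPv4/ICMP datagram")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", buf[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]),
            "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "ip_csum_ok": inet_checksum(buf[:ihl]) == 0,
            "icmp_csum_ok": inet_checksum(buf[ihl:]) == 0}

def describe(buf: bytes, want_id: int):
    """Return a tcpdump-like line for datagrams carrying our id, else None."""
    p = parse_raw_read(buf)
    if p["id"] != want_id & 0xFFFF:
        return None
    kind = {8: "echo request", 0: "echo reply"}.get(p["type"], "type %d" % p["type"])
    return "%s icmp > %s %s" % (p["src"], p["dst"], kind)

IDENT = 0x1234  # constructed id; the post uses getpid()
REQUEST = build_ipv4("1.2.3.4", "127.0.0.1", build_icmp_echo(8, IDENT))
REPLY = build_ipv4("127.0.0.1", "127.0.0.1", build_icmp_echo(0, IDENT))  # constructed

if __name__ == "__main__":
    for pkt in (REQUEST, REPLY):
        print(describe(pkt, IDENT), parse_raw_read(pkt))
```

The id is masked to 16 bits because the ICMP identifier field is that wide, while a process id can be larger.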