
I'm creating a kind of access point.

I capture all packets, of all the types, from my machine, in order to prioritize them before forwarding them, according to the default Quality of Service (QoS) classes.

By calling socket with the ETH_P_ALL parameter, I can get all incoming packets of any protocol type:

    /* ETH_P_ALL comes from <linux/if_ether.h>; socket() returns -1 on failure */
    if ((sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) == -1) {
        perror("socket");
        exit(1);
    }

By using ethhdr, iphdr, tcphdr and udphdr structs I can't retrieve information on which application sent each packet.

However, both VoIP and SNMP use UDP, and I don't know which of the two sent me a UDP packet.

I'd like to know which applications are sending the UDP packets, so I may follow the QoS classes and forward some packets (e.g. conversational voice) before others (e.g. e-mail).

In order to recognize the protocol, should I use the list of TCP and UDP port numbers?

kdopen
elmazzun
  • "*should I use the list of TCP and UDP port numbers*": Without (trying to) inspect the packets' payload you probably have no other possibility. – alk Apr 22 '15 at 15:37

1 Answer

You cannot tell for sure which application sent a packet; only the sender itself knows this. If I understand correctly, what you want is to detect which protocol is being used. Then you have 2 possibilities:

  1. Assume an application based on the destination port set on the TCP/UDP packet - the list of TCP/UDP port numbers or your /etc/services (if you're on Linux/Unix/OSX/etc) might be of help;

  2. Analyse the packet contents and match it against known protocol signatures (like an IDS does - see Snort rules for example). Note you may need some form of conntrack to make this work reliably;

jweyrich
  • Option two is an expensive one. Also doing so might raise ethical objections. – alk Apr 22 '15 at 15:41
  • @alk: quite expensive indeed. As for the other point, while I agree, I must ask: How does a NGFW do this without raising ethic objections? The only answer I know (currently) is: User terms and conditions + privacy policy. – jweyrich Apr 22 '15 at 17:12
  • Could you suggest me some interesting papers or docs about how IDS recognize protocol signatures? Sincerely, I don't know where to start. – elmazzun Apr 22 '15 at 21:28
  • @elmazzun I don't recall any good papers/docs right now, but I'd suggest looking into [Snort's manual](http://manual.snort.org/) or maybe [other Snort documents](https://www.snort.org/documents) – jweyrich Apr 24 '15 at 18:41
  • Thank you, I'll start from there. – elmazzun Apr 25 '15 at 08:16
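An added example (not code from the question or the answer) of option 1: parse a captured frame by offset down to the transport header and map its destination port to a QoS class with a small /etc/services-style table. The port-to-class table and the sample frame are constructed assumptions, and the offset parsing is used instead of the Linux-specific ethhdr/iphdr structs so it compiles on any POSIX system.

```c
/* Added example (not code from the question or the answer): classify a
 * raw Ethernet frame by its destination UDP/TCP port, the /etc/services
 * style lookup from option 1. Headers are parsed by byte offset so no
 * Linux-specific headers are needed; the port table is an assumed sample. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs */
#include <netinet/in.h>  /* IPPROTO_UDP, IPPROTO_TCP */

enum qos_class { QOS_UNKNOWN = 0, QOS_VOICE, QOS_MGMT, QOS_BEST_EFFORT };

/* Assumed mapping of well-known ports to QoS classes; a real build would
 * load this from /etc/services or a configuration file. */
static const struct { uint16_t port; uint8_t proto; enum qos_class cls; }
qos_table[] = {
    { 5060, IPPROTO_UDP, QOS_VOICE },       /* SIP (VoIP signalling) */
    { 161,  IPPROTO_UDP, QOS_MGMT },        /* SNMP */
    { 25,   IPPROTO_TCP, QOS_BEST_EFFORT }, /* SMTP (e-mail) */
};

enum qos_class classify_frame(const uint8_t *buf, size_t len)
{
    uint16_t ethertype, dport;
    size_t ihl, l4off;
    if (len < 14 + 20) return QOS_UNKNOWN;               /* ethhdr + min iphdr */
    memcpy(&ethertype, buf + 12, 2);
    if (ntohs(ethertype) != 0x0800) return QOS_UNKNOWN;  /* not IPv4 */
    ihl = (buf[14] & 0x0f) * 4;                          /* IHL in 32-bit words */
    l4off = 14 + ihl;
    if (ihl < 20 || l4off + 4 > len) return QOS_UNKNOWN; /* bad IHL or truncated */
    /* UDP and TCP headers both start with src port, dst port (16 bits each) */
    memcpy(&dport, buf + l4off + 2, 2);
    dport = ntohs(dport);
    for (size_t i = 0; i < sizeof qos_table / sizeof qos_table[0]; i++)
        if (qos_table[i].proto == buf[23] && qos_table[i].port == dport)
            return qos_table[i].cls;                     /* buf[23] = IP protocol */
    return QOS_BEST_EFFORT;                              /* unknown port: lowest priority */
}

/* Constructed sample frame: Ethernet -> IPv4 -> UDP from port 1024 to 161 (SNMP). */
static const uint8_t sample_snmp[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,                               /* eth  */
    0x45,0x00,0x00,0x1c, 0,0,0,0, 0x40,0x11,0,0, 10,0,0,1, 10,0,0,2,   /* ipv4 */
    0x04,0x00, 0x00,0xa1, 0x00,0x08, 0x00,0x00                         /* udp  */
};
```

In the capture loop from the question, each buffer read from the AF_PACKET socket can be passed to classify_frame and queued by the returned class before forwarding.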