
I need to intercept/redirect TCP and UDP packets that have their payloads matching some regex patterns and also get the original destination address and port.

I can't just redirect TCP and UDP packets to my application by the use of DSTNAT on the firewall (and splice() if they don't match the patterns) because that wouldn't allow me to get their original destination addresses and ports from before they are changed/translated.

So I read about divert sockets and they look promising. I'm in doubt, however, as I couldn't find anywhere how much of a packet received on a divert socket an application can read. Is it possible to read the entire packet (including the TCP and UDP payload) or just its headers? Is the entire packet sent to the divert socket or just the first received fragment (maybe limited by MTU/MRU or by how much send() could push in a single call on the other end...)?

If it matters, the firewall I'm going to use for diverting packets is ipfw.

Tiago.SR
  • A packet contains both the destination and source layer-3 addresses in its header. The port numbers would be in the layer-4 header in the layer-3 payload, assuming the layer-4 protocol uses port numbers as layer-4 addresses (not all do). Any packet will have the layer-3 and layer-4 addresses, if you know how to read them, and that varies by the protocols used. A packet larger than any MTU in the path will be fragmented by some layer-3 protocols, e.g. IPv4, or dropped, e.g. IPv6, but fragments will be reassembled by the layer-3 protocol. – Ron Maupin Oct 30 '16 at 05:39
  • I'm not sure with ipfw. But with OpenBSD pf you can create a `divert-to` rule to some local socket and get the original recipient on the accepted TCP socket by simply calling `getsockname()`. With UDP you would need `recvmsg()` with `IP_RECVDSTADDR` etc. to get the original target. – Steffen Ullrich Oct 30 '16 at 08:26
  • Ok, so it's clear I can read layer-3 and layer-4 headers. But what about reading UDP/TCP payload? An example: can I read HTTP messages while using divert sockets? – Tiago.SR Oct 30 '16 at 20:06
