How to get payload from struct sk_buff in netfilter kernel module linux

Question

I am writing a network filter kernel module on ubuntu 12.04 and kernel version is 3.2.0-23-generic.

my code is.

#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#undef __KERNEL__
#include <linux/netfilter_ipv4.h>
#define __KERNEL__

#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/fs.h>

static struct nf_hook_ops nfho;
MODULE_LICENSE("Proprietary");
MODULE_AUTHOR("vikas");

unsigned int hook_func(unsigned int hooknum, struct sk_buff * skb,
        const struct net_device * in, const struct net_device * out,
        int (*okfn)(struct sk_buff *))
{
    if (skb)
    {
        struct iphdr *iph = ip_hdr(skb);

        if (iph && iph->protocol && (iph->protocol == IPPROTO_TCP))
        {
            int index;
            char cValue[101];
            char *data;

            struct tcphdr *tcph = tcp_hdr(skb);

            data = (char *) ((unsigned char*) tcph + (tcph->doff * 4));

            printk(KERN_INFO "\n\ntcp hader address = %u", tcph);
            printk(KERN_INFO "TCP source : %hu, TCP  dest : %hu\n", ntohs(tcph->source), ntohs(tcph->dest));
            printk(KERN_INFO "TCP seq : %u, TCP ack_seq : %u\n", ntohl(tcph->seq), ntohl(tcph->ack_seq));
            printk(KERN_INFO "TCP doff : %d, TCP window : %hu\n", tcph->doff * 4, ntohs(tcph->window));
            printk(KERN_INFO "TCP check : 0x%hx, TCP urg_ptr : %hu\n", ntohs(tcph->check), ntohs(tcph->urg_ptr));
            printk(KERN_INFO "FLAGS=%c%c%c%c%c%c\n",
                    tcph->urg ? 'U' : '-',
                    tcph->ack ? 'A' : '-',
                    tcph->psh ? 'P' : '-',
                    tcph->rst ? 'R' : '-',
                    tcph->syn ? 'S' : '-',
                    tcph->fin ? 'F' : '-');
            printk(KERN_INFO "sending packet to : %pI4\n", &iph->daddr);
            //printk(KERN_INFO "data len : %d\n", (int) strlen(data));
            printk(KERN_INFO "DATA : %s\n", data);
            printk(KERN_INFO "tcp headerlen = %d\n", tcp_hdrlen(skb));
            unsigned char *tail = skb_tail_pointer(skb);
            unsigned char *end = skb_end_pointer(skb);
            printk(KERN_INFO "skb->head  = %u\n", skb->head);
            printk(KERN_INFO "skb->data  = %u\n", skb->data);
            printk(KERN_INFO "tail pointer  = %u\n", tail);
            printk(KERN_INFO "end pointer  = %u\n", end);
            printk(KERN_INFO "packet len  = %d\n", (int)skb->len);
            printk(KERN_INFO "skb data len  = %d\n", (int)skb->data_len);
            printk(KERN_INFO "header len  = %d\n", (int)skb->hdr_len);

            return NF_ACCEPT;
        }
    }
    return NF_ACCEPT;
}
        int init_module()
        {
            printk(KERN_INFO "Loading packet filter module...\n");
            nfho.hook = (nf_hookfn *) hook_func;
            nfho.hooknum = NF_INET_LOCAL_OUT;
            nfho.pf = PF_INET;
            nfho.priority = NF_IP_PRI_FIRST;

            if (nf_register_hook(&nfho))
            {
                printk(KERN_INFO "Error while registering packet filter.\n");
                return 1;
            }
            printk(KERN_INFO "The packet filter has been laoded successfully.\n");
            return 0;
        }

        void cleanup_module()
        {
            nf_unregister_hook(&nfho);
        printk(KERN_INFO "The packet filter has been un-laoded successfully.\n");
    }

I am looking for only outgoing packets but not getting paylod from packet in which ack and push flag set. address of skb->tail and skb->data is same.

my syslog result is,

Feb 22 12:41:14 udesktop kernel: [ 6037.039999] tcp hader address = 3083234568
Feb 22 12:41:14 udesktop kernel: [ 6037.040019] TCP source : 48530, TCP  dest : 3127
Feb 22 12:41:14 udesktop kernel: [ 6037.040021] TCP seq : 2624763273, TCP ack_seq : 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040023] TCP doff : 40, TCP window : 14600
Feb 22 12:41:14 udesktop kernel: [ 6037.040025] TCP check : 0x8285, TCP urg_ptr : 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040027] FLAGS=----S-
Feb 22 12:41:14 udesktop kernel: [ 6037.040030] sending packet to : x.x.x.x
Feb 22 12:41:14 udesktop kernel: [ 6037.040031] DATA :
Feb 22 12:41:14 udesktop kernel: [ 6037.040033] tcp headerlen = 40
Feb 22 12:41:14 udesktop kernel: [ 6037.040034] skb->head  = 3083234304
Feb 22 12:41:14 udesktop kernel: [ 6037.040036] skb->data  = 3083234548
Feb 22 12:41:14 udesktop kernel: [ 6037.040037] tail pointer  = 3083234608
Feb 22 12:41:14 udesktop kernel: [ 6037.040039] end pointer  = 3083234944
Feb 22 12:41:14 udesktop kernel: [ 6037.040041] packet len  = 60
Feb 22 12:41:14 udesktop kernel: [ 6037.040042] skb data len  = 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040044] header len  = 304
Feb 22 12:41:14 udesktop kernel: [ 6037.040805]
Feb 22 12:41:14 udesktop kernel: [ 6037.040807]
Feb 22 12:41:14 udesktop kernel: [ 6037.040808] tcp hader address = 2515565840
Feb 22 12:41:14 udesktop kernel: [ 6037.040812] TCP source : 48530, TCP  dest : 3127
Feb 22 12:41:14 udesktop kernel: [ 6037.040816] TCP seq : 2624763274, TCP ack_seq : 1452430989
Feb 22 12:41:14 udesktop kernel: [ 6037.040820] TCP doff : 32, TCP window : 229
Feb 22 12:41:14 udesktop kernel: [ 6037.040824] TCP check : 0x827d, TCP urg_ptr : 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040827] FLAGS=-A----
Feb 22 12:41:14 udesktop kernel: [ 6037.040830] sending packet to : x.x.x.x
Feb 22 12:41:14 udesktop kernel: [ 6037.040833] DATA : ^A
Feb 22 12:41:14 udesktop kernel: [ 6037.040836] tcp headerlen = 32
Feb 22 12:41:14 udesktop kernel: [ 6037.040838] skb->head  = 2515565568
Feb 22 12:41:14 udesktop kernel: [ 6037.040841] skb->data  = 2515565820
Feb 22 12:41:14 udesktop kernel: [ 6037.040844] tail pointer  = 2515565872
Feb 22 12:41:14 udesktop kernel: [ 6037.040846] end pointer  = 2515566208
Feb 22 12:41:14 udesktop kernel: [ 6037.040849] packet len  = 52
Feb 22 12:41:14 udesktop kernel: [ 6037.040851] skb data len  = 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040854] header len  = 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040966]
Feb 22 12:41:14 udesktop kernel: [ 6037.040968] tcp hader address = 2515557984
Feb 22 12:41:14 udesktop kernel: [ 6037.040971] TCP source : 48530, TCP  dest : 3127
Feb 22 12:41:14 udesktop kernel: [ 6037.040975] TCP seq : 2624763274, TCP ack_seq : 1452430989
Feb 22 12:41:14 udesktop kernel: [ 6037.040979] TCP doff : 32, TCP window : 229
Feb 22 12:41:14 udesktop kernel: [ 6037.040982] TCP check : 0x833c, TCP urg_ptr : 0
Feb 22 12:41:14 udesktop kernel: [ 6037.040990] FLAGS=-AP---
Feb 22 12:41:14 udesktop kernel: [ 6037.040991] sending packet to : x.x.x.x
Feb 22 12:41:14 udesktop kernel: [ 6037.040993] DATA : ^A
Feb 22 12:41:14 udesktop kernel: [ 6037.040994] tcp headerlen = 32
Feb 22 12:41:14 udesktop kernel: [ 6037.040995] skb->head  = 2515557376
Feb 22 12:41:14 udesktop kernel: [ 6037.040996] skb->data  = 2515557964
Feb 22 12:41:14 udesktop kernel: [ 6037.040997] tail pointer  = 2515558016
Feb 22 12:41:14 udesktop kernel: [ 6037.040998] end pointer  = 2515558016
Feb 22 12:41:14 udesktop kernel: [ 6037.040999] packet len  = 243
Feb 22 12:41:14 udesktop kernel: [ 6037.041000] skb data len  = 191
Feb 22 12:41:14 udesktop kernel: [ 6037.041001] header len  = 640

could any help me what is the right way to payload from outgoing packets. thanks.

EDIT I printed data in hex format from skb->data to skb->tail, which as given below:

data in ACK packet: 45 0 0 34 4c 73 40 0 40 6 6b fa c0 a8 0 fc c0 a8 0 a c0 4e c 37 84 50 39 35 d8 88 93 77 80 10 0 e5 82 7d 0 0 1 1 8 a 0 3f 75 46 0 0 0 0

data in ACK + PUSH packet: 45 0 0 d4 4c 74 40 0 40 6 6b 59 c0 a8 0 fc c0 a8 0 a c0 4e c 37 84 50 39 35 d8 88 93 77 80 18 0 e5 83 1d 0 0 1 1 8 a 0 3f 75 46 0 0 0 0

sorry its my mistake (skb->data + len of tcp header) and skb->tail gives same address. — vikas_saini, Feb 22 '17 at 07:23
There are a few ending braces missing in your `hook_func`. You may want to check those out. Maybe you could also fix the code indentation ... — dragosht, Feb 22 '17 at 07:29
Probably you forgot a `}` to close `hook_func` and a `}` to close `if (skb)`condition. In that case you should also add return at the end of the function. — LPs, Feb 22 '17 at 07:38
yes i forgot to add } to close hook_func. but after add } it still not work for me . — vikas_saini, Feb 22 '17 at 07:43
yes i printed payload from skb->data to skb->tail but according to result skb->tail address is same as the address given by the expression. data = (char *)((unsigned char*)tcph + (tcph->doff * 4));) where data is unsigned char*. — vikas_saini, Feb 22 '17 at 08:28
I'd also be careful about assuming that tail points to the end of the TCP payload. Depending on how the IP packet is encapsulated, there could be data after the TCP payload. — JimD., Feb 22 '17 at 08:47
(skb->data address + ip header len + tcp header len) = skb->tail, does it mean the packet has no payload? — vikas_saini, Feb 22 '17 at 09:58
@JimD. i have added data printed in hex format, there is no much difference in ack and ack + push contents. — vikas_saini, Feb 22 '17 at 10:38
Probably related: http://stackoverflow.com/questions/29553990/print-tcp-packet-data — Sam Protsenko, Feb 24 '17 at 17:28
"Feb 22 12:41:14 udesktop kernel: [ 6037.041000] skb data len = 191" indicates the existence of paged data since skb->data_len != 0. So you nee d also to read paged data to get the payload. — Coiby, Feb 06 '21 at 11:17

How to get payload from struct sk_buff in netfilter kernel module linux

0 Answers0