I'm trying to get the TCP header of a TCP connection in C++11. Reading through already existing StackOverflow questions (here, here, here and here) it seems like I have to open a RAW_SOCKET or to write a Linux Kernel Module (LKM) to have access to it.

From what I've understood, opening a raw socket means handling the whole TCP protocol (handshake, window size, etc...). Is there a way to obtain the TCP header and let the kernel manage the TCP protocol (either "by hand" or with some framework)?

I know I could use libpcap for capturing the packets, but this would mean for my application making somehow a match from the incoming packet in the TCP socket and the captured packet from libpcap. While this is a possible solution, it'd be a cumbersome one (and I wouldn't like to do that).

Any help is appreciated, thank you!

Polpetta
  • I had to write a poor-man's-tcpdump a while ago (on Solaris, but should not matter). I succeeded with just headers in /usr/include and the `TCP/IP` book. But if I was to do the same now I would certainly try to use http://www.tcpdump.org/, either as a library or as an inspiration (look at the source code and do the same). – bobah Oct 04 '18 at 08:28
  • Thanks for the tip! Is your project open source? Can I have a look at it? It'd really help – Polpetta Oct 04 '18 at 08:32
  • Unfortunately it’s a prop code. But do try looking at the headers, they map 1-to-1 to the protocol stack entities, really not a problem to make sense of. – bobah Oct 04 '18 at 08:35
  • Maybe a two-connection approach? One raw socket connects to remote, one raw socket at the first internal connection end, and a TCP socket at the other internal end. You get all the TCP handling at the second internal end, while any messages at the raw ends are just forwarded to their respective counterparts (while incoming remote messages can be inspected for TCP headers). Certainly not the most efficient approach, but should be rather easy to implement... – Aconcagua Oct 04 '18 at 08:40
  • @Aconcagua Sorry, I don't get it. Why do I need to use 3 sockets? Could I use only two of them (one raw socket for remote, and another one for internal)? – Polpetta Oct 04 '18 at 08:51
  • The sockets are just the *ends* of a connection, and actually, you have two sockets per connection; one of the four, though, is at remote side, so that one is invisible for you. Additionally, your internal connection needs a *raw* end and a *TCP* end. Even if it *was* possible to use just one socket, how could you have it in raw and TCP mode at the same time? – Aconcagua Oct 04 '18 at 08:58

1 Answer

A "quick and dirty" approach might be using two connections, an external connection to the remote host and a pure internal one. Sure, this won't be the most efficient approach, but it is easy (and fast) to implement (the core feature of QAD "solutions"...):

socket ext_raw  ------- socket remote, TCP (likely, at least)
socket int_raw  ---
                   |    (loop back connection)
socket int_tcp  ---

Any incoming messages at ext_raw and int_raw are just forwarded from one to the other (while incoming messages on ext_raw can be inspected for TCP headers), whereas all the normal TCP handling is done by the internal TCP socket. So in a way, you'll be tunneling the TCP connection through your two raw sockets...

Aconcagua
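The "inspected for TCP headers" step of the answer above, as an added C++11 example that is not part of the answer or the question: it pulls the IPv4 and TCP header fields out of a raw packet buffer by byte offset and validates every length field before trusting it, which is the check a raw-socket reader needs so a truncated or malformed segment cannot cause an out-of-bounds read. The packet bytes are a constructed sample, not a real capture.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Fields of interest from the TCP header of one raw IPv4 packet.
struct TcpHeaderView {
    uint16_t src_port, dst_port;
    uint32_t seq, ack;
    uint8_t  data_offset;     // TCP header length in 32-bit words
    uint8_t  flags;           // CWR ECE URG ACK PSH RST SYN FIN
    uint16_t window;
    size_t   payload_offset;  // byte index where the TCP payload begins
};

// Network-order reads by offset; the buffer is never cast to struct
// iphdr/tcphdr, so alignment and host endianness do not matter.
static uint16_t rd16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | p[3];
}

// Parse the IPv4 and TCP headers of a raw packet into `out`. Every length
// field is validated against the buffer before it is trusted, so a truncated
// or lying packet returns false instead of triggering an out-of-bounds read.
bool parse_ipv4_tcp(const std::vector<uint8_t>& pkt, TcpHeaderView& out) {
    if (pkt.size() < 20 || (pkt[0] >> 4) != 4) return false;        // not IPv4
    const size_t ihl = (pkt[0] & 0x0F) * 4;                          // IP header bytes
    if (ihl < 20 || ihl > pkt.size() || pkt[9] != 6) return false;  // bad IHL / not TCP
    const size_t total_len = rd16(&pkt[2]);
    if (total_len < ihl + 20 || total_len > pkt.size()) return false;
    const uint8_t* tcp = &pkt[ihl];
    out.data_offset = tcp[12] >> 4;
    if (out.data_offset < 5 || ihl + out.data_offset * 4 > total_len) return false;
    out.src_port = rd16(tcp);     out.dst_port = rd16(tcp + 2);
    out.seq = rd32(tcp + 4);      out.ack = rd32(tcp + 8);
    out.flags = tcp[13];
    out.window = rd16(tcp + 14);
    out.payload_offset = ihl + out.data_offset * 4;
    return true;
}

// Constructed sample (not a real capture): IPv4 10.0.0.1 -> 10.0.0.2 carrying
// a TCP SYN from port 40000 to 443, seq 0x01020304, window 64240, plus a
// 4-byte MSS option. Checksums are zero because the parser does not verify them.
const std::vector<uint8_t> kSamplePacket = {
    0x45,0x00,0x00,0x2C, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0A,0x00,0x00,0x01, 0x0A,0x00,0x00,0x02,
    0x9C,0x40,0x01,0xBB, 0x01,0x02,0x03,0x04, 0x00,0x00,0x00,0x00,
    0x60,0x02,0xFA,0xF0, 0x00,0x00,0x00,0x00, 0x02,0x04,0x05,0xB4 };
```

On Linux the same buffer layout is what `recvfrom()` on an `AF_INET`/`SOCK_RAW` socket hands back (IP header included), so the function applies directly to the `ext_raw` reads in the diagram.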