Computer networks
1010101001000100110100111, 2012-02-09 10:28:41

Detecting IP packets inside a data stream?

Sometimes, in the process of debugging network applications, it becomes necessary to analyze the contents of packets using binary/hex exchange logs, while a specialized analysis program may not be at hand.
Moreover, manually generating a binary file (in the "capture" format the analyzer supports) containing "raw" network packets is often much harder than manually "parsing" those packets.
Or a situation arises where it is simply not possible to intercept some network packets with such programs at all.
For example, I was never able to point Microsoft Network Monitor at a locally installed Apache.
Even the special loopback interface driver that I installed, in the hope that it would let NetMon capture local network packets such as PING 127.0.0.1 and the like, did not help.
However, a freshly created VPN tunnel, which allows "raw" IP packets to be sent to the network, is listened to by NetMon without any problems (even though it, like Apache, is brought up locally).

The code below finds the offsets at which possible IPv4 packet headers begin in the $raw_data block of "raw" data.

<?php
// $raw_data holds the captured bytes.
// First header byte: version 4 in the high nibble, IHL 5..15 in the low nibble,
// i.e. 0x45..0x4F, which are the ASCII characters 'E'..'O'.
// Byte 9 of the header is the protocol: 1 = ICMP, 6 = TCP, 17 = UDP.
$mask = "/[E-O](?=.{8}[\x01\x06\x11])/s";
$res = preg_match_all($mask, $raw_data, $result, PREG_OFFSET_CAPTURE);
foreach ($result[0] as $rrr)
  echo $rrr[1], "\r\n";
This detection method is quite crude and gives a lot of false positives, so it is also desirable to check the results more carefully.
Checking the header checksum completely solves this problem.
// One's-complement checksum (RFC 1071) over $data, padded to an even length.
// Run it over exactly IHL*4 bytes of the header. With $bool = true it returns
// whether a header that already contains its checksum field sums to 0xFFFF,
// i.e. whether the header checksum is valid; otherwise it returns the
// checksum to be stored, as two big-endian bytes.
function checksum($data, $bool = false)
    {
    if (strlen($data) & 1)
      $data .= "\x00";
    $bit = unpack("n*", $data);
    $sum = array_sum($bit);
    while ($sum >> 16)
      $sum = ($sum >> 16) + ($sum & 0xffff);
    if ($bool) return ($sum === 0xffff);
    return pack("n", ~$sum);
    }
Actually, the question: it is also necessary to detect IP version 6 packet headers. Can anyone suggest the easiest way to do this?
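As an added example (not code from the original post), here is the same two-stage detection in Python rather than the asker's PHP: the coarse regex from the question produces candidate offsets, and each candidate is then checked for a sane version nibble, IHL and total length and for a verifying header checksum. The byte blob is constructed for the example and deliberately contains a text fragment that matches the regex but is not a packet, followed by two genuine IPv4 headers (ICMP and UDP) built with the same checksum routine.

```python
import re
import socket
import struct

# Coarse candidate scan, equivalent to the PHP regex in the question:
# first byte 0x45..0x4F ('E'..'O' = version 4, IHL 5..15) and byte 9
# (the protocol) equal to 1 (ICMP), 6 (TCP) or 17 (UDP).
IPV4_CANDIDATE = re.compile(rb"[E-O](?=.{8}[\x01\x06\x11])", re.DOTALL)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words.

    Over a header whose checksum field is zero this returns the value to
    store there; over a header that already carries a correct checksum the
    words sum to 0xFFFF and the result is 0.
    """
    if len(data) & 1:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def find_ipv4_candidates(buf: bytes) -> list[int]:
    """Offsets flagged by the coarse regex; expect false positives in text-heavy data."""
    return [m.start() for m in IPV4_CANDIDATE.finditer(buf)]


def ipv4_header_ok(buf: bytes, off: int) -> bool:
    """Strict check of a candidate header at buf[off:]: version, IHL, total
    length and a header checksum that verifies. (For a dump that may be
    truncated at the end, a check that the whole total length is present
    is deliberately not made.)"""
    if off + 20 > len(buf) or buf[off] >> 4 != 4:
        return False
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or off + ihl > len(buf):
        return False
    total_len = struct.unpack_from("!H", buf, off + 2)[0]
    if total_len < ihl:
        return False
    return ip_checksum(buf[off:off + ihl]) == 0


def find_ipv4_headers(buf: bytes) -> list[int]:
    """Regex candidates that also pass the strict header check."""
    return [off for off in find_ipv4_candidates(buf) if ipv4_header_ok(buf, off)]


def describe_ipv4(buf: bytes, off: int) -> tuple[str, str, int]:
    """(src, dst, protocol) of a header already known to be valid."""
    proto = buf[off + 9]
    src = socket.inet_ntoa(buf[off + 12:off + 16])
    dst = socket.inet_ntoa(buf[off + 16:off + 20])
    return src, dst, proto


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64, id 0x1234) with a correct
    checksum; used only to build the constructed sample below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


# Constructed sample: a log line that happens to match the regex
# ('E' + 8 bytes + 0x06), then an ICMP echo request and a UDP packet
# separated by junk. Offsets: 5 (false positive), 25 and 63 (real headers).
SAMPLE = (
    b"log: Enter the\x06 session\r\n"
    + build_ipv4_header("10.0.0.1", "10.0.0.2", 1, 8)
    + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    + b"\x00\x00garbage\xff"
    + build_ipv4_header("192.168.1.5", "8.8.8.8", 17, 12)
    + b"\x00" * 12
)

if __name__ == "__main__":
    print("regex candidates:", find_ipv4_candidates(SAMPLE))
    for off in find_ipv4_headers(SAMPLE):
        print("verified header at", off, describe_ipv4(SAMPLE, off))
```

On the constructed input the regex reports three offsets and the checksum stage keeps two; the rejected one is the "Enter the" fragment, whose 20 bytes do not sum to 0xFFFF. A genuine false positive surviving the checksum needs a 1-in-65536 coincidence on top of the version, IHL and length checks, which is why the question treats the checksum as sufficient.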


1 answer(s)
DmZ, 2012-02-10

In general, you won't be able to simply find an IPv6 packet.
If there are Ethernet headers, then you can look at the "type" field and the version of the inner protocol. (In any case, this will give almost 100% detection of IPv4/IPv6 packets.)
In the case of PPP, you will also have to analyze the connection setup and configuration (IPCP/IP6CP); you won't get away with a single regexp :(
Maybe it's easier to look at normal tools like Wireshark?
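As an added example (not part of DmZ's answer), the Ethernet-framed check described above in Python: for an Ethernet II frame, 802.1Q VLAN tags are skipped, and the frame is reported as IPv4 or IPv6 only when the EtherType and the version nibble of the inner header agree and the inner length fields fit the bytes that are actually present. Since IPv6 has no header checksum, those two fields are all that can be checked for it. The four frames, their MAC and IP addresses and the ARP body are constructed for the example; one frame carries an IPv6 EtherType in front of an IPv4 header to show the mismatch being rejected.

```python
import socket
import struct
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag: 4 extra bytes before the real EtherType


def ethertype_and_payload(frame: bytes) -> Optional[Tuple[int, int]]:
    """(ethertype, offset of the L3 header) for an Ethernet II frame,
    skipping any 802.1Q VLAN tags; None if the frame is too short."""
    off = 12                      # after destination and source MAC
    while True:
        if off + 2 > len(frame):
            return None
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype != ETHERTYPE_VLAN:
            return etype, off
        off += 2                  # skip the 16-bit TCI, then read the inner type


def ipv4_plausible(buf: bytes, off: int) -> bool:
    """Version 4, IHL >= 20 and a total length that fits the data present."""
    if off + 20 > len(buf) or buf[off] >> 4 != 4:
        return False
    ihl = (buf[off] & 0x0F) * 4
    total_len = struct.unpack_from("!H", buf, off + 2)[0]
    return ihl >= 20 and total_len >= ihl and off + total_len <= len(buf)


def ipv6_plausible(buf: bytes, off: int) -> bool:
    """Version 6 and a payload length that fits the data present. IPv6 has
    no header checksum, so nothing stronger can be checked from the header."""
    if off + 40 > len(buf) or buf[off] >> 4 != 6:
        return False
    payload_len = struct.unpack_from("!H", buf, off + 4)[0]
    return off + 40 + payload_len <= len(buf)


def classify_frame(frame: bytes) -> Optional[Tuple[str, int]]:
    """('ipv4' | 'ipv6', offset of the IP header) when the EtherType and the
    inner header agree; None for non-IP frames or inconsistent ones."""
    parsed = ethertype_and_payload(frame)
    if parsed is None:
        return None
    etype, off = parsed
    if etype == ETHERTYPE_IPV4 and ipv4_plausible(frame, off):
        return "ipv4", off
    if etype == ETHERTYPE_IPV6 and ipv6_plausible(frame, off):
        return "ipv6", off
    return None


def ipv6_addrs(frame: bytes, off: int) -> Tuple[str, str]:
    """(src, dst) of an IPv6 header already known to be plausible."""
    src = socket.inet_ntop(socket.AF_INET6, frame[off + 8:off + 24])
    dst = socket.inet_ntop(socket.AF_INET6, frame[off + 24:off + 40])
    return src, dst


# Constructed frames with placeholder (locally administered) MACs.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
# 20-byte IPv4 header, 10.0.0.1 -> 10.0.0.2, protocol 1, total length 20.
IPV4_HDR = bytes.fromhex("45000014000100004001" "66e6" "0a0000010a000002")
# 40-byte IPv6 header, payload length 8, next header 58 (ICMPv6), hop limit 64,
# followed by 8 zero payload bytes.
IPV6_HDR = struct.pack("!IHBB16s16s", 0x60000000, 8, 58, 64,
                       socket.inet_pton(socket.AF_INET6, "fe80::1"),
                       socket.inet_pton(socket.AF_INET6, "ff02::1")) + b"\x00" * 8

FRAMES = {
    "plain ipv4": MAC_B + MAC_A + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HDR,
    "vlan ipv6": (MAC_B + MAC_A + struct.pack("!HH", ETHERTYPE_VLAN, 0x0064)
                  + struct.pack("!H", ETHERTYPE_IPV6) + IPV6_HDR),
    "arp": (MAC_B + MAC_A + struct.pack("!H", 0x0806)
            + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    # EtherType claims IPv6 but the bytes are an IPv4 header: version nibble disagrees.
    "lying type": MAC_B + MAC_A + struct.pack("!H", ETHERTYPE_IPV6) + IPV4_HDR,
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:11} -> {classify_frame(frame)}")
```

This only works because each frame is delimited and carries a type field; on a raw byte stream without framing, or on PPP, the type has to come from the link-layer negotiation instead, which is the point the answer makes.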
