Alexey Shumkin, 2015-11-16 10:57:43
linux

What is the easiest way to replace raw TCP traffic (CentOS)?

There is the following situation:
A certain hardware ("iron") sensor communicates with the controller (a program whose sources are lost; that is problem number one))) ) via "raw" TCP: a "packet" consists of a packet marker, a [response] operation code, the data length, the data, and a checksum.
Everything was fine until a new type of sensor was added, using the same protocol, only with the data length increased by one byte. The controller program does not expect such a trick and does not treat such packets as valid (because it expects a certain packet length, at the very least the checksum does not match, which is interpreted incorrectly).
How I see the solution:
Set up a proxy that rewrites the traffic, replacing the packet length with the "correct" one and throwing out this extra byte, and, ideally, recalculating the checksum (simple addition of bytes), though that is not strictly necessary, because this extra byte is always zero, i.e. it does not affect the checksum.
A kind of MITM attack, only for the purpose of "fixing what is broken".
Question:
What software can implement this plan? (everything runs on CentOS 6.6)
Let me remind you: the traffic is raw TCP, not HTTP.
Also: the controller knows nothing about proxying; it connects directly via IP:port. In the general case there are several sensors (and, accordingly, several connections).
Looked at / tried mitmproxy in transparent proxy mode (iptables ... --REDIRECT ...), but, as I understand it, it is designed for HTTP, because it is not clear where to redirect the traffic (although the ability to use Python scripts is, oh, so nice!)
netsed almost fits, but it has very simple replacements: string for string, without PCRE (in the meantime I am adding them to it (glory to open source!); decided to ask the community a question)
P.S. All of this is needed urgently; there are no resources to rewrite the controller program from scratch.


6 answers
Alexey Shumkin, 2015-12-03
@ashumkin

Thanks everyone for the replies.
In the end, netsed was extended so that in the traffic it is possible not only to replace a string with a string (in principle, since hexadecimal character codes can be given, not only "strings"), but also to add (so far only zero bytes) and remove bytes at specified positions. It runs in transparent proxy mode, listens on the NETSED_PORT port and forwards to the sensor port (SENSOR_PORT; it is the same and fixed for all sensors).
Then, as suggested by dimoclus (almost: not DNAT, but REDIRECT)
In the "controller" settings, VIRT_PORT is specified as the sensor port.
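The per-packet rewrite that such a proxy has to perform, as an added Python example that is not netsed's code or anything posted in the thread. It assumes a one-byte marker (0xAA), one-byte operation code and length fields, and a checksum equal to the byte sum of the data field modulo 256, since the question gives only the field order; it also frames the TCP stream, because the proxy receives a byte stream, not packets.

```python
# Added example (not from the thread or from netsed): rewrite one new-sensor
# packet into the framing the legacy controller expects, with TCP stream framing.
# Marker value, field widths and checksum definition are assumptions; the post
# only gives the field order and "simple addition of bytes".
MARKER = 0xAA     # assumed 1-byte packet marker
EXTRA_BYTES = 1   # new sensors append one always-zero data byte

def checksum(data: bytes) -> int:
    # Byte sum mod 256 over the data field (assumed; matches the poster's
    # observation that an extra zero byte leaves the checksum unchanged).
    return sum(data) & 0xFF

def build_packet(code: int, data: bytes) -> bytes:
    # Legacy layout: marker, operation code, data length, data, checksum.
    return bytes([MARKER, code, len(data)]) + data + bytes([checksum(data)])

def downgrade(pkt: bytes) -> bytes:
    """Drop the trailing extra byte, fix the length field, recompute checksum.

    Refuses (ValueError) malformed packets and a non-zero extra byte, since
    silently dropping real data would corrupt the reading, not fix it."""
    if len(pkt) < 4 or pkt[0] != MARKER:
        raise ValueError("bad marker or truncated packet")
    code, length = pkt[1], pkt[2]
    if len(pkt) != 4 + length:
        raise ValueError("length field does not match packet size")
    data, chk = pkt[3:3 + length], pkt[3 + length]
    if checksum(data) != chk:
        raise ValueError("checksum mismatch on sensor packet")
    if length < EXTRA_BYTES or any(data[-EXTRA_BYTES:]):
        raise ValueError("extra byte is not zero; refusing to drop it")
    return build_packet(code, data[:-EXTRA_BYTES])

def split_stream(buf: bytes):
    # TCP has no packet boundaries: return complete packets and keep the
    # partial tail as remainder until the next read delivers the rest.
    packets = []
    while len(buf) >= 3 and len(buf) >= 4 + buf[2]:
        total = 4 + buf[2]
        packets.append(buf[:total])
        buf = buf[total:]
    return packets, buf

def proxy_step(pending: bytes, chunk: bytes):
    # One read from the sensor side -> (bytes to forward to controller, pending).
    packets, pending = split_stream(pending + chunk)
    return b"".join(downgrade(p) for p in packets), pending
```

A real proxy would call proxy_step on every read from the sensor socket and write the first element of the result to the controller socket, keeping the second as the per-connection buffer.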

alexxandr, 2015-11-16
@alexxandr

Write your own simple C program as a proxy.

Kirill, 2015-11-16
@kshvakov

You have written "system developer"; take any language that has a more or less simple library for working with TCP and write a proxy ;)

Max, 2015-11-16
@MaxDukov

As a quick way, I would take tcpdump, capture the packet with it into a pcap, then correct it (bash / python / perl / whatever you know), then tcpreplay.
You only need to make the controller listen, or the sensor send, on different ports.

dimoclus, 2015-11-19
@dimoclus

If writing a TCP proxy is not a problem, then traffic redirection is done like this:
If the problem is finding / writing a TCP proxy, there is no ready-made solution here, and perhaps the easiest way would be to replace the read / readv / recv / recvmsg / write / writev / send / sendmsg calls (which ones, I recommend determining with strace) using a self-written library and LD_PRELOAD.

Sergey N, 2015-11-26
@Albibek

If you know Python, scapy is your best bet. It is quite simple, understandable, and does exactly what you need: catch packets, take them apart, change them and send them where needed.
Maybe you can even get by with hexinject altogether.
