![]() TCP/IP is comprised of two basic protocol types: TCP and UDP. The user is strongly encouraged however to research other published literature on the subject. For the uninitiated, a brief description of TCP/IP connection negotiation is given below. TerminologyIt is assumed that the reader is familiar with the basic operation of the TCP/IP protocol suite which includes IP and TCP header field functions and initial connection negotiation. These topics will not be covered in this document although the methods contained herein can be easily adopted to exploit these areas. Other areas of exploration where this information can be contained are varied and include such items as ICMP packets, routing control information, and UDP datagrams. Concealing locations of transmitted data by "bouncing" forged packets with encapsulated information off innocuous Internet sites.įor the purposes of this paper we will be manipulating the TCP/IP header information in such a way as to encode ASCII values for transmission to outside sources. Encapsulating encrypted or non-encrypted information within otherwise normal packets of information for secret transmission through networks that prohibit such activity ("TCP/IP Steganography"). Bypassing packet filters, network sniffers, and "dirty word" search engines. These methods can be used in a variety of areas such as the following: In the case of TCP/IP, there are a number of methods available whereby covert channels can be established and data can be surreptitiously passed between hosts. Method Three: The TCP Acknowledge Sequence Number Field "Bounce"Ī covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information. Method Two: Initial Sequence Number Field Method One: Manipulation of the IP Identification Field This paper attempts to illustrate these weaknesses in both theoretical and practical examples. ![]() The TCP/IP protocol suite has a number of weaknesses that allow an attacker to leverage techniques in the form of covert channels to surreptitiously pass data in otherwise benign packets. (For that matter, you shouldn't need to be looking at the pcap format specification you should be using libpcap/WinPcap to read the pcap file, as that also means your program may be able to read some pcap-ng files as well, if it's using a sufficiently recent version of libpcap.Covert Channels in the TCP/IP Protocol Suite ![]() Or you might want to use an existing packet parsing library, such as libtrace for C or C++ or other libraries for other languages (I think they may exist for Perl, Python, C#, and Java, for example), as that may let you avoid doing a lot of the above. If the protocol is TCP, see RFC 793 for the format of the TCP header if the protocol is UDP, see RFC 768 for the format of the UDP header. See the IANA Protocol Numbers registry for the values of that field TCP is 6 and UDP is 17. If you want port numbers, you will have to check the "Protocol" field of the IPv4 header, or check the "Next header" field of the IPv6 header and handle extension headers, to determine what protocol is being carried on top of IP. See RFC 791 for the form of the IPv4 header see RFC 2460 for the form of the IPv6 header. You need to look at those headers to determine whether the packet is an IP packet if it is, then you need to parse the IPv4 or IPv6 header (depending on whether the headers indicate that it's an IPv4 or IPv6 packet, or, alternatively, on whether the "version" field in the header is 4 or 6 - the "version" field appears in the same location in the IPv4 and IPv6 header for LINKTYPE_RAW, you would have to look at the "version" field, as there are no headers in front of the IPv4 or IPv6 header) to find the source IP address. See the link-layer header type page for a list of the values for the network field in the file header and the corresponding format of the headers at the beginning of the packet data. As per what EJP said, you will have to parse the packet data yourself.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |