ICMP Checksum offload - checksum

I have a simple custom ping program (echo request / echo reply). The server part is deployed on Linux and the client on a Windows machine.
Both the client and server side programmatically calculate the ICMP checksum and set it. All is OK.
Now I want to enable ICMP checksum offload to the network card for the server module. I have already enabled it using ethtool.
I can see checksum offloading happening for TCP. But when I comment out the ICMP checksum calculation part from the server program, hoping the network card will do it for me, I am not getting any echo reply, though the server is receiving the echo request. It must be that the packet is being dropped for a wrong checksum.
Can anybody show me the way?
Thank you

As far as I know, the NIC checksum offloading can only mangle IP/TCP/UDP frames.
I don't think ICMP frames are covered.

Related

Libpcap ICMP Packet never responded to

I'm playing around with Libpcap trying to send a ping, but whenever I send the requests they are never responded to, no errors are given, and it looks identical to a regular ping sent through the ping utility.
The left packet is sent through ping on the terminal and the right through my app. As far as I can tell the data field is optional so I don't include it, and the identifier/sequence numbers can be random, so they are randomised.
Am I missing something obvious here?
I notice you haven't validated your IP header checksum. Are you sure it is in fact correct? If it isn't, the next router will silently drop the packet, which is consistent with what you've seen. Wireshark should be able to validate the IP header checksum for you if you switch it on.

Is pwnat still an applicable solution

I need a solution for NAT traversal to transmit RDP data across the internet. I came across the following tool and it's really amazing: pwnat.
I have tried it with two different machines behind different routers, but I am unable to make it work as explained in the link above. So is pwnat still working, and if yes, what could I have done wrong? It would be very helpful for me.
Note: I am using a Windows machine for testing and downloaded the Windows version from the following link:
http://www.sumitgupta.net/pwnat-windows-complied-version/
No.
I assume you know how it worked:
The server sent ICMP echo request packets to a fixed address (for example, 1.2.3.4) from which no echo replies would be returned; the client, pretending to be a hop on the Internet, sent an ICMP Time Exceeded packet to the server, expecting the NAT in front of the server to forward the ICMP Time Exceeded message to the server.
The picture above is from the homepage of pwnat; it's on the premise that the client is not behind NAT and that the original payload in a Time Exceeded message is typically not checked by NAT implementations. If both client and server are behind NAT like this,
=========================================================================================
| CLIENT | <---> | NAT-C | <---> { internet } <---> | NAT-S | <---> | SERVER |
=========================================================================================
It rarely works nowadays, mainly for the 2 reasons below:
When the server sends ICMP echo request packets to the fixed address, according to RFC 3022 the identifier field in the ICMP echo request header will be uniquely mapped by NAT-S to a query identifier of the registered IP address, so that it can route future ICMP Echo Replies with the same query ID to the sender; so the ICMP header in ICMP Query packets must be modified to replace the query ID and the ICMP header checksum. RFC 3022, ICMP error packet modifications section:
In a NAPT setup, if the IP message embedded within ICMP happens to be
a TCP, UDP or ICMP Query packet, you will also need to modify the
appropriate TU port number within the TCP/UDP header or the Query
Identifier field in the ICMP Query header.
But the client doesn't know the external query ID (the code in pwnat uses 0 as the identifier of the original request). It sends an ICMP Time Exceeded packet to the server; even if the packet can reach NAT-S in front of the server, NAT-S can't find an active mapping for the embedded packet, and most NAT implementations will drop it.
Moreover, according to RFC 5508, when NAT-C receives the ICMP Error packet from the private realm, NAT-C uses the packet embedded within the ICMP Error message (i.e., the IP packet from the client to the server) to look up the NAT session to which the embedded packet belongs. If NAT-C does not have an active mapping for the embedded packet, NAT-C SHOULD silently drop the ICMP Error packet. It means the ICMP Time Exceeded packet from the client wouldn't arrive at NAT-S.
So pwnat only works with basic NAT devices (as RFC 1631 describes) which do simple address translation; it won't work with any NAPT device that has a robust NAPT implementation. This paper does mention this problem.
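As an added illustration (not code from the page, from pwnat, or from any poster), the block below serves both the checksum question at the top of the page and the answer above: it computes the RFC 1071 checksum the first poster wanted the NIC to do, then simulates a NAPT applying the RFC 3022 identifier rewrite on the way out and the RFC 5508 session lookup on the incoming Time Exceeded packet. The identifiers, the external address 198.51.100.1 and the mapping table are constructed for the simulation.

```python
import struct

def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones'-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_query(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP Echo Request (type 8) or Echo Reply (type 0) with the checksum filled in by software."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]

def checksum_ok(icmp: bytes) -> bool:
    """A correctly checksummed ICMP message sums to zero with the checksum field included."""
    return rfc1071_checksum(icmp) == 0

def napt_outbound_query(icmp: bytes, mappings: dict, external_id: int) -> bytes:
    """RFC 3022: NAPT replaces the query identifier and recomputes the ICMP checksum."""
    icmp_type, _code, _, internal_id, seq = struct.unpack("!BBHHH", icmp[:8])
    mappings[external_id] = internal_id          # session table: external id -> internal id
    return icmp_query(icmp_type, external_id, seq, icmp[8:])

def ipv4_header(src: bytes, dst: bytes, total_len: int) -> bytes:
    """Minimal IPv4 header (IHL 5, TTL 64, protocol 1 = ICMP); constructed for the simulation."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0, src, dst)

def time_exceeded(embedded_ip_header: bytes, embedded_icmp: bytes) -> bytes:
    """ICMP Time Exceeded (type 11): 4 unused bytes, then original IP header + first 8 bytes."""
    body = struct.pack("!BBHI", 11, 0, 0, 0) + embedded_ip_header + embedded_icmp[:8]
    return body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]

def napt_accepts_icmp_error(icmp_err: bytes, mappings: dict) -> bool:
    """RFC 5508: look up the session of the packet embedded in the error; no mapping -> drop."""
    ihl = (icmp_err[8] & 0x0F) * 4                # embedded IPv4 header length in bytes
    _, _, _, query_id, _ = struct.unpack("!BBHHH", icmp_err[8 + ihl:8 + ihl + 8])
    return query_id in mappings

def simulate_pwnat(client_guess: int) -> bool:
    """Server behind NAT-S pings 1.2.3.4; the client forges a Time Exceeded using client_guess."""
    mappings = {}
    inside = icmp_query(8, 0x1234, 1, b"pwnat")                     # server's echo request
    outside = napt_outbound_query(inside, mappings, external_id=0xBEEF)
    # The client never sees 'outside', so it must guess the identifier the NAT assigned;
    # pwnat's code uses 0. Addresses are constructed placeholders (198.51.100.1 -> 1.2.3.4).
    embedded = ipv4_header(bytes([198, 51, 100, 1]), bytes([1, 2, 3, 4]), 20 + len(outside))
    forged = time_exceeded(embedded, icmp_query(8, client_guess, 1, b"pwnat"))
    return napt_accepts_icmp_error(forged, mappings)
```

simulate_pwnat(0) returns False, which is the drop the answer describes; only a forgery carrying the NAT-assigned identifier (here 0xBEEF) passes the lookup, and the client has no way to learn it.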

How do I find what program initiated a download using wireshark?

I have a packet capture and I'm trying to find out which program a download was made with, where would I go in the packet to find this information?
Thanks all!
Instead of looking for answers within the packet, you may want to look at which port the download was done through. That could give you more information, and faster.
I assume you know the destination IP address from where the file is downloaded. If it's something that you can catch while it's happening, or you can trigger it, then you could use netstat to determine the PID of the program that is handling that socket after filtering the netstat output based on the destination IP address.
Then you could use ps on Linux or TaskManager on Windows to know which program has that PID.
On windows: How to determine which program uses or blocks specific transmission control protocol ports in Windows
Alternatively, if the packet capture is all you've got and it's not a recurring event, then if the download was done via HTTP you could check the headers of the HTTP request for info about the client in the User-Agent header.
Hope it helps.

tcpdump: How to capture arrival / outgoing interface for a packet?

I would like to capture the "incoming" interface and "outgoing" interface for packets transiting through a software switch (assume it has 10 ports and I want to know which of those 10 interfaces a particular packet came from). I can't seem to find any way to get "tcpdump -i any" to output the arriving or outgoing interfaces. It only gives fields of the packet. Is there any other derivative of tcpdump (like tshark perhaps?) which will enable extracting the port information? The intention is tracing a packet flow path through a network. Regards.
tcpdump 4.10 should include this feature (it hasn't been released as of today).
Meanwhile you can use Sebastian Haas's script.

Does pinging a website increase number of hits?

I recently found the ping command on the Mac. I used it to casually ping my Rails Heroku app. I was wondering if this type of ping, from the terminal, increases the total number of hits the website gets (obviously not unique hits).
ping is a network command; it does not use port 80 or the HTTP protocol.
So there's no way it can count towards a Rails application hit.
More info :
http://wiki.answers.com/Q/Which_port_is_used_by_Ping_command
The ping command only pings the host; it is a network tool to check connectivity between machines, and it is a different protocol from HTTP. Please read this, it may help you understand a bit better what ping is and what its uses are: http://en.wikipedia.org/wiki/Ping_%28networking_utility%29
Cheers
What Anthony said above is true. Ping uses ICMP, which is lower in the stack than an HTTP request going over port 80. Ping only sends a single packet, expecting a single packet in response, which is rather small (I think 64 bytes round trip).
This can however generate load on the box running your server. So be wary of excess use as you could inadvertently cause a denial of service :)