I am looking for a way to detect if any incoming or outgoing network traffic is PPP (Point to Point). Is there a way that I can sniff for this type of traffic using the pcap library?
The reason I need to know if the traffic is PPP to validate a certain condition. That condition is if the DC (Demand-Circuit) bit in the Options Field of OSPF is enabled, then PPP must be enabled for that network. Only point-to-point networks receive the full benefit of OSPF Demand-Circuits (RFC 1793).
"Point-to-point", in RFC 1793, doesn't refer to particular types of traffic, it refers to particular types of networks. All traffic on, for example, a serial line running the Point-To-Point Protocol, is "point-to-point traffic"; no traffic on an Ethernet is "point-to-point". Non-point-to-point traffic could be tunneled over a point-to-point network, and point-to-point traffic could be tunneled over a non-point-to-point network, but, in the case of a tunnel, there will often be a network interface (in the software sense, e.g. what ifconfig -a would list in most UN*X systems or ipconfig/all would list on Windows) for the tunneled traffic, in addition to a network interface for the lower-level network's adapter.
On most UN*Xes, you can use the SIOCGIFFLAGS ioctl to get the flags for a network interface, and one of those flags is the IFF_POINTOPOINT flag, which would indicate whether the network for that interface is a point-to-point network or not.
On Windows, I can't find an ioctl to get the flags for a specific interface, but the SIO_GET_INTERFACE_LIST Winsock ioctl will return an INTERFACE_INFO structure with an iiFlags member that includes the IFF_POINTOPOINT flag.
Related
I know that MAC address is used for local routing and error free data transfer, but is it used regardless the transmission medium infrastructure? I know it is used for Ethernet, but is it used for fiber, copper...etc?
Also, do we use MAC address when routing traffic between two adjacent routers? If we do, does that mean we have MAC address over serial connections?
Thanks
MAC addresses are used in most IEEE 802 network technologies, like Ethernet (802.3) and Wifi (802.11), but not all technologies use them. For instance, Fibre Channel use a different and more modern address type, called World Wide Name. It's longer and can be 64-bits or 128-bits.
So, to answer your questions, a router can use MAC addresses if it forwards packets over Ethernet interfaces, regardless of the physical medium. But it could also use other technologies or even label-switching protocols like MPLS. A serial link does not have medium access control and therefore has no MAC layer.
is it used regardless the transmission medium infrastructure? I know it is used for Ethernet, but is it used for fiber, copper...etc?
You mix OSI layer 1 (transmission medium) and layer 2 (Ethernet). If we use Ethernet as our data link layer, Ethernet MAC addresses will be there regardless of transmission medium. More on that on Wikipedia:
https://en.wikipedia.org/wiki/OSI_model
do we use MAC address when routing traffic between two adjacent routers?
Yes, if the router are connected using Ethernet. Even if we use a back-to-back cable to connect two routers.
does that mean we have MAC address over serial connections?
For the most of serial connections we do not use Ethernet, but use other layer 2 protocols, like ppp, Frame-Relay or HDLC. Note, that all of those protocols use their own addressing, but it is just one or two bytes, not 6 as in the Ethernet MACs. More on those protocols on Wikipedia:
https://en.wikipedia.org/wiki/Point-to-Point_Protocol
https://en.wikipedia.org/wiki/High-Level_Data_Link_Control
https://en.wikipedia.org/wiki/Frame_Relay
I am a complete novice to this... I have a webcam behind my router, and it's configured to be accessible on a particular port (e.g. 30000) using a port forwarding configuration. It has a fixed IP in my network.
Using wireshark, I can see the camera responding to requests coming from within my network (i.e. another client), and this does not use port forwarding.
However, when I access the camera from outside my network (i.e. using external IP plus port), wireshark does not show anything (but I see the camera streaming on the client).
I use wireshark on ubuntu, eth0, and ip.addr == 192.168.x.y as filter
When the camera was streaming data to the internal client, were you also capturing packets with Wireshark on that same client? I'm guessing that you were, which is why you saw the data.
When the camera streams to a client on an external network, the stream flows through the router, but your client is likely plugged into another switch port on the back of your router, and the router doesn't forward the packets to that port, which is why you don't see them.
In order to observe the packets, you would need to configure your capture PC such that it can capture the packets. There are a few different methods to achieve this, for example, using a hub, a SPAN/mirror port on a managed switch if you have one, or a TAP. I would recommend reading the detailed information available on the Wireshark Ethernet capture setup wiki page, which describes several different methods for successfully capturing Ethernet frames and provides helpful pictures as well. Choose a capture scenario that best meets your needs (and $$ budget).
I would like to do a scan in a LAN network to find devices linked.
I'm developping an app in IOS for IPAD
How do I do???
Because those are mobile devices I will assume you want to find devices on a wireless network. Theoretically, since wifi uses shared medium for communication, you can passively listen for traffic flowing through the network and collect data about client without sending any packets. This is something that is commonly referred to as a promiscuous mode. In practice there is 99% chance that the network adapter driver will allow you only to get traffic destined for your MAC address. In that case you will need to resort to actively scanning the network subnet which is not 100% accurate and depending on how the network is implemented can be considered as a possible attack.
The simple way of scanning is sending ICMP requests (ping) to every IP address in the subnet and collecting data from those who send back the echo reply. This is not reliable because some hosts won't respond to ICMP echo request even if they are active. First thing you need is to find out your own IP address and the subnet mask, and calculate the range of possible addresses in your subnet. The range is obtained by using logical AND operator where operands are binary values of your IP address and subnet mask. This is an example from the program that calculates this for typical 192.168.1.1 subnet with 255.255.255.0 subnet mask (192.168.1.1/24 in CIDR notation):
Address: 192.168.1.1 11000000.10101000.00000001 .00000001
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
Network: 192.168.1.0/24 11000000.10101000.00000001 .00000000
Broadcast: 192.168.1.255 11000000.10101000.00000001 .11111111
HostMin: 192.168.1.1 11000000.10101000.00000001 .00000001
HostMax: 192.168.1.254 11000000.10101000.00000001 .11111110
Then you would iterate through the range and ping every address. Another thing you can consider is listening for broadcast traffic such as ARP and collecting some of the information that way. I don't know what are you trying to make but you can't get many useful information this way, except for vendor of a host's network adapter.
Check my LAN Scan on Github. It does exactly what you want.
I recently used MMLANScan that was pretty good. It discovers IP, Hostname and MAC Address.
Bonjour have been around since 2002, have a look at it!
I mean, just look at their current tagline:
Bonjour, also known as zero-configuration networking, enables automatic discovery of devices and services on a local network using industry standard IP protocols. Bonjour makes it easy to discover, publish, and resolve network services with a sophisticated, yet easy-to-use, programming interface that is accessible from Cocoa, Ruby, Python, and other languages.
I have gone through various udp based P2P Technology like Stun . I have implemented UDP/TCP hole punching recently for implementing p2p.
I found there are other technology as for like ICE,UPnP and teredo
Can any body tell me what is the difference between these technology.
Which one is the latest technology/protocol used for P2P in recent year.
It will good If any can provide comparative analysis on various UDP based P2P protocols.
Any link or suggestion will appreciated.
ICE stands for Interactive Connectivity Establishment. It is a protocol for NAT traversal (i.e., punching holes) supported by the IETF. There has been several reviews and evolutions of the RFC. Some may find the specifications overkill in general or unclear when it comes to performing TCP NAT traversal.
UPnP is a technology helping local devices finding each other and start communicating automatically. It implements IGD for NAT traversal, which allows remote configuration of the NAT/Router (when possible) to redirect WAN traffic to the device. Unfortunately, this method is a huge threat to security, since any application could hijack NATs/routers to let any undesirable traffic come in.
Teredo is not really related to P2P or NAT traveral. If you have an IPv6 device A on a ipv4 LAN (for example), it won't be able to connect using ipv6 to a remote ipv6 enabled device B located on the WAN. Teredo allows A to communicate with B with ipv6 by transporting ipv6 over ipv4. Teredo is massaging the frictions between ipv4 and ipv6, so to speak.
None of these technologies is 'dominating' P2P for now. It is still a boiling environment.
I live in a place with an oppressive network policy where everything is aggressively monitored. Among the many rules is a prohibition on using any device that generates Network Address Translation traffic (i.e. Wireless routers, vms...). They monitor network logs and disconnect anyone who uses such. Is there any way I can mask traffic (i.e the nat transltion generated by routers or virtual network devices) via encryption or the like so that it is indistinguishable from normal network traffic that would be generated by a single device using a single ip address to a monitor that is sniffing packets on the network?
(I already use a VPN to encrypt any sensitive traffic, but the NAT is applied post VPN encryption. )
I am not really sure why you need to dodge security, but one way to achieve this in your case is to use a trojan horse-like mecanism. Instead of having any peer or devices on your LAN trying to connect to the WAN, install some kind of application on a valid node behind the LAN to propagate traffic in an out of the LAN for other nodes. If necessary, have this node connect to another fix node on the WAN. Since it will use a valid connection, it won't be filtered.
Each device on your LAN should connect to the trojan node instead of trying to connect outside. The bandwidth will be slower, but this should work. That being said, this is most probably breaking the intentions of those who have implemented the security policy on your LAN. If they catch you, you're good for the electric chair...