Rewriting Live TCP/IP (Layer 4) (i.e. Socket Layer) Streams

Question

I have a simple problem which I'm sure someone here has done before...

I want to rewrite Layer 4 TCP/IP streams (Not lower layer individual packets or frames.) Ettercap's etterfilter command lets you perform simple live replacements of Layer 4 TCP/IP streams based on fixed strings or regexes. Example ettercap scripting code:

 if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "gzip")) {
       replace("gzip", "    ");
       msg("whited out gzip\n");
    }
 }

 if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "deflate")) {
       replace("deflate", "       "); 
       msg("whited out deflate\n");
    }
 } 

http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833

I would like to rewrite streams based on my own filter program instead of just simple string replacements. Anyone have an idea of how to do this? Is there anything other than Ettercap that can do live replacement like this, maybe as a plugin to a VPN software or something?

I would like to have a configuration similar to ettercap's silent bridged sniffing configuration between two Ethernet interfaces. This way I can silently filter traffic coming from either direction with no NATing problems. Note that my filter is an application that acts as a pipe filter, similar to the design of unix command-line filters:

 >[eth0] <----------> [my filter] <----------> [eth1]<

My filter will be a userspace Python function.

What I am already aware of, but are not suitable:

• Tun/Tap - Works at the lower packet layer, I need to work with the higher layer streams.

• Ettercap - I can't find any way to do replacements other than the restricted capabilities in the example above.

• Hooking into some VPN software? - I just can't figure out which or exactly how.

• libnetfilter_queue - Works with lower layer packets, not TCP/IP streams.

Again, the rewriting should occur at the transport layer (Layer 4) as it does in this example, instead of a lower layer packet-based approach. Exact code will help immensely!

Thanks!

Answer 1

Ettercap is seemingly an open source project, since it is hosted on SourceForge. Perhaps you should look at how it does it.

Answer 2

It looks like you would be able to write an ettercap plugin that loads filters written in python. Or write your custom filter in C instead.

Answer 3

Why not just access DATA.data directly with whatever filters you want?

I don't think you have to use search() you'll just have to build your own analyzer / state machine.

e.g.

for (int i = 0; i < DATA.len; i++) { if ( DATA.data[i] == 'c' ) { DATA.data[i] = q } }

Final Thoughts; (1) I don't know that DATA.len exists but seems likely there's something. (2) I know I replicated your search / replace but wanted to show how you may be able to do the equiv. 'manually'. You can get fancy w/ stuff later. (3) If you were to adjust the length of the packet (or even the contents for that matter) you probably need to consider shifting window sizes / CRC checks, etc. e.g. DATA.data[i] = "cc" would overwrite two characters (possibly not what you want) or would change the side of the packet. I'd assume there are some library calls to set things right again.

Answer 4

PyPCAP is worth checking out since this all hinges around libpcap underneath to begin with. Cut out the middle man!

Answer 5

Since Ettercap is opensource you can change its source code to do what you want. Running your own C code to rewrite a TCP stream should be relatively easy. The hard work has already been done.

Take a look at the etterfilter man page to get started. Search in the source code for the filter engine (apparently it's a JIT interpreter).

I would also try to mail this question to the etterfilter authors, maybe they like stackoverflow :-)

Note: to use Python instead of C, see http://docs.python.org/release/2.5.2/ext/embedding.html

Answer 6

Take a look on Scapy, or another packet crafting tool. There are not much of this type out there.

PS: I actually want to add this support to BPF (Berkeley Packet Filter), taking advantage of the new zero-copy buffers. But I haven't had time to work on it yet. BPF is one layer below the firewalls, so it's the best place to build this support. If someone is interested in helping or donating, please drop me a message.

Answer 7

At the time I was writing a network traffic analysis tool using libpcap for the capture and libnids for the stream assembly.

I haven't tried reinjecting traffic, but you can use TAP to forward traffic to a user program that will use libnids to assemble the packets, put out streams to a filter code, then take the stream and disassemble them (I'm pretty sure libnids has this capability as well) and reinject them into where you need it to go.

If you want python, pynids seems to do what you need, but I have no experience with it.