Forem: Michael Kaisanov The latest articles on Forem by Michael Kaisanov (@michael_kasianov). https://forem.com/michael_kasianov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F934269%2F4ec8137a-0774-4416-a5f1-eba79861d2e7.png Forem: Michael Kaisanov https://forem.com/michael_kasianov en Packet Sniffer in Elixir Michael Kaisanov Sun, 02 Oct 2022 21:45:23 +0000 https://forem.com/michael_kasianov/packet-sniffer-in-elixir-1hg https://forem.com/michael_kasianov/packet-sniffer-in-elixir-1hg <p>There is no time to explain, let's create a simple sniffer on Elixir!</p> <p>The source code lives <a href="https://github.com/mike-kasianov/sniffer_example">here</a>.</p> <p>OTP 22.0 release added a new socket module and now Erlang developers have the same socket power as C-developers (+/- 10 volts). Let's try it out.</p> <p>Disclaimer: Erlang's socket is a wrapper around OS's socket. Thus I give links for implementation of POSIX functions in the Linux's source code to provide proofs and show how the code looks like. But in another OS the code may look different and placed somewhere else. But the general concept should be the same.</p> <p>So, let's say we're going to listen for raw packets at the device driver (OSI Layer 2). To achieve this there are some steps to be done:</p> <ul> <li>Create a socket</li> <li>Read data from the socket</li> <li>Bind the socket to the interface (optional)</li> <li>Set promiscuous mode (optional)</li> </ul> <h2> Create a socket </h2> <p>The way to do this is to call <a href="https://www.erlang.org/doc/man/socket.html#open-3">:socket.open/3</a>. There are few variants of this function but we will use one with "open(Domain, Type, Protocol)" arguments. This function is a binding for a standard POSIX's C function named <a href="https://man7.org/linux/man-pages/man2/socket.2.html">socket</a>.</p> <p>Socket creation works this way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="ss">:socket</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="n">domain</span><span class="p">,</span> <span class="n">socket_type</span><span class="p">,</span> <span class="n">protocol</span><span class="p">)</span> </code></pre> </div> <p>The <code>domain</code> variable must be equal to <code>17</code>.<br> This is a communication domain constant that specifies what kind of data we expect to receive from the OS. In the current situation "17" stands for raw low-level packets. <a href="https://man7.org/linux/man-pages/man7/packet.7.html">Read more</a>. The constant is defined <a href="https://github.com/torvalds/linux/blob/v5.18/include/linux/socket.h#L195">here</a>.</p> <p>The <code>socket_type</code> must have <code>:raw</code> value. It means we are interested in raw packets.</p> <p>The <code>protocol</code> specifies what kind of packets we're interested in. Since we're interested in all types we use <a href="https://github.com/torvalds/linux/blob/v5.18/include/uapi/linux/if_ether.h#L131">ETH_P_ALL</a> constant. There is one more thing to mention about the value. The value must be passed into the :socket.open/3 in network byte order (<a href="https://en.wikipedia.org/wiki/Endianness">big-endian</a>). My processor has little-endian encodings so if I don't convert this value I would get an error.</p> <p>So, let's see how the socket creation looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="n">domain</span> <span class="o">=</span> <span class="mi">17</span> <span class="n">protocol</span> <span class="o">=</span> <span class="mh">0x0003</span> <span class="c1"># Convert the protocol to a network byte order</span> <span class="o">&lt;&lt;</span><span class="n">protocol_host</span><span class="p">::</span><span class="n">big</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">integer</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span><span class="o">&gt;&gt;</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="n">protocol</span><span class="p">::</span><span class="n">native</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">integer</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span><span class="o">&gt;&gt;</span> <span class="p">{</span><span class="ss">:ok</span><span class="p">,</span> <span class="n">socket</span><span class="p">}</span> <span class="o">=</span> <span class="ss">:socket</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="n">domain</span><span class="p">,</span> <span class="ss">:raw</span><span class="p">,</span> <span class="n">protocol_host</span><span class="p">)</span> </code></pre> </div> <h2> Read data from the socket </h2> <p>OK, the socket is created and now it's time to read some data. There are a few ways to read but let's focus on <a href="https://www.erlang.org/doc/man/socket.html#recvfrom-3">:socket.recvfrom/3</a>. The documentation describes this function pretty well. In short it sounds like "Hello, OS. Please give me data for this socket. If there is no data let me know when it comes". When the data is available it returns it. Otherwise it sends a message to a socket owner process when data is available.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="k">defmodule</span> <span class="no">Sniffer</span> <span class="k">do</span> <span class="kn">use</span> <span class="no">GenServer</span> <span class="err">…</span> <span class="k">defp</span> <span class="n">socket_recieve</span><span class="p">(</span><span class="n">socket</span><span class="p">)</span> <span class="k">do</span> <span class="k">case</span> <span class="ss">:socket</span><span class="o">.</span><span class="n">recvfrom</span><span class="p">(</span><span class="n">socket</span><span class="p">,</span> <span class="mi">1500</span><span class="p">,</span> <span class="ss">:nowait</span><span class="p">)</span> <span class="k">do</span> <span class="p">{</span><span class="ss">:ok</span><span class="p">,</span> <span class="p">{</span><span class="n">source</span><span class="p">,</span> <span class="n">data</span><span class="p">}}</span> <span class="o">-&gt;</span> <span class="no">GenServer</span><span class="o">.</span><span class="n">cast</span><span class="p">(</span><span class="n">self</span><span class="p">(),</span> <span class="p">{</span><span class="ss">:socket_data</span><span class="p">,</span> <span class="n">source</span><span class="p">,</span> <span class="n">data</span><span class="p">})</span> <span class="p">{</span><span class="ss">:select</span><span class="p">,</span> <span class="n">_select_info</span><span class="p">}</span> <span class="o">-&gt;</span> <span class="ss">:ok</span> <span class="p">{</span><span class="ss">:error</span><span class="p">,</span> <span class="n">reason</span><span class="p">}</span> <span class="o">-&gt;</span> <span class="no">GenServer</span><span class="o">.</span><span class="n">cast</span><span class="p">(</span><span class="n">self</span><span class="p">(),</span> <span class="p">{</span><span class="ss">:socket_error</span><span class="p">,</span> <span class="n">reason</span><span class="p">})</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>The <code>socket</code> is our socket we’ve created earlier. The <code>1500</code> is a buffer size for new data. And the <code>:nowait</code> atom says that we don’t want to wait for data and want this function to return something immediately.</p> <p>Let’s review the possible result this function produces.<br> The first clause matches the successful result, i.e. the data is ready, The <code>source</code> variable is a map that describes where the <code>data</code> came from.</p> <p>The second clause basically means “I don’t have any data right now, but I'll let you know when it comes.”</p> <p>The last clause is an error handler.</p> <p>Now let’s see the callbacks implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="k">defmodule</span> <span class="no">Sniffer</span> <span class="k">do</span> <span class="o">...</span> <span class="k">def</span> <span class="n">handle_cast</span><span class="p">({</span><span class="ss">:socket_data</span><span class="p">,</span> <span class="n">source</span><span class="p">,</span> <span class="n">data</span><span class="p">},</span> <span class="n">socket</span><span class="p">)</span> <span class="k">do</span> <span class="no">IO</span><span class="o">.</span><span class="n">puts</span><span class="p">(</span><span class="err">“</span><span class="no">Hurray</span><span class="p">,</span> <span class="n">we</span> <span class="n">have</span> <span class="n">a</span> <span class="n">new</span> <span class="n">packet</span><span class="err">”</span><span class="p">)</span> <span class="n">socket_recieve</span><span class="p">(</span><span class="n">socket</span><span class="p">)</span> <span class="p">{</span><span class="ss">:noreply</span><span class="p">,</span> <span class="n">socket</span><span class="p">}</span> <span class="k">end</span> <span class="k">def</span> <span class="n">handle_cast</span><span class="p">({</span><span class="ss">:socket_error</span><span class="p">,</span> <span class="n">reason</span><span class="p">},</span> <span class="n">socket</span><span class="p">)</span> <span class="k">do</span> <span class="no">IO</span><span class="o">.</span><span class="n">inspect</span><span class="p">(</span><span class="n">reason</span><span class="p">,</span> <span class="ss">label:</span> <span class="s2">"Something goes wrong :-("</span><span class="p">)</span> <span class="p">{</span><span class="ss">:noreply</span><span class="p">,</span> <span class="n">socket</span><span class="p">}</span> <span class="k">end</span> <span class="k">def</span> <span class="n">handle_info</span><span class="p">({</span><span class="ss">:"$socket"</span><span class="p">,</span> <span class="n">socket</span><span class="p">,</span> <span class="ss">:select</span><span class="p">,</span> <span class="n">_select_handle</span><span class="p">},</span> <span class="n">socket</span><span class="p">)</span> <span class="k">do</span> <span class="no">IO</span><span class="o">.</span><span class="n">puts</span><span class="p">(</span><span class="err">“</span><span class="no">Knock</span> <span class="n">knock</span> <span class="n">new</span> <span class="n">data</span> <span class="n">is</span> <span class="n">available</span> <span class="n">to</span> <span class="n">pick</span> <span class="n">up</span><span class="err">”</span><span class="p">)</span> <span class="n">socket_recieve</span><span class="p">(</span><span class="n">socket</span><span class="p">)</span> <span class="p">{</span><span class="ss">:noreply</span><span class="p">,</span> <span class="n">socket</span><span class="p">}</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h2> Bind the socket to an interface </h2> <p>If you start reading data from a socket without any limits you find that data comes from different sources like loopback device, different network devices, from docker etc. To limit this behavior we can bind the socket to a special device like ethernet or wifi card. To achieve this just use <a href="https://www.erlang.org/doc/man/socket.html#bind-2">:socket.bind/2</a> function.</p> <p>The second argument of the <code>bind</code> function is a socket address. For a raw packets it seems the <code>:socket.bind/2</code> does not accept the <code>sockaddr_ll</code> type as address so let’s implement it ourselves. The C definition of the <code>sockaddr_ll</code> type you can find <a href="https://man7.org/linux/man-pages/man7/packet.7.html">here</a>. It’s just a C struct. A C struct looks like a data type but basically it’s a blob of binary data. Since it’s just a binary we can build it ourselves. By the way we don’t need to fill all the values to create a binding for a socket. Only <code>sll_protocol</code> and <code>sll_ifindex</code> fields are required, the rest fields should are empty.<br> The <code>sll_protocol</code> is the same as we know from the Create a socket section. But <code>sll_ifindex</code> is special for every machine.</p> <p><code>ifindex</code> stands for Interface Index. You can see the list of all available network interfaces on your machine using command line <code>ip addr</code>. There are interface names like <code>eth0</code>, <code>wlp1s0</code>, etc and their indexes. Erlang has a similar function to retrieve such a list <a href="https://www.erlang.org/doc/man/net.html#if_names-0">:net.if_names()</a>. Notice that indexes in OS and Erlang may be different.</p> <p>The <code>if_index</code> definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="n">if_index</span> <span class="o">=</span> <span class="mi">1</span> </code></pre> </div> <p>or<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="p">{</span><span class="ss">:ok</span><span class="p">,</span> <span class="n">if_index</span><span class="p">}</span> <span class="o">=</span> <span class="ss">:binary</span><span class="o">.</span><span class="n">bin_to_list</span><span class="p">(</span><span class="err">“</span><span class="n">eth0</span><span class="err">”</span><span class="p">)</span> <span class="o">|&gt;</span> <span class="ss">:net</span><span class="o">.</span><span class="n">if_name2index</span><span class="p">()</span> </code></pre> </div> <p>Now we have values to build sockaddr_ll struct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="n">sll_protocol</span> <span class="o">=</span> <span class="mh">0x0003</span> <span class="n">sll_ifindex</span> <span class="o">=</span> <span class="n">if_index</span> <span class="n">sll_hatype</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">sll_pkttype</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">sll_halen</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">sll_addr</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="mi">0</span><span class="p">::</span><span class="n">native</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span><span class="o">-</span><span class="n">unit</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span><span class="o">&gt;&gt;</span> </code></pre> </div> <p>The C sockaddr_ll struct representation on Erlang:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="n">addr</span> <span class="o">=</span> <span class="o">&lt;&lt;</span> <span class="n">sll_protocol</span><span class="p">::</span><span class="n">big</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">16</span><span class="p">),</span> <span class="n">sll_ifindex</span><span class="p">::</span><span class="n">native</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">32</span><span class="p">),</span> <span class="n">sll_hatype</span><span class="p">::</span><span class="n">native</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">16</span><span class="p">),</span> <span class="n">sll_pkttype</span><span class="p">::</span><span class="n">native</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="n">sll_halen</span><span class="p">::</span><span class="n">native</span><span class="o">-</span><span class="n">unsigned</span><span class="o">-</span><span class="n">size</span><span class="p">(</span><span class="mi">8</span><span class="p">),</span> <span class="n">sll_addr</span><span class="p">::</span><span class="n">binary</span> <span class="o">&gt;&gt;</span> </code></pre> </div> <p>And finally the second argument for “:socket.bind/2” is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> sockaddr = %{ family: @af_packet, addr: addr } :ok = :socket.bind(socket, sockaddr) </code></pre> </div> <p>That’s it. Now the socket is bound to a specific network interface.</p> <h2> Set promiscuous mode </h2> <p>What is promiscuous mode? In this mode a net interface controller does not filter any traffic and allows you to do this. For example you have a laptop and a smartphone connected to Wif-Fi. When promiscuous mode is off the laptop sees only traffic aimed at it. But when it is on it’s possible to monitor packets sent to smartphone also.</p> <p><strong>NOTE</strong>: The promiscuous mode consumes CPU so turn it off when you’re done. On Ubuntu you can check if any network adapter is in promiscuous mode using the command <code>ip addr | grep PROMISC</code>. And turn it off <code>ip link set eth0 promisc off</code>.</p> <p>To turn promiscuous mode on just use <a href="https://www.erlang.org/doc/man/socket.html#ioctl-4">:socket.ioctl/4</a> function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="n">if_name</span> <span class="o">=</span> <span class="ss">:binary</span><span class="o">.</span><span class="n">bin_to_list</span><span class="p">(</span><span class="err">“</span><span class="n">eth0</span><span class="err">”</span><span class="p">)</span> <span class="ss">:ok</span> <span class="o">=</span> <span class="ss">:socket</span><span class="o">.</span><span class="n">ioctl</span><span class="p">(</span><span class="n">socket</span><span class="p">,</span> <span class="ss">:sifflags</span><span class="p">,</span> <span class="n">if_name</span><span class="p">,</span> <span class="p">%{</span><span class="ss">promisc:</span> <span class="no">true</span><span class="p">})</span> </code></pre> </div> <h3> Permissions </h3> <p>The usage of a raw packets scanning and promiscuous mode requires privileged access. It could be sudo or Linux capabilities.<br> To set up proper Linux capabilities you need to know where the beam.smp file is located. It should be somewhere on Erlang directory like erlang/24.3.3/erts-12.3.1/bin/beam.smp.<br> To set up capabilities use <code>setcup</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>setcap cap_net_raw,cap_net_admin<span class="o">=</span>ep ERLANG_PATH/erts-VERSION/bin/beam.smp </code></pre> </div> <h2> That’s it </h2> <p>I described some pitfalls people may face trying to use raw socket on Erlang. The code is placed on <a href="https://github.com/mike-kasianov/sniffer_example">GitHub</a>.</p> <p>Thanks for reading and have fun!</p> elixir erlang socket network