Part I: Introduction

1
Introduction to Raw Sockets
2
TCP/IP Stack
67 Bootp DHCP
69
53
161
25
23
21
TCPPort
UDPPort
OSPF89
EGP8
Port address
17
6
protocol
2
1
IP address
frametype
MAC address
3
What can raw sockets do?

• Bypass TCP/UDP layers
• Read and write ICMP and IGMP packets
• ping, traceroute, multicast daemon
• Read and write IP datagrams with an IP protocol
  field not processed by the kernel
• OSPF
• user process versus kernel
• Send and receive your own IP packets with your
  own IP header using the IP_HDRINCL socket option
• can build and send TCP and UDP packets
• testing, hacking
• only superuser can create raw socket though
• You need to do all protocol processing at
  user-level

4
User TCP
User UDP
IGMP
ICMP (ping, etc)
TCP
TCP
UDP
RAW
RAW
port
port
port
ICMP
UDP stack
TCP stack
echotimestamp
port
2
port
89
1
17
6
17 UDP 6 TCP 1 ICMP 2 IGMP 89 OSPF
5
Creating a Raw Socket
int sockfd sockfd socket(AF_INET, SOCK_RAW,
protocol)
IPPROTO_ICMP IPPROTO_IGMP
const int on 1 setsockopt (sockfd,
IPPROTO_IP, IP_HDRINCL, on,
sizeof(on)

• Can we use bind() with raw sockets?
• rare, no concept of port
• Can we use connect() with raw sockets?
• rare, only foreign ip address

6
Raw Socket Output

• Sending raw socket packets by sendto or sendmsg
• If IP_HDRINCL option not set (i.e. header is not
  included), the starting address of the data in
  sendto() specifies the first byte following the
  IP header
• If IP_HDRINCL option set, the starting address of
  data in sendto() specifies the first byte of the
  IP header.
• IP Header fields modified on sending by
  IP_HDRINCL
• IP Checksum Always filled in.
• Source Address Filled in when zero.
• Packet Id Filled in when zero.
• Total Length Always filled in.
• Example see Stevens code under ping/send_v4.c,
  ping/send_v6.c

7
Raw Socket Input

• Received TCP/UDP packets are NEVER passed to raw
  sockets. If needed, link layer is the place.
• Receiving raw packets by recvfrom() or recvmsg()
• Most ICMP packets are passed to all matching ICMP
  raw sockets except a few exceptions
• ICMP echo request, timestamp request
• All IGMP packets are passed to all matching raw
  sockets
• All IP datagrams with a protocol field not
  processed by the kernel (e.g. OSPF) are passed to
  all matching raw sockets
• The entire datagram, including the IP header, is
  passed to the raw socket. Fragments are
  assembled first.
• Example stevens code in ping/readloop.c and
  ping/proc_v4.c

8
Scatter read and gather writeVectored IO
include ltsys/uio.hgt readv(int fd, const struct
iovec iov, int iovcnt) writev(int fd, const
struct iovec iov, int iovcnt)
struct iovec void iov_base / addr. Of
buffer / size_t iov_len / size of buffer
/

• Send and receive from one or more buffers with a
  single function call

9
sendmsg and recvmsg most general of all the IO
functions
recvmsg(int sock, struct msghdr msg, int
flags) sendmsg(int sock, struct msghdr msg, int
flags)
MSG_PEEK MSG_WAITALL
struct msghdr void msg_name / address if
socket is unconnected/ socklen_t msg_namelen
/ size of above / struct iovec msg_iov
int msg_iovlen void msg_control /
ancillary data / socklen_t msg_controllen
int msg_flags / returned status by recvmsg /
scatter gather read/write buffer
MSG_TRUNC MSG_CTRUNC. MSG_EOR (end of
record) MSG_OOB
10
ICMP Format
subtype
11
Ping Program

• Create a raw socket to send/receive ICMP echo
  request and echo reply packets
• Install SIGALRM handler to process output
• Sending echo request packets every t seconds
• Build ICMP packets (type, code, checksum, id,
  seq, sending timestamp as optional data)
• Enter an infinite loop processing input
• Use recvmsg() to read from the network
• Parse the message and retrieve the ICMP packet
• Print ICMP packet information, e.g., peer IP
  address, round-trip time
• Source code Stevens under ping/

12
Traceroute program

• Create a UDP socket and bind source port
• To send probe packets with increasing TTL
• For each TTL value, use timer to send a probe
  every three seconds, and send 3 probes in total
• Create a raw socket to receive ICMP packets
• If timeout, printing
• If ICMP port unreachable, then terminate
• If ICMP TTL expired, then printing hostname of
  the router and round trip time to the router
• Source code Stevens traceroute/

13
Limitations

• Loss of Reliability
• No ports
• Non Standard Communications
• No automatic ICMP
• No Raw TCP or UDP
• Must have root (or administrator) privilege

14
When to use

• When you need to control the IP header
• applications like Ping and Traceroute
• not all fields can be set using the IP APIs
• Network Address Translation
• Firewalls
• When your application requires optimum network
  speed
• one level above the Link Layer
• if you need reliability, you must build it into
  your application

15
Windows and Raw Sockets

• WinSock 2.0 allows windows programmers to build
  advanced applications
• Firewalls
• Network Address Translation
• Packet Filtering
• SYN Flood protection
• Security
• IPSec support
• VPN Clients
• Network Administration
• Packet Sniffers/Analyzers
• Pathway Analyzers (ping and traceroute)