Difference between revisions of "Socket"

From Hackepedia
Jump to navigationJump to search
Line 30: Line 30:
 
When a server is listening on a certain port it's difficult to regulate who connects to this port. Early implementations messed with [[TCP Wrappers]] which allowed one to set up a simple whitelist or blacklist of who can connect.  This didn't cover UDP though and it was still required that the program accepted the connection before closing it.  This means that someone could stealth scan a port and know that it was listening.  [[Firewall]]s allowed finer control and aren't as revealing over open ports.  [[BSD]] has ipfw, ipfw2, ipf and pf as firewalls.
 
When a server is listening on a certain port it's difficult to regulate who connects to this port. Early implementations messed with [[TCP Wrappers]] which allowed one to set up a simple whitelist or blacklist of who can connect.  This didn't cover UDP though and it was still required that the program accepted the connection before closing it.  This means that someone could stealth scan a port and know that it was listening.  [[Firewall]]s allowed finer control and aren't as revealing over open ports.  [[BSD]] has ipfw, ipfw2, ipf and pf as firewalls.
  
Raw sockets are restricted to the superuser ([[root]]) only. When writing to raw sockets you can manipulate the [[IP]] header which you cannot do with simple [[TCP]] or [[UDP]] sockets ([[setsockopt]] are an exception but require superuser ([[root]]) permissions). The [[traceroute]] program uses raw sockets in a UNIX system. It is possible to read from raw sockets, ie. if you specified a specific protocol you can read any packets that arrive for that protocol. In [[BSD]] and if the protocol is [[ICMP]] the ICMP types echo request (8), timestamp request (13) and address mask request (17) are not passed from the [[kernel]] to the socket.  Similarely [[TCP]] and [[UDP]] protocols are not passed to a raw socket, these must be read from the [[OSI]] datalink layer (see [[bpf]]).
+
   
 +
$ fstat|grep traceroute
 +
pbug    traceroute 18184  wd /usr    6310091 drwxr-xr-x  r    2048
 +
pbug    traceroute 18184    0 /        84995 crw--w----  rw    ttyp1
 +
pbug    traceroute 18184    1 /        84995 crw--w----  rw    ttyp1
 +
pbug    traceroute 18184    2 /        84995 crw--w----  rw    ttyp1
 +
  pbug    traceroute 18184    3* internet raw icmp 0xfffffe800f85d678
 +
  pbug    traceroute 18184    4* internet raw reserved 0xfffffe801bc73688
 +
  pbug    traceroute 18184    5 -        -        none    -
  
  
 +
Raw sockets are restricted to the superuser ([[root]]) only.  When writing to raw sockets you can manipulate the [[IP]] header which you cannot do with simple [[TCP]] or [[UDP]] sockets ([[setsockopt]] are an exception but require superuser ([[root]]) permissions).  The [[traceroute]] program uses raw sockets in a UNIX system.  It is possible to read from raw sockets, ie. if you specified a specific protocol you can read any packets that arrive for that protocol.  In [[BSD]] and if the protocol is [[ICMP]] the ICMP types echo request (8), timestamp request (13) and address mask request (17) are not passed from the [[kernel]] to the socket.  Similarely [[TCP]] and [[UDP]] protocols are not passed to a raw socket, these must be read from the [[OSI]] datalink layer (see [[bpf]]).
  
 
=== How do I see Internet traffic ===
 
=== How do I see Internet traffic ===
  
 
tcpdump is a tool that allows one to see packets carried through the [[network interface]] of a UNIX computer.
 
tcpdump is a tool that allows one to see packets carried through the [[network interface]] of a UNIX computer.

Revision as of 05:02, 13 October 2005

Sockets are an API for IPC or network communication with a process. For IPC Unix domain sockets are used, for network communication INET sockets are preferred. INET sockets work on OSI layer 3 and above. Lower layer access is provided by bpf the Berkeley packet filter. Sockets provide descriptors to a process with which data or control data can be exchanged with the kernel.


Unix domain sockets

When a Unix domain socket is set up it is bound to the local systems filesystem. The path it can be bound to is limited to 103 characters (see /usr/include/sys/un.h) instead of the filesystem limit of 1023 characters. This means that a socket should be set up close to the root perhaps in /tmp (as sshd does). Unix domain sockets make preferred IPC in OpenBSD because of the availability of the getpeereid syscall which allows a daemon to check the credentials of who is connecting to the socket. A socket in the filesystem looks like this:

$ ls -l /tmp/ssh*
total 0
srwxr-xr-x  1 pbug  wheel  0 Oct  8 11:27 agent.1327

notice the 's' indicating that this file is a socket.


INET sockets

In order to communicate with the Internet a program can communicate with it via the Kernel which has a built-in internet stack. Common protocols that one can talk via sockets are TCP and UDP as well as ICMP which is grouped into the raw mode of sockets. When a program is a TCP server the common sequence of syscalls are socket(2), bind(2), listen(2), and accept(2). When a program is a TCP client the common sequence of syscalls are socket(2), connect(2). TCP and UDP sockets have ports to identify them. On a system one can use netstat to see this. In UNIX only root can bind to ports less than 1024 the rest is available for all users. This is shown here as an example:

$ id
uid=1000(pbug) gid=1000(pbug) groups=1000(pbug), 0(wheel), 5(operator) 
$ nc -l 1023
nc: Permission denied
$ nc -l 1024
^C
$ 


When a server is listening on a certain port it's difficult to regulate who connects to this port. Early implementations messed with TCP Wrappers which allowed one to set up a simple whitelist or blacklist of who can connect. This didn't cover UDP though and it was still required that the program accepted the connection before closing it. This means that someone could stealth scan a port and know that it was listening. Firewalls allowed finer control and aren't as revealing over open ports. BSD has ipfw, ipfw2, ipf and pf as firewalls.


$ fstat|grep traceroute
pbug     traceroute 18184   wd /usr     6310091 drwxr-xr-x   r     2048
pbug     traceroute 18184    0 /         84995 crw--w----  rw    ttyp1
pbug     traceroute 18184    1 /         84995 crw--w----  rw    ttyp1
pbug     traceroute 18184    2 /         84995 crw--w----  rw    ttyp1
pbug     traceroute 18184    3* internet raw icmp 0xfffffe800f85d678
pbug     traceroute 18184    4* internet raw reserved 0xfffffe801bc73688
pbug     traceroute 18184    5 -         -        none    -


Raw sockets are restricted to the superuser (root) only. When writing to raw sockets you can manipulate the IP header which you cannot do with simple TCP or UDP sockets (setsockopt are an exception but require superuser (root) permissions). The traceroute program uses raw sockets in a UNIX system. It is possible to read from raw sockets, ie. if you specified a specific protocol you can read any packets that arrive for that protocol. In BSD and if the protocol is ICMP the ICMP types echo request (8), timestamp request (13) and address mask request (17) are not passed from the kernel to the socket. Similarely TCP and UDP protocols are not passed to a raw socket, these must be read from the OSI datalink layer (see bpf).

How do I see Internet traffic

tcpdump is a tool that allows one to see packets carried through the network interface of a UNIX computer.