Difference between revisions of "Socket"

From Hackepedia
Jump to navigationJump to search
 
(→‎Divert sockets: update functionality across OS's)
 
(37 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Sockets are an API for IPC or network communication with a [[process]].  For IPC Unix domain sockets are used, for network communication INET sockets are preferred.  Sockets provide a [[descriptor]] to a process with which data or control data can be exchanged with the kernel.
+
Sockets are an API for [[IPC]] or network communication with a [[process]].  For IPC Unix domain sockets are used, for network communication INET sockets are preferred.  INET sockets work on [[OSI]] layer 3 and above.  Lower layer access is provided by [[bpf]] the Berkeley packet filter.  Sockets provide [[descriptors]] to a process with which data or control data can be exchanged with the kernel.
 +
 
 +
 
  
 
=== Unix domain sockets ===
 
=== Unix domain sockets ===
Line 10: Line 12:
  
 
notice the 's' indicating that this file is a socket.
 
notice the 's' indicating that this file is a socket.
 +
  
  
 
=== INET sockets ===
 
=== INET sockets ===
  
In order to communicate with the [[Internet]] a program can communicate with it via the Kernel which has a built-in [[internet stack]].
+
[[Image:socket.jpg]]
 +
 
 +
In order to communicate with the [[Internet]] a program can communicate with it via the [[Kernel]] which has a built-in [[internet stack]].  Common protocols that one can talk via sockets are [[TCP]] and [[UDP]] as well as [[ICMP]] which is grouped into the raw mode of sockets.  When a program is a TCP server the common sequence of [[syscall]]s are socket(2), bind(2), listen(2), and accept(2).  When a program is a TCP client the common sequence of [[syscall]]s are socket(2), connect(2).  [[TCP]] and [[UDP]] sockets have [[ports]] to identify them.  On a system one can use [[netstat]] to see this.  In UNIX only [[root]] can bind to ports less than 1024 the rest is available for all users.  This is shown here as an example:
 +
 
 +
$ id
 +
uid=1000(pbug) gid=1000(pbug) groups=1000(pbug), 0(wheel), 5(operator)
 +
$ nc -l 1023
 +
nc: Permission denied
 +
$ nc -l 1024
 +
^C
 +
$
 +
 
 +
 
 +
When a server is listening on a certain port it's difficult to regulate who connects to this port. Early implementations messed with [[TCP Wrappers]] which allowed one to set up a simple whitelist or blacklist of who can connect.  This didn't cover UDP though and it was still required that the program accepted the connection before closing it.  This means that someone could stealth scan a port and know that it was listening.  [[Firewall]]s allowed finer control and aren't as revealing over open ports.  [[BSD]] has ipfw, ipfw2, ipf and pf as firewalls.
 +
 
 +
 +
$ fstat | grep traceroute
 +
pbug    traceroute 18184  wd /usr    6310091 drwxr-xr-x  r    2048
 +
pbug    traceroute 18184    0 /        84995 crw--w----  rw    ttyp1
 +
pbug    traceroute 18184    1 /        84995 crw--w----  rw    ttyp1
 +
pbug    traceroute 18184    2 /        84995 crw--w----  rw    ttyp1
 +
pbug    traceroute 18184    3* internet raw icmp 0xfffffe800f85d678
 +
pbug    traceroute 18184    4* internet raw reserved 0xfffffe801bc73688
 +
 
 +
 
 +
Raw sockets are restricted to the superuser ([[root]]) only.  When writing to raw sockets you can manipulate the [[IP]] header which you cannot do with simple [[TCP]] or [[UDP]] sockets ([[setsockopt]] are an exception but require superuser ([[root]]) permissions).  The [[traceroute]] program uses raw sockets in a UNIX system.  It is possible to read from raw sockets, ie. if you specified a specific protocol you can read any packets that arrive for that protocol.  In [[BSD]] and if the protocol is [[ICMP]] the ICMP types echo request (8), timestamp request (13) and address mask request (17) are not passed from the [[kernel]] to the socket.  Similarely [[TCP]] and [[UDP]] protocols are not passed to a raw socket, these must use stream or dgram sockets or be read from the [[OSI]] datalink layer (see [[bpf]]).
 +
 
 +
=== Divert sockets ===
 +
 
 +
[[FreeBSD]] has a way to read/manipulate/write [[OSI]] layer 3 packets which have been diverted from the [[ipfw]] software.  This type of socket is limited to [[FreeBSD]].
 +
 
 +
[[OpenBSD]] has divert sockets which can be diverted with the [[Pf]] packet filter.  It does IPv6 diverts too.
 +
 
 +
[[Linux]] has divert sockets too which may have once been limited to only BSD, this is no longer the case.  It is available on debian derived linux.  Referenced here: http://manpages.ubuntu.com/manpages/hardy/man4/divert.4.html
 +
 
 +
=== Packet sockets ===
 +
 
 +
[[Linux]] has a way to read [[OSI]] layer 2 frames by means of SO_PACKET sockets.  This is limited only to Linux.  [[Natally]] uses packet sockets.
 +
 
 +
=== How do I see Internet traffic ===
 +
 
 +
A packet [[sniffer]] is a tool that allows one to see packets carried through the [[network interface]] of a host computer.
 +
 
 +
If all one wants to see is packets or bytes transferred [[netstat]] and/or [[ifconfig]] will do.

Latest revision as of 03:48, 15 October 2011

Sockets are an API for IPC or network communication with a process. For IPC Unix domain sockets are used, for network communication INET sockets are preferred. INET sockets work on OSI layer 3 and above. Lower layer access is provided by bpf the Berkeley packet filter. Sockets provide descriptors to a process with which data or control data can be exchanged with the kernel.


Unix domain sockets

When a Unix domain socket is set up it is bound to the local systems filesystem. The path it can be bound to is limited to 103 characters (see /usr/include/sys/un.h) instead of the filesystem limit of 1023 characters. This means that a socket should be set up close to the root perhaps in /tmp (as sshd does). Unix domain sockets make preferred IPC in OpenBSD because of the availability of the getpeereid syscall which allows a daemon to check the credentials of who is connecting to the socket. A socket in the filesystem looks like this:

$ ls -l /tmp/ssh*
total 0
srwxr-xr-x  1 pbug  wheel  0 Oct  8 11:27 agent.1327

notice the 's' indicating that this file is a socket.


INET sockets

Socket.jpg

In order to communicate with the Internet a program can communicate with it via the Kernel which has a built-in internet stack. Common protocols that one can talk via sockets are TCP and UDP as well as ICMP which is grouped into the raw mode of sockets. When a program is a TCP server the common sequence of syscalls are socket(2), bind(2), listen(2), and accept(2). When a program is a TCP client the common sequence of syscalls are socket(2), connect(2). TCP and UDP sockets have ports to identify them. On a system one can use netstat to see this. In UNIX only root can bind to ports less than 1024 the rest is available for all users. This is shown here as an example:

$ id
uid=1000(pbug) gid=1000(pbug) groups=1000(pbug), 0(wheel), 5(operator) 
$ nc -l 1023
nc: Permission denied
$ nc -l 1024
^C
$ 


When a server is listening on a certain port it's difficult to regulate who connects to this port. Early implementations messed with TCP Wrappers which allowed one to set up a simple whitelist or blacklist of who can connect. This didn't cover UDP though and it was still required that the program accepted the connection before closing it. This means that someone could stealth scan a port and know that it was listening. Firewalls allowed finer control and aren't as revealing over open ports. BSD has ipfw, ipfw2, ipf and pf as firewalls.


$ fstat | grep traceroute
pbug     traceroute 18184   wd /usr     6310091 drwxr-xr-x   r     2048
pbug     traceroute 18184    0 /         84995 crw--w----  rw    ttyp1
pbug     traceroute 18184    1 /         84995 crw--w----  rw    ttyp1
pbug     traceroute 18184    2 /         84995 crw--w----  rw    ttyp1
pbug     traceroute 18184    3* internet raw icmp 0xfffffe800f85d678
pbug     traceroute 18184    4* internet raw reserved 0xfffffe801bc73688


Raw sockets are restricted to the superuser (root) only. When writing to raw sockets you can manipulate the IP header which you cannot do with simple TCP or UDP sockets (setsockopt are an exception but require superuser (root) permissions). The traceroute program uses raw sockets in a UNIX system. It is possible to read from raw sockets, ie. if you specified a specific protocol you can read any packets that arrive for that protocol. In BSD and if the protocol is ICMP the ICMP types echo request (8), timestamp request (13) and address mask request (17) are not passed from the kernel to the socket. Similarely TCP and UDP protocols are not passed to a raw socket, these must use stream or dgram sockets or be read from the OSI datalink layer (see bpf).

Divert sockets

FreeBSD has a way to read/manipulate/write OSI layer 3 packets which have been diverted from the ipfw software. This type of socket is limited to FreeBSD.

OpenBSD has divert sockets which can be diverted with the Pf packet filter. It does IPv6 diverts too.

Linux has divert sockets too which may have once been limited to only BSD, this is no longer the case. It is available on debian derived linux. Referenced here: http://manpages.ubuntu.com/manpages/hardy/man4/divert.4.html

Packet sockets

Linux has a way to read OSI layer 2 frames by means of SO_PACKET sockets. This is limited only to Linux. Natally uses packet sockets.

How do I see Internet traffic

A packet sniffer is a tool that allows one to see packets carried through the network interface of a host computer.

If all one wants to see is packets or bytes transferred netstat and/or ifconfig will do.