Total control – low-level network access

Related categories: C/C++ | Networks | Low-level network security | Security
Konrad Malewski
Viewed: 12328 | Article date: 2006-02-27 10:34:40

Developing applications that directly access layers of the ISO/OSI model can be a difficult task, frequently requiring non-standard packet formatting. Help is at hand, however, in the form of the WinPcap and libnet libraries, which put the programmer in total control of the content being sent out into the network.
About the author
Konrad Malewski holds a degree in computer science and administers a number of computer networks on a regular basis. He specialises in network programming and application and network security.
"It works fine on my computer" is the answer a troubled user is most likely to get from a network administrator. While the administrator is usually right and the problem occurs because the user fails to follow instructions correctly, even the most adept of admins will sometimes find that something fails to work even though they are in exactly the same situation as the user. If the configuration is not at fault and all known error possibilities have been eliminated, the only thing to do is reach deeper into the network. Network problems can be identified using such applications as Ethereal or Analyzer, which make it possible to capture, filter and identify packets arriving at particular hosts within a network. Such sniffers help an administrator discover what is currently being sent over the network to specific hosts, thus making it possible to determine the likely source of problems.
If the problem turns out to be more serious and requires in-depth analysis, it may be necessary to write a custom, dedicated sniffer application that will make it possible to track down the flaw by analysing complex correlations between data arriving from various remote sources. Creating a sniffer is not an easy task, with the main problem being getting hold of a network library to support operations on the required level of the ISO/OSI model. Depending on the scale of the problem, the application might require access to the link layer, but it may also need to operate directly on Ethernet frames. For simpler cases, it is enough to use a high-level transport layer library.
Figure 1. Layers in the ISO/OSI model and their corresponding protocols
The library is the key

Working with a high-level network interface has many advantages, most notably the ease of use and flexibility of data transfer mechanisms. However, many administrators will likely find that a high-level API does not provide full control of the data being sent, not to mention support for packet sniffing or raw network frame analysis. The problem of controlling the data being sent can be solved in a number of ways. The simplest approach is to use raw network sockets, but this does not provide control over all the packet options, as some header fields are filled in by the socket driver. A convenient way to deal with this problem is to use the WinPcap library, available at http://www.winpcap.org/. WinPcap not only allows low-level read and write access to network devices, but also supports advanced filtering of the data being captured and statistics logging for particular interfaces. Another useful feature is the ability to write packets directly to disk at kernel level, which results in a significant performance increase by avoiding costly system calls. While its interface is clear and usable enough, WinPcap offers no support for crafting higher-level packets. Help is at hand, however, in the form of the libnet library (http://www.packetfactory.net/libnet/), which makes it possible to easily prepare packets for higher-layer protocols - from ARP, IP and TCP to such exotic protocols as VRRP - and send them out into the network independently of the TCP/IP driver.
Figure 2. Protocols supported by libnet
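The raw frame analysis a custom sniffer performs, as an added example (not code from the article, WinPcap or libnet): a bounds-checked parser for one captured Ethernet II frame carrying IPv4, run on a constructed sample frame. The names frame_info, parse_frame and sample_frame are made up for this illustration; in a real sniffer the buffer would be handed over by the capture library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields a sniffer pulls out of one captured Ethernet II frame. */
typedef struct {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype;            /* 0x0800 = IPv4 */
    uint8_t  ip_proto;             /* 6 = TCP, 17 = UDP */
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;   /* 0 unless first fragment of TCP/UDP */
} frame_info;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns 0 for a parsed IPv4 frame, 1 for a valid non-IPv4 frame
   (only MACs and ethertype are set), -1 if truncated or malformed. */
int parse_frame(const uint8_t *buf, size_t len, frame_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                        /* Ethernet header */
    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    out->ethertype = be16(buf + 12);
    if (out->ethertype != 0x0800) return 1;
    const uint8_t *ip = buf + 14;
    size_t ip_len = len - 14;
    if (ip_len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;        /* IP header length */
    if (ihl < 20 || ihl > ip_len) return -1;        /* never trust IHL */
    out->ip_proto = ip[9];
    out->src_ip = be32(ip + 12);
    out->dst_ip = be32(ip + 16);
    int first_frag = (be16(ip + 6) & 0x1FFF) == 0;  /* ports only here */
    if (first_frag && (out->ip_proto == 6 || out->ip_proto == 17)) {
        if (ip_len - ihl < 4) return -1;            /* ports truncated */
        out->src_port = be16(ip + ihl);
        out->dst_port = be16(ip + ihl + 2);
    }
    return 0;
}
/* Constructed sample: TCP SYN 192.168.1.10:49152 -> 192.168.1.1:80, checksums zeroed. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28,0x00,0x01,0x40,0x00,0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

int main(void) { frame_info f; int rc = parse_frame(sample_frame, sizeof sample_frame, &f);
    printf("rc=%d proto=%d %d -> %d\n", rc, f.ip_proto, f.src_port, f.dst_port); return rc; }
```

Every length field taken from the wire is checked against the number of bytes actually captured before it is used as an offset, which is what keeps a malformed or truncated frame from driving the sniffer out of bounds.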
Copyright © 2006 by Software Developer's Journal. All rights reserved.

















