[erlang-questions] low level packet access from erlang

Michael Santos michael.santos@REDACTED
Sun Jul 7 15:37:23 CEST 2013

On Wed, Jul 03, 2013 at 02:11:50PM -0400, Garry Hodgson wrote:
> On 06/05/2013 09:23 AM, Michael Santos wrote:
> >Ask away and if you have any comments/suggestions, please let me know!
> i'm happily using tun now to intercept and inspect packets, but

Glad to hear you are making some progress!

> any that i modify get dropped as malformed when i send them.
> wireshark tells me the checksums are wrong. and indeed, i
> don't get what i expect from pkt:checksum():
> classify( <<4:4, _IHL:4, _TypeOfService:8, _TotalLength:16,
>         _Identification:16, _FlagX:1, _FlagD:1, _FlagM:1, _FragmentOffset:13,
>         _TTL:8, ?IPPROTO_TCP:8, _HeaderCheckSum:16,
>         _SrcAddr:32, _DestAddr:32, _Rest/binary>> = Raw ) ->
>     { IPv4, IpPayload } = pkt:ipv4( Raw ),
>     { Tcp, TcpPayload } = pkt:tcp( IpPayload ),
>     TestSum = pkt:checksum( [ IPv4, Tcp, TcpPayload ] ),
>     alog:debug( "classify: computed = ~b, actual = ~b", [ TestSum, Tcp#tcp.sum ] ),
> ...
> =INFO REPORT==== 3-Jul-2013::14:04:02 ===
> {log,debug,"classify: computed = 43987, actual = 52256",r3@REDACTED}
> any idea what i'm doing wrong?
> thanks

There were a few bugs: TCP options were left out of the record to binary
conversion and the length of the payload was left out of the checksum.
Should be fixed now, thanks for letting me know!

Also, use pkt:makesum/1 to calculate the checksum. This should work:

    TestSum = pkt:makesum( [ IPv4, Tcp, TcpPayload ] ),

You may still see some checksum mismatches if your system uses TCP
checksum offloading.

> -- 
> Garry Hodgson
> AT&T Chief Security Office (CSO)
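
Added example, not part of the original message and not code from the pkt library: a standalone Erlang module that recomputes the TCP checksum of a raw IPv4 packet, covering the two points in the reply above (TCP options are part of the summed segment, and the segment length goes into the pseudo-header). The module name, function names and the sample packet are assumptions made for this illustration; only IPv4 is handled.

```erlang
%% Added example (hypothetical module, not part of pkt).
-module(tcpsum_example).
-export([tcp_checksum/1, fix_tcp_checksum/1, demo/0]).

%% One's-complement sum of 16-bit big-endian words; an odd trailing
%% byte is treated as the high byte of a zero-padded word.
sum16(<<W:16, Rest/binary>>, Acc) -> sum16(Rest, Acc + W);
sum16(<<B:8>>, Acc) -> fold(Acc + (B bsl 8));
sum16(<<>>, Acc) -> fold(Acc).

fold(S) when S > 16#FFFF -> fold((S band 16#FFFF) + (S bsr 16));
fold(S) -> S.

%% IPv4 + TCP only; anything else fails with function_clause.
%% The segment is cut using the IP total length, so trailing padding is ignored.
split(<<4:4, IHL:4, _Tos:8, TotalLen:16, _:40, 6:8, _IpSum:16,
        Src:4/binary, Dst:4/binary, _/binary>> = Raw) ->
    HdrLen = IHL * 4,
    TcpLen = TotalLen - HdrLen,
    <<_:HdrLen/binary, Segment:TcpLen/binary, _/binary>> = Raw,
    {Src, Dst, HdrLen, Segment}.

%% Checksum over pseudo-header + whole segment (header, options, payload),
%% with the segment's own checksum field (bytes 16-17) taken as zero.
tcp_checksum(Raw) ->
    {Src, Dst, _, <<Head:16/binary, _Old:16, Tail/binary>> = Seg} = split(Raw),
    Pseudo = <<Src/binary, Dst/binary, 0:8, 6:8, (byte_size(Seg)):16>>,
    16#FFFF - sum16(<<Pseudo/binary, Head/binary, 0:16, Tail/binary>>, 0).

stored_checksum(Raw) ->
    {_, _, _, <<_:16/binary, Sum:16, _/binary>>} = split(Raw),
    Sum.

%% Return Raw with the TCP checksum field rewritten.
fix_tcp_checksum(Raw) ->
    {_, _, HdrLen, _} = split(Raw),
    Off = HdrLen + 16,
    <<Pre:Off/binary, _:16, Post/binary>> = Raw,
    <<Pre/binary, (tcp_checksum(Raw)):16, Post/binary>>.

%% Constructed packet: 20-byte IP header, TCP header with a 4-byte MSS
%% option, 5-byte payload. The IP header checksum is left at 0 here.
demo() ->
    Tcp = <<40000:16, 80:16, 1:32, 0:32, 6:4, 0:3, 16#002:9, 65535:16,
            0:16, 0:16, 2, 4, 1460:16, "hello">>,
    Ip = <<4:4, 5:4, 0:8, (20 + byte_size(Tcp)):16, 0:32, 64:8, 6:8, 0:16,
           192, 0, 2, 1, 198, 51, 100, 2>>,
    Fixed = fix_tcp_checksum(<<Ip/binary, Tcp/binary>>),
    Edited = binary:replace(Fixed, <<"hello">>, <<"HELLO">>),
    [stored_checksum(P) =:= tcp_checksum(P) || P <- [Fixed, Edited]].
```

`demo/0` reports, for the constructed packet, whether the stored checksum matches the recomputed one right after `fix_tcp_checksum/1` and again after the payload is edited without recomputing. On packets captured from a host that uses TCP checksum offloading, the same comparison can fail for untouched outbound packets.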
