I'm playing around with netfilter hooks in a kernel module. And I want to be able to capture packets created by scapy.
Both the hooks, and also the packet generation via scapy are running on the same physical host. It seems that none of the available netfilter hooks is able to capture the packet.
I also tried to send the same packet from inside a VM but this does not work either.
I suspect that the problem is related to everything running over loopback iterface since it is all on the same box.
I could of course go with two physical hosts, but this is unfortunately not possible right now :(
static unsigned int out_hook(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
sock_buff = skb;
if (!sock_buff) {
return NF_ACCEPT;
} else {
ip_header = (struct iphdr *)skb_network_header(sock_buff);
if (!ip_header) {
return NF_ACCEPT;
} else {
if (ip_header->protocol == IPPROTO_TCP) {
th = (struct tcphdr *)(skb_transport_header(sock_buff)+sizeof(struct iphdr));
printk(KERN_INFO "[LOCAL_OUT] %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n", ip_header->saddr & 0x000000FF, (ip_header->saddr & 0x0000FF00) >> 8,(ip_header->saddr & 0x00FF0000) >> 16,(ip_header->saddr & 0xFF000000) >> 24, th->source, ip_header->daddr & 0x000000FF, (ip_header->daddr & 0x0000FF00) >> 8,(ip_header->daddr & 0x00FF0000) >> 16,(ip_header->daddr & 0xFF000000) >> 24, th->dest);
unsigned int len = sock_buff->len - sizeof(struct tcphdr) - sizeof(struct iphdr);
printk(KERN_INFO "\t [skbuf->len]=%d", sock_buff->len);
printk(KERN_INFO "\t [skbuf->data_len]=%d", sock_buff->data_len);
return NF_ACCEPT;
} else {
return NF_ACCEPT;
}
}
}
}
The above is the hook.
#!/usr/bin/env python
import sys
sys.path.append('/usr/local/bin')
import time
from threading import Thread
from scapy.all import *
from hashlib import sha1, md5
import random
import crypt
conf.iface='wlan0'
packet = IP(dst="192.168.0.104") / TCP(sport=1234, dport=2222) / Raw("testtest")
send(packet)
The above is the send.py
Sniffing with Scapy