Code raw sockets in C on Linux

24 Flares Filament.io 24 Flares ×

Raw tcp sockets in C

Raw sockets can be used to construct a packet manually inside an application. In normal sockets when any data is send over the network, the kernel of the operating system adds some headers to it like IP header and TCP header. So an application only needs to take care of what data it is sending and what reply it is expecting.

But there are other cases when an application needs to set its own headers. Raw sockets are used in security related applications like nmap , packets sniffer etc. In this article we are going to program raw sockets on linux using native sockets. Windows for example does not support raw socket programming directly. To program raw sockets on windows a packet crafting library like winpcap has to be used.

In this article we are going to do some raw socket programming by constructing a raw TCP packet and sending it over the network. Before programming raw sockets, it is recommended that you learn about the basics of socket programming in c.

Raw TCP packets

A TCP packet is constructed like this

Packet = IP Header + TCP Header + Data

The plus means to attach the binary data side by side. So when making a raw tcp packet we need to know how to construct the headers properly. The structures of all headers are established standards which are described in RFCs.

Ip header

The structure of IP Header as given by RFC 791

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The "Source Address" field stores the ip address of the system sending the packet and the "Destination Address" contains the ip address of the destination system. Ip addresses are stored in long number format. The "Protocol" field stores a number that indicates the protocol, which is TCP in this case.







Structure of tcp header

The structure of a TCP header as given by RFC 793

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

So we need to construct the headers according to the formats specified above.

Raw tcp sockets

Create a raw socket like this

int s = socket (AF_INET, SOCK_RAW, IPPROTO_TCP);

The above function call creates a raw socket of protocol TCP. This means that we have to provide the TCP header along with the data. The kernel or the network stack of Linux shall provide the IP header.

If we want to provide the IP header as well then there are 2 ways of doing this

1. Use protocol IPPROTO_RAW - This will allow to specify the IP header and everything that is contained in the packet.

int s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);

2. Set the IP_HDRINCL socket option to 1 - This is same as the above. Just another way of doing.

int s = socket (AF_INET, SOCK_RAW, IPPROTO_TCP);

int one = 1;
const int *val = &one;
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
	printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno));
	exit(0);
}

When using the IP_HDRINCL the protocol used in the socket function is effectively of no use.

In this example we are creating raw sockets where we specify the Ip header and TCP header. The packet that moves out of the machine actually has 1 more header attached to it called the Ethernet header. So the actual packet structure is somewhat like this.

Packet = Ethernet header + Ip header + TCP header + Data

Take a look at the packets sniffed by wireshark to understand this better. It is important to note here that the Ethernet header is provided by the OS kernel and we do not have to construct it. However it is possible to make such raw packets where we can even specify the ethernet header, but we shall look into those in a separate article.

Below is an example code which constructs a raw TCP packet with some data

Final Code

/*
	Raw TCP packets
	Silver Moon (m00n.silv3r@gmail.com)
*/
#include<stdio.h>	//for printf
#include<string.h> //memset
#include<sys/socket.h>	//for socket ofcourse
#include<stdlib.h> //for exit(0);
#include<errno.h> //For errno - the error number
#include<netinet/tcp.h>	//Provides declarations for tcp header
#include<netinet/ip.h>	//Provides declarations for ip header

/* 
	96 bit (12 bytes) pseudo header needed for tcp header checksum calculation 
*/
struct pseudo_header
{
	u_int32_t source_address;
	u_int32_t dest_address;
	u_int8_t placeholder;
	u_int8_t protocol;
	u_int16_t tcp_length;
};

/*
	Generic checksum calculation function
*/
unsigned short csum(unsigned short *ptr,int nbytes) 
{
	register long sum;
	unsigned short oddbyte;
	register short answer;

	sum=0;
	while(nbytes>1) {
		sum+=*ptr++;
		nbytes-=2;
	}
	if(nbytes==1) {
		oddbyte=0;
		*((u_char*)&oddbyte)=*(u_char*)ptr;
		sum+=oddbyte;
	}

	sum = (sum>>16)+(sum & 0xffff);
	sum = sum + (sum>>16);
	answer=(short)~sum;
	
	return(answer);
}

int main (void)
{
	//Create a raw socket
	int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);
	
	if(s == -1)
	{
		//socket creation failed, may be because of non-root privileges
		perror("Failed to create socket");
		exit(1);
	}
	
	//Datagram to represent the packet
	char datagram[4096] , source_ip[32] , *data , *pseudogram;
	
	//zero out the packet buffer
	memset (datagram, 0, 4096);
	
	//IP header
	struct iphdr *iph = (struct iphdr *) datagram;
	
	//TCP header
	struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
	struct sockaddr_in sin;
	struct pseudo_header psh;
	
	//Data part
	data = datagram + sizeof(struct iphdr) + sizeof(struct tcphdr);
	strcpy(data , "ABCDEFGHIJKLMNOPQRSTUVWXYZ");
	
	//some address resolution
	strcpy(source_ip , "192.168.1.2");
	sin.sin_family = AF_INET;
	sin.sin_port = htons(80);
	sin.sin_addr.s_addr = inet_addr ("1.2.3.4");
	
	//Fill in the IP Header
	iph->ihl = 5;
	iph->version = 4;
	iph->tos = 0;
	iph->tot_len = sizeof (struct iphdr) + sizeof (struct tcphdr) + strlen(data);
	iph->id = htonl (54321);	//Id of this packet
	iph->frag_off = 0;
	iph->ttl = 255;
	iph->protocol = IPPROTO_TCP;
	iph->check = 0;		//Set to 0 before calculating checksum
	iph->saddr = inet_addr ( source_ip );	//Spoof the source ip address
	iph->daddr = sin.sin_addr.s_addr;
	
	//Ip checksum
	iph->check = csum ((unsigned short *) datagram, iph->tot_len);
	
	//TCP Header
	tcph->source = htons (1234);
	tcph->dest = htons (80);
	tcph->seq = 0;
	tcph->ack_seq = 0;
	tcph->doff = 5;	//tcp header size
	tcph->fin=0;
	tcph->syn=1;
	tcph->rst=0;
	tcph->psh=0;
	tcph->ack=0;
	tcph->urg=0;
	tcph->window = htons (5840);	/* maximum allowed window size */
	tcph->check = 0;	//leave checksum 0 now, filled later by pseudo header
	tcph->urg_ptr = 0;
	
	//Now the TCP checksum
	psh.source_address = inet_addr( source_ip );
	psh.dest_address = sin.sin_addr.s_addr;
	psh.placeholder = 0;
	psh.protocol = IPPROTO_TCP;
	psh.tcp_length = htons(sizeof(struct tcphdr) + strlen(data) );
	
	int psize = sizeof(struct pseudo_header) + sizeof(struct tcphdr) + strlen(data);
	pseudogram = malloc(psize);
	
	memcpy(pseudogram , (char*) &psh , sizeof (struct pseudo_header));
	memcpy(pseudogram + sizeof(struct pseudo_header) , tcph , sizeof(struct tcphdr) + strlen(data));
	
	tcph->check = csum( (unsigned short*) pseudogram , psize);
	
	//IP_HDRINCL to tell the kernel that headers are included in the packet
	int one = 1;
	const int *val = &one;
	
	if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
	{
		perror("Error setting IP_HDRINCL");
		exit(0);
	}
	
	//loop if you want to flood :)
	while (1)
	{
		//Send the packet
		if (sendto (s, datagram, iph->tot_len ,	0, (struct sockaddr *) &sin, sizeof (sin)) < 0)
		{
			perror("sendto failed");
		}
		//Data send successfully
		else
		{
			printf ("Packet Send. Length : %d \n" , iph->tot_len);
		}
	}
	
	return 0;
}

//Complete

Compile and Run

Compile by program by doing a gcc raw_socket.c at the terminal. Remember to run the program with root privileges. Raw sockets require root privileges. Note the while loop in the above program. It has been put for testing purpose and should be removed if you dont intend to flood the target.

Use a packet sniffer like wireshark to check the output and verify that the packets have actually been generated and send over the network. Also note that if some kind of firewall like firestarter is running then it might block raw packets.

Resources

http://linux.die.net/man/7/raw
Last Updated On : 20th May 2013

Subscribe to get updates delivered to your inbox

About Silver Moon

Php developer, blogger and Linux enthusiast. He can be reached at m00n.silv3r@gmail.com. Or find him on

  • Ivan

    Thanks for the example. How do I send a complete http get request to a particular uri?

  • Vijay Kanta

    Wow, I knew a bit of socket programming with pure C, but this is taking it too deeper. Thanks for letting me know it even existed. :-)

  • John Lauro

    The code makes some architecture assumptions that will probably work 99% of the time, but isn’t completely portable. For example, the checksum calculation assumes short is 2 bytes, and will likely segfault on anything where it is larger.

    • http://www.binarytides.com/ Silver Moon

      yeah right, thanks for pointing it out. shall fix the code to be more portable and post soon.

  • patrick h

    Shouldn’t iph->tot_len be hton’d?

    Seems like there are several fields in the headers that need to be hton’d and they dont seem to be present in this example…

    does this example work? or am i missing something?

    • http://www.binarytides.com/ Silver Moon

      thanks for pointing it out. the total_length value should be passed through htons.
      the code works well because the kernel fills in the correct total length in the ip header.

  • http://www.facebook.com/mouad.djedidi Mouad Djedidi

    Thank you. Could you please provide a link of a client-server IPv6 UDP RAW packet example. I’m having a problem to send sockets with sendto().

    • http://www.binarytides.com/ Silver Moon

      I have not yet coded the ipv6 version of udp raw sockets in c.
      You need to google for it.

  • http://www.facebook.com/pawel.veselov Pawel Veselov

    Thank you!

    Why is it necessary to specify destination address in sendto(), if the packet header already has a destination address? What happens if they don’t match?

    • http://www.binarytides.com/ Silver Moon

      i am not sure about the exact mechanism. the destination address given in sendto is probably used to determine the network route the packet should take. the behaviour could vary across different systems like bsd, linux etc.

  • Salaj

    Segmentation Fault encountered on compiling it for SPEAr platform. What to do? Thanks

    • http://www.binarytides.com/ Silver Moon

      you have to debug the program and find out the exact point where the segmentation fault is occuring.
      the error might be occuring due to some kind of invalid memory access being done in the code.

  • http://www.codefortheweb.com Esdras Salazar

    Thanks for the explanation and for the code example.

  • Bruce Wayne

    Hey I also want to send some data,say a character string along with the datagram. What changes should I make to the code?

    Thanks. :)

    • Silver Moon

      I have updated the code to include data in the packet.
      Check it out.

      • Bruce Wayne

        I did it in a slightly different way. This one works too.
        Thanks a lot. :)
        You rock!!

        • Bruce Wayne

          I run your code and capture the packets using wireshark. But when I try to see the the data using the “follow TCP stream” option, it says “the packets in the capture file for that stream have no data”. I checked the code and everything seems to be fine.
          Is there any hidden reason for this happening?

  • hazem

    it gives me “[bad hdr length 0 - too short, < 20]" on tcpdump and packets dropped by kernel. what does that mean ?

    • Silver Moon

      are you setting the ip header fields correctly ?
      what does wireshark show ?

  • Raj

    Hey do you need to write an explicit code for receiving these packets on the client side or can wireshark capture them automatically?
    I am sending these packets over wlan0 and am not able to view these packets on wireshark for some reason.
    Could you help me with this?
    I would really appreciate any help you could provide.

    Thanks

    • http://www.binarytides.com Silver Moon

      wireshark will capture the packets. if wireshark is not showing any packets, check if some firewall is blocking
      the packets or not (this happens in most cases).

      • What up!!!

        Hey it worked. But I am trying to change the TOS values but those changes are not showing up on the packets captured on wireshark. If I change any other fields in the Ip header, it shows that but it is causing some problems with the TOS field.
        I basically want to set the priority of the packets that are going out of the machine. Am I on the right track?
        Please help me with this.

        Thanks.

      • Sanjeev

        And do you have any idea what changes are to be made in this code to make it work for UDP protocol rather than TCP?

        Thanks

        • Silver Moon

          change iph->protocol to 17. UDP protocol number is 17
          then replace tcp header with the udp header. rest is the data to be send

24 Flares Twitter 9 Facebook 0 Google+ 12 LinkedIn 3 StumbleUpon 0 Filament.io 24 Flares ×