「Linux」通常是指兩部份:Linux Kernel 和 GNU userspace。
- WSL 1
- WSL 2
Virtual Box
- VirtualBox 虛擬機器安裝 Ubuntu Desktop 設定與使用教學 (2020/08/29)
- VirtualBox 安裝及使用
「Linux」通常是指兩部份:Linux Kernel 和 GNU userspace。
Virtual Box
/*
 * One classic-BPF instruction.  A filter program is a flat array of these;
 * the packet-filter and seccomp examples below are assembled into this form
 * (see the `bpf_asm -c` output, one `{ code, jt, jf, k }` tuple per line).
 * The layout is kernel ABI: four fields, 8 bytes in total, in this order.
 */
struct sock_filter {
	__u16 code; /* opcode: instruction class plus addressing-mode bits */
	__u8  jt;   /* jump offset taken when the branch test is true */
	__u8  jf;   /* jump offset taken when the branch test is false */
	__u32 k;    /* immediate / packet offset / M[] slot / extension, per opcode */
};
code | 定址模式 | 說明 |
---|---|---|
Load | ||
ld | 1, 2, 3, 4, 10 | Load 32-bit into A |
ldi | 4 | Load word into A |
ldh | 1, 2 | Load half-word into A |
ldb | 1, 2 | Load byte into A |
ldx | 3, 4, 5, 10 | Load word into X |
ldxi | 4 | Load word into X |
ldxb | 5 | Load byte into X |
Store | ||
st | 3 | Store A into M[] |
stx | 3 | Store X into M[] |
Branch | ||
jmp | 6 | Jump to label |
ja | 6 | Jump to label |
jeq | 7, 8 | Jump on A == k |
jneq | 8 | Jump on A != k |
jne | 8 | Jump on A != k |
jlt | 8 | Jump on A < k |
jle | 8 | Jump on A <= k |
jgt | 7, 8 | Jump on A > k |
jge | 7, 8 | Jump on A >= k |
jset | 7, 8 | Jump on A & k |
ALU | ||
add | 0, 4 | A + <x> |
sub | 0, 4 | A - <x> |
mul | 0, 4 | A * <x> |
div | 0, 4 | A / <x> |
mod | 0, 4 | A % <x> |
neg | 無 | -A (算術取負,非邏輯 NOT) |
and | 0, 4 | A & <x> |
or | 0, 4 | A | <x> |
xor | 0, 4 | A ^ <x> |
lsh | 0, 4 | A << <x> |
rsh | 0, 4 | A >> <x> |
Miscellaneous | ||
tax | 無 | Copy A into X |
txa | 無 | Copy X into A |
Return | ||
ret | 4, 9 | Return |
定址模式 | Syntax | 說明 |
---|---|---|
0 | x/%x | Register X |
1 | [k] | BHW at byte offset k in the packet |
2 | [x + k] | BHW at the offset X + k in the packet |
3 | M[k] | Word at offset k in M[] |
4 | #k | Literal value stored in k |
5 | 4*([k]&0xf) | Lower nibble * 4 at byte offset k in the packet |
6 | L | Jump label L |
7 | #k,Lt,Lf | Jump to Lt if true, otherwise jump to Lf |
8 | #k,Lt | Jump to Lt if predicate is true |
9 | a/%a | Accumulator A |
10 | extension | BPF extension |
BPF extension 與對應的 kernel 欄位:

extension | 說明 |
---|---|
len | skb->len |
proto | skb->protocol |
type | skb->pkt_type |
poff | Payload start offset |
ifidx | skb->dev->ifindex |
nla | Netlink attribute of type X with offset A |
nlan | Nested Netlink attribute of type X with offset A |
mark | skb->mark |
queue | skb->queue_mapping |
hatype | skb->dev->type |
rxhash | skb->hash |
cpu | raw_smp_processor_id() |
vlan_tci | skb_vlan_tag_get(skb) |
vlan_avail | skb_vlan_tag_present(skb) |
vlan_tpid | skb->vlan_proto |
rand | prandom_u32() |

注意:`rand` 來自 kernel 的 prandom_u32(),是非密碼學安全的 PRNG,只適合做流量取樣,不可當作安全用途的亂數來源。

BPF 組合語言範例:
只接受 ARP (ethertype 0x0806) 封包;`ret #-1` 表示接受整個封包 (回傳長度 0xffffffff),`ret #0` 表示丟棄:

    ldh [12]          /* Load half word offset 12 into A */
    jne #0x806, drop  /* Jump to drop if != 0x0806 */
    ret #-1
    drop: ret #0

經過 bpf_asm 轉換成 bytecode:

    $ ./bpf_asm foo
    4,40 0 0 12,21 0 1 2054,6 0 0 4294967295,6 0 0 0,

C 語言格式輸出方便複製貼上:

    $ ./bpf_asm -c foo
    { 0x28,  0,  0, 0x0000000c },
    { 0x15,  0,  1, 0x00000806 },
    { 0x06,  0,  0, 0xffffffff },
    { 0x06,  0,  0, 0000000000 },
只接受 IPv4 TCP 封包 (ethertype 0x0800、IP protocol 欄位 = 6):

    ldh [12]
    jne #0x800, drop
    ldb [23]
    jneq #6, drop
    ret #-1
    drop: ret #0

(Accelerated) VLAN w/ id 10:

    ld vlan_tci
    jneq #10, drop
    ret #-1
    drop: ret #0

icmp random packet sampling, 1 in 4:

    ldh [12]
    jne #0x800, drop
    ldb [23]
    jneq #1, drop
    # get a random uint32 number
    ld rand
    mod #4
    jneq #1, drop
    ret #-1
    drop: ret #0

SECCOMP filter example:
/*
 * seccomp allowlist for x86_64.  Default-deny: any syscall not matched by a
 * `jeq ... good` below falls through to `bad` and the thread is killed.
 * The architecture is checked BEFORE the syscall number: syscall numbers are
 * per-ABI, so a filter that only looked at nr could be bypassed by a caller
 * entering through a different ABI.  Because this is an allowlist, x32
 * numbers (bit 30 set) also never match and are killed.
 * Offsets are into struct seccomp_data: nr at 0, arch at 4 (both 32-bit).
 */
ld [4] /* offsetof(struct seccomp_data, arch) */
jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
ld [0] /* offsetof(struct seccomp_data, nr) */
jeq #15, good /* __NR_rt_sigreturn */
jeq #231, good /* __NR_exit_group */
jeq #60, good /* __NR_exit */
jeq #0, good /* __NR_read */
jeq #1, good /* __NR_write */
jeq #5, good /* __NR_fstat */
jeq #9, good /* __NR_mmap */
jeq #14, good /* __NR_rt_sigprocmask */
jeq #13, good /* __NR_rt_sigaction */
jeq #35, good /* __NR_nanosleep */
/* ret #0 is SECCOMP_RET_KILL_THREAD: only the calling thread dies.  In a
 * multithreaded program consider SECCOMP_RET_KILL_PROCESS (0x80000000)
 * so a sandbox violation cannot leave other threads running. */
bad: ret #0 /* SECCOMP_RET_KILL_THREAD */
good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
libpcap 是封包擷取的 C/C++ 函式庫,可以過濾網路界面或 pcap 檔的封包,存成 pcap 檔。
使用前都要開啟取得 pcap handle,此時可以設定過濾條件,然後才能讀取封包。封包讀取後可以作各種處理,包括存成 pcap 檔。
無論是網路界面或 pcap 檔,都需要開啟取得 pcap handle -- pcap_t。即使沒有這兩個來源,只是要產生過濾程式碼或寫 pcap 檔,也需要開啟一個「假」的 (dead) handle。
pcapng option 欄位格式 (每個 option 為 code/length/value,以 opt_endofopt 結尾):

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Option Code           |        Option Length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                         Option Value                          /
/              variable length, aligned to 32 bits              /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
/                   . . . other options . . .                   /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Option Code == opt_endofopt  |     Option Length == 0        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
wireshark 是功能強大的圖形界面網路分析程式。用 libpcap 或 winpcap 擷取封包
顯示過濾
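#include <arpa/inet.h>

/*
 * Convert an IPv4 or IPv6 address from presentation (text) form src_str into
 * binary network-byte-order form at addrptr.
 *
 * family  : AF_INET  -> addrptr points to a struct in_addr  (4 bytes)
 *           AF_INET6 -> addrptr points to a struct in6_addr (16 bytes)
 * Returns : 1  on success
 *           0  if src_str is not a valid presentation string for family
 *              (treat 0 as a rejected input, not as "address 0.0.0.0")
 *          -1  on error, errno set (EAFNOSUPPORT for an unsupported family)
 */
int inet_pton(int family, const char *src_str, void *addrptr);

/*
 * Convert a binary address at addrptr into presentation form in dst_str.
 *
 * len must be the real capacity of dst_str; size it with INET_ADDRSTRLEN or
 * INET6_ADDRSTRLEN so the text can never be truncated.  The length parameter
 * is socklen_t, matching <arpa/inet.h>; a redeclaration with size_t conflicts
 * with the system prototype and fails to compile on LP64 platforms.
 * Returns : dst_str on success
 *           NULL on error, errno set (ENOSPC when len is too small,
 *           EAFNOSUPPORT for an unsupported family) -- always check for NULL
 *           before using dst_str, its contents are unspecified on failure.
 */
const char *inet_ntop(int family, const void *addrptr, char *dst_str, socklen_t len);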