Hi Perlmonks!

This problem is driving me up the wall.

I'm trying to do some packet crafting to send TCP SYN packets so I can add half-open scanning to my UBERSCAN utility, and I've come up against the weirdest problem.

I can't seem to send crafted TCP packets (or any other kind of raw packets) of more than 12 bytes!

It's definitely not the SYN packet itsself - If you delete the trailing "t" from $synpacket this test program sends TESTTESTTEST (exactly 12 bytes) and my packet sniffer picks it up no problem, and it's definitely not a real TCP packet! I've also tried this on other IP protocols, such as UDP under raw sockets with the same results.

I add one single, solitary byte my packet sniffer sees nothing, and Perl responds with an error like "Operation not supported", yet netstat picks up on activity generated by it, and even sometimes claims there are bytes on the wire.

I'm definitely running it as root, the only thing that fixes it is sending a packet of less than 13 bytes. It's nuts!

12 bytes: No problem, happy times, will send ANYTHING, even a dummy packet.
13 bytes, FAIL, sadface, won't even send a perfectly crafted SYN packet.

ALso, I can't seem to switch off IP_HDRINCL. The kernel is adamant that it's going to build the IP header itsself, which is fine by me except for this little problem.

What's going on, guys? I've tried it on 2 computers, both running Ubuntu Linux, and they both responded the same way. Again, I've also tried it with different IP protocols, IE UDP, etc. Is it my OS, is it Perl, or have I made a really silly mistake?

Here's the code - you have to run it as root, with the destination address as a rider, like so:
sudo perl raw_sock_problem.pl 192.168.1.1

Please help!

Batch McNulty 

#!/usr/bin/perl

use Socket;

my $dest_addr = @ARGV[0];
my $dest_port = 21332;

my $source_ip_addr = "0.0.0.0";    # (ie, myself) 
#my $source_ip_addr = "192.168.1.7"; # Doesn't matter whether I use 0.
+0.0.0 or my actual IP
my $source_port = 21573;

my $synpacket = "TESTTESTTESTt";    # Obviously this isn't a real SYN 
+packet
                                            # Delete the trailing lowe
+r case "t" and it works fine...

@source_addr_octets = split('\.', $source_ip_addr);
@dest_addr_octets = split('\.', $dest_addr);

my $mc_source_port = inet_aton($source_port);
my $count = 0;


$count = 0;
undef $mc_dest_addr;
until ($count == scalar(@dest_addr_octets))    {
    print "\n$count:$dest_addr_octets[$count]";
    $mc_dest_addr .= inet_aton($dest_addr_octets[$count]);
    $count++;
}

$count = 0;
$mc_destination = $dest_port;
$mc_destination .= $mc_dest_addr;

print "\n socketing...";
print "\n";
$sockfd = socket (SOCKET, AF_INET, SOCK_RAW, 6) or die "\n\n *** CAN'T
+ SOCKET! We root? Error:$! Sys:$@ *** \n \$source_port:$source_port \
+$dest_port:$dest_port\n";
#$sockfd = socket (SOCKET, AF_INET, SOCK_RAW, 17) or die "\n\n *** CAN
+'T SOCKET! We root? Error:$! Sys:$@ *** \n \$source_port:$source_port
+ \$dest_port:$dest_port\n";

$|=1;
my $broadcastAddr;    
my $custom_remote_host = inet_aton($dest_addr);
print STDOUT "\n remote_host:$dest_addr. \t remote_port:$dest_port";
    
my $response = $broadcastAddr = sockaddr_in($dest_port, $custom_remote
+_host); 

setsockopt(SOCKET, SOL_SOCKET, SO_SNDBUF, 16384) or die  "\n\n *** Can
+'t setsockopt on SO_SNDBUF! We root? Error:$! Sys:$@ *** \n\n";


$num_of_bytes = length($synpacket);
$mc_destination = pack('Sna4x8', AF_INET, $dest_port, $dest_addr);

my $server_port;
my $machine_code_addr = sockaddr_in($server_port, INADDR_ANY); 
bind (SOCKET, $machine_code_addr)    or die "\n\n Couldn't bind $machi
+ne_code_addr. Error:$! \n\n";



# Program WILL NOT SEND anything longer than 12 bytes.
# Try and you get an "Operation not supported" error!

$num_of_bytes = length ($synpacket);

print STDOUT  "\n Packet to be sent:$synpacket";
print STDOUT "\n num_of_bytes:$num_of_bytes";
print STDOUT  "\n";
print STDOUT  "\n PRESS ENTER TO START!";
print STDOUT  "\n";

my $nothing = <STDIN>;

print STDOUT  "\n";

for ($count == 0; $count < 35535; $count++)    {
    $result = send( SOCKET, $synpacket, $num_of_bytes, $broadcastAddr 
+);
    #$result = syswrite(SOCKET, $synpacket, $num_of_bytes);    # Gives
+ "Destination address required" error
    print STDOUT "\n count:$count ** Result:$result Error:$! Sys:$@ **
+ ";

}
print STDOUT "\n";
print STDOUT " ***********************\n * FINAL COUNT: $count * \n **
+********************\n";
print STDOUT "\n Result (bytes sent):$result Error:$! System:$@";
print STDOUT "\n";
close (SOCKET);
print "\n ";
print "\n Socket closed.";
print "\n";
die;

[download]

In reply to Can't send more than 12 bytes on raw socket! (not including IP header) by BatchMcNulty

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.