NetTool

Purpose

The purpose of the NetTool project is to demonstrate the use of raw structures and memory maps to achieve raw Ethernet, IP, ARP, ICMP, TCP, and UDP input and output. The demonstration tool can ping, identify, and perform a TCP port scan of a host connected via Ethernet.

Program

This is a low-level network debugging utility that utilizes raw packet I/O to construct and deconstruct TCP, UDP, IPv4, ARP, and ICMP packets over Ethernet.

Memory Maps

NetTool provides C++ structure memory maps for numerous on-wire formats, including Ethernet, IP, TCP, UDP, ICMP, and ARP. In order for them to work nicely in the host environment, accompanying functions are provided to fix the endianness of the memory so that the structures can be created and used easily.

IP

Data Fields

unsigned  version :4
  4 bits that contain the version, which specifies whether it's an IPv4 or IPv6 packet,
unsigned  header_bytes_div4 :4
  4 bits that contain the Internet Header Length, which is the length of the header in multiples of 4 bytes (e.g. 5 means 20 bytes),
unsigned  tos :8
  8 bits that contain the Type of Service, also referred to as Quality of Service (QoS), which describes what priority the packet should have,
u16   packet_bytes
  16 bits that contain the total length of the IP packet (datagram) in bytes,
u16   fragment_id
  16 bits that contain an identification tag to help reconstruct the packet from several fragments,
unsigned  unused_0 :1
  3 bits that contain a zero, a flag that says whether the packet is allowed to be fragmented or not (DF: Don't fragment), and a flag to state whether more fragments of a packet follow (MF: More Fragments)
unsigned  fragment_offset :13
  13 bits that contain the fragment offset, a field to identify position of fragment within original packet
unsigned  ttl :8
  8 bits that contain the Time to live (TTL) which is the number of hops (router, computer or device along a network) the packet is allowed to pass before it dies (for example, a packet with a TTL of 16 will be allowed to go across 16 routers to get to its destination before it is discarded),
unsigned  protocol :8
  8 bits that contain the protocol (TCP, UDP, ICMP, etc.): 0x01 ICMP, 0x06 TCP, 0x11 UDP,
u16   header_checksum
  16 bits that contain the Header Checksum, a number used in error detection,
IP_Address   source
  32 bits that contain the source IP address,
IP_Address   destination
  32 bits that contain the destination address.
unsigned char  data []
  Zero-length field for memory mapping the packet data.

The demo program interprets IP version 4 (IPv4) packets and processes them based on their protocol. If they are TCP, UDP, or ICMP, they are processed further.
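
The byte-order handling and length checks that the IP memory map depends on, as an added example (not NetTool's own code): it decodes the header byte by byte instead of through bit-fields, whose layout is compiler-defined, and rejects packets whose length fields exceed the bytes actually received. `Ipv4Info`, `parse_ipv4`, `ipv4_checksum_ok` and the sample packet are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Host-order copy of the IPv4 fields listed above (hypothetical struct for this example).
struct Ipv4Info {
    unsigned version, header_bytes, tos, packet_bytes, fragment_id;
    bool dont_fragment, more_fragments;
    unsigned fragment_offset, ttl, protocol;
    std::uint32_t source, destination;
};

// Constructed sample: 20-byte header + 8 zero payload bytes, ICMP, 192.168.0.1 -> 192.168.0.2.
static const std::uint8_t kSamplePing[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x01,
    0xb9, 0x8c, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0x02};

// Read network-order (big-endian) values byte by byte, independent of host endianness.
static unsigned be16(const std::uint8_t* p) { return (unsigned(p[0]) << 8) | p[1]; }
static std::uint32_t be32(const std::uint8_t* p) { return (std::uint32_t(be16(p)) << 16) | be16(p + 2); }

// Ones-complement sum over the header; with the checksum field included it folds to 0xFFFF.
bool ipv4_checksum_ok(const std::uint8_t* hdr, std::size_t header_bytes) {
    std::uint32_t sum = 0;
    for (std::size_t i = 0; i + 1 < header_bytes; i += 2) sum += be16(hdr + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return sum == 0xFFFF;
}

// Check every length against the received byte count before trusting a field.
bool parse_ipv4(const std::uint8_t* buf, std::size_t len, Ipv4Info& h) {
    if (len < 20) return false;                       // shorter than the minimum header
    h.version = buf[0] >> 4;
    h.header_bytes = (buf[0] & 0x0Fu) * 4u;           // header_bytes_div4 * 4
    if (h.version != 4 || h.header_bytes < 20 || h.header_bytes > len) return false;
    h.tos = buf[1];
    h.packet_bytes = be16(buf + 2);
    if (h.packet_bytes < h.header_bytes || h.packet_bytes > len) return false;
    if (!ipv4_checksum_ok(buf, h.header_bytes)) return false;
    h.fragment_id = be16(buf + 4);
    const unsigned frag = be16(buf + 6);              // zero bit, DF, MF, 13-bit offset
    h.dont_fragment = (frag & 0x4000u) != 0;
    h.more_fragments = (frag & 0x2000u) != 0;
    h.fragment_offset = frag & 0x1FFFu;
    h.ttl = buf[8];
    h.protocol = buf[9];                              // 0x01 ICMP, 0x06 TCP, 0x11 UDP
    h.source = be32(buf + 12);
    h.destination = be32(buf + 16);
    return true;
}
```

A received frame may be longer than `packet_bytes` because Ethernet pads short frames, so only a total length larger than the received byte count is treated as an error.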

TCP

Data Fields

u16   source_port
  Source port (1-65535)
u16   destination_port
  Destination port (1-65535)
u32   sequence_number
  TCP Sequence number (initial one if SYN set)
u32   acknowledge_number
  TCP Acknowledge number (valid if ACK set)
unsigned  data_offset_bytes_div4 :4
  Length of this header (20) divided by 4 (should be 5)
unsigned  unused_0 :4
  Unused, should be zero.
unsigned  fin :1
  connection FINished (no more data from sender)
unsigned  syn :1
  SYNchronize sequence numbers.
unsigned  rst :1
  ReSeT the connection.
unsigned  psh :1
  PuSH to receiving application.
unsigned  ack :1
  ACKnowledge field is significant.
unsigned  urg :1
  URGent field is significant.
unsigned  ece :1
  ECn Echo.
unsigned  cwr :1
  Congestion Window Reduced.
u16   window_size
  TCP Maximum window size (8192 is good)
u16   checksum
  TCP checksum (computed with pseudo header)
u16   urgent_pointer
  Urgent pointer (valid if URG set)
unsigned char  data []
  Memory map for data if no options are set.

TCP packets are processed and a TCP port scan can be performed by adding a line with "portscan" to the command text file.

UDP

Data Fields

u16   source_port
  Source port (1-65535)
u16   destination_port
  Destination port (1-65535)
u16   length
  Entire datagram size in bytes.
u16   checksum
  Checksum.
u8   data []
  Data memory map.

UDP packets are processed by the demo program, but not used.

ICMP

Data Fields

u8   type
  type of ICMP message
u8   code
  code number associated with certain message types
u16   id
  ID value, returned in ECHO REPLY.
u16   sequence
  Sequence value to be returned with ECHO REPLY.
u8   data []
  Data memory map.

The demo program can (by adding "ping" on a line by itself to the command file) send a ping every 30 seconds to the host computer.

ARP

Data Fields

u16   hardware_type
  0x0001 for ethernet
u16   protocol_type
  0x0800 for IPv4
u8   hardware_length
  Bytes. Ethernet is 6.
u8   protocol_length
  Bytes. IPv4 is 4.
u16   operation
  Operation. 1 for request, 2 for reply or announce.
u8   sender_hardware_address [6]
  Generator of the request or reply.
u8   sender_protocol_address [4]
  All zeroes for an ARP probe.
u8   target_hardware_address [6]
  Announce - same as SHA.
u8   target_protocol_address [4]
  Announce - Same as TPA.

The demo program interprets ARP requests and announces in order to determine an IP address for itself and to instruct the host how to communicate with the device. When the host announces an IP address, the next IP address is chosen and used as the device IP.

Demo Program

Hardware

The only peripheral used by the demo program is an ethernet jack. One can be obtained from SparkFun. The Cool Components Workshop Board also has the necessary parts on it. The configuration, logging, and status reports are all available through the MBED flash drive when attached to any computer via USB.

PC Setup

The demo program does not emulate DHCP, so the interface that is connected to the MBED via ethernet should be configured with a static IP address. Consult your operating system documentation for how to do this.

Configuration

The demonstration program reads a file off of the MBED flash drive called "ntcmd.txt" which has the following general format:

# comment
command

The known commands are:

  1. ping
  2. portscan
  3. identify

Commands

ping

The ping command sends a ping to the attached host every 30 seconds and writes the status of its replies to the file "ping.txt" for each ping (the file is overwritten every time).

portscan

The port scan command sends a TCP connection request to every legal port on the attached host system and writes the results of the port scan to the file "portscan.txt".

identify

The identify command writes the host IP address and MAC address to the file "identity.txt".

Log

All major actions and status reports by the tool are written to "nettool.log".