
Monitor Packet and change dest IP if it matches an IP


BleedingEdge

Technical User
Jul 14, 2005
10
US
Well that says it all. This sounds more like a hacker tool than a real tool, but anyway.

I need a program that will monitor all outgoing packets, and if the IP matches a certain IP, it changes the IP and then continues sending it.

I've searched for Packet editing, IP rerouting, change routing tables, I can't seem to find the right thing. The quasi-code would look like this:

IF DESTIP = xxx.xxx.xxx.xxx THEN SET DESTIP = xx.xx.xx.xx

This is some kind of layer 3 program. Is it a router? Or route table issue? A packet monitor/changer? An LSP proggy linked to the IP stack? I don't know what can do this, or if it can be done. I don't really even know what to search for.
Any help would be great. Thanks

(P.S. if you're wondering WHY I need this, it is basically to change an external IP into an internal IP for the sake of server administration of sorts. If the packet is left as-is when testing locally, it closes my client. And if I permanently change the external IP, then all outside connections can't do anything. So if I can get the packet to never leave the local machine, that's what I need. It needs to circle back to me and not go external, and all I have to do is change that destination IP. Unless my thinking is wrong.)
 
Is this using particular ports? Have you looked at running a NAT (Network Address Translation) solution?

Basically what it would do is redirect any external IP's to an internal IP (can be narrowed down to specific ports if you needed).

SimonD.

The real world is not about exam scores, it's about ability.

 
Are you trying to connect to your own machine without sending the packet out on the net? If so, why not just install the MSLoopback adapter and connect to 127.0.0.1 (it's installed by default on their newer OSs).

Otherwise, if you know anyone who is familiar with Perl, you can use Net::RawIP to do just what you asked to do. I've used it before to modify traffic for testing.

But I personally prefer SimonDavies' response. It is, after all, exactly what NAT does.


pansophic
 
Well let me see if I can describe the network, it's actually a friend of mine, not my own network. But it's like this:

He DOES have a router/firewall.
ALL outside traffic needs to come through as normal, which means he can't do any NAT based changes, or else the outside connections will reroute as well. I'm thinking all the changes have to be on the PC itself, behind the router.

There ARE ports involved. And that is port 7777.

Here is the setup, it is a server that runs 6 services as a whole. So when a client connects, the 1st service sends back the IP address of the next service (69.92.x.x external) on port 7777. The client then contacts this, which comes back to a different internal IP. From start to finish it looks like this:

192.168.0.20 -> 69.92.x.x:7777 -> 192.168.0.40

The external address is my own router. So it basically goes out and comes back. If I can keep it from going out, and just go straight 192.168.0.20 -> 192.168.0.40 then that is what I want.

I will look into the Perl thing. Thanks fellas
 
I have to ask WHY? The only protocol that I can think of that uses multiple sockets for a single connection is FTP, and that mode has been deprecated for many years as it was determined to be inefficient and unnecessary.

The application should determine the purpose of the data, and all of it should be transmitted over a single socket.

BTW, there are always ports involved if you are using TCP or UDP.


pansophic
 
Let me sum up the crux of the situation without getting into too many details.

He runs a game server for an MMORPG game. Similar to WOW etc...
The game "server", as a whole, is actually 6 separate services such as a "log" server and "authentication" server and so on.
All 6 services currently run on 1 box, but they don't "have" to, they can run on multiple PCs. So each server has its IP and port set, for them to communicate to each other, and to clients.

When a client connects from outside his network (i.e. runs the game), everything is just peachy.
BUT, when he runs the game himself, from inside the network, there seems to be trouble. The game is trying to run by sending packets which are directed at the external IP just like anybody else, but for some reason, with this data going out and back in like this, causes random disconnects and other behavior.

My original thinking, and his, is to simply find ALL packets heading to 69.92.x.x and turn them back into an internal IP 192.168.0.40, and thus the packet never leaves the network, but instead communicates directly with the server.

The IPs and ports for the services are stored in their settings files, and cannot be changed client side. So he can't change the IPs just for himself, nor can he change the router. Both these areas would be global for all users. Unless the router has some way to redirect based on source IP, I don't know.

Hope that helps get you the idea. I've got a thread like this on another forum as well, and it would seem that this is not a common thing to do, as nobody has just a "oh yea, well use this program yada yada". Must be an odd thing to need.

Thanks, keep em coming!
 
If you want to do that then why not try redirecting the entry via the hosts file?

An entry like this should work.

69.92.x.x local computername

I have redirected specific websites to point to other destinations using this method before and it does work.

Good luck.

SimonD.

The real world is not about exam scores, it's about ability.

 
SimonDavies, you took the words out of my mouth, however I would have done it as:

192.168.x.x local_computer_name

So that all requests for his server will resolve to the local IP address.


pansophic
 
Pansophic, the reason I chose this was because he said that the gaming client looked for the external address and can't be changed.

SimonD.

The real world is not about exam scores, it's about ability.

 
Do you know that it looks for an external address, or an external domain and the external address is the result? Putting in a host entry and running Ethereal will tell you very quickly.

192.168.x.x External_FQDN

Is it a big deal to have all packets route through the router? It would only add a couple of milliseconds to the hop if everything is operating normally. Since others would presumably be coming in from the Internet at 10s to 100s of milliseconds of delay, it can't be that much of a disadvantage.


pansophic
 
Well he has actually tried most every combination of entries in the hosts file, with no luck. I'll have to get an update from him.

The problem doesn't seem to be speed so much as other odd behavior like with random disconnects.

The network is pretty much like this image:

His client will internally connect to the game server, then the game server sends the external IP. Then it connects to the IP externally, which only comes back inside the network to the server. Then the server goes back outside the router again, which just comes back again to his client. So it's like there is more than one hop in and out the router while communicating. Which is redundant and may be part of the problem.

Hopefully that image explains it. This is what the network does now. He wants just the blue and red lines only. Basically.
 
Unfortunately, if the server sends its IP address, rather than its name, modifying the hosts file or any DNS records won't change a thing. Does it have to send its IP rather than name? Probably faster for the gaming machines.

Have you looked at Ethereal dumps of the network traffic to verify that this problem is not network related, like a wireless NIC dropping packets?

Is the traffic UDP or TCP or a combination of both?

I would still use PERL and Net::RawIP to do this. It should be reasonably fast and should also be capable of changing the packets as they traverse the stack.


pansophic
 
As far as I know, it's TCP based.

Haven't run Ethereal, but there is no wireless, or long cable lengths. Internal networked PCs are just inches apart. The network is just router and hub. Though a new faster switch is on the way.

We are currently looking into the PERL thing. Know any premade scripts perchance? Otherwise we're starting from scratch, new language you know.

Thanks for your continued advice. Don't stop now!
 
I don't know of any premade scripts for this with Net::RawIP, but CPAN and Google are your friends. It is really an unusual sort of thing to be modifying the packets on the fly. Normally that is only accomplished through a NAT server. Those are normally routers or firewalls and definitely not running PERL.

I don't have the script that I used before either. I had a friend who is PERL literate write it, but I haven't seen that script in many years. Once I saw it, it was pretty simple, you would create a RawIP object and then manipulate it based on IP address. You'll be looping, comparing all packets until one matches. In your case, you will need to run this on the server, so expect some impact in response times.

Here is an example of using Net::RawIP, although this one is doing some complex pattern matching, but no modification.


I believe you will need libpcap as well as Net::RawIP. Are you running Windows? If so, there is a port of libpcap. If you are running Linux, it is already bundled with your distribution.


pansophic
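
As an added example (not part of any post in this thread, and not the Net::RawIP script mentioned above): the match-and-rewrite step in plain Python on raw packet bytes, including the IPv4 and TCP checksum updates that a destination rewrite requires. `EXTERNAL` is a constructed documentation address standing in for the elided 69.92.x.x, and all function names are hypothetical; capturing and re-injecting live packets is not shown.

```python
import socket
import struct

EXTERNAL = "203.0.113.10"  # constructed stand-in for the thread's elided 69.92.x.x
INTERNAL = "192.168.0.40"  # internal server address given in the thread

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: folded one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_input(buf) -> bytes:
    """Pseudo-header (src, dst, zero, proto 6, TCP length) followed by the segment."""
    ihl = (buf[0] & 0x0F) * 4
    seg = bytes(buf[ihl:struct.unpack_from("!H", buf, 2)[0]])
    return bytes(buf[12:20]) + struct.pack("!BBH", 0, 6, len(seg)) + seg

def fix_checksums(buf: bytearray) -> None:
    """Recompute the IPv4 header checksum and, for TCP, the segment checksum."""
    ihl = (buf[0] & 0x0F) * 4
    buf[10:12] = b"\x00\x00"
    struct.pack_into("!H", buf, 10, checksum(bytes(buf[:ihl])))
    if buf[9] == 6:  # the TCP checksum covers the addresses via the pseudo-header
        buf[ihl + 16:ihl + 18] = b"\x00\x00"
        struct.pack_into("!H", buf, ihl + 16, checksum(tcp_input(buf)))

def rewrite_dst(packet: bytes, match_ip: str, new_ip: str) -> bytes:
    """IF DESTIP = match_ip THEN SET DESTIP = new_ip; other packets pass unchanged."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[16:20] != socket.inet_aton(match_ip):
        return packet
    buf = bytearray(packet)
    buf[16:20] = socket.inet_aton(new_ip)
    fix_checksums(buf)  # without this the receiver drops the rewritten packet
    return bytes(buf)

def build_sample(dst: str, dport: int = 7777) -> bytes:
    """Constructed 40-byte IPv4+TCP SYN from 192.168.0.20, with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.168.0.20"), socket.inet_aton(dst))
    buf = bytearray(ip + tcp)
    fix_checksums(buf)
    return bytes(buf)
```

Replies from 192.168.0.40 need the reverse rewrite of their source address so the client sees the address it connected to, which is the per-connection state a NAT device keeps.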
 
Ok, now it's going to take some time trying all of this.

I downloaded a Windows binary to get the latest Perl on here, that appears to work.
I then downloaded the script you posted and tried to run it just to see what happens; as expected, it said it couldn't find the net::rawip include. So far so good.

So then I downloaded that module, and it comes in like 18 files and 2 folders. And I'm not sure how the Perl folder structure works, these things are in their own folders.
The RawIP readme says what to type to install the module, when I run that, it says a bunch of stuff including lots of lines of "can't find such and such module" like user32.dll and so forth, with the description "probably harmless".

Anyhow, I got the "make" command to work, which just gave me another file called "makefile" that I have no idea what to do with.
I don't know the Perl folder structure or where to put all these files, cause they don't find each other automatically, and some have the same names so I can't overwrite. Argh
So I can't figure out, at least without studying first, how to get all this hooplah to work right. I'm more of a Visual Basic and PHP kinda guy.

By the way I don't expect to have help now with Perl programming. :) I'll stumble with it and see what I can do.
-------------

But back to the top again. Since this Perl script essentially does the same as a NAT, I wonder if a software based (advanced) firewall would do the same thing? Since I can't use host files or DNS-based solutions, would an installed software firewall allow me to forward the packets differently as they go out? Seems like it would be the same thing.
If so, know any good, minimalistic, firewalls with this sort of outgoing, forwarding, capabilities?

Otherwise, I guess I'm just going to have to find myself a crash course on Perl. ugh
 
According to what I have read, and I can't make any promises, because I don't use Windows routinely and certainly not for running PERL, you just have to:

Assuming that you are using ActiveState's PERL for Windows.


Had this to say:

ActiveState Perl comes with a command-line tool called PPM - the Perl Package Manager - that simplifies the process of installing Perl modules on NT. To get into the PPM, go to a DOS prompt, and type
ppm

You should now see a prompt that looks like:
PPM>

at which you can type commands. There are a large number of commands that you can use, and there is very good documentation for PPM that comes with your distribution of Perl, so I'll just talk about two of the functions - searching for a module, and installing that module.
To search for a module, use the search function:
Code:
search Time

The search should, by default, be case-insensitive, although you can configure this.
This will return a list of all the modules that matched this search, and the file that the module is contained in. You can then install the module with the install command
Code:
install Time-modules

PPM will take care of downloading and installing the module for you.


pansophic
 