
electromotivated
2019/06/27 06:32:42

How to Read NOTME UDP packets

Hey y'all, 
 
I've got an application using the KSZ8863 3-Port Ethernet Switch connected to two (2) PCs and the third port connected to a PIC32MX795F512H over the RMII port. I am sending UDP packets from one PC to the other, and "mirroring" them to the PIC32. I've configured the MAC in MHC such that it should accept Unicast Not-Me packets. 
 
Mirrored packets look to be making it to the PIC32 platform just fine (probing of the RXDV pin shows pulses that are aligned with packets being sent). As such I am assuming the packets are making it to the PIC32 MAC RX buffer. The question is, how do I get them out to process them (i.e. how does one implement a sniffer socket)? 
a. From what I've seen the TCP/IP UDP socket functions are only bound to its local IP and Port address.
b. It has crossed my mind to use some of the MAC API calls directly, but in the spirit of good practice, I'm trying to stay away from using lower-level drivers unless necessary. 
 
FYI: I am using Harmony Framework 2.06
#1


    rainad
    Re: How to Read NOTME UDP packets 2019/06/27 09:27:09
    If you want to implement a sniffer at the UDP level, then you need to adjust the TCPIP_UDP_Process function.
    Basically, instead of discarding an unknown packet (one that is not processed by the internal sockets), have it processed by your sniffer. Probably it makes sense to do the sniffing for all packets, meaning that TCPIP_UDP_Process should call the sniffer routine first, no matter what.
     
    However, the way it should be done is that a registration with the stack should be allowed, and all the received packets be passed to the external handler too. That will allow the most flexible way for an application to get access to the received packets. This will be added eventually but it's not there yet. Actually pretty simple to implement.
     
     
     
    #2
    electromotivated
    Re: How to Read NOTME UDP packets 2019/07/01 12:06:03
    Thanks Rainad,
     
    When you say TCPIP_UDP_Process function, are you referring to the udp.c file or the app.c implementation? I am experimenting with the tcpip_udp_client_server example found in MHC v2.06.
     
    Sounds simple enough, but I'm really just getting started with networking and MHC. Really appreciate the help.
    #3
    rainad
    Re: How to Read NOTME UDP packets 2019/07/03 04:40:25
    At the app level it is too late, because UDP traffic is handled in the UDP module and if there is no socket to receive a packet, it is discarded.
    So, something needs to be added in the UDP module itself.
    In TCPIP_UDP_Process(), the last code sequence is:
     
    if(ackRes != TCPIP_MAC_PKT_ACK_NONE)
    {   // unknown/error; discard it.
        _UDP_RxPktAcknowledge(pRxPkt, ackRes);
    }
     
    You can change it to something like this:
     
    if(ackRes != TCPIP_MAC_PKT_ACK_NONE)
    {   // unknown/error; discard it.
        mySpyPktHandler(pRxPkt);
        _UDP_RxPktAcknowledge(pRxPkt, ackRes);
    }
     
    That will call your function where you can take a look at this packet.
    You still need to acknowledge the packet after that.
     
    #4
    electromotivated
    Re: How to Read NOTME UDP packets 2019/07/03 05:57:13
    Thanks Rainad! 
     
    This should get me started just fine!
    #5
    electromotivated
    Re: How to Read NOTME UDP packets 2019/07/05 12:22:20
    Ok, follow up question here:
     
    Port Mirroring using the KSZ8863 has been verified to work. However, it has also been found that UDP packets sent from one PC to another PC are being encapsulated in the ESP IPsec protocol (as seen from Wireshark sniffing). Otherwise, when UDP packets are addressed to the PIC32, UDP packets are sent unchanged as UDP.
        * I believe packets from one PC to another PC ARE being mirrored to the PIC32, however since they are being encapsulated in ESP they are not being processed by TCPIP_UDP_Process() in udp.c, which would make sense if the Protocol value in the IPv4 packet is being changed from value 17 (UDP) to some other value
        * How do we disable this ESP encapsulation?
     
    Any thoughts would be much appreciated!
    #6
    electromotivated
    Re: How to Read NOTME UDP packets 2019/07/05 13:20:58
    Update:
    I solved the ESP issue. I was using UDP port 4500, which apparently is associated with ESP. After changing to another port, the UDP packets are being sent unaltered, as seen using Wireshark. However, these "mirrored" packets are not being processed in TCPIP_UDP_Process(). I'm certain that the PIC32 MAC is receiving the mirrored packets, as the nRxOkPackets parameter from the terminal command "macinfo" continuously increases when UDP packets are streamed to the sniff port. Any idea why these mirrored UDP packets are not being picked up for processing?
    #7
    rainad
    Re: How to Read NOTME UDP packets 2019/07/08 10:06:49
    If the UDP packets are intended for the PIC32 network interface (IP address) or broadcast/multicast and to an open UDP socket then they should be processed.
    Do you see something else?
    Please provide some details.
     
    #8
    electromotivated
    Re: How to Read NOTME UDP packets 2019/07/08 11:00:35
    So the UDP packets aren't specifically addressed to the PIC32. Here's the general setup:
     
    1. KSZ8863 Ethernet Switch with PC1 on KSZ Port 1, PC2 on KSZ Port 2, and the PIC32 on Port 3 (RMII)
    2. KSZ registers are set so that RX on Port 1 is mirrored to Port 2 
    3. In MHC, External MAC RX Filters are set to accept Broadcast/Multicast, Unicast, and Not-me Unicast
     
    What I want to do is stream UDP packets from PC1 to PC2, and have those packets also mirrored to the PIC32. I have verified that streaming UDP packets from PC1 to PC2 is also being mirrored to PIC32, as the MacRxOk count increases when I stream from PC1 to PC2. This count does not increase when streaming from PC2 to PC1, showing me that the mirror configuration is working as expected. 
     
    However, when the PIC32 receives these mirrored packets, the TCPIP_UDP_Process() function is not being called. The packets are being processed by the MAC as far as I can tell, though. I added a terminal print to _TCPIPProcessMacPackets() in the tcpip_manager.c file; this prints the MAC Packet Type. So while UDP_Process is not called, I do get a terminal print with a value of 0x800 (corresponding to an Ethernet Type of IPv4) from the terminal print statement I added to _TCPIPProcessMacPackets(), so I am definitely receiving the mirrored packets at the MAC level. 
     
    Perhaps my understanding is wrong, but I would assume that mirrored UDP packets would still be processed by the UDP routines, specifically TCPIP_UDP_Process() as you suggested earlier. Are mirrored packets processed as raw ethernet or IPv4 packets and not UDP packets? 
     
    So, I guess in short, how does one handle mirrored packets? I'm not sure how I would instantiate a UDP socket for this purpose as the destination IP address would not match what is actually contained in the mirrored packets. 
     
    Thanks again!
    #9
    rainad
    Re: How to Read NOTME UDP packets 2019/07/09 06:37:42
    If those packets are not intended for your host, and they do not reach the UDP module, probably they are discarded in the IPv4. Most likely because they are not intended for that host network interface.
    You should move your spy code to ipv4.c::TCPIP_IPV4_Process() and check what happens.
     
    #10
    electromotivated
    Re: How to Read NOTME UDP packets 2019/07/12 06:07:33
    Thanks, 
     
    I changed TCPIP_IPV4_Process(), in ipv4.c, by adding 'pktAccepted = true' right before anything gets discarded to ensure all packets get passed. Then in udp.c, I added a function call in TCPIP_UDP_IPV4Process(), which checks the src ip/port to determine if this is a packet I want to sniff, and if so the function will change the dest port to a port number of an open and valid socket. I used this approach to expose the UDP API for data extraction without having to write a new parser. 
    Thanks again!
    #11
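
An added example, not code from the thread or from the Harmony stack: a bounds-checked C parser that reports at which layer a conventional host stack would drop a mirrored frame, while still exposing the UDP fields to a sniffer hook. All names, addresses and the sample frame are constructed; it assumes untagged Ethernet II, does not verify checksums, and treats only 255.255.255.255 as broadcast.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Where a frame ends up in a conventional host stack (hypothetical names). */
typedef enum { RX_MALFORMED, RX_NOT_IPV4, RX_IP_NOT_ME, RX_NOT_UDP,
               RX_NO_SOCKET, RX_DELIVERED } rx_fate_t;
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port;
                 const uint8_t *data; size_t data_len; } udp_view_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Bounds-checked parse; *out is filled for any well-formed UDP datagram,
 * including ones the host stack would drop, so a sniffer can inspect them. */
rx_fate_t classify_frame(const uint8_t *f, size_t len, uint32_t my_ip,
                         uint16_t open_port, udp_view_t *out)
{
    if (len < 14) return RX_MALFORMED;               /* Ethernet II header */
    if (rd16(f + 12) != 0x0800) return RX_NOT_IPV4;  /* EtherType */
    const uint8_t *ip = f + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return RX_MALFORMED;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4, tot = rd16(ip + 2);
    if (ihl < 20 || tot < ihl || tot > avail) return RX_MALFORMED;
    uint32_t dst = rd32(ip + 16);
    /* Protocol 17 is UDP; non-first fragments carry no UDP header to read. */
    int is_udp = ip[9] == 17 && (rd16(ip + 6) & 0x1FFF) == 0;
    if (is_udp) {
        const uint8_t *u = ip + ihl;
        size_t ulen = (tot - ihl >= 8) ? rd16(u + 4) : 0;
        if (ulen < 8 || ulen > tot - ihl) return RX_MALFORMED;
        *out = (udp_view_t){ rd32(ip + 12), dst, rd16(u), rd16(u + 2), u + 8, ulen - 8 };
    }
    if (dst != my_ip && dst != 0xFFFFFFFFu) return RX_IP_NOT_ME; /* IPv4-layer drop */
    if (!is_udp) return RX_NOT_UDP;                  /* e.g. ESP is protocol 50 */
    return out->dst_port == open_port ? RX_DELIVERED : RX_NO_SOCKET;
}

/* Constructed sample: 192.168.1.10:5000 -> 192.168.1.20:6000, payload "ping". */
static const uint8_t SAMPLE[46] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0,0,0x20, 0,1,0,0, 0x40,17,0,0, 192,168,1,10, 192,168,1,20,
    0x13,0x88, 0x17,0x70, 0,0x0C, 0,0, 'p','i','n','g' };

int main(void) {
    udp_view_t v = {0};
    printf("fate=%d\n", classify_frame(SAMPLE, sizeof SAMPLE, 0xC0A8011Eu, 6000, &v));
    return 0;
}
```

With the sniffer host at 192.168.1.30 the sample is classified as an IPv4-layer drop, which matches the behaviour reported in the thread: the frame passes the MAC filter but never reaches the UDP module.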