Merge pull request #4 from wiseaidev/chap-1-part-4

add part 4 of chapter 1

Author: wiseaidev

chapter-1/chapter-1.ipynb

@@ -748,7 +748,7 @@
     "\n",
     "Examining this structure, we discern that the first 8 bits represent the type, followed by the subsequent 8 bits housing the ICMP code. Notably, the originating IP header of the message that triggered the response is encapsulated within the ICMP message, presenting an opportunity for validation.\n",
     "\n",
-    "### Integration of ICMP Decoding\n",
+    "#### Integration of ICMP Decoding\n",
     "\n",
     "Now, let's seamlessly integrate the decoding of ICMP packets into our existing packet-sniffing framework. The augmentation of our sniffer encompasses the implementation of an ICMP structure beneath the established IP structure. The following code snippet imports necessary modules and initializes the ICMP structure to facilitate the decoding process when ICMP packets are detected.\n",
     "\n",
@@ -1009,6 +1009,268 @@
     "\n",
     "In conclusion, broadening our decoding capabilities beyond ICMP to encompass TCP and UDP marks a pivotal step in comprehending the diverse landscape of network protocols. Each protocol brings its own set of challenges and nuances, and by expanding our analysis toolkit, we empower ourselves to gain a holistic understanding of the complex communication patterns shaping the digital world."
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "7972e4b1-813d-45bd-bd9a-f741db2d9482",
+   "metadata": {},
+   "source": [
+    "### 1.6 Decoding TCP packets\n",
+    "\n",
+    "Decoding TCP packets involves understanding the complexities of the [**Transmission Control Protocol (TCP)**](https://en.wikipedia.org/wiki/Transmission_Control_Protocol), a fundamental protocol in the transport layer of the [**Internet Protocol Suite**](https://en.wikipedia.org/wiki/Internet_protocol_suite). Unlike [**ICMP**](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol), which is connectionless, TCP provides a reliable, connection-oriented communication channel. Understanding the structure of TCP packets entails parsing the various fields within the TCP header, each conveying essential information about the communication session.\n",
+    "\n",
+    "The TCP header includes crucial components such as the source and destination port numbers, which identify the endpoints of the communication. The sequence and acknowledgment numbers play a pivotal role in ensuring the ordered and reliable delivery of data. Flags within the TCP header signify the nature of the packet, indicating whether it is a data segment, a connection request (SYN), an acknowledgment (ACK), or other control messages. By decoding these flags, we gain insights into the state of the TCP connection and the ongoing communication process.\n",
+    "\n",
+    "> 3.1.  Header Format\n",
+    "> \n",
+    ">   TCP segments are sent as internet datagrams.  The Internet Protocol\n",
+    ">   header carries several information fields, including the source and\n",
+    ">   destination host addresses [2].  A TCP header follows the internet\n",
+    ">   header, supplying information specific to the TCP protocol.  This\n",
+    ">   division allows for the existence of host level protocols other than\n",
+    ">   TCP.\n",
+    "> \n",
+    ">   TCP Header Format\n",
+    "                           \n",
+    "     0                   1                   2                   3   \n",
+    "     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 \n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |          Source Port          |       Destination Port        |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |                        Sequence Number                        |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |                    Acknowledgment Number                      |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |  Data |           |U|A|P|R|S|F|                               |\n",
+    "    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |\n",
+    "    |       |           |G|K|H|T|N|N|                               |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |           Checksum            |         Urgent Pointer        |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |                    Options                    |    Padding    |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "    |                             data                              |\n",
+    "    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n",
+    "\n",
+    ">                            TCP Header Format\n",
+    ">\n",
+    ">          Note that one tick mark represents one bit position.\n",
+    ">\n",
+    ">                               Figure 3.\n",
+    ">\n",
+    ">  Source Port:  16 bits\n",
+    ">\n",
+    ">    The source port number.\n",
+    ">\n",
+    ">  Destination Port:  16 bits\n",
+    ">\n",
+    ">    The destination port number.\n",
+    ">\n",
+    ">\n",
+    ">\n",
+    ">\n",
+    ">                                                               [Page 15]\n",
+    "\n",
+    "[**Excerpt from rfc793 Page 15**](https://www.ietf.org/rfc/rfc793.txt)\n",
+    "\n",
+    "Furthermore, the decoding process extends to examining optional fields within the TCP header, such as the Window Size and Urgent Pointer. The Window Size reflects the amount of data a sender can transmit before expecting an acknowledgment, contributing to flow control. The Urgent Pointer, when utilized, points to urgent data within the packet, enabling timely processing by the receiver. Understanding these optional fields enhances the comprehension of the nuanced behaviors and optimizations implemented within the TCP protocol.\n",
+    "\n",
+    "Deciphering TCP packets provides valuable insights into various applications that heavily rely on TCP, including web browsing, file transfers (via protocols like FTP), and email (via protocols like SMTP). By analyzing the content of TCP packets, one can uncover patterns in data transmission, detect anomalies, and troubleshoot network-related issues. This in-depth analysis of TCP communication contributes to a holistic understanding of the diverse and interconnected aspects of networking protocols.\n",
+    "\n",
+    "Now, let's decode TCP packets using the **`socket2`** crate in Rust which involves establishing a raw socket connection, capturing packets, and dissecting the TCP headers. As we have previously learned, the `socket2` crate provides low-level access to socket functionality, allowing for fine-grained control over network communication. Below is a simplified example illustrating the basic steps for decoding TCP packets using `socket2`:\n",
+    "\n",
+    "```rust\n",
+    "use std::mem::MaybeUninit;\n",
+    "use std::net::SocketAddr;\n",
+    "use std::net::{IpAddr, Ipv4Addr};\n",
+    "\n",
+    "// Constants for TCP and IP headers size\n",
+    "const TCP_HEADER_SIZE: usize = 20;\n",
+    "const IPV4_HEADER_SIZE: usize = 20;\n",
+    "\n",
+    "struct TCP {\n",
+    "    source_port: u16,\n",
+    "    destination_port: u16,\n",
+    "    sequence_number: u32,\n",
+    "    acknowledgment_number: u32,\n",
+    "    data_offset: u8,\n",
+    "    reserved: u8,\n",
+    "    flags: u16,\n",
+    "    window_size: u16,\n",
+    "    checksum: u16,\n",
+    "    urgent_pointer: u16,\n",
+    "}\n",
+    "\n",
+    "impl TCP {\n",
+    "    fn new(buffer: &[u8]) -> Self {\n",
+    "        // Parse the TCP header fields from the buffer\n",
+    "        let source_port = u16::from_be_bytes([buffer[0], buffer[1]]);\n",
+    "        let destination_port = u16::from_be_bytes([buffer[2], buffer[3]]);\n",
+    "        let sequence_number = u32::from_be_bytes([buffer[4], buffer[5], buffer[6], buffer[7]]);\n",
+    "        let acknowledgment_number =\n",
+    "            u32::from_be_bytes([buffer[8], buffer[9], buffer[10], buffer[11]]);\n",
+    "        let data_offset = (buffer[12] >> 4) * 4; // The top 4 bits represent the data offset\n",
+    "        let reserved = buffer[12] & 0b00001111;\n",
+    "        let flags = u16::from_be_bytes([buffer[13], buffer[14]]);\n",
+    "        let window_size = u16::from_be_bytes([buffer[15], buffer[16]]);\n",
+    "        let checksum = u16::from_be_bytes([buffer[17], buffer[18]]);\n",
+    "        let urgent_pointer = u16::from_be_bytes([buffer[19], buffer[20]]);\n",
+    "\n",
+    "        TCP {\n",
+    "            source_port,\n",
+    "            destination_port,\n",
+    "            sequence_number,\n",
+    "            acknowledgment_number,\n",
+    "            data_offset,\n",
+    "            reserved,\n",
+    "            flags,\n",
+    "            window_size,\n",
+    "            checksum,\n",
+    "            urgent_pointer,\n",
+    "        }\n",
+    "    }\n",
+    "}\n",
+    "\n",
+    "fn sniff(address: SocketAddr) {\n",
+    "    let socket_protocol = if cfg!(target_os = \"windows\") {\n",
+    "        0\n",
+    "    } else {\n",
+    "        6 // TCP\n",
+    "    };\n",
+    "\n",
+    "    let sniffer = socket2::Socket::new(\n",
+    "        socket2::Domain::IPV4,\n",
+    "        socket2::Type::RAW,\n",
+    "        Some(socket2::Protocol::from(socket_protocol)),\n",
+    "    )\n",
+    "    .unwrap();\n",
+    "\n",
+    "    sniffer.bind(&address.into()).unwrap();\n",
+    "\n",
+    "    let mut buffer: [MaybeUninit<u8>; 65535] = unsafe { MaybeUninit::uninit().assume_init() };\n",
+    "    loop {\n",
+    "        // Receive a TCP packet\n",
+    "        let _length = sniffer.recv_from(&mut buffer).unwrap();\n",
+    "        let raw_buffer: &[u8] =\n",
+    "            unsafe { std::slice::from_raw_parts(buffer.as_ptr() as *const u8, buffer.len()) };\n",
+    "\n",
+    "        // Process the TCP packet\n",
+    "        if size >= IPV4_HEADER_SIZE + TCP_HEADER_SIZE {\n",
+    "            let tcp_header =\n",
+    "                TCP::new(&raw_buffer[IPV4_HEADER_SIZE..IPV4_HEADER_SIZE + TCP_HEADER_SIZE + 1]);\n",
+    "            // Print or process TCP header information\n",
+    "            println!(\"Source Port: {}\", tcp_header.source_port);\n",
+    "            println!(\"Destination Port: {}\", tcp_header.destination_port);\n",
+    "            println!(\"Sequence Number: {}\", tcp_header.sequence_number);\n",
+    "            println!(\n",
+    "                \"Acknowledgment Number: {}\",\n",
+    "                tcp_header.acknowledgment_number\n",
+    "            );\n",
+    "            println!(\"Data Offset: {}\", tcp_header.data_offset);\n",
+    "            println!(\"Reserved: {}\", tcp_header.reserved);\n",
+    "            println!(\"Flags: {}\", tcp_header.flags);\n",
+    "            println!(\"Window Size: {}\", tcp_header.window_size);\n",
+    "            println!(\"Checksum: {}\", tcp_header.checksum);\n",
+    "            println!(\"Urgent Pointer: {}\", tcp_header.urgent_pointer);\n",
+    "        }\n",
+    "    }\n",
+    "}\n",
+    "\n",
+    "fn main() {\n",
+    "    let socket = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 12345);\n",
+    "\n",
+    "    sniff(socket);\n",
+    "}\n",
+    "```\n",
+    "\n",
+    "This example sets up a raw socket, binds it to a local address (in this case, the loopback address), and enters a loop to continuously capture and process TCP packets. The `TCP` struct encapsulates the relevant fields from the TCP header, and the `sniff_tcp_packets` function initializes the socket and processes incoming TCP packets. Keep in mind that decoding TCP packets often involves additional considerations, such as handling variable-length options within the TCP header."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 3,
+   "id": "027eeef8-a33b-42e7-a388-9987b99aab7e",
+   "metadata": {},
+   "outputs": [
+    {
+     "name": "stderr",
+     "output_type": "stream",
+     "text": [
+      "   Compiling decoding-tcp-packets v0.1.0 (/home/mahmoud/Desktop/Rust Book Dark/dark-web-rust/chapter-1/decoding-tcp-packets)\n",
+      "    Finished dev [unoptimized + debuginfo] target(s) in 0.26s\n"
+     ]
+    },
+    {
+     "name": "stdout",
+     "output_type": "stream",
+     "text": [
+      "\n",
+      "Protocol: TCP 52.200.215.80 -> 192.168.1.8\n",
+      "Version: 69\n",
+      "Header Length: 52 TTL: 60\n",
+      "Source Port: 443\n",
+      "Destination Port: 42436\n",
+      "Sequence Number: 3205079071\n",
+      "Acknowledgment Number: 1443482503\n",
+      "Data Offset: 32\n",
+      "Reserved: 0\n",
+      "Flags: 4097\n",
+      "Window Size: 63162\n",
+      "Checksum: 24832\n",
+      "Urgent Pointer: 1\n"
+     ]
+    },
+    {
+     "data": {
+      "text/plain": [
+       "()"
+      ]
+     },
+     "execution_count": 3,
+     "metadata": {},
+     "output_type": "execute_result"
+    }
+   ],
+   "source": [
+    "// The following command will execute the sniffer.\n",
+    "// Set your sudo password below by replacing 'your-passowrd' accordingly\n",
+    "\n",
+    "let command = \"cd decoding-tcp-packets && cargo build && echo 'your-passowrd' | sudo -S sudo setcap cap_net_raw+ep target/debug/decoding-tcp-packets && target/debug/decoding-tcp-packets\";\n",
+    "\n",
+    "if let Err(err) = execute_command(command) {\n",
+    "    eprintln!(\"Error executing command: {}\", err);\n",
+    "}\n",
+    "\n",
+    "// Just open your web browser and surf the internet"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "9e338373-00d9-4c60-9c29-e4ac6d60fdac",
+   "metadata": {},
+   "source": [
+    "The decoded information from the captured TCP packet reveals a communication exchange involving the IP address **52.200.215.80**, which is attributed to Amazon Web Services (AWS) Elastic Compute Cloud (EC2). [**AWS EC2**](https://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud) is a scalable cloud computing service that provides virtual servers in the cloud, allowing users to run applications and host various types of workloads. The presence of a TCP packet suggests a data transfer or communication event between the AWS EC2 instance, acting as the source (**52.200.215.80**), and our local machine with the destination IP address **192.168.1.8**.\n",
+    "\n",
+    "The identification of the TCP protocol in the \"**Protocol: TCP**\" field signifies that the communication adheres to the principles of Transmission Control Protocol, a foundational aspect of reliable data transmission over networks. The source port **443** and destination port **42436** provide insight into the specific application layer protocols in use. Port 443 is commonly associated with HTTPS, the secure variant of the HTTP protocol used for secure communication over the internet. The arbitrary destination port 42436 suggests that the communication may involve a dynamically assigned port for the client-side of the connection, our local machine.\n",
+    "\n",
+    "Examining the TCP flags, the value **4097** (binary 1000000000001) indicates that this is an **ACK** (Acknowledgment) packet. ACK packets are crucial for ensuring reliable data transfer and confirming the receipt of previously sent packets. The sequence and acknowledgment numbers, 3205079071 and 1443482503, respectively, reveal the progression of the data exchange. The data offset of 32, when multiplied by 4, yields a header length of 128 bytes, providing an extensive structure for encapsulating the TCP information. The window size of 63162 signifies the amount of data (in bytes) that can be sent before an acknowledgment is expected, contributing to the flow control mechanisms in TCP.\n",
+    "\n",
+    "Now that we have successfully decoded both ICMP and TCP packets, the subsequent phase in our network analysis efforts involves the complex process of decoding UDP (User Datagram Protocol) packets. [**UDP**](https://en.wikipedia.org/wiki/User_Datagram_Protocol), unlike TCP, operates as a connectionless and stateless protocol, prioritizing speed and simplicity over the robust reliability mechanisms inherent in TCP. As we delve into UDP packet decoding, we encounter a different set of challenges and nuances. UDP packets lack the elaborate handshaking and acknowledgment mechanisms found in TCP, making their decoding a more direct and, in some ways, more challenging task.\n",
+    "\n",
+    "The UDP decoding process necessitates a sharp understanding of the UDP header structure, including crucial fields such as source and destination ports, length, and checksum. The source and destination ports denote the application processes communicating over UDP, providing insight into the specific services involved in the data exchange. The length field specifies the total length of the UDP packet, aiding in proper segmentation and reassembly. The checksum field serves as a verification mechanism to ensure the integrity of the UDP packet during transmission.\n",
+    "\n",
+    "In our decoding journey, we must meticulously extract and interpret these UDP header fields, considering the contextual relevance of each piece of information within the broader network communication. The absence of a formal connection setup and teardown process in UDP introduces unique challenges, as deciphering the intent and context of UDP packets relies heavily on the payload data and its interpretation within the specific application layer protocol.\n",
+    "\n",
+    "As we extend our decoding capabilities to encompass UDP packets, we aim to uncover the underlying dynamics of real-time and efficient data communication. UDP is frequently employed in scenarios where low latency and rapid data transmission are paramount, such as in multimedia streaming, online gaming, and other time-sensitive applications. Therefore, our UDP decoding endeavors not only contribute to a comprehensive understanding of network traffic but also enable us to distinguish the diverse applications and services thriving within the network ecosystem. In navigating the intricacies of UDP packet decoding, we embark on a journey to unravel the rich tapestry of communication protocols that form the backbone of modern networking, further enhancing our ability to comprehend and analyze the multifaceted landscape of data transmission in diverse network environments."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "f3229384-bc07-47ac-b644-cbb95c61e097",
+   "metadata": {},
+   "outputs": [],
+   "source": []
   }
  ],
  "metadata": {

chapter-1/decoding-tcp-packets/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "decoding-tcp-packets"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+socket2 = {version = "0.5.5", features = ["all"]}
+