man lc (Commands) - Low Latency stdio <-> Layer 2 Filtering Bridge

NAME

lc - Low Latency stdio <-> Layer 2 Filtering Bridge

SYNOPSIS

lc [-l interface] [-m interface] [options]

PACKAGE

Paketto Keiretsu 1.0

DESCRIPTION

Linkcat (lc) attempts to do for Layer 2 (Ethernet) what Netcat (nc) does for Layers 4-7 (TCP/UDP): provide direct, bidirectional, streaming access to the network. Libpcap/tcpdump syntax filters may be specified in either direction, but no filtering is enabled by default. Two separate syntaxes are supported; one accepts and emits libpcap dump format (raw binary with a fixed-size file header and a fixed-size packet header), the other accepts and emits simple hex with backslash line continuation. Several other features are also implemented; specifically, early work involving the embedding of cryptographic shared-secret signatures in the Ethernet trailer is demonstrated.

OPTIONS

-l interface
Sniff frames from this interface. "00" may be used in place of an explicitly specified interface to imply sniffing from the first available interface.
-m interface
Spoof frames onto this interface. "00" may be used in place of an explicitly specified interface to imply spoofing onto the first available interface.
-p/-P filter
Specify a filter that sniffed (-p) or spoofed (-P) frames are matched against before they're allowed to pass through. The syntax is extraordinarily straightforward; see the tcpdump documentation for examples. "not port 22", "tcp and ether src 00:11:22:33:44:55", "host www.doxpara.com", and "icmp or (udp and port 53)" are all valid filters.
-w sniff_file
Specify a file that sniffed frames should be written into, rather than simply being dropped onto stdout.
-r spoof_file
Specify a file that spoofed frames should be read from, rather than being extracted from stdin.
-t [h/p]
Specify the type of file that linkcat should operate against. -th emits and accepts packets in hexadecimal ASCII format, with end-of-line (without continuation) implying end of frame. -tp emits and accepts packets in raw libpcap mode, replete with libpcap file header, pkthdr structs, and raw binary data. The latter format has not been audited (by this author) for security breaches; the former has no out-of-band signaling aside from the implied end-of-frames. However, the HEX/ASCII format has a 3x data expansion penalty (obviously heavily compressible).
-o/-O m-n
Emit a byte range as an integer, presumably for phentropy (another component of the Paketto Keiretsu) to parse. Effectively, given an incoming frame, return the mth through the nth bytes as a hexadecimal integer preceded by 0x. -o outputs the bytes in network order; -O outputs the bytes in reverse (presumably correct) order. This can be used to great effect for extracting the entropy of TCP Sequence Numbers (-p tcp -O 39-42) and other semi-random network fields. ( m - n ) must be equal to 1, 2, or 4 for phentropy 1.0 to correctly understand it.
-e
Output spoofed frame to stderr, as a hexdump. Occasionally useful.
-c num
Output no more than num characters to stdio at once. Overflow will be handled using the \ continuator.
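The -th hex format (one frame per line, wrapped with a trailing backslash by -c) and the -o/-O byte-range extraction are simple enough to model end to end. The following is an added Python example, not code from linkcat or the Paketto Keiretsu; the function names are hypothetical, and it assumes the m-n range is 1-based and inclusive, which is the reading under which "-O 39-42" lands exactly on the TCP sequence number of a frame with a 14-byte Ethernet header and a 20-byte IPv4 header. The sample frame is constructed for the example.

```python
# Added example: emulate linkcat's -th hex framing (with -c wrapping) and the
# -o/-O "emit bytes m..n as a 0x integer" extraction. Not Paketto Keiretsu code.

# Constructed sample frame: Ethernet (14) + IPv4 (20, no options) + TCP (20).
# The TCP sequence number is set to 0x11223344 so the extraction is easy to check.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                     # Ethernet dst, src, type=IPv4
    "4500002800010000" "4006" "0000" "c0a80001" "c0a80002"  # IPv4 header (checksum zeroed)
    "0050" "1234" "11223344" "00000000" "5002" "2000" "0000" "0000"  # TCP header (SYN)
)


def encode_hex_frames(frames, width=0):
    """Render frames in -th style: one hex frame per line. With width > 0
    (the -c limit), long lines are split and each partial line ends in a
    backslash continuator, exactly like the man page describes."""
    lines = []
    for frame in frames:
        h = frame.hex()
        if width and len(h) > width:
            chunks = [h[i:i + width] for i in range(0, len(h), width)]
            lines.append("\\\n".join(chunks))
        else:
            lines.append(h)
    return "\n".join(lines) + "\n"


def decode_hex_frames(text):
    """Parse -th input back into frames. A line ending in a backslash is
    joined with the next one; an end-of-line without a backslash ends the frame.
    Odd-length or non-hex frames raise ValueError from bytes.fromhex."""
    frames = []
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        buf += line
        if buf:
            frames.append(bytes.fromhex(buf))
        buf = ""
    if buf:  # trailing continuation with no final line: treat as a truncated frame
        frames.append(bytes.fromhex(buf))
    return frames


def byte_range_int(frame, m, n, reverse=False):
    """Emulate -o m-n (reverse=False, wire order) and -O m-n (reverse=True):
    return bytes m..n of the frame (1-based, inclusive) as a '0x...' string.
    Ranges that do not fit in the frame are rejected rather than silently
    truncated."""
    if not (1 <= m <= n <= len(frame)):
        raise ValueError(f"range {m}-{n} outside frame of {len(frame)} bytes")
    chunk = frame[m - 1:n]
    if reverse:
        chunk = chunk[::-1]
    return "0x" + chunk.hex()


if __name__ == "__main__":
    text = encode_hex_frames([SAMPLE_FRAME, b"\x01\x02"], width=32)
    print(text, end="")
    decoded = decode_hex_frames(text)
    print("-o 39-42:", byte_range_int(decoded[0], 39, 42))
    print("-O 39-42:", byte_range_int(decoded[0], 39, 42, reverse=True))
```

Running the script prints the wrapped hex dump of both constructed frames, then the sequence-number field in wire order and reversed. A decoder like this is also the place to enforce the page's observation that the hex format carries no out-of-band signalling: anything that is not hex, or that never terminates a continuation, is rejected instead of being guessed at.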

EXPERIMENTS (TRAILER CRYPTO)

-M key
Append a 20-byte Message Authentication Code (HMAC-SHA1) to the end of an outgoing frame before spoofing it onto the wire, keyed with the SHA-1 digest of a user-provided key. Since both IP and ARP are immune to, and expect, random content in the Ethernet trailer, this does not interfere with normal operations. Security is limited to the entropy of the provided key, and direct replay attacks are entirely trivial in this implementation (though the content of the replayed packet may not be changed).
-L key
Verify that the last 20 bytes of every frame sniffed off the wire form a valid HMAC-SHA1 of the rest of the frame under the supplied key, or refuse to output said frame to its appropriate dump -- stdout or a file named via -w. This happens without any frame parsing, so theoretically it's possible to authenticate even broken traffic.
-S
Strip the HMAC-SHA1 hash upon verifying (i.e. don't propagate it to future clients).
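The -M/-L/-S trio describes a small protocol: tag = HMAC-SHA1 over the whole frame under SHA-1(key), appended as a trailer; verifier checks the last 20 bytes and either drops the frame, forwards it, or forwards it with the trailer removed. The following is an added Python example of that scheme, written for this page and not taken from linkcat; the function names and the MAX_FRAME constant are assumptions. It also makes explicit the two caveats the page itself states: a verbatim copy of a tagged frame still verifies (the replay weakness from -M), and a frame that already fills the link's maximum frame size has no room for a 20-byte trailer (the MTU problem from BUGS).

```python
# Added example: model linkcat's trailer HMAC (-M / -L / -S). Not Paketto Keiretsu code.
import hashlib
import hmac

TAG_LEN = 20        # HMAC-SHA1 digest length, as appended by -M
MAX_FRAME = 1514    # assumed link budget: 14-byte Ethernet header + 1500-byte MTU, no jumbo frames


def trailer_key(user_key: bytes) -> bytes:
    """The page states the MAC is keyed with the SHA-1 of the user-provided key."""
    return hashlib.sha1(user_key).digest()


def fits_with_trailer(frame: bytes, max_frame: int = MAX_FRAME) -> bool:
    """False when the frame is already at the link limit and a trailer cannot be added."""
    return len(frame) + TAG_LEN <= max_frame


def tag_frame(frame: bytes, user_key: bytes, max_frame: int = MAX_FRAME) -> bytes:
    """Emulate -M: append HMAC-SHA1(frame) as an Ethernet trailer.
    Refuses rather than silently producing an oversized frame."""
    if not fits_with_trailer(frame, max_frame):
        raise ValueError(f"frame of {len(frame)} bytes leaves no room for a {TAG_LEN}-byte trailer")
    mac = hmac.new(trailer_key(user_key), frame, hashlib.sha1).digest()
    return frame + mac


def verify_frame(frame: bytes, user_key: bytes, strip: bool = False):
    """Emulate -L (and -S when strip=True): check the last 20 bytes without
    parsing the frame. Returns (ok, frame_to_emit); a failed check returns
    (False, None), i.e. the frame is dropped instead of being written out."""
    if len(frame) <= TAG_LEN:
        return False, None
    body, mac = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(trailer_key(user_key), body, hashlib.sha1).digest()
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return False, None
    return True, (body if strip else frame)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    frame = bytes(60)                      # constructed minimal Ethernet frame
    tagged = tag_frame(frame, key)
    print("tagged length:", len(tagged))
    print("good key     :", verify_frame(tagged, key)[0])
    print("wrong key    :", verify_frame(tagged, b"other")[0])
    flipped = bytes([tagged[0] ^ 1]) + tagged[1:]
    print("bit flipped  :", verify_frame(flipped, key)[0])
    print("replayed copy:", verify_frame(bytes(tagged), key)[0])   # the page's stated weakness
    print("fits at limit:", fits_with_trailer(bytes(MAX_FRAME)))
```

Note what the verifier does and does not give you: content integrity under a shared secret, but no freshness, since nothing in the tag binds the frame to a time or sequence value, so the replay line above prints True by design. That is exactly the limitation the -M entry warns about, and any deployment that cares about it needs a nonce or counter inside the authenticated region.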

BUGS

"any" device doesn't work right, yet. Oh, and the trailer crypto has serious issues when IP actually takes up the entire Ethernet packet up to the MTU limit. I had thought jumbo frame support was more widespread when I developed this tech. I had *no idea* how acrimonious the debate was. Still, trailer crypto outshines TCP options for sideband signatures... at least until Boneh's Weil Pairing work becomes a) available and b) fast. (Soon on both counts!)

AUTHOR

This work has been done by Dan Kaminsky of DoxPara Research, who may be reached at dan@doxpara.com.