6.1. Hellopacket
6.1.1. Introduction
Every language needs a “helloworld”. Haka, being as much a language as a network tool, needs its own helloworld, called “hellopacket”.
This “hellopacket” reads a pcap file and prints a couple of TCP/IP fields of each packet in the file.
6.1.2. How-to
Launch hakapcap with a pcap file and a lua script file as arguments.
$ cd <haka_install_path>/share/haka/sample/hellopacket
$ hakapcap hellopacket.pcap hellopacket.lua
Hakapcap will first dump information about the registered dissectors and rules, then process the pcap file, outputting information on each packet (packet source and destination, connection establishment, etc.):
info core: load module 'packet/pcap.ho', Pcap Module
info core: setting packet mode to pass-through
info core: loading rule file 'hellopacket.lua'
info core: initializing thread 0
info dissector: register new dissector 'raw'
info pcap: opening file 'hellopacket.pcap'
info dissector: register new dissector 'ipv4'
info dissector: register new dissector 'tcp'
info dissector: register new dissector 'tcp-connection'
info core: 1 rule(s) on event 'ipv4:receive_packet'
info core: 1 rule(s) on event 'tcp-connection:new_connection'
info core: 2 rule(s) registered
info core: starting single threaded processing
info pcap: progress 10,23 %
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: TCP connection from 192.168.10.1:47161 to 192.168.10.99:3000
info alert: id = 1
        time = Wed Apr 23 15:13:40 2014
        severity = low
        description = A simple alert !!!!
info Hello: packet from 192.168.10.99 to 192.168.10.1
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: packet from 192.168.10.99 to 192.168.10.1
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: packet from 192.168.10.99 to 192.168.10.1
info Hello: packet from 192.168.10.1 to 192.168.10.99
info core: unload module 'Pcap Module'
Each new connection and each packet is properly logged. The pcap file is a standard format that can be opened by various network tools, including Wireshark.
Below is the content of the hellopacket.lua file:
------------------------------------
-- Loading dissectors
------------------------------------
-- Each dissector provides hooks to intercept and modify packets.
-- We need ipv4 to intercept incoming packets
-- We need tcp_connection to intercept new connections
local ipv4 = require('protocol/ipv4')
local tcp_connection = require('protocol/tcp_connection')

-- Log info about incoming ipv4 packets
haka.rule{
    -- Rule evaluated whenever a new ipv4 packet is received
    hook = ipv4.events.receive_packet,
    -- Evaluation function taking the ipv4 packet structure
    -- as argument
    eval = function (pkt)
        -- All fields are accessible through the pkt variable.
        -- See the Haka documentation for a complete list.
        haka.log("packet from %s to %s", pkt.src, pkt.dst)
    end
}

-- Log info about connection establishments
haka.rule{
    -- Rule evaluated at connection establishment attempt
    hook = tcp_connection.events.new_connection,
    -- Evaluation function taking the connection flow and the
    -- tcp packet that opened it as arguments
    eval = function (flow, tcp)
        -- Fields from the previous layer are accessible too
        haka.log("TCP connection from %s:%d to %s:%d", tcp.ip.src,
            tcp.srcport, tcp.ip.dst, tcp.dstport)
        -- Raise a simple alert for testing purposes
        haka.alert{
            description = "A simple alert",
            severity = "low"
        }
    end
}
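Building on the same two hooks, the following is an added example (not part of the Haka sample or its documentation) that keeps a small per-source state table and raises one alert when a source opens an unusual number of connections or contacts many distinct destination ports. It uses only the calls shown in hellopacket.lua; it assumes that ipv4 addresses convert to strings with tostring(), and the thresholds are constructed values chosen for illustration.

```lua
-- Added example, not part of the Haka hellopacket sample.
-- Uses only the API shown above: haka.rule, tcp_connection events,
-- haka.log and haka.alert.
local ipv4 = require('protocol/ipv4')
local tcp_connection = require('protocol/tcp_connection')

-- Per-source state for the lifetime of the hakapcap run: number of
-- new connections seen and the set of distinct destination ports.
local sources = {}

-- Constructed thresholds: alert once a single source has opened more
-- than MAX_CONN connections or touched more than MAX_PORTS ports.
local MAX_CONN = 20
local MAX_PORTS = 5

haka.rule{
    hook = tcp_connection.events.new_connection,
    eval = function (flow, tcp)
        -- Assumption: the address object renders via tostring(),
        -- as it does with the %s format in haka.log above.
        local src = tostring(tcp.ip.src)
        local state = sources[src]
        if not state then
            state = { conns = 0, ports = {}, nports = 0, alerted = false }
            sources[src] = state
        end
        state.conns = state.conns + 1
        if not state.ports[tcp.dstport] then
            state.ports[tcp.dstport] = true
            state.nports = state.nports + 1
        end
        haka.log("connection %d from %s to %s:%d (%d distinct ports)",
            state.conns, src, tcp.ip.dst, tcp.dstport, state.nports)
        -- One alert per source, not one per connection, so a noisy
        -- host does not flood the alert log.
        if not state.alerted and
           (state.conns > MAX_CONN or state.nports > MAX_PORTS) then
            state.alerted = true
            haka.alert{
                description = string.format(
                    "%s opened %d connections to %d distinct ports",
                    src, state.conns, state.nports),
                severity = "low"
            }
        end
    end
}
```

Run it the same way as the sample (hakapcap <file>.pcap <script>.lua); the alert appears in the output in the same "info alert:" block format shown above.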