5.1. Hellopacket
5.1.1. Introduction
Every language needs a "helloworld". Haka, being as much a language as a network tool, needs its own helloworld, called "hellopacket".
This "hellopacket" reads a pcap file and prints a few TCP/IP fields of each packet in the file.
5.1.2. How-to
Launch hakapcap with a pcap file and a lua script file as arguments.
$ cd <haka_install_path>/share/haka/sample/hellopacket
$ hakapcap hellopacket.pcap hellopacket.lua
Hakapcap first dumps information about the registered dissectors and rules, then processes the pcap file, outputting information on each packet (source and destination, connection establishment, etc.):
info core: load module 'packet/pcap.ho' Pcap Module, Arkoon Network Security
info core: loading rule file 'hellopacket.lua'
info core: initializing thread 0
info pcap: openning file 'hellopacket.pcap'
info core: registering new dissector: 'ipv4'
info core: registering new dissector: 'tcp'
info core: registering new dissector: 'tcp-connection'
info core: 1 rule(s) on hook 'ipv4-up'
info core: 1 rule(s) on hook 'tcp-connection-new'
info core: 2 rule(s) registered
info core: starting single threaded processing
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: TCP connection from 192.168.10.1:47161 to 192.168.10.99:3000
info Hello: packet from 192.168.10.99 to 192.168.10.1
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: packet from 192.168.10.99 to 192.168.10.1
info Hello: packet from 192.168.10.1 to 192.168.10.99
info Hello: packet from 192.168.10.99 to 192.168.10.1
info Hello: packet from 192.168.10.1 to 192.168.10.99
info core: unload module 'Pcap Module'
Each new connection and each packet is logged. The pcap file is a standard capture format that can be opened by various network tools, including Wireshark.
Below is the content of the hellopacket.lua file:
------------------------------------
-- This is an example lua file for the hellopacket tutorial
--
-- Use this file with hakapcap tool:
--
-- hakapcap hellopacket.pcap hellopacket.lua
--
------------------------------------

------------------------------------
-- Loading dissectors
------------------------------------
-- Each dissector provides hooks to intercept and modify packets.
-- We need ipv4 to intercept incoming packets
-- We need tcp to intercept new connections
require('protocol/ipv4')
require('protocol/tcp')

------------------------------------
-- Log all incoming packets, reporting the source and destination IP address
------------------------------------
haka.rule{
    -- Intercept all ipv4 packets before they are passed to tcp
    hooks = { 'ipv4-up' },
    -- Function to call on all packets.
    -- self : the dissector object that handles the packet (here, ipv4 dissector)
    -- pkt : the packet that we are intercepting
    eval = function (self, pkt)
        -- All fields are accessible through accessors
        -- See the Haka documentation for a complete list.
        haka.log("Hello", "packet from %s to %s", pkt.src, pkt.dst)
    end
}

------------------------------------
-- Log all new connections, logging address and port of source and destination
------------------------------------
haka.rule{
    -- Intercept connection establishment, detected by the TCP dissector
    hooks = { 'tcp-connection-new' },
    eval = function (self, pkt)
        -- Fields from the previous layer are accessible too
        haka.log("Hello", "TCP connection from %s:%d to %s:%d", pkt.tcp.ip.src,
            pkt.tcp.srcport, pkt.tcp.ip.dst, pkt.tcp.dstport)
        -- Raise a simple alert for testing purposes
        haka.alert{
            description = "A simple alert",
            severity = "low"
        }
    end
}
5.1.3. Going further
All fields can be accessed, read and modified. The fields are named similarly to Wireshark's. For example, you can get the IP version, TTL or protocol number simply by using pkt.version, pkt.ttl or pkt.proto.
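The rule below is an added example, not part of the hellopacket tutorial or of the Haka distribution. It uses the ipv4 accessors named above (pkt.version, pkt.ttl, pkt.proto, pkt.src, pkt.dst) together with haka.log and haka.alert exactly as the hellopacket.lua above does, to flag packets arriving with an unusually low TTL, a pattern seen in traceroute probes and in TTL-based IDS evasion, where an attacker inserts packets that reach the sensor but expire before the host. The TTL_MIN threshold is a value chosen for this example, and pkt:drop() is assumed to be the ipv4 dissector's method for discarding a packet; neither appears on this page.

```lua
-- Added example rule (not the tutorial's own code). Run it the same way as
-- hellopacket.lua:
--
--   hakapcap hellopacket.pcap lowttl.lua
--
require('protocol/ipv4')
require('protocol/tcp')

-- Assumption: threshold picked for this example; Haka defines no default.
-- Normal stacks start at 64, 128 or 255, so anything below 5 has crossed
-- an implausible number of hops for a LAN capture.
local TTL_MIN = 5

haka.rule{
    -- Same hook as the tutorial's first rule: every ipv4 packet, before tcp.
    hooks = { 'ipv4-up' },
    eval = function (self, pkt)
        -- Read the accessors listed in "Going further"; tostring() is used
        -- because pkt.src / pkt.dst are address objects, not plain strings.
        haka.log("Hello", "ipv4 version %d proto %d ttl %d from %s to %s",
            pkt.version, pkt.proto, pkt.ttl,
            tostring(pkt.src), tostring(pkt.dst))

        if pkt.ttl < TTL_MIN then
            -- Same alert shape as the tutorial: description plus severity.
            haka.alert{
                description = string.format("low TTL %d from %s to %s",
                    pkt.ttl, tostring(pkt.src), tostring(pkt.dst)),
                severity = "low"
            }
            -- Assumption: pkt:drop() discards the packet so it is not passed
            -- on to the tcp dissector or further rules. Not shown on this page.
            pkt:drop()
        end
    end
}
```

When replaying a capture with hakapcap nothing is actually forwarded, so the drop only changes which later hooks fire; the same rule loaded into a live Haka instance would filter the packet. The TTL check is deliberately simple: a real deployment would also compare the TTL against the value seen on earlier packets of the same connection, since a sudden drop of dozens of hops within one flow is the actual evasion signal.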
See also
ipv4 for a list of all ipv4 accessors, and tcp for a list of all tcp accessors.