lpt - The Linux Packet Tracer

Simulating an IP packet traversing the Linux kernel.

Content

  1. Content (this section)
  2. About
  3. Getting The Source
  4. Invokation
  5. How it works
  6. Todo

About

Troubleshooting network access problems can be error-prone and tedious. Overlooking rules in long and complex filter rules is too easy and failures caused by routing and NAT do the rest.

lpt simulates an IP packet traversing the Linux kernel and prints out what happens as it progresses through the security features of the kernel and quickly determine wether or not the packet will pass.

lpt was inspired by the Cisco ASA command line utility packet-tracer. It is not about Ciscos network simulator with the same name.

lpt works for IPv4 and IPv6. The corresponding protocol is automatically detected by the IP addresses provided.

↑ Top of page ↑

Getting the source

General

I use GIT repositories, hosted on sourceforge as my version control system of choice - and I recommend you read up on the Git documentation.

The webpage is hosted here and I use sourceforges Ticketsystem to keep track of bugs, etc. There is also a Mailinglist, currently not used by anyone but me, so I need some more advertisments for it :-)
(Note: you have to login to sourceforge in order to use the trackers and mailinglists)

If you wish to contribute to development, feel free. To get started, you're probably best off sending me an email, or just checking out repositories and sending me patches via git diff. The Patchtracker is also a good place to put diffs.

About GIT

GIT is a source code management tool. You must have a recent version of git installed on your system in order to get the sources of fgms. Cygwin and most modern linux distributions offer an installable git package that should work great.
On this page I describe how to get the sources with the (unix) command line client. If you use another operating system or client, I can't assist you. If you have experience with other operating systems/clients, feel free to send me a description of how you get the sources with it.

Prerequisites

lpt has only one dependency: iptables-dev
So simply installing the corresponding packet should suffice.

However, in order to compile the source into an executable file you need a working build environment preinstalled on your system:

Step 1 - creating a directory for the sources

cd /some/path

Step 2 - checking out the sources

# git clone git://git.code.sf.net/p/linuxpackettracer/code linuxpackettracer

Step 3 - compiling the source

Configure and compile the sources:

# cd lpt

# ./autogen.sh

# ./configure

# make

↑ Top of page ↑

Invocation

You can envoke lpt in different ways.
First you can simply execute it without any parameters, in which case all parameters are read from stdin.
Second: You can call it with the following commandline parameters:
lpt src-ifc tcp src-ip src-port dst-ip dst-port
lpt src-ifc udp src-ip src-port dst-ip dst-port
lpt src-ifc icmp src-ip icmp-type icmp-code [icmp-identifier|dst-ip]
lpt src-ifc rawip src-ip proto-id dst-ip

Example invocation

  koala #13 ./lpt eth0 tcp 141.1.1.1 23 217.78.131.44 80

lpt - Linux Packet Tracer
v0.2 (c) 2013-2015 Oliver Schroeder 

PHASE 1: checking source route
  ingress interface by route is eth0
  RESULT: ACCEPT

PHASE 2: checking mangle PREROUTING
  checking mangle: PREROUTING
  chain mangle: PREROUTING is empty
  RESULT: ACCEPT

PHASE 3: checking nat PREROUTING
  checking nat: PREROUTING
  chain nat: PREROUTING is empty
  RESULT: ACCEPT

PHASE 4: checking destination route
  egress interface by route is venet0
  destination is locallly connected.
  RESULT: ACCEPT

PHASE 5: checking mangle INPUT
  checking mangle: INPUT
  chain mangle: INPUT is empty
  RESULT: ACCEPT

PHASE 6: checking filter INPUT
  checking filter: INPUT
  matched by    rule   src: 0.0.0.0/0  dst: 0.0.0.0/0 target: STANDARD
  ACTION: check target 'STANDARD'	=>   checking filter: STANDARD
    rule   src: 0.0.0.0/0  dst: 217.78.131.44/32  -p tcp tcp dport 80 target: ACCEPT  RESULT: ACCEPTED by configured rule

PHASE 7: checking mangle OUTPUT
  checking mangle: OUTPUT
  chain mangle: OUTPUT is empty
  RESULT: ACCEPT

PHASE 8: checking nat OUTPUT
  checking nat: OUTPUT
  chain nat: OUTPUT is empty
  RESULT: ACCEPT

PHASE 9: checking destination reroute

PHASE 10: checking filter OUTPUT
  checking filter: OUTPUT
  matched by    rule   src: 0.0.0.0/0  dst: 0.0.0.0/0 target: STANDARD
  ACTION: check target 'STANDARD'	=>   checking filter: STANDARD
    rule   src: 0.0.0.0/0  dst: 217.78.131.44/32  -p tcp tcp dport 80 target: ACCEPT  RESULT: ACCEPTED by configured rule

PHASE 11: checking mangle POSTROUTING
  checking mangle: POSTROUTING
  chain mangle: POSTROUTING is empty
  RESULT: ACCEPT

PHASE 12: checking nat POSTROUTING
  checking nat: POSTROUTING
  chain nat: POSTROUTING is empty
  RESULT: ACCEPT

summary:
  src ip : 141.1.1.1 via eth0 gateway 217.78.131.41
  dst ip : 217.78.131.44 via venet0 locally connected
The packet is finally: ACCEPTED
completed!

  koala #14 

↑ Top of page ↑

How it works

LPT does not really create an IP packet and track its traces through the kernel. It reads in some basic parameters (source and destination IP address) and gets from the kernel the relevant information in the different stages. E.g. it reads the routing information to see where it would get routed, read in filter rules and parses them one by one etc.

↑ Top of page ↑

TODO

LPT is currently in ALPHA stadium, meaning that there still some points to work out:

↑ Top of page ↑


copyright © 1997-2018  Oliver Schroeder (remove XYZ)