[Courses] [Security] netstat status field

Raven, corporate courtesan raven at oneeyedcrow.net
Mon Mar 11 13:36:17 EST 2002


Heya --

Quoth Hamster (Mon, Mar 11, 2002 at 05:43:18PM +0100):
> I'm still a bit confuzzed by something though. If raw mode packets are not passing through the normal TCP/IP encapsulation bizzo, then how/what/who is encapsulating the packet with the headers that include (amongst all the other info) destination address, and the checksum footers?

	The application that takes the data from the raw socket has to
do it.  It puts a lot more responsibility on that program to create
correctly formed headers, etc.  It's not that those headers don't get
created -- if they didn't, you're right, the packet wouldn't be able to
go anywhere.  It's that they get made by the program taking data from
the socket, rather than the TCP/IP stack in the kernel.

	Most programs find it easier to let the kernel do their packet
mangling for them.  But a lot of security programs can use raw sockets
and write their own packets.  The TCP/IP stack in the kernel is written
so that it makes good packets, and sends out good packets appropriate to
the connection.  But sometimes (stress testing, nmapping) you want to
make bad packets, to see if your remote system can handle that without
erroring horribly.  For things like this, you want to bypass the
kernel's TCP/IP stack.

> I am reasonably familiar with the normal 7-layer OSI model, and am curious how something bypasses this (esp. the network layer).

	It doesn't bypass IP.  It's just a matter of which program
writes the packet headers.  Normally it's the kernel.  With raw sockets,
it can be something else.  RavensPacketMakerDaemon or whatever the
programmer chooses to write.

	Does that make more sense?

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
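To make the reply concrete, here is an added example (not code from Raven's post or from the list) of the header work a program takes on when it writes packets through a raw socket: it builds the IPv4 header and a TCP header itself, computes both checksums the way the kernel stack normally would, and then runs the receiver-side check that a correct stack applies before accepting a packet. The addresses and ports are constructed sample values; IP_HDRINCL is the real socket option that tells the kernel the IP header is already in the buffer. Nothing is sent on the wire.

```python
# Added example (not code from Raven's post): the header work an application
# takes on when it writes packets through a raw socket instead of letting the
# kernel's TCP/IP stack do it. Addresses and ports below are constructed
# sample values; IP_HDRINCL is the real BSD/Linux socket option that tells
# the kernel "the IP header is already in the buffer". Nothing here is sent.
import socket
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = socket.IPPROTO_TCP, ttl: int = 64,
                      ident: int = 0x1234) -> bytes:
    """Version/IHL, TOS, total length, ID, flags (DF set), TTL, proto, checksum, addresses."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, IPV4_HDR_LEN + payload_len, ident,
                         0x4000, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(fields)  # computed with the checksum field still zero
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The TCP checksum also covers this pseudo-header built from IP-layer fields."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_header(src: str, dst: str, sport: int, dport: int,
                     seq: int = 0, ack: int = 0, flags: int = 0x02,
                     window: int = 65535, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP header; flags=0x02 is SYN. Checksum spans pseudo-header + segment."""
    fields = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         (TCP_HDR_LEN // 4) << 4, flags, window, 0, 0)
    csum = inet_checksum(tcp_pseudo_header(src, dst, len(fields) + len(payload))
                         + fields + payload)
    return fields[:16] + struct.pack("!H", csum) + fields[18:]


def build_syn_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IP header + TCP SYN, the buffer a raw socket opened with IP_HDRINCL expects."""
    tcp = build_tcp_header(src, dst, sport, dport)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def ipv4_checksum_ok(ip_hdr: bytes) -> bool:
    """Receiver-side check: summing a header that includes its own checksum yields 0."""
    return inet_checksum(ip_hdr) == 0


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Same check for TCP; note it fails if the IP addresses do not match the pseudo-header."""
    return inet_checksum(tcp_pseudo_header(src, dst, len(segment)) + segment) == 0


def parse_ipv4_header(ip_hdr: bytes) -> dict:
    """What a receiving stack pulls out before deciding whether to accept the packet."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:IPV4_HDR_LEN])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "total_len": total_len,
            "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum_ok(ip_hdr[:IPV4_HDR_LEN])}


if __name__ == "__main__":
    pkt = build_syn_packet("192.0.2.10", "192.0.2.20", 40000, 22)
    print(parse_ipv4_header(pkt))
    # The raw-socket hand-off the post describes would look like this (needs
    # root; deliberately not executed here):
    #   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    #   s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    #   s.sendto(pkt, ("192.0.2.20", 0))
    # A "bad packet" of the stress-testing kind is one where the sender got the
    # header arithmetic wrong; the receiver's checksum check is what catches it:
    damaged = bytes([pkt[0] ^ 0x01]) + pkt[1:]
    print(ipv4_checksum_ok(damaged[:IPV4_HDR_LEN]))  # False
```

The point of the two `_ok` functions is the one Raven makes: the headers are still there and IP is still in the path, the only difference is who wrote them. When the kernel does it, these sums are always right; when an application does it through a raw socket, the receiving stack's checksum test is the first thing that rejects a malformed packet, which is exactly why stress-testing tools want the raw path.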


