[Courses] [Security] netstat status field

Hamster hamster at hamsternet.org
Mon Mar 11 19:14:02 EST 2002


Raven,

I hope this big OOOHHHHHHHH AAHHHHHH!!!! shows that I now understand perfectly, and thank you again!!!

That makes much more sense too now about the winxp raw sockets issue....

H


> Heya --
> 
> Quoth Hamster (Mon, Mar 11, 2002 at 05:43:18PM +0100):
> > I'm still a bit confuzzed by something though. If raw mode packets are not passing through the normal tcp/ip encapsulation bizzo, then how/what/who is encapsulating the packet with the headers that include (amongst all the other info) destination address, and the checksum footers?
> 
> 	The application that takes the data from the raw socket has to
> do it.  It puts a lot more responsibility on that program to create
> correctly formed headers, etc.  It's not that those headers don't get
> created -- if they didn't, you're right, the packet wouldn't be able to
> go anywhere.  It's that they get made by the program taking data from
> the socket, rather than the TCP/IP stack in the kernel.
> 
> 	Most programs find it easier to let the kernel do their packet
> mangling for them.  But a lot of security programs can use raw sockets
> and write their own packets.  The TCP/IP stack in the kernel is written
> so that it makes good packets, and sends out good packets appropriate to
> the connection.  But sometimes (stress testing, nmapping) you want to
> make bad packets, to see if your remote system can handle that without
> erroring horribly.  For things like this, you want to bypass the
> kernel's TCP/IP stack.  
> 
> > I am reasonably familiar with the normal 7 layer osi model, and am curious how something bypasses this (esp the network layer).
> 
> 	It doesn't bypass IP.  It's just a matter of which program
> writes the packet headers.  Normally it's the kernel.  With raw sockets,
> it can be something else.  RavensPacketMakerDaemon or whatever the
> programmer chooses to write.
> 
> 	Does that make more sense?
> 
> Cheers,
> Raven
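Added example, not part of the original thread: a Python sketch of the header work Raven describes falling to the application when it uses a raw socket. It packs a 20-byte IPv4 header and computes the RFC 1071 header checksum itself, then validates it the way a receiver would. The function names are hypothetical, the sample addresses are constructed, and nothing is sent on the wire.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:                      # pad odd-length input with a zero byte
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_TCP,
                      ident=0, flags_frag=0x4000, ttl=64) -> bytes:
    """Build the 20-byte option-less IPv4 header the kernel would normally write."""
    def pack(checksum):
        return struct.pack(
            "!BBHHHBBH4s4s",
            (4 << 4) | 5,                  # version 4, IHL = 5 words (20 bytes)
            0,                             # DSCP/ECN
            20 + payload_len,              # total length: header plus payload
            ident,
            flags_frag,                    # 0x4000 = Don't Fragment, offset 0
            ttl,
            proto,
            checksum,
            socket.inet_aton(src),
            socket.inet_aton(dst),
        )
    # The checksum is computed over the header with its checksum field zeroed.
    return pack(inet_checksum(pack(0)))


def header_is_valid(header: bytes) -> bool:
    """Receiver-side check: summing a correct header, checksum included, gives 0."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False
    ihl_bytes = (header[0] & 0x0F) * 4
    if ihl_bytes < 20 or len(header) < ihl_bytes:
        return False
    return inet_checksum(header[:ihl_bytes]) == 0


if __name__ == "__main__":
    # Constructed sample: private-range addresses, 95-byte UDP payload.
    hdr = build_ipv4_header("192.168.0.1", "192.168.0.199", 95,
                            proto=socket.IPPROTO_UDP)
    print(hdr.hex(), header_is_valid(hdr))
```

On Linux, raw(7) documents that even with IP_HDRINCL set the kernel still fills in the IP checksum and total length, so the application's responsibility in practice covers the remaining header fields and everything above IP.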



