I'm trying to create a small service that monitors and kills sockets which have the FIN flag. I can get them with tcpdump (I also tried tcp[13] & 1):
tcpdump "tcp[tcpflags] & tcp-fin != 0"
tcpkill is suppose to use the same interface as tcpdump, but it isn't working the same. I've tried a bunch of commands, but it should just be (-i eth0 optional):
tcpkill -9 "tcp[tcpflags] & tcp-fin != 0"
Which says (but nothing else, successful tcpkill outputs data):
tcpkill: listening on eth0 [tcp[tcpflags] & tcp-fin != 0]
Looking at the source, it should be passing the correct filter to pcap (between the [ ] brackets). Using a perl script with Net::Pcap I can determine the filter works fine. I don't know what I'm doing wrong, or if it's an older version of tcpkill/pcap that's an issue. Any help with tcpkill or help using perl's Net::Pcap to kill sockets would be appreciated. Thanks!
#!/usr/bin/perl
use strict;
use warnings;
use Net::Pcap;
my $err = '';
my $dev = 'eth0';
my ($address, $netmask);
Net::Pcap::lookupnet($dev, \$address, \$netmask, \$err);
my $pcap = Net::Pcap::open_live($dev, 1500, 1, 0, \$err);
my $filter;
Net::Pcap::compile($pcap, \$filter, "tcp[tcpflags] & tcp-fin != 0", 0, $netmask);
Net::Pcap::setfilter($pcap, $filter);
while(1)
{
Net::Pcap::loop($pcap, 1, \&process_packet, "packet found");
}
Net::Pcap::close($pcap);
sub process_packet
{
my($user_data, $header, $packet) = @_;
print "$user_data\n";
}
exit 0;
Best Answer
Looking at the source code for tcpkill, it uses libnet to generate a RST packet(s) to kill a given TCP connection. I'm not sure why it's not working (though verifying the PCAP version it was built against is a great place to start). You can also use tcpdump to look for the RST packets it should be sending out.
Regarding implementing the equivalent in Perl, I once had to do something sort of similar. Below is (untested!) code which might point you in the right direction.
tcpkill is more refined in terms of attempting to figure out the correct sequence number, which is what the -1..9 flags are for. Have you tried using different values for that flag?