Each process is assigned a port number when using a network resource. A process can only send and receive network data on its assigned port number.

How does the kernel allow security programs like IDS, IPS and Wireshark to receive all network data that does not belong to them? What system calls or library routines are involved that allow this?

  • This question is way too broad and sounds like it is soliciting an illegal act. Voting to close. Commented Apr 3, 2014 at 1:38
  • Why is it soliciting an illegal act? I just do not understand how security programs can have access to network data that does not belong to them. This question is a continuation of these questions: 1 and 2 Commented Apr 3, 2014 at 1:42
  • And programming questions (of that kind) are off-topic here anyway. The short answer is: You need a raw socket. Commented Apr 3, 2014 at 1:45
  • How does a raw socket allow a program to receive network data that does not belong to it? In my knowledge, a process is assigned a port number and only receives network data on that port number. How does the kernel allow this? Commented Apr 3, 2014 at 1:52

1 Answer


It's not so much how as why...

The point of port numbers is to restrict and delimit incoming data which is already available to the system, so it is not that a raw socket has special powers bestowed by the kernel, inasmuch as it is the reverse: a normal (i.e., not raw) IP socket has the special power of being specifically addressable.

As an analogy, consider a stained glass window as an IP port-numbered socket and a transparent window as a raw socket. It is not that the latter receives more information, it's that it filters out less. The analogy also makes light of the situation insofar as it is not the kernel which creates the situation, it is the physical nature of networking. The kernel does not go out of its way to get the information any more than a window goes out of its way to get sunlight: the sunlight is already there and comes from outside the system.

  • Does it mean a program can be set up to receive network data from any port number? And it is by using a raw socket? Commented Apr 3, 2014 at 2:28
  • I believe so, yes. I haven't done it as this would count as "reinventing the wheel" in a very obvious and probably inefficient way. Commented Apr 3, 2014 at 2:34
  • What does it mean by 'reinventing the wheel'? Commented Apr 3, 2014 at 2:35
  • If you want to receive data on a specific port, use a port-numbered socket. They're already implemented. Another analogy: if you have two phone lines in your house, would you pay more or less if both lines received the same thing, or better yet, everything within your area code? "Reinventing the wheel" means you pay for the latter and then implement a filter so that you can make and receive normal calls. Why bother to do that when a normal phone line will do it for you? Getting everyone's calls on one line would not be considered useful for most purposes. Commented Apr 3, 2014 at 2:42
  • Getting everyone's calls on one line would not be considered useful for most purposes - but useful for security programs to analyze network data, right? Are there any preventive methods to allow/disallow ports to a program? Does an application layer firewall do this? The idea is to allow/disallow ports for a program like Wireshark to receive network data. Are there any methods to prevent non-root users from writing programs that use network sockets, especially raw sockets? Commented Apr 3, 2014 at 2:52

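The "transparent window" from the answer, as an added example that is not part of the original question or answer. On Linux, a raw `AF_PACKET` socket hands the program every Ethernet frame the interface sees, and the program has to do the port demultiplexing itself that the kernel would have done for a normal bound TCP/UDP socket; `frame_matches_port` is that filter. Creating the socket requires the `CAP_NET_RAW` capability (root by default), which is also what stops an ordinary user from sniffing. The interface name `eth0`, the port `53` and the sample frame are constructed for illustration.

```c
/* Added example (not from the original post): a raw AF_PACKET socket that
 * receives every frame on an interface, plus the port filter a bound socket
 * would otherwise get for free. Linux-specific; needs CAP_NET_RAW to run. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Report whether an Ethernet frame carries IPv4 TCP (6) or UDP (17) whose
 * source or destination port equals `port`. Returns 1 on match, 0 on no
 * match, -1 if the frame is too short or is not IPv4 TCP/UDP. Byte arithmetic
 * is used instead of struct casts to avoid alignment and endianness traps. */
int frame_matches_port(const uint8_t *frame, size_t len, uint16_t port,
                       uint16_t *proto_out)
{
    if (len < 14 + 20) return -1;                       /* Ethernet + min IPv4 */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETH_P_IP) return -1;               /* 0x0800 only */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return -1;                   /* IPv4 version nibble */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* header length */
    if (ihl < 20 || len < 14 + ihl + 4) return -1;      /* need the port fields */
    uint8_t proto = ip[9];
    if (proto != 6 && proto != 17) return -1;
    const uint8_t *l4 = ip + ihl;
    uint16_t sport = (uint16_t)((l4[0] << 8) | l4[1]);
    uint16_t dport = (uint16_t)((l4[2] << 8) | l4[3]);
    if (proto_out) *proto_out = proto;
    return (sport == port || dport == port) ? 1 : 0;
}

/* Open a raw socket bound to one interface. socket() fails with EPERM when
 * the caller lacks CAP_NET_RAW. Returns the descriptor or -1. */
int open_raw_socket(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 ||
        bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed sample: Ethernet + IPv4 + UDP header, 10.0.0.1:49152 -> 10.0.0.2:53,
 * no payload and zero checksums. Used to exercise the filter offline. */
const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00,
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0xc0, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";          /* assumed name */
    uint16_t port = argc > 2 ? (uint16_t)atoi(argv[2]) : 53;   /* assumed port */
    int fd = open_raw_socket(ifname);
    if (fd < 0) { perror("raw socket (needs CAP_NET_RAW)"); return 1; }
    uint8_t buf[65536];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);   /* every frame, any port */
        if (n < 0) { perror("recv"); break; }
        uint16_t proto;
        if (frame_matches_port(buf, (size_t)n, port, &proto) == 1)
            printf("%s frame, %zd bytes, touches port %u\n",
                   proto == 6 ? "TCP" : "UDP", n, port);
    }
    close(fd);
    return 0;
}
```

Run as root with `./sniff eth0 53`. The `recv` loop is the stained-glass-versus-clear-window point made concrete: the kernel delivers every frame regardless of port, and `frame_matches_port` is the glass the program has to paint itself. Without `CAP_NET_RAW` the `socket()` call fails, which is the kernel's existing answer to restricting who may open such a window.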