From owner-freebsd-net@FreeBSD.ORG Sat Mar 22 02:47:10 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C054D1065673 for ; Sat, 22 Mar 2008 02:47:10 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from outA.internet-mail-service.net (outA.internet-mail-service.net [216.240.47.224]) by mx1.freebsd.org (Postfix) with ESMTP id 9DD418FC1B for ; Sat, 22 Mar 2008 02:47:10 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.40) with ESMTP; Fri, 21 Mar 2008 19:48:19 -0700
Received: from julian-mac.elischer.org (localhost [127.0.0.1]) by idiom.com (Postfix) with ESMTP id CA99F2D6011; Fri, 21 Mar 2008 19:47:09 -0700 (PDT)
Message-ID: <47E4732D.5050807@elischer.org>
Date: Fri, 21 Mar 2008 19:47:09 -0700
From: Julian Elischer
User-Agent: Thunderbird 2.0.0.12 (Macintosh/20080213)
MIME-Version: 1.0
To: Alireza Torabi
References: <20080321063517.GK85901@server.vk2pj.dyndns.org> <47E3FB93.1080501@elischer.org>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: bpf packet capture and SOCK_STREAM socket redirects...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 22 Mar 2008 02:47:10 -0000

Ok, I have read this again. I think you are trying to hijack a session before the intended target can start it up... but you have some problems.

The original packets will continue on to the intended server, so it will respond as well. And when the session you have created starts talking, that original server is going to start sending you lots of resets.
They MAY or MAY NOT (depending on the client OS) reset your session. We do something almost exactly like this sometimes, but we have a mechanism to stop the original packets.

As long as the port is in promiscuous mode, you should be able to just use

    ipfw add 100 fwd 127.0.0.1,1000 tcp from any to any 80 in recv em0 setup

where em0 is your span NIC and your dummy server is listening on port 1000 on 127.0.0.1. It will respond faster than the remote server (assuming port 80 here) and will supply a sequence number that the intended window will fail to match.

You can force the interface into promiscuous mode in several ways, including using netgraph and ifconfig.
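The failure mode Julian describes leaves a clear trace on the wire: one client SYN is answered by two SYN-ACKs carrying different initial sequence numbers (the fast redirected responder and the late real server), and the real server then emits resets because the client's ACK does not fit its window. The following detector, added here as an example and not code from this thread or from FreeBSD, flags exactly that symptom from packet summaries. The packet records, the `Pkt`/`FlowState` classes and the addresses in `SAMPLE` are constructed for illustration; a real deployment would feed it the TCP fields from a bpf/pcap reader on the span port.

```python
"""Flag TCP handshakes that were answered by more than one responder.

Symptom: one client SYN, two SYN-ACKs with different ISNs, followed by RSTs
from the server address once the client ACKs the 'wrong' ISN.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# TCP flag bits as laid out in the RFC 793 header
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Pkt:
    """Minimal TCP summary: the fields a bpf/pcap reader would hand us (hypothetical record type)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int


@dataclass
class FlowState:
    syn_seen: bool = False
    synack_isns: List[int] = field(default_factory=list)  # distinct ISNs seen in SYN-ACKs
    rsts_after_conflict: int = 0  # RSTs from the server side after a second ISN appeared


# Flow key in the client -> server direction: (client ip, client port, server ip, server port)
FlowKey = Tuple[str, int, str, int]


def analyze(packets: List[Pkt]) -> Dict[FlowKey, FlowState]:
    """Walk packets in capture order and collect per-flow handshake state."""
    flows: Dict[FlowKey, FlowState] = defaultdict(FlowState)
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            # Client opening a connection: this defines the flow
            flows[(p.src, p.sport, p.dst, p.dport)].syn_seen = True
            continue
        # Everything else we track comes back from the server, so flip the tuple
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in flows:  # membership test does not create a defaultdict entry
            continue
        st = flows[key]
        if (p.flags & (SYN | ACK)) == (SYN | ACK):
            if p.seq not in st.synack_isns:
                st.synack_isns.append(p.seq)  # a new ISN for the same SYN is the tell
        elif p.flags & RST and len(st.synack_isns) > 1:
            st.rsts_after_conflict += 1  # the losing responder rejecting the client's ACK
    return dict(flows)


def competing_handshakes(packets: List[Pkt]) -> Dict[FlowKey, FlowState]:
    """Return only the flows whose SYN was answered with more than one ISN."""
    return {k: st for k, st in analyze(packets).items() if len(st.synack_isns) > 1}


# Constructed sample capture (addresses from the RFC 5737 documentation ranges)
C, S = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    Pkt(C, 40000, S, 80, SYN, 1000, 0),             # client opens
    Pkt(S, 80, C, 40000, SYN | ACK, 5000, 1001),    # fast answer from the redirected responder
    Pkt(C, 40000, S, 80, ACK, 1001, 5001),          # client completes the handshake on ISN 5000
    Pkt(S, 80, C, 40000, SYN | ACK, 777000, 1001),  # late answer from the real server, other ISN
    Pkt(S, 80, C, 40000, RST, 5001, 0),             # real server resets the out-of-window ACK
    Pkt(S, 80, C, 40000, RST, 5001, 0),
    Pkt(S, 80, C, 40000, RST, 5001, 0),
    Pkt(C, 40001, S, 80, SYN, 2000, 0),             # an ordinary handshake for contrast
    Pkt(S, 80, C, 40001, SYN | ACK, 9000, 2001),
    Pkt(C, 40001, S, 80, ACK, 2001, 9001),
]

if __name__ == "__main__":
    for key, st in competing_handshakes(SAMPLE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: "
              f"ISNs {st.synack_isns}, {st.rsts_after_conflict} RST(s) after conflict")
```

The check keys on the first SYN only, so retransmitted SYN-ACKs from one responder (same ISN) do not trigger it; only a second, different ISN for the same handshake does, which is the signature of a racing responder on a span or mirror port rather than ordinary retransmission.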