Network Tool Development with hping3
by Federico Biancuzzi
In 1998, Salvatore Sanfilippo, also known as antirez, presented a new network scanning technique based on the IP ID field. While working as a security researcher, he started learning C to develop a tool called hping. That tool, later called hping2, is so good that it still holds position No. 6 in the Top 75 Security Tools list compiled from the nmap-hackers mailing list.
However, Salvatore was not satisfied with the code, and he started a new project. The result is so good that it could change the way network security specialists work. Until now, we have used tools such as nmap or hping2 for specific tasks: automated scans with nmap, manual probes with hping2, and so on. People who needed particular features had only two options: writing a patch for an existing tool or developing a brand-new tool, probably based on
Maybe hping3 will change this approach. It is at once a simple tool and a complete, scriptable framework for network analysis. The key is an embedded Tcl interpreter that talks to the C core: anyone, even a novice programmer, can implement one of nmap's well-known scan types in a short Tcl script. The novelty is no longer in writing one famous tool, but in providing a means of creating an open-ended set of features.
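To make the claim concrete, here is what a minimal SYN scan looks like as an hping3 Tcl script. This is an added example written for this page, not code from the original article or from the hping3 distribution. It assumes the hping3 Tcl commands "hping resolve", "hping send", "hping recv" and "hping getfield", the APD packet syntax ("ip(...)+tcp(...)") hping3 uses, and that "hping recv" accepts timeout and maximum-packet arguments; check those argument forms against the documentation of your build before relying on them.

```tcl
#!/usr/bin/env hping3
# Added example for this page, not hping3's own sample code.
# Assumed hping3 Tcl commands: hping resolve, hping send, hping recv, hping getfield.
# Assumed "hping recv" signature: hping recv ifname ?timeout? ?maxpackets?
# Usage (raw sockets need root or CAP_NET_RAW):
#   hping3 exec synscan.htcl <interface> <target> <port> [<port> ...]

if {[llength $argv] < 3} {
    puts stderr "usage: synscan.htcl ifname target port \[port ...\]"
    exit 1
}
set ifname [lindex $argv 0]
set target [hping resolve [lindex $argv 1]]
set ports  [lrange $argv 2 end]
set sport  40000   ;# fixed source port so replies are easy to match

# Send one SYN per port. Fields left out of the APD string (source
# address, checksums, sequence number) are filled in by the C core.
foreach port $ports {
    hping send "ip(daddr=$target)+tcp(sport=$sport,dport=$port,flags=s)"
}

# Every probed port starts as "filtered"; a reply from the target
# reclassifies it. Collect replies for roughly two seconds.
array set state {}
foreach port $ports { set state($port) filtered }
set deadline [expr {[clock clicks -milliseconds] + 2000}]
while {[clock clicks -milliseconds] < $deadline} {
    # hping recv returns a list of packets, each as an APD string
    foreach p [hping recv $ifname 100 100] {
        # Keep only TCP packets from the target aimed at our source port;
        # getfield on a non-TCP packet raises an error, hence the catch
        if {[hping getfield ip saddr $p] ne $target} continue
        if {[catch {hping getfield tcp dport $p} dport] || $dport != $sport} continue
        set port  [hping getfield tcp sport $p]
        set flags [hping getfield tcp flags $p]   ;# letters such as "sa" or "ra"
        if {[string match *r* $flags]} {
            set state($port) closed   ;# RST: nothing listening
        } elseif {[string match *s* $flags] && [string match *a* $flags]} {
            set state($port) open     ;# SYN/ACK: a listener answered
        }
    }
}

foreach port [lsort -integer $ports] {
    puts "$target:$port $state($port)"
}
```

Because the scanning host's kernel never opened a socket on port 40000, it answers each SYN/ACK with its own RST, so the half-open connections are torn down without the script having to forge one. The script is deliberately the same shape as a classic nmap SYN scan: the whole scan type is a few lines of Tcl, and the packet construction and capture live in the C core.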
Federico Biancuzzi recently interviewed Salvatore by email about the
Could you present yourself?
Sure. Hello, I'm Salvatore Sanfilippo, an Italian open source developer in my spare time, mainly interested in security and programming languages. I'm 27 and work as a freelance consultant developing applications for my customers. Most applications are web-related, or low-level things like microcontrollers and network daemons.
How did your interest in network security start?
It all started when I installed Linux for the first time and joined IRC; this was around 1997 IIRC. I started with lame things like IRC wars :) Fortunately, after some time I got more interested in the technical side of the game, and started to study protocols and security. At some point I moved to Milan to work for a security company, where I found a lot of interesting people to talk with and to experiment with some new ideas. I didn't last more than four or five months in Milan because I'm from the south of Italy (Sicily) and found Milan not very good in terms of quality of life, but I learned many interesting things during this period.
If I'm not wrong, hping was your first open source project and one of your first programming projects. What have you learned developing the first version of hping?
When I wrote the first version of hping I had only five months of experience with the C language, so there was a lot to learn ... the first thing I discovered was the world of Unix system calls, and how a simple program like the first hping.c was only able to work on Linux and not on other Unix systems we had in the lab at Milan.
hping was also an experience regarding user interfaces. The first hping did less than many other programs already available, like the powerful ipsend, but the user interface was different, because hping is like ping in that everyone knows and can use it: you can see the replies from the target host, and to modify outgoing packets you just have to add or change command-line switches.
In my successive programming I have always tried to pay attention to user interfaces. I actually think that reinventing the wheel is not a bad idea if there is an effort to make programs simpler to use and more intuitive.
Why have you chosen the GNU General Public License to distribute your code?
Because I learned a lot using and looking at GPL code, and at the same time I don't like the idea that third parties can redistribute modified binary-only versions of hping.
What types of differences are there in the development process and code organization between hping2 and hping3?
The main difference is probably that hping2 was conceived as a tool, while hping3 adds to this tool a development system, something like a scriptable TCP/IP implementation in userspace. Another difference is that hping2 evolved incrementally, while in hping3 there was something of a goal from the beginning. At the moment, hping3 includes the support for hping2 command-line options; however, I'd like to remove that code from the C core and provide the same compatibility layer as an .htcl script.
About the code organization, hping3 is mainly a collection of libraries that may live apart from hping itself; hping2 instead is in the form of a single program that's very hard to reuse for something different.
From the user point of view, hping3 should be both simpler and more powerful, assuming that there will be two different classes of users. Programmers will be able to exploit the full power of a real programming language and a flexible packet construction/analysis system. On the other hand, it should be much easier for nondevelopers [to] run hping3 scripts developed by others than to use hping2. For example, one could develop a hping3 script to audit a firewall without doing all the common stuff by hand.
Why have you chosen Tcl?
Because I like "programmable programming languages" like Tcl and Lisp a lot. The programmer is free to reinvent the language, write new control structures, and so on. Tcl is very powerful, but for some reason few programmers fully understand it, so it's often regarded as a toy language. I use Tcl for everything not involving low-level things or speed. For the rest, I tend to use C.