author | Daniel Borkmann <dborkman@redhat.com> | 2013-07-03 12:11:49 +0200 |
---|---|---|
committer | Daniel Borkmann <dborkman@redhat.com> | 2013-07-03 12:11:49 +0200 |
commit | 20425ad2544bd1d8fb2c2c17cfb0a71026816826 (patch) | |
tree | 432780da0cd7e039d0f9f2a42c5bd68ad72a4625 | |
parent | dcc8ef3866dd743e9bb230cd44b81a5373cf07ab (diff) |
man: netsniff-ng: elaborate on capturing netlink traffic

As nlmon's device setup has now been changed to use rtnl link setup,
give a full example on how to set up and tear down nlmon devices.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-rw-r--r-- | netsniff-ng.8 | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/netsniff-ng.8 b/netsniff-ng.8 index 0bc874b..15e744c 100644 --- a/netsniff-ng.8 +++ b/netsniff-ng.8 @@ -62,9 +62,7 @@ scheduled move to slower medias). You can then use mergecap(1) to transform all pcaps into a single large pcap. Thus, netsniff-ng then works multithreaded eventually. .PP -netsniff-ng can also be used to debug netlink traffic. On newer kernels one -needs to modprobe nlmon so that a ''netlink'' networking device appears that -can be used as an input device for netsniff-ng. +netsniff-ng can also be used to debug netlink traffic. .PP .SH OPTIONS .PP @@ -303,6 +301,20 @@ are not available. Read a pcap file from stdin and convert it into a trafgen(8) configuration file to stdout. .PP +.SS modprobe nlmon +.SS ip link add type nlmon +.SS ip link set nlmon0 up +.SS netsniff-ng -i nlmon0 -o dump.pcap -s +.SS ip link set nlmon0 down +.SS ip link del dev nlmon0 +.SS rmmod nlmon +In this example, netlink traffic is being captured. If not already done, a +netlink monitoring device needs to be set up before it can be used to capture +netlink socket buffers (iproute2's ip(1) commands are given for nlmon device +setup and teardown). netsniff-ng can then make use of the nlmon device as +an input device. In this example a pcap file with netlink traffic is being +recorded. +.PP .SH CONFIG FILES .PP Files under /etc/netsniff-ng/ can be modified to extend netsniff-ng's |
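Review bot: In the first hunk (@@ -62,9 +62,7 @@), the one sentence that remains, "netsniff-ng can also be used to debug netlink traffic.", no longer tells the reader that an nlmon device is required or where to find the setup steps. Since the modprobe hint is removed here, I would add a short pointer from this paragraph to the nlmon example that the second hunk introduces, so that someone reading only the description does not try -i on a device that does not exist yet.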
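Review bot: In the second hunk (@@ -303,6 +301,20 @@), the setup line ".SS ip link add type nlmon" does not name the device, while every following line assumes it is called nlmon0; if an nlmon device already exists, the kernel-assigned name can differ and the up, capture, down and del steps then act on the wrong device or fail. Naming it explicitly, for example "ip link add nlmon0 type nlmon", makes the sequence self-consistent. Separately, the seven consecutive .SS lines render as seven independent subsection headings, so it is not obvious that they form one ordered procedure; consider keeping only the netsniff-ng invocation as the .SS heading and moving the setup and teardown commands into the description text, which already says that ip(1) commands are given for that purpose. The description also does not mention what -s does in the capture command, which is worth one clause here.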