1 files changed, 97 insertions, 0 deletions
diff --git a/Documentation/KnownIssues b/Documentation/KnownIssues
new file mode 100644
index 0000000..eb17a3f
--- /dev/null
+++ b/Documentation/KnownIssues
@@ -0,0 +1,97 @@
+netsniff-ng's known issues:
+///////////////////////////
+
+Q: When I perform a traffic capture on the Ethernet interface, the PCAP file is
+   created and packets are received but without 802.1Q header. If I use
+   tshark, I get all headers but netsniff-ng removes 802.1Q headers. Is that
+   normal behavior?
+A: Yes and no. The way how VLAN headers are handled in PF_PACKET sockets by the
+   kernel is somewhat problematic [1]. The problem in the Linux kernel is that
+   some drivers already handle VLAN, others not. Those who handle it have
+   different implementations, i.e. hardware acceleration and so on. So in some
+   cases the VLAN tag is even stripped before entering the protocol stack, in
+   some cases probably not. Bottom line is that the netdev hackers introduced
+   a "hack" in PF_PACKET so that a VLAN ID is visible in some helper data
+   structure that is accessible from the RX_RING. And then it gets really messy
+   in the user space to artificially put the VLAN header back into the right
+   place. Not mentioning about the resulting performance implications on that
+   of /all/ libpcap tools since parts of the packet need to be copied for
+   reassembly. A user reported the following, just to demonstrate this mess:
+   Some tests were made with two machines, and it seems that results depends on
+   the driver ...
+
+    1) AR8131
+        * ethtool -k eth0 gives "rx-vlan-offload: on"
+        -> wireshark gets the vlan header
+        -> netsniff-ng doesn't get the vlan header
+
+        * ethtool -K eth0 rxvlan off
+        -> wireshark gets twice the same vlan header (like QinQ even though
+           I never sent QinQ)
+        -> netsniff-ng gets the vlan header
+
+    2) RTL8111/8168B
+        * ethtool -k eth0 gives "rx-vlan-offload: on"
+        -> wireshark gets the vlan header
+        -> netsniff-ng doesn't get the vlan header
+
+        * ethtool -K eth0 rxvlan off
+        -> wireshark gets the vlan header
+        -> netsniff-ng doesn't get the vlan header
+
+    Even if we would agree on doing the same workaround as libpcap, we still
+    will not be able to see QinQ, for instance, due to the fact that only /one/
+    VLAN tag is stored in this kernel helper data structure. We think that
+    there should be a good consensus on the kernel space side about what gets
+    transferred to the userland.
+
+    [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html
+
+    Update (28.11.2012): the Linux kernel and also bpfc has built-in support
+    for hardware accelerated VLAN filtering, even though tags might not be
+    visible in the payload itself as reported here. However, the filtering
+    for VLANs works reliable if your NIC supports it. bpfc example for filtering
+    for any tags:
+
+	_main:
+	 ld #vlanp
+	 jeq #0, drop
+	 ret #-1
+	drop:
+	 ret #0
+
+   Filtering for a particular VLAN tag:
+
+	_main:
+	 ld #vlant
+	 jneq #10, drop
+	 ret #-1
+	drop:
+	 ret #0
+
+   Where 10 is VLAN ID 10 in this example. Or, more pedantic:
+
+	_main:
+	 ld #vlanp
+	 jeq #0, drop
+	 ld #vlant
+	 jneq #10, drop
+	 ret #-1
+	drop:
+	 ret #0
+
+Q: When I start trafgen, my kernel crashes! What is happening?
+A: We have fixed this ``bug'' in the Linux kernel under commit
+   7f5c3e3a80e6654cf48dfba7cf94f88c6b505467 (http://bit.ly/PcH5Nd). Either
+   update your kernel to the latest version, e.g. clone and build it from
+   git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git or don't
+   start multiple trafgen instances at once resp. start trafgen with flag -A
+   to disable temporary socket memory tuning! Although trafgen's mechanism is
+   written in a correct manner, some probably Linux internal side-effects
+   cause the tigger of the BUG macro. Why tuning? In general, if not otherwise
+   specified, the netsniff-ng suite tries to get a good performance on default.
+   For instance, this includes things like tuning the system's socket memory,
+   enabling the BPF JIT compiler, migrating the NIC's interrupt affinity and
+   so on. If you don't want netsniff-ng to do this, look at the relevant cmd
+   line options that disable them with ``--help'' and explicitly specify them
+   on the program start.