summaryrefslogtreecommitdiff
path: root/dissector.h
AgeCommit message (Collapse)AuthorFilesLines
2015-06-20netsniff-ng: Add dissector for Linux "cooked" packetsVadim Kochan1-1/+1
Added dissector_sll.c which uses sockaddr_ll to lookup & print higher L3 layer protocol. This dissector is mapped by LINKTYPE_LINUX_SLL link type. Sample output of dissected Netlink & Ethernet packets. Truncated manually some longer lines by "...": > nlmon0 20 1434193547s.717131169ns #6 [ Linux "cooked" Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ] [ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)... > wlp3s0 52 1434194181s.436224709ns #9 [ Linux "cooked" Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ] [ IPv4 Addr (XXX.XXX.XXX.XXX => 212.42.76.253), Proto (6), TTL (64), TOS (0), ... ), CSum (0x1ef5) is ok ] [ Geo (local => Ukraine) ] [ TCP Port (45849 => 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ... [ Chr .....w.Rj).. ] [ Hex XX XX XX XX XX XX XX XX XX XX XX XX ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-05-02netsniff-ng: Reorder packet number outputTobias Klauser1-4/+4
Change the position of the packet number in the packet header output such that we don't print two spaces between timestamp and number if no timestamp source is available. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-05-02netsniff-ng: Show packet numberVadim Kochan1-7/+11
Show the packet number as part of the dissector output. Example: > wlp3s0 107 1430159373s.693002029ns (#5) [ Eth MAC (6c:88:14:ac:51:e4 => 10:fe:ed:90:22:12), Proto (0x0800, IPv4) ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-27netsniff-ng nlmsg: Print netlink protocol nameVadim Kochan1-1/+2
nlmsg proto handler can't identify Netlink protocol from nlmsghdr, so sockaddr_ll can be used to get it. Also renamed [proto -> handler] member in pkt_buff struct, which is more understandable. Example: >U nlmon0 4756 1429891435s.14505747ns [ NLMSG Proto 0 (RTNETLINK), Len 1160, Type 0x0010 (0x10), Flags 0x0002 (MULTI), Seq-Nr 1429891436, PID 31613 ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> [tklauser: Handle usage of NETLINK_SOCK_DIAG with pre 3.10 kernel headers, fix nl_proto2str() return value, formatting changes] Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-23all: Fix libnl3 include pathTobias Klauser1-1/+1
The libnl3 examples [1] use <netlink/netlink.h> etc. and since pkg-config returns the paths including the libnl3 path component, we should specify our include paths relative to these ones, not /usr/include. [1] http://www.infradead.org/~tgr/libnl/doc/core.html#_linking_to_this_library Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-09dissector: Don't re-initialize packet_types arrayTobias Klauser1-1/+0
Both sparse and clang warn about the initializers overriding previous initialization of the packet_types array. Since every access of the packet_types array checks the value for NULL (the default value, since the array is static) and prints a "?" if it isNULL, we don't need the prior initialization with "?". Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-08-14dissector: check for correct netlink linktypeDaniel Borkmann1-1/+4
It's supposed to be LINKTYPE_NETLINK, not AF_NETLINK as otherwise the pkt_type fixup cannot be done correctly. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-08-14netsniff-ng: Restore tpacket v2 capturingTobias Klauser1-4/+4
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng: migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for capturing packets. This patch restores the possibility to capture using tpacket v2. For now this is just a fallback if the configure script doesn't detect tpacket v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this shouldn't change anything and they will continue using tpacket v3. For now this fix contains quite a bit of ugly #ifdefery which should be cleaned up in the future. Fixes #76 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-06-04dissector: Restore paket type if capturing from nlmon deviceTobias Klauser1-7/+22
The kernel sets the skb pkttype to PACKET_OUTGOING for all packets being sent through dev_queue_xmit_nit(). However, if capturing packets from an nlmon device, this causes the information on whether the netlink packet was sent to kernel- or userspace (PACKET_KERNEL/PACKET_USER) to be overwritten. A previous attempt by Daniel Borkmann to fix this in kernel space [1] by not overwriting the packet type for netlink packets was not regarded as the proper solution. [1] http://patchwork.ozlabs.org/patch/338612/ Thus, attempt to fix this in userspace by looking at the pid field of the netlink packet, which is always 0 for messages to kernel space [2]. [2] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-22built_in: Remove unnecessary #include <built_in.h> from several headersTobias Klauser1-1/+0
These are not needed in the headers themselves and are pulled in in the .c file where necessary. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-14dissector: Get rid of header dependency on pcap_io.hTobias Klauser1-1/+0
The dissector only needs the LINKTYPE_* #defines from pcap_io.h. Instead of pulling in this rather large header just for this, move the LINKTYPE_* #defines to an own header and include it where needed. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-10dissector: display packet direction for tap'ing on netlink devices (nlmon)Daniel Borkmann1-6/+8
Linux kernel provides nlmon device (ARPHRD_NETLINK) driver that can tap on netlink traffic, e.g.: Setup: modprobe nlmon ip link add type nlmon ip link set nlmon0 up Capture: netsniff-ng -i nlmon0 ... (or -i any) Teardown: ip link set nlmon0 down ip link del dev nlmon0 rmmod nlmon Provide information about the packet direction (user space or kernel space), so that dissector will show that properly. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-06-17dissector: explicitly init arrayDaniel Borkmann1-10/+9
Use explicit form to initialize array. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-06-04xutils: eliminate xutils, move rest to epoll2Daniel Borkmann1-0/+2
Finally eliminate xutils.{c,h} and move the rest to epoll2. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-05-31ring: netsniff-ng: migrate capture only to TPACKET_V3Daniel Borkmann1-9/+20
Lets migrate capturing to TPACKET_V3, since it will bring a better performance due to fewer page cache misses caused by a higher density of packets, since now they are contigous placed in the ring buffer. It is said that TPACKET_V3 brings the following benefits: *) ~15 - 20% reduction in CPU-usage *) ~20% increase in packet capture rate *) ~2x increase in packet density *) Port aggregation analysis *) Non static frame size to capture entire packet payload Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-04-29dissector: show sw/hw timestamp sourceDaniel Borkmann1-2/+16
Now, with PF_PACKET's extension, we can see what kind of sw/hw timestamp is being reported to us [1]. Thus, report it in the dissector. [1] http://thread.gmane.org/gmane.linux.network/266878/ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-03-15all: import netsniff-ng 0.5.8-rc0 sourceDaniel Borkmann1-0/+64
We decided to get rid of the old Git history and start a new one for several reasons: *) Allow / enforce only high-quality commits (which was not the case for many commits in the history), have a policy that is more close to the one from the Linux kernel. With high quality commits, we mean code that is logically split into commits and commit messages that are signed-off and have a proper subject and message body. We do not allow automatic Github merges anymore, since they are total bullshit. However, we will either cherry-pick your patches or pull them manually. *) The old archive was about ~27MB for no particular good reason. This basically derived from the bad decision that also some PDF files where stored there. From this moment onwards, no binary objects are allowed to be stored in this repository anymore. The old archive is not wiped away from the Internet. You will still be able to find it, e.g. on git.cryptoism.org etc. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>