| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Both sparse and clang warn about the initializers overriding previous
initialization of the packet_types array. Since every access of the
packet_types array checks the value for NULL (the default value, since the
array is static) and prints a "?" if it isNULL, we don't need the prior
initialization with "?".
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
It's supposed to be LINKTYPE_NETLINK, not AF_NETLINK as otherwise
the pkt_type fixup cannot be done correctly.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but
only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng:
migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for
capturing packets.
This patch restores the possibility to capture using tpacket v2. For now
this is just a fallback if the configure script doesn't detect tpacket
v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this
shouldn't change anything and they will continue using tpacket v3.
For now this fix contains quite a bit of ugly #ifdefery which should be
cleaned up in the future.
Fixes #76
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The kernel sets the skb pkttype to PACKET_OUTGOING for all packets being
sent through dev_queue_xmit_nit(). However, if capturing packets from an
nlmon device, this causes the information on whether the netlink packet
was sent to kernel- or userspace (PACKET_KERNEL/PACKET_USER) to be
overwritten.
A previous attempt by Daniel Borkmann to fix this in kernel space [1] by
not overwriting the packet type for netlink packets was not regarded as
the proper solution.
[1] http://patchwork.ozlabs.org/patch/338612/
Thus, attempt to fix this in userspace by looking at the pid field of
the netlink packet, which is always 0 for messages to kernel space [2].
[2] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
These are not needed in the headers themselves and are pulled in in the
.c file where necessary.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The dissector only needs the LINKTYPE_* #defines from pcap_io.h. Instead
of pulling in this rather large header just for this, move the
LINKTYPE_* #defines to an own header and include it where needed.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Linux kernel provides nlmon device (ARPHRD_NETLINK) driver that
can tap on netlink traffic, e.g.:
Setup:
modprobe nlmon
ip link add type nlmon
ip link set nlmon0 up
Capture:
netsniff-ng -i nlmon0 ... (or -i any)
Teardown:
ip link set nlmon0 down
ip link del dev nlmon0
rmmod nlmon
Provide information about the packet direction (user space or kernel
space), so that dissector will show that properly.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Use explicit form to initialize array.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Finally eliminate xutils.{c,h} and move the rest to epoll2.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Lets migrate capturing to TPACKET_V3, since it will bring a better
performance due to fewer page cache misses caused by a higher density
of packets, since now they are contigous placed in the ring buffer.
It is said that TPACKET_V3 brings the following benefits:
*) ~15 - 20% reduction in CPU-usage
*) ~20% increase in packet capture rate
*) ~2x increase in packet density
*) Port aggregation analysis
*) Non static frame size to capture entire packet payload
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Now, with PF_PACKET's extension, we can see what kind of sw/hw
timestamp is being reported to us [1]. Thus, report it in the
dissector.
[1] http://thread.gmane.org/gmane.linux.network/266878/
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
We decided to get rid of the old Git history and start a new one for
several reasons:
*) Allow / enforce only high-quality commits (which was not the case
for many commits in the history), have a policy that is more close
to the one from the Linux kernel. With high quality commits, we
mean code that is logically split into commits and commit messages
that are signed-off and have a proper subject and message body.
We do not allow automatic Github merges anymore, since they are
total bullshit. However, we will either cherry-pick your patches
or pull them manually.
*) The old archive was about ~27MB for no particular good reason.
This basically derived from the bad decision that also some PDF
files where stored there. From this moment onwards, no binary
objects are allowed to be stored in this repository anymore.
The old archive is not wiped away from the Internet. You will still
be able to find it, e.g. on git.cryptoism.org etc.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
