summaryrefslogtreecommitdiff
path: root/dissector.h
AgeCommit message (Collapse)AuthorFilesLines
2014-06-04dissector: Restore paket type if capturing from nlmon deviceTobias Klauser1-7/+22
The kernel sets the skb pkttype to PACKET_OUTGOING for all packets being sent through dev_queue_xmit_nit(). However, if capturing packets from an nlmon device, this causes the information on whether the netlink packet was sent to kernel- or userspace (PACKET_KERNEL/PACKET_USER) to be overwritten. A previous attempt by Daniel Borkmann to fix this in kernel space [1] by not overwriting the packet type for netlink packets was not regarded as the proper solution. [1] http://patchwork.ozlabs.org/patch/338612/ Thus, attempt to fix this in userspace by looking at the pid field of the netlink packet, which is always 0 for messages to kernel space [2]. [2] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-22built_in: Remove unnecessary #include <built_in.h> from several headersTobias Klauser1-1/+0
These are not needed in the headers themselves and are pulled in in the .c file where necessary. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-14dissector: Get rid of header dependency on pcap_io.hTobias Klauser1-1/+0
The dissector only needs the LINKTYPE_* #defines from pcap_io.h. Instead of pulling in this rather large header just for this, move the LINKTYPE_* #defines to an own header and include it where needed. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-10dissector: display packet direction for tap'ing on netlink devices (nlmon)Daniel Borkmann1-6/+8
Linux kernel provides nlmon device (ARPHRD_NETLINK) driver that can tap on netlink traffic, e.g.: Setup: modprobe nlmon ip link add type nlmon ip link set nlmon0 up Capture: netsniff-ng -i nlmon0 ... (or -i any) Teardown: ip link set nlmon0 down ip link del dev nlmon0 rmmod nlmon Provide information about the packet direction (user space or kernel space), so that dissector will show that properly. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-06-17dissector: explicitly init arrayDaniel Borkmann1-10/+9
Use explicit form to initialize array. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-06-04xutils: eliminate xutils, move rest to epoll2Daniel Borkmann1-0/+2
Finally eliminate xutils.{c,h} and move the rest to epoll2. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-05-31ring: netsniff-ng: migrate capture only to TPACKET_V3Daniel Borkmann1-9/+20
Lets migrate capturing to TPACKET_V3, since it will bring a better performance due to fewer page cache misses caused by a higher density of packets, since now they are contigous placed in the ring buffer. It is said that TPACKET_V3 brings the following benefits: *) ~15 - 20% reduction in CPU-usage *) ~20% increase in packet capture rate *) ~2x increase in packet density *) Port aggregation analysis *) Non static frame size to capture entire packet payload Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-04-29dissector: show sw/hw timestamp sourceDaniel Borkmann1-2/+16
Now, with PF_PACKET's extension, we can see what kind of sw/hw timestamp is being reported to us [1]. Thus, report it in the dissector. [1] http://thread.gmane.org/gmane.linux.network/266878/ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-03-15all: import netsniff-ng 0.5.8-rc0 sourceDaniel Borkmann1-0/+64
We decided to get rid of the old Git history and start a new one for several reasons: *) Allow / enforce only high-quality commits (which was not the case for many commits in the history), have a policy that is more close to the one from the Linux kernel. With high quality commits, we mean code that is logically split into commits and commit messages that are signed-off and have a proper subject and message body. We do not allow automatic Github merges anymore, since they are total bullshit. However, we will either cherry-pick your patches or pull them manually. *) The old archive was about ~27MB for no particular good reason. This basically derived from the bad decision that also some PDF files where stored there. From this moment onwards, no binary objects are allowed to be stored in this repository anymore. The old archive is not wiped away from the Internet. You will still be able to find it, e.g. on git.cryptoism.org etc. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>