Display them as K->U resp. U->K.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Show vlan info (vid, prio & proto) from tpacket struct, in a separate
line. It might be useful to sniff it in case vlan reordering is on
(which is the default) and the physical (vlan underlying) device supports
vlan offloading.
Meanwhile it uses only v3 tpacket info as the location of the vlan fields is
different between v2 & v3 (v1 does not have it at all), but the current code
only has the possibility to check if v3 is used, which is not enough.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ tk: make print format consistent with VLAN dissector ]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Added dissector_sll.c which uses sockaddr_ll to look up & print the
higher L3 layer protocol.
This dissector is mapped by the LINKTYPE_LINUX_SLL link type.
Sample output of dissected Netlink & Ethernet packets.
Some longer lines were truncated manually with "...":
> nlmon0 20 1434193547s.717131169ns #6
[ Linux "cooked" Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ]
[ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)...
> wlp3s0 52 1434194181s.436224709ns #9
[ Linux "cooked" Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ]
[ IPv4 Addr (XXX.XXX.XXX.XXX => 212.42.76.253), Proto (6), TTL (64), TOS (0), ...
), CSum (0x1ef5) is ok ]
[ Geo (local => Ukraine) ]
[ TCP Port (45849 => 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ...
[ Chr .....w.Rj).. ]
[ Hex XX XX XX XX XX XX XX XX XX XX XX XX ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Change the position of the packet number in the packet header output
such that we don't print two spaces between timestamp and number if no
timestamp source is available.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Show the packet number as part of the dissector output.
Example:
> wlp3s0 107 1430159373s.693002029ns (#5)
[ Eth MAC (6c:88:14:ac:51:e4 => 10:fe:ed:90:22:12), Proto (0x0800, IPv4) ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The nlmsg proto handler can't identify the Netlink protocol from nlmsghdr, so
sockaddr_ll can be used to get it.
Also renamed the [proto -> handler] member in the pkt_buff struct, which is more
understandable.
Example:
>U nlmon0 4756 1429891435s.14505747ns
[ NLMSG Proto 0 (RTNETLINK), Len 1160, Type 0x0010 (0x10), Flags 0x0002 (MULTI), Seq-Nr 1429891436, PID 31613 ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tklauser: Handle usage of NETLINK_SOCK_DIAG with pre 3.10 kernel
headers, fix nl_proto2str() return value, formatting changes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The libnl3 examples [1] use <netlink/netlink.h> etc. and since
pkg-config returns the paths including the libnl3 path component, we
should specify our include paths relative to these ones, not
/usr/include.
[1] http://www.infradead.org/~tgr/libnl/doc/core.html#_linking_to_this_library
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Both sparse and clang warn about the initializers overriding previous
initialization of the packet_types array. Since every access of the
packet_types array checks the value for NULL (the default value, since the
array is static) and prints a "?" if it is NULL, we don't need the prior
initialization with "?".
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
It's supposed to be LINKTYPE_NETLINK, not AF_NETLINK as otherwise
the pkt_type fixup cannot be done correctly.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but
only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng:
migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for
capturing packets.
This patch restores the possibility to capture using tpacket v2. For now
this is just a fallback if the configure script doesn't detect tpacket
v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this
shouldn't change anything and they will continue using tpacket v3.
For now this fix contains quite a bit of ugly #ifdefery which should be
cleaned up in the future.
Fixes #76
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The kernel sets the skb pkttype to PACKET_OUTGOING for all packets being
sent through dev_queue_xmit_nit(). However, if capturing packets from an
nlmon device, this causes the information on whether the netlink packet
was sent to kernel- or userspace (PACKET_KERNEL/PACKET_USER) to be
overwritten.
A previous attempt by Daniel Borkmann to fix this in kernel space [1] by
not overwriting the packet type for netlink packets was not regarded as
the proper solution.
[1] http://patchwork.ozlabs.org/patch/338612/
Thus, attempt to fix this in userspace by looking at the pid field of
the netlink packet, which is always 0 for messages to kernel space [2].
[2] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
These are not needed in the headers themselves and are pulled in in the
.c file where necessary.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The dissector only needs the LINKTYPE_* #defines from pcap_io.h. Instead
of pulling in this rather large header just for this, move the
LINKTYPE_* #defines to an own header and include it where needed.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The Linux kernel provides an nlmon device (ARPHRD_NETLINK) driver that
can tap on netlink traffic, e.g.:
Setup:
modprobe nlmon
ip link add type nlmon
ip link set nlmon0 up
Capture:
netsniff-ng -i nlmon0 ... (or -i any)
Teardown:
ip link set nlmon0 down
ip link del dev nlmon0
rmmod nlmon
Provide information about the packet direction (user space or kernel
space), so that the dissector will show it properly.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Use explicit form to initialize array.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Finally eliminate xutils.{c,h} and move the rest to epoll2.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Let's migrate capturing to TPACKET_V3, since it will bring better
performance due to fewer page cache misses caused by a higher density
of packets, since now they are contiguously placed in the ring buffer.
It is said that TPACKET_V3 brings the following benefits:
*) ~15 - 20% reduction in CPU-usage
*) ~20% increase in packet capture rate
*) ~2x increase in packet density
*) Port aggregation analysis
*) Non static frame size to capture entire packet payload
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Now, with PF_PACKET's extension, we can see what kind of sw/hw
timestamp is being reported to us [1]. Thus, report it in the
dissector.
[1] http://thread.gmane.org/gmane.linux.network/266878/
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
We decided to get rid of the old Git history and start a new one for
several reasons:
*) Allow / enforce only high-quality commits (which was not the case
for many commits in the history), have a policy that is closer
to the one from the Linux kernel. With high quality commits, we
mean code that is logically split into commits and commit messages
that are signed-off and have a proper subject and message body.
We do not allow automatic Github merges anymore, since they are
total bullshit. However, we will either cherry-pick your patches
or pull them manually.
*) The old archive was about ~27MB for no particular good reason.
This basically derived from the bad decision that also some PDF
files were stored there. From this moment onwards, no binary
objects are allowed to be stored in this repository anymore.
The old archive is not wiped away from the Internet. You will still
be able to find it, e.g. on git.cryptoism.org etc.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>