| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
It might be useful to filter out interesting traffic
from input pcap to output pcap file which will contain only
filtered packets:
$ netsniff-ng -i input.pcap -o output.pcap ip src 192.168.1.198
Now it is possible by specifying output pcap file with ".pcap"
extension, otherwise the trafgen file will be generated as by default.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tklauser: small wording and whitespace adjustment]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
No need for some of the empty lines, remove them to make the output a
bit denser.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The code to create the next pcap dump file is duplicated for the
HAVE_TPACKET3 and !HAVE_TPACKET3 case. Consolidate the functionality
into a function to reduce code duplication.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
We need to set up the RX ring depending on whether tpacket v3 is
available or not. Otherwise end up setting its structure up for tpacket
v3, even though only tpacket v2 is available. This should fix packet
capturing for tpacket v2 (i.e. corrupted frames in pcap).
Reported-by: Mike Reeves <luke@geekempire.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Save one #ifdef block by moving the tpacket v3 only variable definition
to the block where it is actually used.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The iov_base member of struct iovec is already void *, so there is no
need to cast it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Stick to the usual style of having goto labels not indented.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
If ctx.device_in is NULL after option parsing, it is always set to
"any", which is before this check. Thus, it serves no purpose and can be
removed.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Move the copyright/bug report/license string to an own constant and use
it for the output of help() and version() to avoid duplication and
prevent the strings from getting out of sync. This makes the text
section of netsniff-ng.o slightly smaller:
before:
text data bss dec hex filename
26998 8 68 27074 69c2 netsniff-ng/netsniff-ng.o
after:
text data bss dec hex filename
26582 8 68 26658 6822 netsniff-ng/netsniff-ng.o
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Commit edca6174b09 ("dissector: Restore paket type if capturing from
nlmon device") changed the signature of show_frame_hdr(). The call to
this function was not updated in the !HAVE_TPACKET3 part of netsniff-ng
introduced in commit 97e6f994785c ("netsniff-ng: Restore tpacket v2
capturing"), causing a compile error. Fix this by providing the correct
parameters to show_frame_hdr() also in this case.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but
only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng:
migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for
capturing packets.
This patch restores the possibility to capture using tpacket v2. For now
this is just a fallback if the configure script doesn't detect tpacket
v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this
shouldn't change anything and they will continue using tpacket v3.
For now this fix contains quite a bit of ugly #ifdefery which should be
cleaned up in the future.
Fixes #76
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Allow to disable hardware time stamping using the command line switch
(-N/--no-hwtimestamp). This might be useful in situations where hardware
time stamps are skewed somehow.
Reference: #129
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The kernel sets the skb pkttype to PACKET_OUTGOING for all packets being
sent through dev_queue_xmit_nit(). However, if capturing packets from an
nlmon device, this causes the information on whether the netlink packet
was sent to kernel- or userspace (PACKET_KERNEL/PACKET_USER) to be
overwritten.
A previous attempt by Daniel Borkmann to fix this in kernel space [1] by
not overwriting the packet type for netlink packets was not regarded as
the proper solution.
[1] http://patchwork.ozlabs.org/patch/338612/
Thus, attempt to fix this in userspace by looking at the pid field of
the netlink packet, which is always 0 for messages to kernel space [2].
[2] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Instead of memsetting the struct sock_filter every time before we call
bpf_parse_rules(), do it there directly.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Instead of having to perform the individual steps to initialize a ring
and open coding them in multiple places, provide convenience functions
to do all at once. This has the nice side effect of allowing to make
most of these *_{rx,tx}_ring() functions static in their respective
module.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Move some variables from the function scipe to the block where they're
used solely.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
rx_poll will be passed to prepare_polling() which already zeros the
struct, so no need to do it before.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
These will be set later on depending on command line option (or panic()
out) and they're set to 0 by init_ctx() anyways.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Change type of verbose flag from int to bool.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Instead of using a foor loop with empty initialization and afterthought,
just use a while loop with the same condition.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The mm_len member of struct ring is of type size_t, but in the code
paths leading to set it, unsigned int is used. In circumstances where
unsigned int is 32 bit and size_t is 64 bit, this could lead to an
integer overflow, which causes an improper ring size being mmap()'ed in
mmap_ring_generic().
In order to prevent this, consistently use size_t to store the ring
size, since this is also what mmap() takes as its `length' parameter.
This now allows to specify ring sizes larger than 4 GiB for both
netsniff-ng and trafgen (fixes #90).
Reported-by: Jon Schipp <jonschipp@gmail.com>
Reported-by: Michał Purzyński <michalpurzynski1@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Remove some leading/trailing whitespaces.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
These usually only make sense for complex macros which are expanded
moree than once. The label for `out' doesn't make sense anyhow as it is
declared on function level.
Also don't indent the labels, so they're clearer to spot.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
References:
https://github.com/netsniff-ng/netsniff-ng/commit/453f6eb9d79dd5aa2812ef956b22723f0a493086
https://github.com/netsniff-ng/netsniff-ng/pull/112
Signed-off-by: Christian Wiese <chris@opensde.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
When reading from a pcap in Kuznetsov/netsniff-ng format, we currently do
not fill out sll. Do so so that users can see pkttype and the interface.
Reported-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Handle all termination signals that we're allowed to handle (SIGKILL
can't be handled) in order to exit gracefully in any regular termination
case. Without this fix, pcap files written by netsniff-ng might be
corrupted.
Reported-by: Mike Westmacott <mikewestmacott@googlemail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
We shouldn't modify optarg (and thus argv) since it's e.g. used to
display the commandline string in `ps'. Since strtoul() reads until it
encounters the first non-numeric character and ignores the rest, we can
just revert from setting a NULL byte after the numeric part of the
string.
Reported-by: Jon Schipp <jonschipp@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
If setting an unsigned long variable, use strtoul() instead of strtol().
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Incorrect usage of "i.e." leads one to believe that replaying is
possible only.
Signed-off-by: Jon Schipp <jonschipp@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
If a user accidentially specifies more than one of --mm/--sg/--clrw, the
option specified last will be used - as expected from standard command
line tools. In order to still prevent users from being confused by this,
explicitely display the pcap I/O method used in verbose mode.
In order for the output to be more user-friendly, actually write out the
method names in const char *pcap_ops_group_to_str, which isn't used
anywhere else anyway.
Suggested-by: Jon Schipp <jonschipp@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The struct stat is filled by the call to stat(2) in the next line, so
there is no need to explicitely set it to 0 before.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Instead of using goto, just check stats if stat() returned 0 and used
ctx->dump_dir afterwards. This makes the logic a bit easier to follow.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
When signal occurs, don't panic on EINTR, rather gracefully return.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
The return value of two calls to poll() are never check, despite the
(unlikely) possibility of them returning an error, fix it by checking
the return value and panic()ing on error.
This issue was discovered using the Coverity scanner.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Since entering/leaving promiscuous mode also is a device specific
function and all users of the `promisc' module also use `dev', integrate
it there. Also rename the functions to have a `device_' prefix like the
other functions in the module.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Fix the following compiler warning that occurs when building with "-W
-Wall -Wextra" by introducing a cast:
netsniff-ng.c: In function ‘walk_t3_block’:
netsniff-ng.c:841:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Compiling with "-W -Wall -Wextra" reveals the following warnings in
mac80211.c:
mac80211.c: In function ‘nl80211_init’:
mac80211.c:78:67: warning: unused parameter ‘device’ [-Wunused-parameter]
mac80211.c: In function ‘nl80211_wait_handler’:
mac80211.c:106:48: warning: unused parameter ‘msg’ [-Wunused-parameter]
mac80211.c: In function ‘nl80211_error_handler’:
mac80211.c:115:54: warning: unused parameter ‘nla’ [-Wunused-parameter]
mac80211.c:117:12: warning: unused parameter ‘arg’ [-Wunused-parameter]
mac80211.c: In function ‘nl80211_del_mon_if’:
mac80211.c:181:72: warning: unused parameter ‘device’ [-Wunused-parameter]
Fix them by either marking them as unused (where we need to conform to
library APIs or remove them alltogether (for our own APIs). For the
function leave_rfmon_mac80211() the according users (netsniff-ng and
trafgen) are also changed.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The sll parameter is not used anywhere in the function, so remove it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Those are the last occurences of warnings like:
netsniff-ng.c:697:48: warning: Using plain integer as NULL pointer
netsniff-ng.c:726:48: warning: Using plain integer as NULL pointer
...
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
We have to pass NEED_TCPDUMP_LIKE_FILTER define through gcc as it
otherwise is not possible to let the pcap compiler invoke through
netsniff-ng, but not through astraceroute.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
"-U" has been forgotten to add into shortopts. "--update" works as
expeceted however. So simply add "U".
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
This patch is a bundle of multiple fixes.
1) Fix compilation of astraceroute when HAVE_LIBPCAP=1:
astraceroute doesn't need libpcap, so add an additional
guard/define to bpf.h and bpf_comp.c and netsniff-ng.c.
Also since we generate a config.h file, we do not need
to have this additional compile flag anymore.
2) Fix tstamping.{h,c} to use the configure script instead
of the Makefile. For doing this, also fix the object
inclusion in netsniff-ng/Makefile.
Last but not least, rename __WITH_... into HAVE_... as this
is more clean.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
In order to be able to better track regressions or to give support,
let us track the Git id as well in version information. This makes
the ``--version'' switch actually useful.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Refactor ctx initialization and destruction into separate handlers.
That is more clean.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Invoke dev->type to pcap linktype mapper in order to write a correct
pcap file header for various link types. Also fix two bugs in pcap
file header parsing and print a warning with the magic link number in
case of an unknown link type.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
In netsniff-ng, we use tpacketv3 for capturing-only mode. The issue
observed lately is that when using f.e. -n10 or capturing a pcap and
then quitting, the pcap or actually seen number of packets are less
than what the statistics tell us from getsockopt(2).
This is due to the fact that tpacketv3 divides its ring buffer into
blocks of frames. Meaning, while we are traversing block n, the kernel
already fills up block n+1 and following if new packets arrive. While
doing so, it increments packet counters. Thus, when we ^C, we haven't
seen those blocks, so the stats tell us mostly a slightly higher
result. Fix this by adjusting socket stats printing to this fact.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Until now we didn't check the return value of set_sockopt_hwtimestamp()
and the Coverity scanner complained about it, so use it's return value
to report if timstamping is actually enabled in verbose mode.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Bail out if it should ever fail. Detected by coverty in the
translate_pcap_to_txf() path.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Only close the very first pcap file of multi-pcap files once, and not
once during next_multi_pcap_file and once during exit.
Discovered by Coverty scanner.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Better add a header file for this, so that we do not need to have it
in multiple places declared.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
