summaryrefslogtreecommitdiff
path: root/netsniff-ng.c
AgeCommit message (Collapse)AuthorFilesLines
2018-12-02netsniff-ng: store default prefix in ctxTobias Klauser1-2/+5
Store the default "dump-" prefix in ctx->prefix instead of checking it every time in generate_multi_pcap_filename. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2018-12-02netsniff-ng: implement rotating capture filesWhang Choi1-7/+28
Add a new option -O, --overwrite which allows to rotate capture files. The timestamp in the file name is replaced with a number that wraps around after reaching the specified number of files. Example usage: netsniff-ng -s -F 1KiB -O 10 -i eth0 -o /output/folder Fixes #147 Signed-off-by: Whang Choi <wch0x01@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2018-05-14netsniff-ng: add date format strings to --outDaniel Roberson1-3/+18
This adds the ability to use date(1)/strftime(3) style format strings when specifying an output file. Example: netsniff-ng --out %Y-%m-%d.pcap ### outputs to 2018-04-20.pcap Fixes #158 Signed-off-by: Daniel Roberson <daniel@planethacker.net> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2018-03-06all: drop fmem{cpy,set}Tobias Klauser1-3/+3
There is no need to explicity use the builtins. According to [1], GCC will recognize mem{cpy,set} as built-in functions, unless the corresponding -fno-builtin-* option is specified (which is not the case for netsniff-ng). [1] https://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-06-27netsniff-ng: fix --bind-cpu option in example command lineTobias Klauser1-1/+1
Change the invalid --b option in one of the examples listed in the help to --bind-cpu. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-04-12netsniff-ng: remove unnecessary zeroing of packet counters in init_ctx()Tobias Klauser1-6/+0
The struct ctx in initialized using memset(ctx, 0, sizeof(*ctx) in init_ctx(), so there is no need to zero these members again. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-12-08all: Remove unused longindex parameter to getopt_long()Tobias Klauser1-2/+2
All tools (except mausezahn) use getopt_long() and pass a pointer to a local opt_index variable for the longindex parameter. However, this variable is never read afterwards. According to getopt(3) it's perfectly fine to pass NULL as the longindex parameter instead, so do that. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-07-29netsniff-ng: Account skipped packets as 'seen' and 'dropped'Paolo Abeni1-2/+14
The packets filtered out due to pkt_type are incoming packets effectively dropped and should be accounted as such. This patch explicitly accounts for the skipped packets number in skip_packet() and adds this number to the 'drop' and 'seen' counters in update_rx_stats(). Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-07-21netsniff-ng: Increment pkts_seen after packet type checkPaolo Abeni1-2/+2
Currently in receive_to_xmit() pkts_seen is incremented before the packet type check, but failing the latter will cause the packet to be ignored, pretty much as if it failed to pass the filter. This change moves the accunting after the check, as is currently done in both walk_t3_block() and recv_only_or_dump(). Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-07-21netsniff-ng: Skip duplicated packets on loopback devicePaolo Abeni1-10/+22
When sniffing on the loopback device, each packet will be seen twice, once per direction. To avoid duplicates, explicitly skip OUTGOING packets received from loopback, if no packet_type filter is explicitly set. Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-01-29netsniff-ng: Remove duplicate '=' in assignmentTobias Klauser1-1/+1
Remove a duplicate '=' introduced by me when amending commit 0ae726d ("netsniff-ng: Use time of SIGHUP time when rotating files prematurely"). Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-01-29netsniff-ng: Use time of SIGHUP time when rotating files prematurelyErik Bengtsson1-2/+13
Use the timestamp of the SIGHUP in the file name when rotating file prematurely instead of the file creation date, which might be delayed depending on when the next packet arrives. This should make it a bit easier to synchronize pcap files captures by multiple instances of netsniff-ng on multiple interfaces. Signed-off-by: Erik Bengtsson <e.bengtsson@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-11-10netsniff-ng: Use correct printf format specifier for uint64_tTobias Klauser1-1/+1
ctx->pkts_recvd_last and ctx->pkts_drops_last are uint64_t, so use the PRIu64 format specifier to print them. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-11-10netsniff-ng: Allow to specify compiled BPF from stdinVadim Kochan1-1/+1
Allow read compiled BPF instructions from stdin by via '-f -' option. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-11-09str: Add converting cmdline args vector to str moduleVadim Kochan1-16/+2
Move piece of code which converts cmdline args vector to string from netsniff-ng.c to str.c as function. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-10-28all: Change reporting bugs emailVadim Kochan1-1/+1
Replace bugs@netsniff-ng.com with netsniff-ng@googlegroups.com which is used in REPORTING-BUGS file. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-10-17netsniff-ng: Fix print stats in silent modeVadim Kochan1-6/+3
RX stats were not printed because of wrong check on PRINT_NONE. Fixes: 5f94671f31c040f ("netsniff-ng: Show total rx stats for multi pcap mode") Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-08-25netsniff-ng: Show total rx stats for multi pcap modeVadim Kochan1-45/+73
Allow to collect rx stats for multiple pcap mode, by storing them in separated variables before switch to the next pcap file. It allows to have the one approach when dump for single or multiple pcap(s) mode. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-08-03netsniff-ng: Do not tune socket memory in pcap read-only modeVadim Kochan1-0/+1
If a non-privileged user opens a pcap file then netsniff-ng tries to setup socket memory which causes warnings about failing because of permissions. So don't tune socket memory in pcap-read-only mode. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-07-13netsniff-ng: minor whitespace formatting fixDaniel Borkmann1-1/+1
Just get this properly aligned. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-06-20netsniff-ng: Add dissector for Linux "cooked" packetsVadim Kochan1-5/+5
Added dissector_sll.c which uses sockaddr_ll to lookup & print higher L3 layer protocol. This dissector is mapped by LINKTYPE_LINUX_SLL link type. Sample output of dissected Netlink & Ethernet packets. Truncated manually some longer lines by "...": > nlmon0 20 1434193547s.717131169ns #6 [ Linux "cooked" Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ] [ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)... > wlp3s0 52 1434194181s.436224709ns #9 [ Linux "cooked" Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ] [ IPv4 Addr (XXX.XXX.XXX.XXX => 212.42.76.253), Proto (6), TTL (64), TOS (0), ... ), CSum (0x1ef5) is ok ] [ Geo (local => Ukraine) ] [ TCP Port (45849 => 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ... [ Chr .....w.Rj).. ] [ Hex XX XX XX XX XX XX XX XX XX XX XX XX ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-06-20pcap_io: add cooked mode supportDaniel Borkmann1-0/+17
Originally submitted by Vadim in a different form, he wrote: Use Linux "cooked" header for Netlink interface automatically or as replacement of L2 header if "--cooked" option is specified: http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html 'Cooked headers' makes sense to use for default or nsec pcap types which does not contain protocol info. Added new LINKTYPE_LINUX_SLL which indicates pcap file with Linux "cooked" header as L2 layer header. This pcap file is compatible with Wireshark's "cooked" header & vice-versa. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-06-18netsniff-ng: Add cooked cmdline option.Vadim Kochan1-4/+10
Add a --cooked option that we later on use for capturing in cooked header. For now, this only captures with a dgram packet socket, but the remaining logic will follow up. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> [ dbkm: split out patch ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-05-11netsniff-ng: Fix typo Unkown -> UnknownKartik Mistry1-2/+2
Fix typo in error message. Signed-off-by: Kartik Mistry <kartik.mistry@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-05-07netsniff-ng: add comment wrt NOATIME and fix whitespaceDaniel Borkmann1-1/+5
Just add a comment to the reader, so that it's obvious. The second condition could have been spared in case of open_or_die(), but it's nothing critical and the extra indent can be spared instead. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-05-07netsniff-ng: Open pcap w/o O_NOATIME on 2nd tryVadim Kochan1-1/+6
If the file open fails with O_NOATIME option then try to open it w/o this option in case if the user does not have enough prvileges to use O_NOATIME. It fixes the case when user made pcap file in sudo mode but after it should still use sudo to read it because of setting O_NOATIME option requires higher privileges. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-05-05die: Rename *_panic_func to *_panic_handlerVadim Kochan1-1/+1
Rename xxx_panic_func(s) to xxx_panic_handler(s) which is more understandable than 'func'. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-05-02netsniff-ng: Show packet numberVadim Kochan1-5/+8
Show the packet number as part of the dissector output. Example: > wlp3s0 107 1430159373s.693002029ns (#5) [ Eth MAC (6c:88:14:ac:51:e4 => 10:fe:ed:90:22:12), Proto (0x0800, IPv4) ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-05-01netsniff-ng: alias lb to rr as wellDaniel Borkmann1-1/+2
After all it's round robin mode. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-04-27netsniff-ng nlmsg: Print netlink protocol nameVadim Kochan1-5/+9
nlmsg proto handler can't identify Netlink protocol from nlmsghdr, so sockaddr_ll can be used to get it. Also renamed [proto -> handler] member in pkt_buff struct, which is more understandable. Example: >U nlmon0 4756 1429891435s.14505747ns [ NLMSG Proto 0 (RTNETLINK), Len 1160, Type 0x0010 (0x10), Flags 0x0002 (MULTI), Seq-Nr 1429891436, PID 31613 ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> [tklauser: Handle usage of NETLINK_SOCK_DIAG with pre 3.10 kernel headers, fix nl_proto2str() return value, formatting changes] Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-27netsniff-ng: Rotate pcap files prematurely on SIGHUPTobias Klauser1-9/+25
Allow to send SIGHUP to a running netsniff-ng process, causing it to prematurely rotate the output PCAP when the output device (-o/--out) is a directory. The rotating interval (time/file size) will be reset. Suggested by dcode in #140 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-22netsniff-ng: Don't set IO prio when reading pcap fileVadim Kochan1-3/+3
It allows to read pcap file for users who have no permissions to set process IO prio. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Acked-by: Daniel Borkmann <borkmann@iogearbox.net> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-22netsniff-ng: Store getgid() result in correct member of struct contextVadim Kochan1-1/+1
Changed to use ctx->gid when call getgid() on init_ctx. Before we were overwriting ctx->uid which clearly is an error. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-21netsniff-ng: Delete rfmon mac80211 device in case of panicVadim Kochan1-9/+17
netsniff-ng does not delete created rfmon device in case of panic (for example - bad pcap filter expression), so added ability to add callback func when panic will be happen and delete rfmon device. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-21netsniff-ng: add packet fanout supportMichał Purzyński1-5/+49
This work adds packet fanout support to netsniff-ng. Multiple netsniff-ng instances can join the same fanout group with a particular id in order to improve scaling. Based on different fanout disciplines, e.g. distribute to fanout member by packet hash, round-robin, by arrival cpu, by random, by socket rollover (if one members socket queue is full, switch to next one, etc), by hardware queue mapping, traffic can be distributed to one of the fanout members. Moreover, we also allow the user to specify additional aux arguments, e.g. whether to defrag incoming traffic for the fanout group or not, and whether to roll over a socket in case other disciplines than socket rollover have been used. All that is configurable via command line option. Signed-off-by: Michał Purzyński <michalpurzynski1@gmail.com> [ dbkm made some bigger changes to get this upstream ready ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-04-13netsniff-ng: Consider radiotap header of monitor devVadim Kochan1-12/+11
netsniff-ng does not check if monitor device includes radiotap header which leads to the wrong 802.11 frame parsing. Tested if the .pcap file is understandable by wireshark and if dump info is basically correct, but did not test the case when xmit packets from .pcap file to the output device and from the input device to the output device. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> [tklauser: whitespace changes] Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-03-31netsniff-ng: No trailing whitespaces in generated trafgen config filesTobias Klauser1-1/+4
Make sure we don't print any unnecessary trailing whitespaces to the trafgen config file when converting from pcap. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-02-05xmalloc: Make xrealloc() arguments conform to realloc()Tobias Klauser1-1/+1
xrealloc() has an additional nmemb argument compared to realloc() for which it should serve as a wrapper. Since we always call with nmemb = 1, we might as well remove this argument and thus have xrealloc() conform to the realloc() function prototype. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-01-26netsniff: Allow filter input pcap file to output pcapVadim Kochan1-1/+19
It might be useful to filter out interesting traffic from input pcap to output pcap file which will contain only filtered packets: $ netsniff-ng -i input.pcap -o output.pcap ip src 192.168.1.198 Now it is possible by specifying output pcap file with ".pcap" extension, otherwise the trafgen file will be generated as by default. Signed-off-by: Vadim Kochan <vadim4j@gmail.com> [tklauser: small wording and whitespace adjustment] Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-12-12all: Reduce amount of empty liens in usage and version output a bitTobias Klauser1-5/+5
No need for some of the empty lines, remove them to make the output a bit denser. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-10-01netsniff-ng: Combine redundant pcap file rotation logic into functionTobias Klauser1-34/+24
The code to create the next pcap dump file is duplicated for the HAVE_TPACKET3 and !HAVE_TPACKET3 case. Consolidate the functionality into a function to reduce code duplication. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-29netsniff-ng: Fix tpacketv2-only capturingTobias Klauser1-1/+1
We need to set up the RX ring depending on whether tpacket v3 is available or not. Otherwise end up setting its structure up for tpacket v3, even though only tpacket v2 is available. This should fix packet capturing for tpacket v2 (i.e. corrupted frames in pcap). Reported-by: Mike Reeves <luke@geekempire.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-29netsniff-ng: Move variable definitionTobias Klauser1-3/+2
Save one #ifdef block by moving the tpacket v3 only variable definition to the block where it is actually used. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-11netsniff-ng: Remvoe unnecessary cast to void *Tobias Klauser1-2/+1
The iov_base member of struct iovec is already void *, so there is no need to cast it. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-11netsniff-ng: Unindent goto labelTobias Klauser1-2/+1
Stick to the usual style of having goto labels not indented. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-09netsniff-ng: Remove useless check for ctx.device_inTobias Klauser1-2/+1
If ctx.device_in is NULL after option parsing, it is always set to "any", which is before this check. Thus, it serves no purpose and can be removed. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-09-05netsniff-ng: Don't duplicate copyright/bug report/license stringTobias Klauser1-18/+13
Move the copyright/bug report/license string to an own constant and use it for the output of help() and version() to avoid duplication and prevent the strings from getting out of sync. This makes the text section of netsniff-ng.o slightly smaller: before: text data bss dec hex filename 26998 8 68 27074 69c2 netsniff-ng/netsniff-ng.o after: text data bss dec hex filename 26582 8 68 26658 6822 netsniff-ng/netsniff-ng.o Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-08-14netsniff-ng: Use correct parameters to show_frame_hdr()Tobias Klauser1-1/+2
Commit edca6174b09 ("dissector: Restore paket type if capturing from nlmon device") changed the signature of show_frame_hdr(). The call to this function was not updated in the !HAVE_TPACKET3 part of netsniff-ng introduced in commit 97e6f994785c ("netsniff-ng: Restore tpacket v2 capturing"), causing a compile error. Fix this by providing the correct parameters to show_frame_hdr() also in this case. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-08-14netsniff-ng: Restore tpacket v2 capturingTobias Klauser1-1/+71
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng: migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for capturing packets. This patch restores the possibility to capture using tpacket v2. For now this is just a fallback if the configure script doesn't detect tpacket v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this shouldn't change anything and they will continue using tpacket v3. For now this fix contains quite a bit of ugly #ifdefery which should be cleaned up in the future. Fixes #76 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-08-12netsniff-ng: Add command line option to disable hardware time stampingTobias Klauser1-5/+13
Allow to disable hardware time stamping using the command line switch (-N/--no-hwtimestamp). This might be useful in situations where hardware time stamps are skewed somehow. Reference: #129 Signed-off-by: Tobias Klauser <tklauser@distanz.ch>