path: root/pcap_io.h
Age | Commit message | Author | Files | Lines
2017-02-09 | pcap_io: Add function to get packet timestamp | Vadim Kochan | 1 | -0/+53
Add pcap_get_tstamp(...) function to get packet's timestamp considering different packet types & bytes order.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2016-06-22 | netsniff-ng: pcap_io: Print unsupported magic number | Vadim Kochan | 1 | -1/+1
It might be more understandable to print unsupported pcap magic number in hexadecimal format.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-06-20 | pcap_io: add cooked mode support | Daniel Borkmann | 1 | -37/+155
Originally submitted by Vadim in a different form, he wrote:
Use Linux "cooked" header for Netlink interface automatically or as replacement of L2 header if "--cooked" option is specified: http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
'Cooked headers' makes sense to use for default or nsec pcap types which do not contain protocol info.
Added new LINKTYPE_LINUX_SLL which indicates pcap file with Linux "cooked" header as L2 layer header. This pcap file is compatible with Wireshark's "cooked" header & vice-versa.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-06-18 | pcap_io: add sockaddr_ll to pcap_ll | Vadim Kochan | 1 | -0/+30
Add relevant structure and conversion functions in both directions.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ dbkm: split out patch ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-06-18 | netsniff-ng: Add cooked cmdline option. | Vadim Kochan | 1 | -24/+51
Add a --cooked option that we later on use for capturing in cooked header. For now, this only captures with a dgram packet socket, but the remaining logic will follow up.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ dbkm: split out patch ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2015-04-22 | netsniff-ng: Don't set IO prio when reading pcap file | Vadim Kochan | 1 | -1/+1
It allows to read pcap file for users who have no permissions to set process IO prio.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Acked-by: Daniel Borkmann <borkmann@iogearbox.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2015-04-13 | netsniff-ng: Consider radiotap header of monitor dev | Vadim Kochan | 1 | -1/+2
netsniff-ng does not check if monitor device includes radiotap header which leads to the wrong 802.11 frame parsing.
Tested if the .pcap file is understandable by wireshark and if dump info is basically correct, but did not test the case when xmit packets from .pcap file to the output device and from the input device to the output device.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tklauser: whitespace changes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-08-14 | netsniff-ng: Restore tpacket v2 capturing | Tobias Klauser | 1 | -0/+2
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng: migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for capturing packets.
This patch restores the possibility to capture using tpacket v2. For now this is just a fallback if the configure script doesn't detect tpacket v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this shouldn't change anything and they will continue using tpacket v3.
For now this fix contains quite a bit of ugly #ifdefery which should be cleaned up in the future.
Fixes #76
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-14 | dissector: Get rid of header dependency on pcap_io.h | Tobias Klauser | 1 | -23/+1
The dissector only needs the LINKTYPE_* #defines from pcap_io.h. Instead of pulling in this rather large header just for this, move the LINKTYPE_* #defines to an own header and include it where needed.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2014-04-07 | pcap_io: fill sll when reading pcap | Daniel Borkmann | 1 | -1/+24
When reading from a pcap in Kuznetsov/netsniff-ng format, we currently do not fill out sll. Do so so that users can see pkttype and the interface.
Reported-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2014-03-11 | pcap_io: Only check byteswapped linktype if pcap magic is swapped | Tobias Klauser | 1 | -13/+8
In pcap_validate_header() the linktype and the byte-swapped linktype are currently checked against the supported linktypes. Since the swapped linktype is always larger than LINKTYPE_MAX, only one of the two tests was actually done. Make this intention a bit more clear by explicitly checking only for either the swapped or non-swapped linktype, depending on whether the pcap magic is swapped.
Also make the error messages a bit more verbose regarding the major/minor version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2013-09-30 | netsniff-ng: Display pcap I/O method in verbose mode | Tobias Klauser | 1 | -3/+3
If a user accidentally specifies more than one of --mm/--sg/--clrw, the option specified last will be used - as expected from standard command line tools. In order to still prevent users from being confused by this, explicitly display the pcap I/O method used in verbose mode.
In order for the output to be more user-friendly, actually write out the method names in const char *pcap_ops_group_to_str, which isn't used anywhere else anyway.
Suggested-by: Jon Schipp <jonschipp@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2013-08-11 | pcap_io: Fix compiler warning | Tobias Klauser | 1 | -1/+1
Fix the following compiler warning that occurs when building with "-W -Wall -Wextra":
pcap_io.h: In function ‘pcap_prepare_header’:
pcap_io.h:628:255: warning: signed and unsigned type in conditional expression [-Wsign-compare]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2013-07-23 | pcap_io: tun: support captures from wireshark/tcpdump via tun devices | Daniel Borkmann | 1 | -0/+2
101-103 do not have official link types and seem to be non-portable. Just add them so that we can replay pcap's of such types as well.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-07-13 | pcap_io: Remove unused parameter sll from pcap_pkthdr_to_tpacket_hdr() | Tobias Klauser | 1 | -2/+1
The sll parameter is not used anywhere in the function, so remove it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2013-07-13 | pcap_io: Use iterator variable of correct type | Tobias Klauser | 1 | -1/+1
array_size() returns size_t, thus make i size_t too to avoid a warning regarding comparison of signed/unsigned.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2013-07-03 | pcap: invoke dev->type to pcap linktype mapper | Daniel Borkmann | 1 | -3/+3
Invoke dev->type to pcap linktype mapper in order to write a correct pcap file header for various link types. Also fix two bugs in pcap file header parsing and print a warning with the magic link number in case of an unknown link type.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-07-03 | pcap: fix build error | Daniel Borkmann | 1 | -4/+4
Various fixes for last commit. Sorry for that.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-07-03 | pcap: support for various linktypes | Daniel Borkmann | 1 | -13/+104
Add a device_type() method to get the assigned dev->type from the kernel, and add support for automatic selection of the correct pcap file header's linktype. This needs to be integrated into the core code though.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-07-03 | pcap_io: add LINKTYPE_NETLINK for netlink pcaps | Daniel Borkmann | 1 | -0/+3
This adds basic linktype support for netlink "nlmon" devices. Todo: we still need to set the correct pcap type on capturing.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-06-04 | xio: rename xio to ioops and reduce its includes | Daniel Borkmann | 1 | -1/+1
Rename xio to ioops (io-ops) and boil its include files down to a minimum.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-05-31 | ring: netsniff-ng: migrate capture only to TPACKET_V3 | Daniel Borkmann | 1 | -38/+63
Let's migrate capturing to TPACKET_V3, since it will bring a better performance due to fewer page cache misses caused by a higher density of packets, since now they are contiguously placed in the ring buffer.
It is said that TPACKET_V3 brings the following benefits:
*) ~15 - 20% reduction in CPU-usage
*) ~20% increase in packet capture rate
*) ~2x increase in packet density
*) Port aggregation analysis
*) Non static frame size to capture entire packet payload
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-05-10 | make: allow to overwrite CFLAGS, CCACHE | Daniel Borkmann | 1 | -3/+3
Allow to define custom compile flags, e.g. ...
make CFLAGS="-O2 -Wall"
... and also allow to overwrite ccache variable:
make CCACHE= all
Also do some minor fixes when built with -O2 -Wall.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-05-10 | pcap_io: minor: fix some quirks | Daniel Borkmann | 1 | -3/+3
We can just replace int with uint32_t, that's no problem. Also fix one case where we moved to uint16_t.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-05-10 | pcap: let netsniff-ng also record pkt timestamp source | Daniel Borkmann | 1 | -3/+26
With commit [1] in the kernel, we can also store the timestamp source in the pcap packet header for later analysis. We do this by splitting the netsniff-ng's u32 ifindex into u16 tsource and u16 ifindex. Older kernels do not support the timestamp source in PF_PACKET, so it will stay 0 and is compatible with older netsniff-ng binaries.
[1] http://thread.gmane.org/gmane.linux.network/266878/
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-04-09 | pcap_io: introduce init_once helper that is called with privileges | Daniel Borkmann | 1 | -0/+1
When using netsniff-ng with dropping privileges, we have to introduce another pcap helper function that is called once before we drop the privileges. In this function we have to invoke the disc I/O scheduler policy, because it needs privileges. Otherwise netsniff-ng will fail with "Failed to set io prio for pid" on startup, since we're not root anymore.
Reported-by: Doug Burks <doug.burks@gmail.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
2013-03-15 | all: import netsniff-ng 0.5.8-rc0 source | Daniel Borkmann | 1 | -0/+581
We decided to get rid of the old Git history and start a new one for several reasons:
*) Allow / enforce only high-quality commits (which was not the case for many commits in the history), have a policy that is more close to the one from the Linux kernel. With high quality commits, we mean code that is logically split into commits and commit messages that are signed-off and have a proper subject and message body. We do not allow automatic Github merges anymore, since they are total bullshit. However, we will either cherry-pick your patches or pull them manually.
*) The old archive was about ~27MB for no particular good reason. This basically derived from the bad decision that also some PDF files were stored there. From this moment onwards, no binary objects are allowed to be stored in this repository anymore.
The old archive is not wiped away from the Internet. You will still be able to find it, e.g. on git.cryptoism.org etc.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>