Age | Commit message (Collapse) | Author | Files | Lines |
|
Add pcap_get_tstamp(...) function to get packet's timestamp considering
different packet types & bytes order.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
It might be more understandable to print unsupported
pcap magic number in hexadecimal format.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Originally submitted by Vadim in a different form, he wrote:
Use Linux "cooked" header for Netlink interface automatically or
as replacement of L2 header if "--cooked" option is specified:
http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
'Cooked headers' makes sense to use for default or nsec pcap
types which does not contain protocol info.
Added new LINKTYPE_LINUX_SLL which indicates pcap file with
Linux "cooked" header as L2 layer header. This pcap file is
compatible with Wireshark's "cooked" header & vice-versa.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Add relevant structure and conversion functions in both directions.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ dbkm: split out patch ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Add a --cooked option that we later on use for capturing in cooked
header. For now, this only captures with a dgram packet socket, but
the remaining logic will follow up.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ dbkm: split out patch ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
It allows to read pcap file for users who have no permissions to set
process IO prio.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Acked-by: Daniel Borkmann <borkmann@iogearbox.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
netsniff-ng does not check if monitor device includes radiotap
header which leads to the wrong 802.11 frame parsing.
Tested if the .pcap file is understandable by wireshark and if
dump info is basically correct, but did not test the case when xmit
packets from .pcap file to the output device and from the input device
to the output device.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tklauser: whitespace changes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Some older systems (e.g. RHEL 6) don't have tpacket v3 available, but
only tpacket v2. However, since commit d8cdc6a ("ring: netsniff-ng:
migrate capture only to TPACKET_V3") we solely rely on tpacket v3 for
capturing packets.
This patch restores the possibility to capture using tpacket v2. For now
this is just a fallback if the configure script doesn't detect tpacket
v3 (and thus HAVE_TPACKET3 isn't set). Thus, on most modern systems this
shouldn't change anything and they will continue using tpacket v3.
For now this fix contains quite a bit of ugly #ifdefery which should be
cleaned up in the future.
Fixes #76
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The dissector only needs the LINKTYPE_* #defines from pcap_io.h. Instead
of pulling in this rather large header just for this, move the
LINKTYPE_* #defines to an own header and include it where needed.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
When reading from a pcap in Kuznetsov/netsniff-ng format, we currently do
not fill out sll. Do so so that users can see pkttype and the interface.
Reported-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
In pcap_validate_header() the linktype and the byte-swapped linktype are
currently checked against the supported linktypes. Since the swapped
linktype is always larger than LINKTYPE_MAX, only one of the two tests
was actually done. Make this intention a bit more clear by explicitly
checking only for either the swapped or non-swapped linktype, depending
on whether the pcap magic is swapped.
Also make the error messages a bit more verbose regarding the
major/minor version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
If a user accidentially specifies more than one of --mm/--sg/--clrw, the
option specified last will be used - as expected from standard command
line tools. In order to still prevent users from being confused by this,
explicitely display the pcap I/O method used in verbose mode.
In order for the output to be more user-friendly, actually write out the
method names in const char *pcap_ops_group_to_str, which isn't used
anywhere else anyway.
Suggested-by: Jon Schipp <jonschipp@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Fix the following compiler warning that occurs when building with "-W
-Wall -Wextra":
pcap_io.h: In function ‘pcap_prepare_header’:
pcap_io.h:628:255: warning: signed and unsigned type in conditional expression [-Wsign-compare]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
101-103 do not have official link types and seem to be non-portable.
Just add them so that we can replay pcap's of such types as well.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
The sll parameter is not used anywhere in the function, so remove it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
array_size() returns size_t, thus make i size_t too to avoid a warning
regarding comparison of signed/unsigned.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Invoke dev->type to pcap linktype mapper in order to write a correct
pcap file header for various link types. Also fix two bugs in pcap
file header parsing and print a warning with the magic link number in
case of an unknown link type.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Various fixes for last commit. Sorry for that.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Add a device_type() method to get the assigned dev->type from the
kernel, and add support for automatic selection of the correct pcap
file header's linktype. This needs to be integrated into the core
code though.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
This adds basic linktype support for netlink "nlmon" devices.
Todo: we sill need to set the correct pcap type on capturing.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Rename xio to ioops (io-ops) and boil its include files down to a
minimum.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Lets migrate capturing to TPACKET_V3, since it will bring a better
performance due to fewer page cache misses caused by a higher density
of packets, since now they are contigous placed in the ring buffer.
It is said that TPACKET_V3 brings the following benefits:
*) ~15 - 20% reduction in CPU-usage
*) ~20% increase in packet capture rate
*) ~2x increase in packet density
*) Port aggregation analysis
*) Non static frame size to capture entire packet payload
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
Allow to define custom compile flags, e.g. ...
make CFLAGS="-O2 -Wall"
... and also allow to overwrite ccache variable:
make CCACHE= all
Also do some minor fixes when built with -O2 -Wall.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
We can just replace int with uin32_t, that's no problem. Also
fix one case where we moved to uint16_t.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
With commit [1] in the kernel, we can also store the timestamp
source in the pcap packet header for later analysis. We do this
by splitting the netsniff-ng's u32 ifindex into u16 tsource and
u16 ifindex. Older kernel do not support the timestamp source in
PF_PACKET, so it will stay 0 and is compatible with older
netsniff-ng binaries.
[1] http://thread.gmane.org/gmane.linux.network/266878/
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
When using netsniff-ng with dropping priviledges, we have to introduce
another pcap helper function that is called once before we drop the
priviledges. In this function we have to invoke the disc I/O scheduler
policy, because it needs priviledges. Otherwise netsniff-ng will fail
with "Failed to set io prio for pid" on startup, since we're not root
anymore.
Reported-by: Doug Burks <doug.burks@gmail.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
We decided to get rid of the old Git history and start a new one for
several reasons:
*) Allow / enforce only high-quality commits (which was not the case
for many commits in the history), have a policy that is more close
to the one from the Linux kernel. With high quality commits, we
mean code that is logically split into commits and commit messages
that are signed-off and have a proper subject and message body.
We do not allow automatic Github merges anymore, since they are
total bullshit. However, we will either cherry-pick your patches
or pull them manually.
*) The old archive was about ~27MB for no particular good reason.
This basically derived from the bad decision that also some PDF
files where stored there. From this moment onwards, no binary
objects are allowed to be stored in this repository anymore.
The old archive is not wiped away from the Internet. You will still
be able to find it, e.g. on git.cryptoism.org etc.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|