| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The size of mmaped netlink packet is equals to its frame size, so
may be different from actual size. It can be checked by the next
nlmsg len is 0 or not, and trim it in that case.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
It would be better to use NLMSG_HDRLEN instead of sizeof(*hdr)
and not to use NLMSG_PAYLOAD to get payload length, I think.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
flowtop and the netsniff-ng's netlink message dissector both need to get
the process name for a pid from /proc/<pid>/exe, thus move that
functionality to an own function.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
NTF_SELF and NTF_MASTER might not be defined on older kernel versions (as
is e.g. the case in the Travis CI build failing [1]). Fix this by
conditionally defining all NTF_* constants.
[1] https://travis-ci.org/netsniff-ng/netsniff-ng/jobs/68779130
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Added dissector_sll.c which uses sockaddr_ll to lookup & print
higher L3 layer protocol.
This dissector is mapped by LINKTYPE_LINUX_SLL link type.
Sample output of dissected Netlink & Ethernet packets.
Truncated manually some longer lines by "...":
> nlmon0 20 1434193547s.717131169ns #6
[ Linux "cooked" Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ]
[ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)...
> wlp3s0 52 1434194181s.436224709ns #9
[ Linux "cooked" Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ]
[ IPv4 Addr (XXX.XXX.XXX.XXX => 212.42.76.253), Proto (6), TTL (64), TOS (0), ...
), CSum (0x1ef5) is ok ]
[ Geo (local => Ukraine) ]
[ TCP Port (45849 => 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ...
[ Chr .....w.Rj).. ]
[ Hex XX XX XX XX XX XX XX XX XX XX XX XX ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Dissect basic rtnl neighbour info.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Move device string convertions funcs (device_type2str, device_addr2str)
from proto_nlmsg.c to dev.c to use them in other modules.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ dbkm: minor stylistic fixes ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
IFA_FLAGS and RTPROT_MROUTED might not be defined on older kernel
versions (as is evident from the Travis CI build failing [1]). Fix it by
conditionally using the two definitions.
[1] https://travis-ci.org/netsniff-ng/netsniff-ng/jobs/65887691
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Add some more dissection logic for dumping rtnetlink related infos
with attributes.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Dump RTnetlink address related info with attributes.
Additional changes:
- print 'Len' info at the end of each attribute.
- print new line before each header if packet
contains more netlink messages
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Dump RTnetlink interface related info with attributes.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Pull & print more netlink messages from one packet which can be sent
with MULTI flag.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Print 'Family' and 'Type' (considering family) fields in less mode.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Print nlmsg type name for rtnetlink messages.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tk: ifdef guards for RTM_NEWNETCONF and RTMNEWMDB, other minor fixes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Instead of just reproducing the macro name, provide a little more
information (as given in the comments next to the definitions in
linux/netlink.h)
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Netlink messages don't use the term `family' instead of `protocol', so
stick to it when printing dissected information.
Also, functions with the `nl_' prefix are used by libnl, so in order to
not confuse it with libnl functions, rename nl_proto2str() to
nlmsg_family2str()
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
nlmsg proto handler can't identify Netlink protocol from nlmsghdr, so
sockaddr_ll can be used to get it.
Also renamed [proto -> handler] member in pkt_buff struct, which is more
understandable.
Example:
>U nlmon0 4756 1429891435s.14505747ns
[ NLMSG Proto 0 (RTNETLINK), Len 1160, Type 0x0010 (0x10), Flags 0x0002 (MULTI), Seq-Nr 1429891436, PID 31613 ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tklauser: Handle usage of NETLINK_SOCK_DIAG with pre 3.10 kernel
headers, fix nl_proto2str() return value, formatting changes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The libnl3 examples [1] use <netlink/netlink.h> etc. and since
pkg-config returns the paths including the libnl3 path component, we
should specify our include paths relative to these ones, not
/usr/include.
[1] http://www.infradead.org/~tgr/libnl/doc/core.html#_linking_to_this_library
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Commit 6c5d0caf3b7c ("netsniff-ng: Fix process name when sniffing nlmon
device") fixed the problem of not NULL-terminating the readlink() result
buffer by initializing the entire buffer with '\0'.
Switch to the more common and better readable idiom of explicitely
writing a NULL byte after the readlink result string to make this more
obvious. Also change the buffer size to PATH_MAX.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
While sniffing nlmon device the process name can be
printed with non-letter characters because readlink does not
put line ending '\0'
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Fixes sparse warnings like the following in some dissectors:
proto_arp.c:158:17: warning: symbol 'arp_ops' was not declared. Should it be static?
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The port id field of the netlink message header does not necessarily
indicate the PID of the receiving process [1] (e.g. in case of
multithreaded applications or using multiple sockets). Mention this in
a comment.
[1] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
In the netlink message dissector, use the PID from the header to look up
the process name of the sending process.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Add an initial implementation of a dissector to work on netlink messages
as received from an nlmon device.
Use can use it as follows to monitor netlink traffic to/from the kernel:
modprobe nlmon
ip link add type nlmon
ip link set nlmon0 up
netsniff-ng -i nlmon0
ip link set nlmon 0 down
ip link del dev nlmon0
rmmod nlmon
Fixes: #89
Suggested-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
