After kernel commit a07ea4d9941a ("genetlink: no longer support using
static family IDs"), GENL_ID_GENERATE is no longer exposed to userspace
(and actually should never have been). Change the genl nlmsg dissector
to only consider the nlctrl family and the two other static family IDs
needed for workarounds. All other family IDs are considered dynamically
generated.
Fixes #171
Reported-by: Jaroslav Škarvada <jskarvad@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Protect usage of macros not present in pre-3.x kernels.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Remove empty lines in switch/case after break in genl_print_ctrl_attrs
to be consistent with coding style in the rest of the file.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Dump Generic netlink ops & mcast groups nested attributes.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Do not print the rtnl message if there is only an nlmsg header, which happens
when dumping the whole rtnl table.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Rename attr_fmt to rta_fmt as it uses rtattr struct.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Add dissection of basic Netlink Generic Controller family info.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Print unhandled attributes, which will be helpful to identify such
attributes and add dissection code.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
It looks like the result of RTA_PAYLOAD() can be of different type
depending on architecture/kernel header version/...
In order to prevent warnings related to non-matching types, just
explicitly cast RTA_LEN to an int, since it can't possibly be larger
than the unsigned short of rta_len anyhow and it is used as an int in the
call to device_addr2str().
Fixes: 664dcf4217 ("netsniff-ng: nlmsg: Use correct pritnf format specifier for int")
Reported-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
RTA_LEN is defined as an alias of RTA_PAYLOAD which is defined as:
#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
Thus use the correct format specifier %d for int instead of %lu.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Currently we only support full dissection of RTNL netlink messages. For
non-RTNL messages we only print the header and omit the data.
Change this behavior and print a full ascii/hex dump of the remaining
data (like it is done in dissector_entry_point() for trailing data after
all known protocols have been processed) to give the user a chance to
still inspect the message content.
Reported-by: Geoff Ladwig <gladwig@verdantnetworks.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
nl_nlmsg_flags2str() returns an empty string if the provided flags
argument is 0. Check this condition and display "none" instead to make
the output nicer to read.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The size of an mmaped netlink packet equals its frame size, so it
may differ from the actual size. This can be checked by whether the next
nlmsg len is 0 or not, and the packet trimmed in that case.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
It would be better to use NLMSG_HDRLEN instead of sizeof(*hdr)
and not to use NLMSG_PAYLOAD to get payload length, I think.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
flowtop and the netsniff-ng's netlink message dissector both need to get
the process name for a pid from /proc/<pid>/exe, thus move that
functionality to its own function.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
NTF_SELF and NTF_MASTER might not be defined on older kernel versions (as
is e.g. the case in the Travis CI build failing [1]). Fix this by
conditionally defining all NTF_* constants.
[1] https://travis-ci.org/netsniff-ng/netsniff-ng/jobs/68779130
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Added dissector_sll.c which uses sockaddr_ll to look up & print the
higher L3 layer protocol.
This dissector is mapped by the LINKTYPE_LINUX_SLL link type.
Sample output of dissected Netlink & Ethernet packets; some longer lines
were truncated manually with "...":
> nlmon0 20 1434193547s.717131169ns #6
[ Linux "cooked" Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ]
[ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)...
> wlp3s0 52 1434194181s.436224709ns #9
[ Linux "cooked" Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ]
[ IPv4 Addr (XXX.XXX.XXX.XXX => 212.42.76.253), Proto (6), TTL (64), TOS (0), ...
), CSum (0x1ef5) is ok ]
[ Geo (local => Ukraine) ]
[ TCP Port (45849 => 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ...
[ Chr .....w.Rj).. ]
[ Hex XX XX XX XX XX XX XX XX XX XX XX XX ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Dissect basic rtnl neighbour info.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Move device string conversion funcs (device_type2str, device_addr2str)
from proto_nlmsg.c to dev.c to use them in other modules.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[ dbkm: minor stylistic fixes ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
IFA_FLAGS and RTPROT_MROUTED might not be defined on older kernel
versions (as is evident from the Travis CI build failing [1]). Fix it by
conditionally using the two definitions.
[1] https://travis-ci.org/netsniff-ng/netsniff-ng/jobs/65887691
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Add some more dissection logic for dumping rtnetlink related info
with attributes.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Dump RTnetlink address related info with attributes.
Additional changes:
- print 'Len' info at the end of each attribute.
- print new line before each header if the packet contains more netlink messages
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Dump RTnetlink interface related info with attributes.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Pull & print more netlink messages from one packet, which can be sent
with the MULTI flag.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Print 'Family' and 'Type' (considering family) fields in less mode.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Print nlmsg type name for rtnetlink messages.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tk: ifdef guards for RTM_NEWNETCONF and RTM_NEWMDB, other minor fixes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Instead of just reproducing the macro name, provide a little more
information (as given in the comments next to the definitions in
linux/netlink.h).
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Netlink messages use the term `family' instead of `protocol', so
stick to it when printing dissected information.
Also, functions with the `nl_' prefix are used by libnl, so in order to
not confuse it with libnl functions, rename nl_proto2str() to
nlmsg_family2str()
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
nlmsg proto handler can't identify Netlink protocol from nlmsghdr, so
sockaddr_ll can be used to get it.
Also renamed [proto -> handler] member in pkt_buff struct, which is more
understandable.
Example:
>U nlmon0 4756 1429891435s.14505747ns
[ NLMSG Proto 0 (RTNETLINK), Len 1160, Type 0x0010 (0x10), Flags 0x0002 (MULTI), Seq-Nr 1429891436, PID 31613 ]
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[tklauser: Handle usage of NETLINK_SOCK_DIAG with pre 3.10 kernel
headers, fix nl_proto2str() return value, formatting changes]
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The libnl3 examples [1] use <netlink/netlink.h> etc. and since
pkg-config returns the paths including the libnl3 path component, we
should specify our include paths relative to these ones, not
/usr/include.
[1] http://www.infradead.org/~tgr/libnl/doc/core.html#_linking_to_this_library
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Commit 6c5d0caf3b7c ("netsniff-ng: Fix process name when sniffing nlmon
device") fixed the problem of not NULL-terminating the readlink() result
buffer by initializing the entire buffer with '\0'.
Switch to the more common and better readable idiom of explicitly
writing a NULL byte after the readlink result string to make this more
obvious. Also change the buffer size to PATH_MAX.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
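The idiom the two readlink() commits converge on, as an added example that is not netsniff-ng code: readlink(2) never writes a terminator, so the caller must reserve a byte, write '\0' itself, and treat a result that fills the buffer as "does not fit" rather than as a shortened path. The helper names readlink_nul(), proc_exe_path() and demo_roundtrip() are mine; the symlink target used by the demo is constructed.

```c
/* Added example, not netsniff-ng code: NUL-terminate readlink() results
 * explicitly and refuse silently truncated targets. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the target of `path` into buf. Returns its length, or -1 with errno
 * set. readlink() returning size-1 cannot be told apart from a truncated
 * target, so that case is reported as ENAMETOOLONG instead of being used. */
static ssize_t readlink_nul(const char *path, char *buf, size_t size)
{
	ssize_t n;

	if (size == 0) {
		errno = EINVAL;
		return -1;
	}
	n = readlink(path, buf, size - 1);   /* keep one byte for '\0' */
	if (n < 0)
		return -1;
	if ((size_t)n >= size - 1) {
		errno = ENAMETOOLONG;
		return -1;
	}
	buf[n] = '\0';                       /* readlink() did not do this */
	return n;
}

/* Resolve /proc/<pid>/exe the way a dissector does when it maps a netlink
 * port id to a process name (Linux /proc assumed). */
static ssize_t proc_exe_path(pid_t pid, char *buf, size_t size)
{
	char path[64];

	snprintf(path, sizeof(path), "/proc/%ld/exe", (long)pid);
	return readlink_nul(path, buf, size);
}

/* Create a symlink with a known target and read it back, so the helper can
 * be exercised offline. Returns the length read or -1. */
static int demo_roundtrip(const char *link_path, const char *target, char *out, size_t size)
{
	ssize_t n;

	(void)unlink(link_path);             /* may not exist yet; that is fine */
	if (symlink(target, link_path) != 0)
		return -1;
	n = readlink_nul(link_path, out, size);
	(void)unlink(link_path);
	return (int)n;
}

int main(void)
{
	char big[256], small[8];
	int n = demo_roundtrip("/tmp/readlink_nul_example", "/constructed/target/bin", big, sizeof(big));

	printf("target: %s (%d bytes)\n", n < 0 ? "<error>" : big, n);
	n = demo_roundtrip("/tmp/readlink_nul_example", "/constructed/target/bin", small, sizeof(small));
	printf("8-byte buffer: %s\n", n < 0 ? strerror(errno) : small);
	n = (int)proc_exe_path(getpid(), big, sizeof(big));
	printf("own executable: %s\n", n < 0 ? strerror(errno) : big);
	return 0;
}
```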
|
|
While sniffing the nlmon device the process name can be
printed with non-letter characters because readlink does not
put the terminating '\0'.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Fixes sparse warnings like the following in some dissectors:
proto_arp.c:158:17: warning: symbol 'arp_ops' was not declared. Should it be static?
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
The port id field of the netlink message header does not necessarily
indicate the PID of the receiving process [1] (e.g. in case of
multithreaded applications or using multiple sockets). Mention this in
a comment.
[1] http://www.carisma.slowglass.com/~tgr/libnl/doc/core.html#core_netlink_fundamentals
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
In the netlink message dissector, use the PID from the header to look up
the process name of the sending process.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
|
Add an initial implementation of a dissector to work on netlink messages
as received from an nlmon device.
You can use it as follows to monitor netlink traffic to/from the kernel:
modprobe nlmon
ip link add type nlmon
ip link set nlmon0 up
netsniff-ng -i nlmon0
ip link set nlmon0 down
ip link del dev nlmon0
rmmod nlmon
Fixes: #89
Suggested-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|