From da8fcdd7d8ce59ea334ec24cdaddcc02eb611f04 Mon Sep 17 00:00:00 2001 From: Vadim Kochan Date: Sat, 13 Jun 2015 15:30:46 +0300 Subject: netsniff-ng: Add cooked cmdline option. Add a --cooked option that we later on use for capturing in cooked header. For now, this only captures with a dgram packet socket, but the remaining logic will follow up. Signed-off-by: Vadim Kochan [ dbkm: split out patch ] Signed-off-by: Daniel Borkmann --- netsniff-ng.8 | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'netsniff-ng.8') diff --git a/netsniff-ng.8 b/netsniff-ng.8 index 677a78c..fb208cf 100644 --- a/netsniff-ng.8 +++ b/netsniff-ng.8 @@ -69,12 +69,14 @@ netsniff-ng can also be used to debug netlink traffic. Defines an input device. This can either be a networking device, a pcap file or stdin (\[lq]\-\[rq]). In case of a pcap file, the pcap type (\[lq]\-D\[rq] option) is determined automatically by the pcap file magic. In case of stdin, -it is assumed that the input stream is a pcap file. +it is assumed that the input stream is a pcap file. If the pcap link type is +Netlink and pcap type is default format (usec or nsec), then each packet will +be wrapped with pcap cooked header [2]. .PP .SS -o , --out Defines the output device. This can either be a networking device, a pcap file, -a folder, a trafgen(8) configuration file or stdout (\[lq]-\[rq]). In the case of a pcap -file that should not have the default pcap type (0xa1b2c3d4), the additional +a folder, a trafgen(8) configuration file or stdout (\[lq]-\[rq]). In the case of a +pcap file that should not have the default pcap type (0xa1b2c3d4), the additional option \[lq]\-T\[rq] must be provided. If a directory is given, then, instead of a single pcap file, multiple pcap files are generated with rotation based on maximum file size or a given interval (\[lq]\-F\[rq] option). Optionally, 
@@ -84,7 +86,10 @@ input device is a pcap file. To specify a pcap file as the output device, the file name must have \[lq].pcap\[rq] as its extension. If stdout is given as a device, then a trafgen configuration will be written to stdout if the input device is a pcap file, or a pcap file if the input device is a networking -device. +device. In case if the input device is a Netlink monitor device and pcap type +is default (usec or nsec) then each packet will be wrapped with pcap cooked +header [2] to keep Netlink family number (Kuznetzov's and netsniff-ng pcap types +already contain family number in protocol number field). .PP .SS -C , --fanout-group If multiple netsniff-ng instances are being started that all have the same packet @@ -254,6 +259,11 @@ possible addresses. Thus, to save bandwidth or for mirroring of Maxmind's databases (to bypass their traffic limit policy), different hosts or IP addresses can be placed into geoip.conf, separated by a newline. .PP +.SS -w, --cooked +Replace each frame link header with Linux "cooked" header [3] which keeps info +about link type and protocol. It allows to dump and dissect frames captured +from different link types when -i "any" was specified, for example. +.PP .SS -V, --verbose Be more verbose during startup i.e. show detailed ring setup information. .PP @@ -588,6 +598,8 @@ in the payload itself as reported here. However, the filtering for VLANs works reliable if your NIC supports it. See bpfc(8) for an example. .PP [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html + [2] http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html + [3] http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html .PP .SH LEGAL netsniff-ng is licensed under the GNU GPL version 2.0. -- cgit v1.2.3-54-g00ecf
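Review bot: In the `-i, --in` hunk the new sentence uses "pcap cooked header" for the LINKTYPE_NETLINK pseudo-header [2], while the `-w, --cooked` section in the same patch uses "cooked" for the Linux SLL header [3]; two different encapsulations under one name will confuse readers of the man page. Suggest "each packet will be wrapped with the Netlink pseudo-header [2]" here, and also "the default format" and "the pcap cooked header" for grammar.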
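Review bot: "In case if the input device is a Netlink monitor device" in the `-o, --out` hunk is ungrammatical; suggest "If the input device is a Netlink monitor device and the pcap type is the default (usec or nsec), each packet is wrapped with the pcap cooked header [2] to preserve the Netlink family number". The parenthetical should also say "already carry the family number in the protocol field" rather than "protocol number field".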
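Review bot: The `-w, --cooked` entry documents dissection of frames from different link types with `-i any`, but the commit message says only the dgram packet-socket capture is wired up and "the remaining logic will follow up", so the man page promises behaviour the code does not yet have; either land this hunk with the follow-up or state that the option currently only selects the capture socket type. Wording: "Replaces each frame's link-layer header with the Linux cooked header [3], which records the link type and protocol. This makes it possible to dump and dissect frames captured from different link types, for example when -i \[lq]any\[rq] is given", using the man page's \[lq]\[rq] quoting instead of "any". Also confirm that `-w` is not already assigned to another option in this man page and the getopt string.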
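Review bot: In the references hunk the two added lines are `+ [2] ...` and `+ [3] ...`, i.e. they begin with a leading space, whereas the existing `[1]` line does not; drop the space so the list is aligned, and since the hunk context shows no blank line or `.PP` between entries, the three references will render as one run-on paragraph in groff unless each is separated with `.br` or `.PP`.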