Hi Mathieu,

> Here is a patch that adds a netlink virtual interface.
> Through a hook in af_netlink.c every packet is duplicated and sent to
> that interface. Thus userspace sniffers can capture them.
> > Security people will cry, but sometimes we need good troubleshooting
> > means in userland.
> Yes, the deed is to enable netlink troubleshooting from kernel and
> userland

My guess is that the direction is interesting, whereas another way is to use socket communication for such packet logging/sniffing.

Netfilter is using netlink sockets to output packets to userland. It might be that arranging a "DEBUG NETLINK socket" and directing to it, when enabled, copies of all netlink messages (better to exclude really bulk traffic like the netfilter packet log) would be a more "standardized" solution.

Thus, the hook in netlink_sendmsg will just send one more copy of a unicast and include the DEBUG_NETLINK socket in a multicast.

Sniffing kernel packets via such netlink sockets may actually be extended to unix-domain traffic as well.

What do you think?

--
Sincerely,
-----------------------------------------------------------------------
Robert Iakobashvili, coroberti at gmail dot com
NAVIGARE NECESSE EST
----------------------------------------------------------------------
nldev.patch
Description: Binary data
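Either design in the thread ends with a userland sniffer reading batches of netlink messages off a socket. The C example below is added here and is neither Mathieu's patch nor code from this thread: it walks such a receive buffer with the NLMSG_* macros, tallying NLMSG_DONE and NLMSG_ERROR and stopping cleanly on a short read, and it feeds itself a constructed sample batch (RTM_NEWLINK, an error reply, NLMSG_DONE) rather than capturing anything. The tally struct, nl_walk, nl_put and walk_sample are names chosen for this example.

```c
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

struct nl_tally { unsigned msgs, errors; int last_errno, done; };
/* Walk one recv() buffer as a sniffer would. 'len' is signed on purpose: NLMSG_NEXT
 * subtracts the aligned length, which can exceed the bytes left; size_t would wrap. */
struct nl_tally nl_walk(const void *buf, int len)
{
    struct nl_tally t = {0};
    const struct nlmsghdr *nh;
    for (nh = buf; NLMSG_OK(nh, len) && !t.done; nh = NLMSG_NEXT(nh, len)) {
        t.msgs++;
        if (nh->nlmsg_type == NLMSG_DONE) {
            t.done = 1;                  /* end of a multipart dump */
        } else if (nh->nlmsg_type == NLMSG_ERROR) {
            const struct nlmsgerr *e = NLMSG_DATA(nh);
            if (nh->nlmsg_len >= NLMSG_LENGTH(sizeof *e)) { /* payload intact */
                t.errors++;
                t.last_errno = e->error; /* 0 would be a plain ACK */
            }
        }
    }
    return t;
}
/* Append header + payload at 'off'; returns the next NLMSG_ALIGN'ed offset. */
static size_t nl_put(unsigned char *buf, size_t off, unsigned short type,
                     unsigned seq, const void *payload, size_t plen)
{
    struct nlmsghdr h = { .nlmsg_len = NLMSG_LENGTH(plen), .nlmsg_type = type,
                          .nlmsg_seq = seq };
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLMSG_HDRLEN, payload, plen);
    return off + NLMSG_ALIGN(h.nlmsg_len);
}

/* Constructed batch, not a real capture: RTM_NEWLINK, an error reply carrying
 * -ENOENT (-2), then NLMSG_DONE. cut > 0 walks only that many bytes (short recv). */
struct nl_tally walk_sample(int cut)
{
    unsigned buf[32];                    /* 4-byte aligned, as nlmsghdr needs */
    unsigned char *p = (unsigned char *)buf;
    struct nlmsgerr err = { .error = -2 };
    unsigned dummy = 0;
    size_t off = nl_put(p, 0, RTM_NEWLINK, 1, &dummy, sizeof dummy);
    off = nl_put(p, off, NLMSG_ERROR, 2, &err, sizeof err);
    off = nl_put(p, off, NLMSG_DONE, 3, &dummy, sizeof dummy);
    return nl_walk(buf, cut > 0 ? cut : (int)off);
}
```

A real sniffer would call nl_walk on each recv() result from a NETLINK_ROUTE (or the proposed debug) socket bound to the multicast groups of interest.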