Re: [netsniff-ng] BPF Options/ Writing IP Packet Header Information to Output File and Practical Usage Question

2013-09-04 Thread Daniel Martin
Hey Daniel,

Thanks for your reply.  I did compile your example

bpfc foo > bar

Which did return
cat bar
{ 0x20, 0, 0, 0xf034 },
{ 0x16, 0, 0, 0x },

I then tried to use it, 

netsniff-ng --dev eth0 -f bar
Running! Hang up with ^C!

   0  packets incoming (0 unread on exit)
   0  packets passed filter
   0  packets failed filter (out of space)
   5  sec, 805074 usec in total

Nothing seems to be passing that filter.  You say, I need a recent kernel, I 
am on Fedora, kernel = 3.5.7+.  I assume I am on an OK kernel.  Perhaps 
there is something silly I am missing.

Thanks,

Dan

On Wednesday, September 4, 2013 1:34:22 PM UTC-4, Daniel Borkmann wrote:

> On 09/03/2013 10:23 PM, Daniel Martin wrote:
> > Hello again,
> >
> > I am working on 10Gbps systems.  I am conducting tests that push line rate
> > speeds and I am simply trying to come up with a way to basically prove the
> > data is being received at line rate speeds.  From previous posts I realize
> > I am fairly sure my sniffer machines will not be able to handle capturing
> > all data I have configured the systems just about every way I know how
> > within reason and I am still getting about 88% packet loss.  I will need
> > to purchase additional parts to make this work.  However, I am now thinking
> > since all packets are of uniform size about 24,000 Bytes UDP.  Would it be
> > practical to try and write a filter that captures the packet, but only
> > writes the IP Header information to a file and not all the data inside the
> > packet?  I am thinking that since most of the data being written is the
> > packet payload maybe I might have better luck simply writing the IP Header
> > Information, or is this not practical?  Thanks for any advice you can give
> > me in advance.
>
> If only headers are sufficient for you, you could try out the following bpfc
> filter:
>
> # cat foo
> ld poff
> ret a
> # bpfc foo > bar
> # netsniff-ng ... -f bar ...
>
> That should already improve capturing. Note that you need a recent kernel to
> use this BPF extension.


-- 
You received this message because you are subscribed to the Google Groups 
netsniff-ng group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [netsniff-ng] BPF Options/ Writing IP Packet Header Information to Output File and Practical Usage Question

2013-09-04 Thread Daniel Borkmann

On 09/04/2013 08:22 PM, Daniel Martin wrote:

> Hey Daniel,
>
> Thanks for your reply.  I did compile your example
>
> bpfc foo > bar
>
> Which did return
> cat bar
> { 0x20, 0, 0, 0xf034 },
> { 0x16, 0, 0, 0x },


You need 3.10 or higher. This was developed during netfilter workshop,
and merged in on 2013-05-01 (net-next pull).
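
What the `ld poff` / `ret a` filter from this thread does to each packet, modelled in user space as an added example (not code from the thread or from netsniff-ng): a classic BPF filter's return value is the number of bytes to keep, so returning the payload offset keeps only the headers. The simplified parser, the `has_poff` flag and the sample frame are assumptions made for illustration; a kernel without the extension is modelled as a failed load, which returns 0 and drops the packet.

```python
import struct

# Values from <linux/filter.h>
SKF_AD_OFF, SKF_AD_PAY_OFFSET = -0x1000, 52
LD_W_ABS, RET_A = 0x20, 0x16          # BPF_LD|BPF_W|BPF_ABS, BPF_RET|BPF_A
POFF = (SKF_AD_OFF + SKF_AD_PAY_OFFSET) & 0xFFFFFFFF   # 0xfffff034

# `ld poff; ret a` as (code, jt, jf, k) tuples
PROGRAM = [(LD_W_ABS, 0, 0, POFF), (RET_A, 0, 0, 0)]

def payload_offset(frame):
    """Simplified stand-in for the kernel's payload-offset lookup:
    untagged Ethernet + IPv4 + UDP/TCP only (assumption)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return 0
    l4 = 14 + (frame[14] & 0x0F) * 4          # IHL counts 32-bit words
    proto = frame[23]
    if proto == 17:                            # UDP: fixed 8-byte header
        return l4 + 8
    if proto == 6 and len(frame) >= l4 + 13:   # TCP: data offset field
        return l4 + (frame[l4 + 12] >> 4) * 4
    return l4

def run_filter(program, frame, has_poff=True):
    """Return the number of bytes the filter keeps (0 means drop)."""
    a = 0
    for code, _jt, _jf, k in program:
        if code == LD_W_ABS:
            if k == POFF and has_poff:         # ancillary load: payload offset
                a = payload_offset(frame)
            elif k + 4 <= len(frame):          # ordinary in-bounds word load
                a = struct.unpack_from(">I", frame, k)[0]
            else:
                return 0                       # failed load drops the packet
        elif code == RET_A:
            return a
    return 0

def capture(frame, has_poff=True):
    """Truncate the frame to the snap length the filter returns."""
    return frame[:run_filter(PROGRAM, frame, has_poff)]

def make_udp_frame(payload_len):
    """Constructed sample frame: Ethernet + IPv4 (no options) + UDP."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack(">HHHH", 4000, 4001, 8 + payload_len, 0)
    return eth + ip + udp + bytes(payload_len)
```

With a 24,000-byte UDP payload, `capture()` keeps the 42 header bytes out of 24,042; with `has_poff=False` it keeps nothing.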



[netsniff-ng] BPF Options/ Writing IP Packet Header Information to Output File and Practical Usage Question

2013-09-03 Thread Daniel Martin
Hello again,

I am working on 10Gbps systems.  I am conducting tests that push line rate 
speeds and I am simply trying to come up with a way to basically prove the 
data is being received at line rate speeds.  From previous posts I realize 
I am fairly sure my sniffer machines will not be able to handle capturing 
all data I have configured the systems just about every way I know how 
within reason and I am still getting about 88% packet loss.  I will need 
to purchase additional parts to make this work.  However, I am now thinking 
since all packets are of uniform size about 24,000 Bytes UDP.  Would it be 
practical to try and write a filter that captures the packet, but only 
writes the IP Header information to a file and not all the data inside the 
packet?  I am thinking that since most of the data being written is the 
packet payload maybe I might have better luck simply writing the IP Header 
Information, or is this not practical?  Thanks for any advice you can give 
me in advance.


Dan
