Re: [netsniff-ng] BPF Options/ Writing IP Packet Header Information to Output File and Practical Usage Question
Hey Daniel,

Thanks for your reply.

I did compile your example

bpfc foo bar

Which did return

cat bar
{ 0x20, 0, 0, 0xf034 },
{ 0x16, 0, 0, 0x },

I then tried to use it,

netsniff-ng --dev eth0 -f bar
Running! Hang up with ^C!

0 packets incoming (0 unread on exit)
0 packets passed filter
0 packets failed filter (out of space)
5 sec, 805074 usec in total

Nothing seems to be passing that filter. You say, I need a recent kernel, I am on Fedora, kernel = 3.5.7+. I assume I am on an OK kernel. Perhaps there is something silly I am missing.

Thanks,
Dan

On Wednesday, September 4, 2013 1:34:22 PM UTC-4, Daniel Borkmann wrote:
> On 09/03/2013 10:23 PM, Daniel Martin wrote:
>> Hello again,
>>
>> I am working on 10Gbps systems. I am conducting tests that push line rate speeds and I am simply trying to come up with a way to basically prove the data is being received at line rate speeds. From previous posts I realize I am fairly sure my sniffer machines will not be able to handle capturing all data. I have configured the systems just about every way I know how within reason and I am still getting about 88% packet loss. I will need to purchase additional parts to make this work.
>>
>> However, I am now thinking since all packets are of uniform size about 24,000 Bytes UDP. Would it be practical to try and write a filter that captures the packet, but only writes the IP Header information to a file and not all the data inside the packet? I am thinking that since most of the data being written is the packet payload maybe I might have better luck simply writing the IP Header Information, or is this not practical?
>>
>> Thanks for any advice you can give me in advance.
>
> If only headers are sufficient for you, you could try out the following bpfc filter:
>
> # cat foo
> ld poff
> ret a
> # bpfc foo bar
> # netsniff-ng ... -f bar ...
>
> That should already improve capturing. Note that you need a recent kernel to use this BPF extension.

--
You received this message because you are subscribed to the Google Groups netsniff-ng group.
To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [netsniff-ng] BPF Options/ Writing IP Packet Header Information to Output File and Practical Usage Question
On 09/04/2013 08:22 PM, Daniel Martin wrote:
> Hey Daniel,
>
> Thanks for your reply.
>
> I did compile your example
>
> bpfc foo bar
>
> Which did return
>
> cat bar
> { 0x20, 0, 0, 0xf034 },
> { 0x16, 0, 0, 0x },

You need 3.10 or higher. This was developed during netfilter workshop, and merged in on 2013-05-01 (net-next pull).
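The kernel requirement from the reply above, turned into a pre-flight check (an added example, not part of the original thread or of netsniff-ng): it parses bpfc output in the `{ code, jt, jf, k },` form quoted above, detects the `ld poff` ancillary load, and compares a kernel release string against 3.10. The sample instructions are constructed from the `SKF_AD_OFF` and `SKF_AD_PAY_OFFSET` values in `<linux/filter.h>`; all function names are this example's own.

```python
import platform
import re

# Constants from <linux/filter.h>; an ancillary load has k = SKF_AD_OFF + offset.
SKF_AD_OFF = 0xFFFFF000        # (-0x1000) as an unsigned 32-bit value
SKF_AD_PAY_OFFSET = 52         # what bpfc calls "poff"
BPF_LD_W_ABS = 0x20            # BPF_LD | BPF_W | BPF_ABS
POFF_MIN_KERNEL = (3, 10)      # minimum version stated in the reply above

# Constructed sample of bpfc output for "ld poff / ret a".
SAMPLE = "{ 0x20, 0, 0, 0xfffff034 },\n{ 0x16, 0, 0, 0x00000000 },\n"

NUM = r"(0[xX][0-9a-fA-F]+|\d+)"
INSN_RE = re.compile(r"\{\s*" + r"\s*,\s*".join([NUM] * 4) + r"\s*\}")

def parse_bpfc(text):
    """Return [(code, jt, jf, k), ...] parsed from bpfc's C-style output."""
    return [tuple(int(f, 0) for f in m.groups()) for m in INSN_RE.finditer(text)]

def uses_poff(insns):
    """True if any instruction loads the payload-offset ancillary word."""
    want = SKF_AD_OFF + SKF_AD_PAY_OFFSET
    return any(code == BPF_LD_W_ABS and k == want for code, _jt, _jf, k in insns)

def kernel_tuple(release):
    """'3.5.7-200.fc17.x86_64' -> (3, 5)"""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))

def check_filter(text, release):
    """Return 'ok' or a reason the filter will not work on this kernel."""
    insns = parse_bpfc(text)
    if not insns:
        return "no BPF instructions parsed (truncated or garbled file?)"
    if uses_poff(insns) and kernel_tuple(release) < POFF_MIN_KERNEL:
        return "poff load needs kernel >= 3.10, running %s" % release
    return "ok"

if __name__ == "__main__":
    print(check_filter(SAMPLE, platform.release()))
```

Running it before starting a capture distinguishes "the filter cannot work on this kernel" from "no matching traffic arrived", which look the same in the netsniff-ng packet counters.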
[netsniff-ng] BPF Options/ Writing IP Packet Header Information to Output File and Practical Usage Question
Hello again,

I am working on 10Gbps systems. I am conducting tests that push line rate speeds and I am simply trying to come up with a way to basically prove the data is being received at line rate speeds. From previous posts I realize I am fairly sure my sniffer machines will not be able to handle capturing all data. I have configured the systems just about every way I know how within reason and I am still getting about 88% packet loss. I will need to purchase additional parts to make this work.

However, I am now thinking since all packets are of uniform size about 24,000 Bytes UDP. Would it be practical to try and write a filter that captures the packet, but only writes the IP Header information to a file and not all the data inside the packet? I am thinking that since most of the data being written is the packet payload maybe I might have better luck simply writing the IP Header Information, or is this not practical?

Thanks for any advice you can give me in advance.

Dan