[netsniff-ng] [PATCH] mz: Dont bind to dev if help was specified
Fixed warnings: Warning: [lookupdev.c get_dev_params()] Cannot open socket! when specify help for packet type: # mz -t tcp help Also fixes delayed output of the same command if user is root. Signed-off-by: Vadim Kochan vadi...@gmail.com --- staging/mausezahn.c | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/staging/mausezahn.c b/staging/mausezahn.c index f5b470f..83ce424 100644 --- a/staging/mausezahn.c +++ b/staging/mausezahn.c @@ -357,6 +357,7 @@ int getopts (int argc, char *argv[]) char *packet_type=NULL, *mops_type=NULL; char *dum; unsigned char *dum1, *dum2; + bool do_help = false; libnet_t *l; char err_buf[LIBNET_ERRBUF_SIZE]; @@ -575,12 +576,17 @@ int getopts (int argc, char *argv[]) } else { /// arg_string given = no device has been specified -- let's find one! strncpy (tx.arg_string, argv[optind], MAX_PAYLOAD_SIZE); - if (lookupdev()) { // no device found - if (verbose) fprintf(stderr, mz: no active interfaces found!\n); - strcpy(tx.device, lo); + do_help = !!getarg(tx.arg_string,help, NULL); + if (!do_help) { + if (lookupdev()) { + /* no device found */ + if (verbose) + fprintf(stderr, mz: no active interfaces found!\n); + strcpy(tx.device, lo); + } + if (verbose) + fprintf(stderr, mz: device not given, will use %s\n,tx.device); } - if (verbose) - fprintf(stderr, mz: device not given, will use %s\n,tx.device); } break; case 2: // both device and arg_string given 
@@ -610,7 +616,7 @@ int getopts (int argc, char *argv[]) // Get own device MAC address: // Don't open context if only a help text is requested - if (getarg(tx.arg_string,help, NULL)!=1) { + if (!do_help getarg(tx.arg_string,help, NULL) !=1) { l = libnet_init (LIBNET_LINK_ADV, tx.device, err_buf ); if (l == NULL) { fprintf(stderr, mz/getopts: libnet_init() failed (%s), err_buf); -- 2.2.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
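Review bot: In getopts(), do_help is only assigned in the branch where an arg_string is given without a device, so on the "case 2: // both device and arg_string given" path it stays false and the later libnet_init() guard still has to call getarg() a second time. Compute do_help once after the switch, for every case that fills tx.arg_string, and test only !do_help before libnet_init(); that removes the duplicated lookup and keeps the two help checks from drifting apart.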
[netsniff-ng] [RFC] trafgen: Alloc cpus regarding to number of packets
From: Vadim Kochan vadi...@gmail.com Trafgen uses all the online cpus even if number of packets specified by -n is less than numbers of selected cpus. Such behaviour leads to issues: - trafgen re-calculates number of packets per cpu which leads to rounding it to 0 then no packets will be sent. - trafgen might send more packets than specified by -n because of using all the online cpus. Fixed by calculation the minimum number of cpus for generation number of packets specified by -n. Signed-off-by: Vadim Kochan vadi...@gmail.com --- cpus.h| 7 +++ trafgen.c | 3 +++ 2 files changed, 10 insertions(+) diff --git a/cpus.h b/cpus.h index 0626726..be33884 100644 --- a/cpus.h +++ b/cpus.h @@ -25,4 +25,11 @@ static inline unsigned int get_number_cpus_online(void) return ret; } +static inline unsigned int alloc_cpus_by_n_pkts(int npkts) +{ + unsigned int cpus = get_number_cpus_online(); + + return min_t(unsigned int, ((double)npkts / cpus) * cpus, cpus); +} + #endif /* CPUS_H */ diff --git a/trafgen.c b/trafgen.c index 9151b5d..5403d47 100644 --- a/trafgen.c +++ b/trafgen.c @@ -1038,6 +1038,9 @@ int main(int argc, char **argv) } } + if (ctx.num ctx.num ctx.cpus ctx.cpus 1) + ctx.cpus = alloc_cpus_by_n_pkts(ctx.num); + if (argc 5) help(); if (ctx.device == NULL) -- 2.3.1
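Review bot: In alloc_cpus_by_n_pkts() the expression ((double)npkts / cpus) * cpus is just npkts after a round trip through double, so the helper reduces to min_t(unsigned int, npkts, cpus) and the floating-point step can be dropped. The parameter is declared int while the caller passes ctx.num, so a count above INT_MAX would not survive the conversion; take it in the same type as ctx.num. The name also suggests an allocation although nothing is allocated.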
[netsniff-ng] Re: [PATCH] mz cli: Make pcap init funcs thread safer
On Sun, Mar 22, 2015 at 01:48:50PM +0200, Vadim Kochan wrote: From: Vadim Kochan vadi...@gmail.com mz fails start in cli mode and prints each time different pcap errors: $ mz -x -V fatal flex scanner internal error--end of buffer missed rx_arp: [ERROR] Error calling pcap_compile or simply shutdowns. Sometimes it successfully gets up. Seems some initialization pcap funcs are not thread safer. Fixed by using mutex locking before entering pcap loop. Signed-off-by: Vadim Kochan vadi...@gmail.com --- locking.h| 2 ++ staging/mopsrx_arp.c | 21 - 2 files changed, 18 insertions(+), 5 deletions(-) Hi, Just pinging if it was missed. Thanks, Vadim Kochan
Re: [netsniff-ng] trafgen seems broken on kernel 3.19
On Mon, Mar 23, 2015 at 02:03:54PM +0200, Vadim Kochan wrote:
On Mon, Mar 23, 2015 at 01:07:24PM +0200, Vadim Kochan wrote:
On Mon, Mar 23, 2015 at 12:12:54PM +0100, Daniel Borkmann wrote:
On 03/23/2015 11:37 AM, Vadim Kochan wrote:
On Mon, Mar 23, 2015 at 11:25:26AM +0100, Lorenzo Pistone wrote:
...

That's what I got on 3.18 with the same cfg file:

$ trafgen/trafgen -c ~/trafgen.cfg -o wlp3s0 -n 1
4 packets to schedule
168 bytes in total
Running! Hang up with ^C!

0 packets outgoing
0 bytes outgoing
0 sec, 0 usec on CPU0 (0 packets)
0 sec, 0 usec on CPU1 (0 packets)
0 sec, 0 usec on CPU2 (0 packets)
0 sec, 0 usec on CPU3 (0 packets)

Seems packet was not sent from trafgen ?

If you increase -n e.g. to 64 or omit -n entirely, does that work? Looks like a trafgen bug.

Yeah, w/o -n my sniffer on the other side was totally stuck :-) so it helped.

Meanwhile I see (by printf) that ctx->num is zeroed in xmit_packet_precheck where it is rounded.

Regards,

My understanding is that it works in slow path because in slow path we use 1 cpu, but in fast path the numbers of packets is multiplied by number of cpus in xmit_packet_precheck(...):

plen_total = __wait_and_sum_others(ctx, cpu);

which in my case plen_total is 4 when I specified -n 1 and then it is rounded to 0 - plen=1 plen_total=4 orig=1:

ctx->num = (unsigned long) round((1.0 * plen / plen_total) * orig);
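The rounding described in this message and in the RFC patch above, worked through as an added example (not trafgen's code and not part of the original thread): `share_rounded()` mirrors the quoted expression with every CPU holding one configured packet, while `share_exact()`, the `total_*()` helpers and `busy_cpus()` are hypothetical names for a split that preserves the `-n` total.

```c
#include <stdio.h>

/*
 * Per-CPU share as quoted in the thread:
 *   ctx->num = (unsigned long) round((1.0 * plen / plen_total) * orig);
 * For non-negative values, adding 0.5 and truncating gives the same result
 * as round(), which keeps this example independent of libm.
 */
static unsigned long share_rounded(unsigned long plen, unsigned long plen_total,
				   unsigned long orig)
{
	if (plen_total == 0)
		return 0;
	return (unsigned long)((1.0 * plen / plen_total) * orig + 0.5);
}

/* Hypothetical alternative: integer split whose parts always sum to orig. */
static unsigned long share_exact(unsigned long orig, unsigned int ncpus,
				 unsigned int cpu)
{
	if (ncpus == 0 || cpu >= ncpus)
		return 0;
	/* The first (orig % ncpus) CPUs take one extra packet. */
	return orig / ncpus + (cpu < orig % ncpus ? 1 : 0);
}

/* Packets sent by all CPUs together when each one uses the rounded share. */
static unsigned long total_rounded(unsigned long orig, unsigned int ncpus)
{
	unsigned long sum = 0;
	unsigned int cpu;

	/* One packet per CPU, as in the thread: plen = 1, plen_total = ncpus. */
	for (cpu = 0; cpu < ncpus; cpu++)
		sum += share_rounded(1, ncpus, orig);
	return sum;
}

/* Packets sent by all CPUs together with the exact split. */
static unsigned long total_exact(unsigned long orig, unsigned int ncpus)
{
	unsigned long sum = 0;
	unsigned int cpu;

	for (cpu = 0; cpu < ncpus; cpu++)
		sum += share_exact(orig, ncpus, cpu);
	return sum;
}

/* CPUs that actually get work under the exact split: min(orig, ncpus). */
static unsigned int busy_cpus(unsigned long orig, unsigned int ncpus)
{
	unsigned int cpu, busy = 0;

	for (cpu = 0; cpu < ncpus; cpu++)
		if (share_exact(orig, ncpus, cpu) > 0)
			busy++;
	return busy;
}

int main(void)
{
	/* Constructed sample values for -n; 4 CPUs as in the reported run. */
	static const unsigned long requests[] = { 1, 2, 3, 5, 64 };
	const unsigned int ncpus = 4;
	size_t i;

	printf("%-6s %-14s %-12s %s\n", "-n", "rounded total", "exact total",
	       "busy cpus");
	for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++)
		printf("%-6lu %-14lu %-12lu %u\n", requests[i],
		       total_rounded(requests[i], ncpus),
		       total_exact(requests[i], ncpus),
		       busy_cpus(requests[i], ncpus));
	return 0;
}
```

The rounded total is 0 for `-n 1` and 4 for `-n 2`, which are the two symptoms listed in the RFC patch; the number of busy CPUs under the exact split is the minimum of the packet count and the CPU count.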
Re: [netsniff-ng] trafgen seems broken on kernel 3.19
On Mon, Mar 23, 2015 at 12:12:54PM +0100, Daniel Borkmann wrote:
On 03/23/2015 11:37 AM, Vadim Kochan wrote:
On Mon, Mar 23, 2015 at 11:25:26AM +0100, Lorenzo Pistone wrote:
...

That's what I got on 3.18 with the same cfg file:

$ trafgen/trafgen -c ~/trafgen.cfg -o wlp3s0 -n 1
4 packets to schedule
168 bytes in total
Running! Hang up with ^C!

0 packets outgoing
0 bytes outgoing
0 sec, 0 usec on CPU0 (0 packets)
0 sec, 0 usec on CPU1 (0 packets)
0 sec, 0 usec on CPU2 (0 packets)
0 sec, 0 usec on CPU3 (0 packets)

Seems packet was not sent from trafgen ?

If you increase -n e.g. to 64 or omit -n entirely, does that work? Looks like a trafgen bug.

Yeah, w/o -n my sniffer on the other side was totally stuck :-) so it helped.
Re: [netsniff-ng] trafgen seems broken on kernel 3.19
On Mon, Mar 23, 2015 at 01:07:24PM +0200, Vadim Kochan wrote:
On Mon, Mar 23, 2015 at 12:12:54PM +0100, Daniel Borkmann wrote:
On 03/23/2015 11:37 AM, Vadim Kochan wrote:
On Mon, Mar 23, 2015 at 11:25:26AM +0100, Lorenzo Pistone wrote:
...

That's what I got on 3.18 with the same cfg file:

$ trafgen/trafgen -c ~/trafgen.cfg -o wlp3s0 -n 1
4 packets to schedule
168 bytes in total
Running! Hang up with ^C!

0 packets outgoing
0 bytes outgoing
0 sec, 0 usec on CPU0 (0 packets)
0 sec, 0 usec on CPU1 (0 packets)
0 sec, 0 usec on CPU2 (0 packets)
0 sec, 0 usec on CPU3 (0 packets)

Seems packet was not sent from trafgen ?

If you increase -n e.g. to 64 or omit -n entirely, does that work? Looks like a trafgen bug.

Yeah, w/o -n my sniffer on the other side was totally stuck :-) so it helped.

Meanwhile I see (by printf) that ctx->num is zeroed in xmit_packet_precheck where it is rounded.

Regards,
[netsniff-ng] Re: [PATCH] mz: Allow to print packet types by '-t help'
On Mon, Feb 23, 2015 at 02:11:57PM +0200, Vadim Kochan wrote: From: Vadim Kochan vadi...@gmail.com Changed to print packet types by '-t help' earlier before mz will try to identify link device to bind. Signed-off-by: Vadim Kochan vadi...@gmail.com --- Hi, Just pinging about this patch in case if it was missed, sorry for the flood:) Actually this is minor fix, I am just waiting if it will applied or not as I have another one which have conflicted piece of code. Thanks,
[netsniff-ng] [PATCH] mz: Add igmp v1/v2 packet type crafting support
From: Vadim Kochan vadi...@gmail.com Signed-off-by: Vadim Kochan vadi...@gmail.com --- staging/layer3.c| 20 +-- staging/layer4.c| 101 staging/mausezahn.c | 28 +-- staging/mz.h| 38 ++-- 4 files changed, 155 insertions(+), 32 deletions(-) diff --git a/staging/layer3.c b/staging/layer3.c index 3eca55d..e217e43 100644 --- a/staging/layer3.c +++ b/staging/layer3.c @@ -154,17 +154,14 @@ libnet_ptag_t create_ip_packet (libnet_t *l) tx.ip_frag = 0; // Flags and Offset !!! tx.ip_sum = 0; // default: automatically calculate checksum tx.ip_tos = 0; - tx.ip_ttl = 255; - // temporary variables unsigned int dummy; size_t len; char *s; - T = tx.packet_mode; // 0 means automatic L2 creation - + if ( (getarg(tx.arg_string,help, NULL)==1) (mode==IP) ) { if (mz_port) @@ -284,13 +281,14 @@ libnet_ptag_t create_ip_packet (libnet_t *l) { tx.ip_frag |= 0x8000; } - - - if (getarg(tx.arg_string,ttl, argval)==1) - { - tx.ip_ttl = (u_int8_t) str2int(argval); - } - + + if (getarg(tx.arg_string, ttl, argval) == 1) + { + tx.ip_ttl = (u_int8_t)str2int(argval); + } else if (tx.ip_ttl == 0) { + tx.ip_ttl = 255; + } + if (getarg(tx.arg_string,proto, argval)==1) { tx.ip_proto = (u_int8_t) str2int(argval); diff --git a/staging/layer4.c b/staging/layer4.c index a4431a1..167f084 100644 --- a/staging/layer4.c +++ b/staging/layer4.c 
@@ -136,7 +136,32 @@ | Of course all Ethernet fields can also be accessed.\n\ |\n +#define MZ_IGMP_HELP \ + | IGMP type: Send raw IGMP packets.\n \ + |\n \ + | Parameters Values Explanation \n \ + | -- ---\n \ + | v,ver 1-2 version\n \ + | t,type packet type:\n \ +| q,qry,query- memberhsip query\n \ +| j,join - join group\n \ +| l,lv,leave - leave group\n \ +| resp_time max response time (v2 only)\n \ +| igmp_sumchecksum (optional)\n \ + | g,group group ipv4 address\n \ + \n +int print_packet_help(char *help) +{ + if (mz_port) { + cli_print(gcli, %s, help); + } else { + fprintf(stderr,\n MAUSEZAHN_VERSION \n%s, help); + exit(0); + } + + return -1; +} // Note: If another function specified tx.udp_payload then it must also // set tx.udp_payload_s AND tx.udp_len = tx.udp_payload_s + 8 
@@ -884,3 +909,79 @@ libnet_ptag_t create_tcp_packet (libnet_t *l) return t; } + +libnet_ptag_t create_igmp_packet(libnet_t *l) +{ + libnet_ptag_t t; + char argval[MAX_PAYLOAD_SIZE]; + int ver = 2; + uint8_t type = IGMP_MEMBERSHIP_QUERY; + uint8_t resp_time = 10; + uint16_t sum = 0; + uint32_t group = 0; + + if ((getarg(tx.arg_string, help, NULL) == 1) (mode == IGMP)) + return print_packet_help(MZ_IGMP_HELP); + + if (getarg(tx.arg_string, ver, argval) == 1 || + getarg(tx.arg_string, v, argval) == 1) { + + ver = str2int(argval); + if (ver == 1) + resp_time = 0; + } + + if (getarg(tx.arg_string, type, argval) == 1 || + getarg(tx.arg_string, t, argval) == 1) { + + if (strcmp(j, argval) == 0 || strcmp(join, argval) == 0) { + + if (ver == 1) + type = IGMP_V1_MEMBERSHIP_REPORT; + else if (ver == 2) + type = IGMP_V2_MEMBERSHIP_REPORT; + + } else if (strcmp(l, argval) == 0 || strcmp(lv, argval) == 0 || + strcmp(leave, argval) == 0) { + + type = IGMP_LEAVE_GROUP; + } + } + + if (getarg(tx.arg_string, resp_time, argval) == 1) + resp_time = (uint8_t)str2int(argval); + + if (getarg(tx.arg_string, igmp_sum, argval) == 1) + sum = (uint16_t)str2int(argval); + + if (getarg(tx.arg_string, group, argval) == 1 || + getarg(tx.arg_string, g, argval) == 1) { + + group = str2ip32_rev(argval); + } + + if (type == IGMP_LEAVE_GROUP) { + tx.ip_dst
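Review bot: In create_igmp_packet(), ver is taken from str2int(argval) without a range check, and the join branch only assigns type for ver == 1 or ver == 2, so a request for version 3 with type join silently sends the default IGMP_MEMBERSHIP_QUERY. Reject versions outside the 1-2 range that MZ_IGMP_HELP documents, and report unknown type strings instead of falling through to a query. MZ_IGMP_HELP also misspells "membership" as "memberhsip", and print_packet_help() should take a const char * since it only prints the string.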
[netsniff-ng] [PATCH] geoip: Fix update failing
From: Vadim Kochan vadi...@gmail.com I have no enough arguments for this fix but it fixes the failing of geoip updating. Seems shutdown(..) closes socket too early. So shutdown(...) is removed and added Connection: close http header which says http server to close connection after response will be sent. Signed-off-by: Vadim Kochan vadi...@gmail.com --- geoip.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/geoip.c b/geoip.c index 0d5a4ed..7f4f718 100644 --- a/geoip.c +++ b/geoip.c @@ -162,6 +162,9 @@ static int geoip_get_database(const char *host, int which) size_t lenl = strlen(Content-Length: ); size_t lent = strlen(HTTP/1.1 200 OK); size_t lenc = strlen(\r\n\r\n); + char *http_req_fmt = GET %s%s HTTP/1.1\n +Connection: close\n +Host: %s\r\n\r\n; again: found = good = 0; @@ -172,7 +175,7 @@ again: if (sock 0) return -EIO; - slprintf(raw, sizeof(raw), GET %s%s HTTP/1.1\nHost: %s\r\n\r\n, + slprintf(raw, sizeof(raw), http_req_fmt, retry ? files[which].possible_prefix : , files[which].remote, host); @@ -182,8 +185,6 @@ again: return -EIO; } - shutdown(sock, SHUT_WR); - slprintf(zfile, sizeof(zfile), %s.gz, files[which].local); fd = open_or_die_m(zfile, O_WRONLY | O_CREAT | O_TRUNC, DEFFILEMODE); @@ -238,7 +239,7 @@ again: ptr = raw; len = ret; - } while(ret 0); + } while (ret 0); printf(\n); -- 2.1.3
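Review bot: The new http_req_fmt in geoip_get_database() ends the request line and the Connection header with a bare \n while the Host header uses \r\n; HTTP/1.1 expects CRLF after every line, so use \r\n throughout now that the string is being rewritten. Declare it static const char * as well, because it is only passed to slprintf() as a format. The commit message says the cause is not understood; it should at least record which server behaviour was observed with shutdown(sock, SHUT_WR) in place.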
[netsniff-ng] [PATCH] netsniff: Del rfmon mac80211 dev in case of panic
From: Vadim Kochan vadi...@gmail.com netsniff does not delete created rfmon device in case of panic (for example - bad pcap filter expression), so added ability to add callback func when panic will be happen and delete rfmon device. Signed-off-by: Vadim Kochan vadi...@gmail.com --- astraceroute/Makefile | 1 + bpfc/Makefile | 1 + curvetun/Makefile | 1 + die.c | 31 +++ die.h | 5 + flowtop/Makefile | 1 + ifpps/Makefile| 1 + mausezahn/Makefile| 2 ++ netsniff-ng.c | 26 +- netsniff-ng/Makefile | 1 + trafgen/Makefile | 1 + 11 files changed, 62 insertions(+), 9 deletions(-) create mode 100644 die.c diff --git a/astraceroute/Makefile b/astraceroute/Makefile index 6fd0b17..2e80a11 100644 --- a/astraceroute/Makefile +++ b/astraceroute/Makefile @@ -16,6 +16,7 @@ astraceroute-objs = xmalloc.o \ link.o \ dev.o \ ring.o \ + die.o \ astraceroute.o ifeq ($(CONFIG_GEOIP), 1) diff --git a/bpfc/Makefile b/bpfc/Makefile index 5c8b8c9..b8a3787 100644 --- a/bpfc/Makefile +++ b/bpfc/Makefile @@ -5,6 +5,7 @@ bpfc-objs = xmalloc.o \ bpf.o \ bpf_lexer.yy.o \ bpf_parser.tab.o \ + die.o \ bpfc.o bpfc-lex = bpf_lexer.yy.o diff --git a/curvetun/Makefile b/curvetun/Makefile index eeebd11..d9ae339 100644 --- a/curvetun/Makefile +++ b/curvetun/Makefile @@ -22,6 +22,7 @@ curvetun-objs = xmalloc.o \ ioexact.o \ ioops.o \ cpusched.o \ + die.o \ curvetun_mgmt_servers.o \ curvetun_mgmt_users.o \ curvetun_server.o \ diff --git a/die.c b/die.c new file mode 100644 index 000..d3c8e60 --- /dev/null +++ b/die.c 
@@ -0,0 +1,31 @@ +/* + * Subject to the GPL, version 2. + */ + +#include xmalloc.h + +struct panic_func { + void *arg; + void (*on_panic)(void *arg); + struct panic_func *next; +}; + +static struct panic_func *panic_funcs; + +void panic_func_add(void (*on_panic)(void *arg), void *arg) +{ + struct panic_func *handler = xmallocz(sizeof(*panic_funcs)); + + handler-arg= arg; + handler-on_panic = on_panic; + handler-next = panic_funcs; + panic_funcs = handler; +}; + +void call_on_panic_funcs(void) +{ + struct panic_func *it = panic_funcs; + + for (; it; it = it-next) + it-on_panic(it-arg); +} diff --git a/die.h b/die.h index 919f3ae..0d709d0 100644 --- a/die.h +++ b/die.h @@ -12,6 +12,9 @@ #include built_in.h +extern void panic_func_add(void (*on_panic)(void *arg), void *arg); +extern void call_on_panic_funcs(void); + static inline void panic(const char *format, ...) __check_format_printf(1, 2); static inline void syslog_panic(const char *format, ...) __check_format_printf(1, 2); @@ -20,11 +23,13 @@ static inline void syslog_maybe(bool cond, int priority, static inline void __noreturn __die_hard(void) { + call_on_panic_funcs(); exit(EXIT_FAILURE); } static inline void __noreturn __die_harder(void) { + call_on_panic_funcs(); _exit(EXIT_FAILURE); } diff --git a/flowtop/Makefile b/flowtop/Makefile index 85acb43..41865c7 100644 --- a/flowtop/Makefile +++ b/flowtop/Makefile @@ -21,6 +21,7 @@ flowtop-objs =xmalloc.o \ lookup.o \ tprintf.o \ screen.o \ + die.o \ flowtop.o ifeq ($(CONFIG_GEOIP), 1) diff --git a/ifpps/Makefile b/ifpps/Makefile index 4d1a9b6..1625ea9 100644 --- a/ifpps/Makefile +++ b/ifpps/Makefile @@ -10,6 +10,7 @@ ifpps-objs = xmalloc.o \ dev.o \ sig.o \ screen.o \ + die.o \ ifpps.o ifpps-eflags = $(shell pkg-config --cflags ncurses 2 /dev/null) diff --git a/mausezahn/Makefile b/mausezahn/Makefile index 7943738..08918b5 100644 --- a/mausezahn/Makefile +++ b/mausezahn/Makefile 
@@ -6,6 +6,8 @@ mausezahn-libs =-lcli \ -lm mausezahn-objs = str.o \ + die.o \ + xmalloc.o \ staging/layer1.o \ staging/layer2.o \ staging/layer3.o \ diff --git a/netsniff-ng.c b/netsniff-ng.c index dfb99bb..2afd67d 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -177,6 +177,20 @@ static inline bool dump_to_pcap(struct ctx *ctx) return ctx-dump; } +static void on_panic_del_rfmon(void *arg) +{ + leave_rfmon_mac80211((char *)arg); +} + +static inline void setup_rfmon_mac80211_dev(struct ctx *ctx, char **rfmon_dev) +{ + ctx-device_trans = xstrdup
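Review bot: call_on_panic_funcs() in die.c has no re-entrancy guard, and die.h now calls it from both __die_hard() and __die_harder(), so a callback that itself ends in panic() would re-enter the list walk and recurse without bound. Set a static flag, or detach the list head, before invoking the handlers. Running the callbacks from __die_harder() also deserves a comment, since that path uses _exit() to skip normal exit processing. panic_func_add() has a stray ';' after its closing brace.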
[netsniff-ng] [PATCH] mac80211: Check existing of generated monX device
From: Vadim Kochan vadi...@gmail.com Fixed case when netsniff fails if there is already existing monX device while generating. Signed-off-by: Vadim Kochan vadi...@gmail.com --- dev.c | 15 --- dev.h | 1 + mac80211.c | 4 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/dev.c b/dev.c index b3249e6..45659a8 100644 --- a/dev.c +++ b/dev.c @@ -13,7 +13,7 @@ #include link.h #include built_in.h -int device_ifindex(const char *ifname) +int device_ifindex_get(const char *ifname) { int ret, sock, index; struct ifreq ifr; @@ -27,8 +27,8 @@ int device_ifindex(const char *ifname) strlcpy(ifr.ifr_name, ifname, IFNAMSIZ); ret = ioctl(sock, SIOCGIFINDEX, ifr); - if (unlikely(ret)) - panic(Cannot get ifindex from device!\n); + if (ret) + return -1; index = ifr.ifr_ifindex; close(sock); @@ -36,6 +36,15 @@ int device_ifindex(const char *ifname) return index; } +int device_ifindex(const char *ifname) +{ + int index = device_ifindex_get(ifname); + if (unlikely(index = 0)) + panic(Cannot get ifindex from device!\n); + + return index; +} + int device_type(const char *ifname) { int ret, sock, type; diff --git a/dev.h b/dev.h index 2d5f056..adb1c43 100644 --- a/dev.h +++ b/dev.h @@ -7,6 +7,7 @@ extern size_t device_mtu(const char *ifname); extern int device_address(const char *ifname, int af, struct sockaddr_storage *ss); extern int device_ifindex(const char *ifname); +extern int device_ifindex_get(const char *ifname); extern int device_type(const char *ifname); extern short device_get_flags(const char *ifname); extern void device_set_flags(const char *ifname, const short flags); diff --git a/mac80211.c b/mac80211.c index c089574..09f15b7 100644 --- a/mac80211.c +++ b/mac80211.c 
@@ -226,6 +226,10 @@ void enter_rfmon_mac80211(const char *device, char **mondev) char mondevice[32]; slprintf(mondevice, sizeof(mondevice), mon%u, n); + + if (device_ifindex_get(mondevice) 0) + continue; + ret = nl80211_add_mon_if(nlstate, device, mondevice); if (ret == 0) { *mondev = xstrdup(mondevice); -- 2.3.1
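Review bot: device_ifindex_get() in dev.c now returns -1 straight after a failed ioctl(), before the close(sock) a few lines below, so every probe of a non-existent monX name from the loop in enter_rfmon_mac80211() leaks a socket. Close the socket before the early return, for example by storing the result, calling close(sock), and then returning. The existence check and nl80211_add_mon_if() are also not atomic, so the add can still fail for a name that appeared in between; the existing ret handling has to cover that case.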
[netsniff-ng] Re: [PATCH] netsniff: Dump basic radiotap header info
On Tue, Apr 21, 2015 at 03:24:33PM +0200, Tobias Klauser wrote: On 2015-04-20 at 13:51:40 +0200, Vadim Kochan vadi...@gmail.com wrote: From: Vadim Kochan vadi...@gmail.com Please always add a short description, even if it's restating what subject already says. I added one for this. Also please note that the tool is called netsniff-ng, not netsniff ;-) Signed-off-by: Vadim Kochan vadi...@gmail.com Applied without printing of the binary representation of flags. IMO the hex representation is enough and we don't print it anywhere else. Hope that is OK. Thanks! OK, I understand, thank you!
[netsniff-ng] Re: [PATCH] netsniff-ng: Show packet number
On Thu, Apr 23, 2015 at 02:24:16PM +0300, Vadim Kochan wrote: static inline void __show_frame_hdr(uint8_t *packet, size_t len, int linktype, struct sockaddr_ll *s_ll, void *raw_hdr, - int mode, bool v3) + int mode, bool v3, unsigned long *count) { char tmp[IFNAMSIZ]; union tpacket_uhdr hdr; @@ -73,34 +73,40 @@ static inline void __show_frame_hdr(uint8_t *packet, size_t len, int linktype, pkttype = hdr-nlmsg_pid == 0 ? PACKET_KERNEL : PACKET_USER; } + if (count) + *count += 1; + hdr.raw = raw_hdr; switch (mode) { case PRINT_LESS: - tprintf(%s %s %u, + tprintf(%s %s %u (#%lu) , packet_types[pkttype] ? : ?, if_indextoname(s_ll-sll_ifindex, tmp) ? : ?, - tpacket_uhdr(hdr, tp_len, v3)); + tpacket_uhdr(hdr, tp_len, v3), *count); break; default: - tprintf(%s %s %u %us.%uns %s\n, + tprintf(%s %s %u %us.%uns %s (#%lu)\n, packet_types[pkttype] ? : ?, if_indextoname(s_ll-sll_ifindex, tmp) ? : ?, tpacket_uhdr(hdr, tp_len, v3), tpacket_uhdr(hdr, tp_sec, v3), tpacket_uhdr(hdr, tp_nsec, v3), - v3 ? : __show_ts_source(hdr.h2-tp_status)); + v3 ? : __show_ts_source(hdr.h2-tp_status), *count); break; } } I just realized that count will be dereferenced even if it was passed as NULL so if you agree with the feature I can re-send v2 ... Regards,
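Review bot: In __show_frame_hdr() the increment is guarded by "if (count)" but both tprintf() calls pass *count unconditionally, so a caller that passes NULL crashes in the PRINT_LESS and default branches alike. Either require a non-NULL counter and drop the guard, or read the value into a local once (0 when count is NULL) and print that local in both format strings.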
[netsniff-ng] [PATCH] netsniff-ng: Seems typo in getting current group id
From: Vadim Kochan vadi...@gmail.com Changed to use ctx-gid when call getgid() on init_ctx. Signed-off-by: Vadim Kochan vadi...@gmail.com --- netsniff-ng.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netsniff-ng.c b/netsniff-ng.c index c0d70c8..4ad8b19 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -1096,7 +1096,7 @@ static void init_ctx(struct ctx *ctx) memset(ctx, 0, sizeof(*ctx)); ctx-uid = getuid(); - ctx-uid = getgid(); + ctx-gid = getgid(); ctx-cpu = -1; ctx-packet_type = -1; -- 2.3.1
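Review bot: The commit message for the init_ctx() change should state the effect of the old line rather than only the new assignment: the uid field was overwritten with the result of getgid(), and the gid field kept the 0 written by the memset() just above. Since these fields hold the caller's ids, that is a behavioural fix and the subject line should say so instead of "Seems typo".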
[netsniff-ng] [PATCH] iosched: Print error cause if setting io prio failed
From: Vadim Kochan vadi...@gmail.com Add error cause message when ioprio_setpid fails. Signed-off-by: Vadim Kochan vadi...@gmail.com --- iosched.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iosched.c b/iosched.c index 7417973..ff82126 100644 --- a/iosched.c +++ b/iosched.c @@ -47,7 +47,7 @@ static void ioprio_setpid(pid_t pid, int ioprio, int ioclass) int ret = ioprio_set(ioprio_who_process, pid, ioprio | ioclass IOPRIO_CLASS_SHIFT); if (ret 0) - panic(Failed to set io prio for pid!\n); + panic(Failed to set io prio for pid: %s\n, strerror(errno)); } void ioprio_print(void) -- 2.3.1
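Review bot: The new panic() message in ioprio_setpid() uses strerror(errno), but the diffstat shows only this one line changing, so confirm that iosched.c already includes <errno.h> and <string.h>. It would also help to print the pid and the requested class and priority alongside the error, since a permission failure here depends on which class was asked for.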
Re: [netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
On Wed, Apr 22, 2015 at 05:02:52PM +0200, Daniel Borkmann wrote: On 04/22/2015 05:00 PM, Vadim Kochan wrote: Hi, It is not possible to just read pcap by netsniff-ng if user permissions does not allow to set processes IO prio, so it is really needed to do it just for print pcap file ? Thanks for the report Vadim! No, it's not a requirement. Do you mind sending a patch? Thanks, Daniel

Sure, I will try to fix it, really I don't have a fix yet. The issue goes from pcap ops in init one function, where IO prio is set, the first thing which came up in my mind is to have separate pcap ops for read only where set IO prio will be not called ... but I am not sure if it is correct. Regards, Vadim Kochan
[netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
Hi, It is not possible to just read pcap by netsniff-ng if user permissions does not allow to set processes IO prio, so it is really needed to do it just for print pcap file ? Thanks, Vadim Kochan
Re: [netsniff-ng] netsniff-ng: Do we need to set IO prio when do only read from pcap ?
On Wed, Apr 22, 2015 at 05:37:42PM +0200, Daniel Borkmann wrote: On 04/22/2015 05:09 PM, Vadim Kochan wrote: ... Sure, I will try to fix it, really I don't have a fix yet. The issue goes from pcap ops in init one function, where IO prio is set, the first thing which came up in my mind is to have separate pcap ops for read only where set IO prio will be not called ... but I am not sure if it is correct. I think we have two options: 1) Don't panic on error, but perhaps just throw a warning to the user instead in case of insufficient permissions. 2) Change init_once_pcap() into void (*init_once_pcap)(bool enforce_prio); and push down the enforcement into the various functions, and inside read_pcap(), you'd set __pcap_io->init_once_pcap(false). And in case the enforcement is not set, we just move on silently. Perhaps 2nd option is cleaner? OK, I've sent a fix but it needs also to be applied the patch with a title: [PATCH] netsniff-ng: Seems typo in getting current group id https://groups.google.com/forum/?hl=en#!topic/netsniff-ng/7vKdK3FesSU Because of initializing wrong ctx->gid the user could not change the group because of the permissions when reading pcap file. Regards,
[netsniff-ng] netsniff-ng: mac80211: Better print layout for HT Capabilities element ?
)): Failed to dissect Subtype ] Regards, Vadim Kochan
Re: [netsniff-ng] netsniff-ng: mac80211: Better print layout for HT Capabilities element ?
On Thu, Apr 23, 2015 at 12:05:55AM +0200, Daniel Borkmann wrote: On 04/22/2015 11:50 PM, Vadim Kochan wrote: ... I think that HT Capabilities element info should be showed in more structured view so it will be more readable what do you think ? Does someone have a better option ? Yes, I'm fine with that. OK, I have some working output example: [ Radiotap Version (0), Length (26), Flags (0x482f) ] [ 802.11 Frame Control (0x0040)] [ Proto Version (0), Type (0, Management), Duration (0), Destination (ff:ff:ff:ff:ff:ff) Source (9c:4e:36:a5:38:98) = (Intel Corporate:a5:38:98) BSSID (ff:ff:ff:ff:ff:ff) Fragmentnr. (0), Seqnr. (1980). Subtype (4, Probe Request) ] [ Subtype Probe Request: Info Elements: SSID (0, Len (8)): blizzard Supp. 
Rates (1, Len (8)): 1 2 5.5 11 6 9 12 18 Ext Support Rates (50, Len(4)): 24 36 48 54 HT Capabilities (45, Len(26)): Info: LDCP Cod Cap (0) Supp Ch Width Set (0) SM Pwr Save(0) HT-Greenfield (1) Short GI for 20/40 MHz (1/0) Tx/Rx STBC (0/1) HT-Delayed Block Ack (0) Max A-MSDU Len (1) DSSS/CCK Mode in 40 MHz (0) Res (0x0) Forty MHz Intol (0) L-SIG TXOP Protection Supp (0) A-MPDU Params: Max Len Exp (0) Min Start Spacing (2) Res (0x7) Supp MCS Set: Rx MCS Bitmask (0x) Res (0x0) Rx High Supp Data Rate (0) Res (0x0) Tx MCS Set Def (0) Tx Rx MCS Set Not Eq (0) Tx Max Number Spat Str Supp (0) Tx Uneq Mod Supp (0) Res (0x0) Ext Cap: PCO (0) PCO Trans Time (0) Res (0x0) MCS Feedb (0) +HTC Supp (0) RD Resp (0) Res (0x0) Transm Beamf: Impl Transm Beamf Rec Cap (0) Rec/Transm Stagg Sound Cap (0/0) Rec/Trans NDP Cap (0/0) Impl Transm Beamf Cap (0) Cal (0) Expl CSI Transm Beamf Cap (0) Expl Noncmpr/Compr Steering Cap (0/0) Expl Trans Beamf CSI Feedb (0) Expl Noncmpr/Cmpr Feedb Cap (0/0) Min Grpg (0) CSI Num Beamf Ant Supp (0) Noncmpr/Cmpr Steering Nr Beamf Ant Supp (0/0) CSI Max Nr Rows Beamf Supp (0) Ch Estim Cap (0) Res (0x0) ASEL: Ant Select Cap (0) Expl CSI Feedb Based Transm ASEL Cap (0) Ant Indic Feedb Based Transm ASEL Cap (0) Expl CSI Feedb Cap (0) Ant Indic Feedb Cap (0) Rec ASEL Cap (0) Transm Sound PPDUs Cap (0) Res (0x0) Reserved (21, Len (110)): Failed to dissect Subtype ] May be it would be good to add '(' and ')' around information elements to visually separate them ? [ Subtype Probe Request: Info Elements: (SSID (0, Len (8)): blizzard), (Supp. Rates (1, Len (8)): 1 2 5.5 11 6 9 12 18), (Ext Support Rates (50, Len(4)): 24 36 48 54), (HT Capabilities (45, Len(26)): Info: LDCP Cod Cap (0
[netsniff-ng] [PATCH] netsniff-ng mac80211: Print HT Capabilities more structured
From: Vadim Kochan vadi...@gmail.com Now it looks like: [ Subtype Beacon: Timestamp 0x74c5c180, Beacon Interval (0.102400s), Capabilities (0x431 - ESS; Privacy; Short Preamble; Short Slot Time;) Parameters: SSID (0, Len (6)): D07F82 Supp. Rates (1, Len (8)): 1(B) 2(B) 5.5(B) 11(B) 6(B) 9 12(B) 18 DSSS Param Set (3, Len(1)): Current Channel: 1 TIM (5, Len(4)): DTIM Count: 0, DTIM Period: 3, Bitmap Control: 0, Partial Virtual Bitmap: 0x00 Country (7, Len(6)): Country String: US First Ch Nr: 1, Nr of Ch: 11, Max Transmit Pwr Lvl: 30 ERP (42, Len(1)): Non ERP Present (0), Use Protection (0), Barker Preamble Mode (0), Reserved (0x0) Ext Support Rates (50, Len(4)): 24 36 48 54 HT Capabilities (45, Len(26)): Info: LDCP Cod Cap (1) Supp Ch Width Set (1) SM Pwr Save(3) HT-Greenfield (0) Short GI for 20/40 MHz (1/1) Tx/Rx STBC (0/0) HT-Delayed Block Ack (0) Max A-MSDU Len (0) DSSS/CCK Mode in 40 MHz (1) Res (0x0) Forty MHz Intol (0) L-SIG TXOP Protection Supp (0) A-MPDU Params: Max Len Exp (0) Min Start Spacing (3) Res (0x3) Supp MCS Set: Rx MCS Bitmask (0x) Res (0x0) Rx High Supp Data Rate (0) Res (0x0) Tx MCS Set Def (0) Tx Rx MCS Set Not Eq (0) Tx Max Number Spat Str Supp (0) Tx Uneq Mod Supp (0) Res (0x0) Ext Cap: PCO (0) PCO Trans Time (0) Res (0x0) MCS Feedb (0) +HTC Supp (0) RD Resp (0) Res (0x0) Transm Beamf: Impl Transm Beamf Rec Cap (0) Rec/Transm Stagg Sound Cap (0/0) Rec/Trans NDP Cap (0/0) Impl Transm Beamf Cap (0) Cal (0) Expl CSI Transm Beamf Cap (0) Expl Noncmpr/Compr Steering Cap (0/0) Expl Trans Beamf CSI Feedb (0) Expl Noncmpr/Cmpr Feedb Cap (0/0) Min Grpg (0) CSI Num Beamf Ant Supp (0) Noncmpr/Cmpr Steering Nr Beamf Ant Supp (0/0) CSI Max Nr Rows Beamf Supp (0) Ch Estim Cap (0) Res (0x0) ASEL: Ant Select Cap (0) Expl CSI Feedb Based Transm ASEL Cap (0) Ant Indic Feedb Based Transm ASEL Cap (0) Expl CSI Feedb Cap (0) Ant Indic Feedb Cap (0) Rec ASEL Cap (0) Transm Sound PPDUs Cap (0) Res (0x0) Failed to dissect Subtype ] 
Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_80211_mac_hdr.c | 175 ++ 1 file changed, 107 insertions(+), 68 deletions(-) diff --git a/proto_80211_mac_hdr.c b/proto_80211_mac_hdr.c index 199c4e7..e37397c 100644 --- a/proto_80211_mac_hdr.c +++ b/proto_80211_mac_hdr.c @@ -883,7 +883,7 @@ static int8_t inf_reserved(struct pkt_buff *pkt, u8 *id) if (reserved == NULL) return 0; - tprintf(Reserved (%u, Len (%u)): , *id, reserved-len); + tprintf( Reserved (%u, Len (%u)): , *id, reserved-len); data = pkt_pull(pkt, reserved-len); if (data == NULL) @@ -2578,68 +2578,101 @@ static int8_t inf_ht_cap(struct pkt_buff *pkt, u8 *id) beam_cap = le32_to_cpu(ht_cap-beam_cap); ext_cap = le16_to_cpu(ht_cap-ext_cap); - tprintf( HT Capabilities (%u, Len(%u)): , *id, ht_cap-len
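Review bot: The first hunk, in inf_reserved(), changes the indentation of the "Reserved" element's tprintf, which is not part of the HT Capabilities dissector the subject names; mention it in the commit message or split it out so the rework of inf_ht_cap() can be reviewed and reverted on its own. The sample output in the commit message also still ends in "Failed to dissect Subtype", so it would help to state whether that is expected after this change.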
[netsniff-ng] [PATCH] netsniff-ng: Show packet number
From: Vadim Kochan vadi...@gmail.com ? 100 1429707903s.33856000ns (#1) [ Radiotap Version (0), Length (26), Flags (0x482f) ] [ 802.11 Frame Control (0x0040)] [ Proto Version (0), Type (0, Management), Duration (0), Destination (ff:ff:ff:ff:ff:ff) Source (00:23:14:da:1c:fc) = (Intel Corporate:da:1c:fc) BSSID (ff:ff:ff:ff:ff:ff) Fragmentnr. (0), Seqnr. (1733). Subtype (4, Probe Request) ] [ Subtype Probe Request: Failed to dissect Subtype ] [ Chr ...$2.0H`l-.r.}.. ] [ Hex 00 00 01 08 02 04 0b 16 0c 12 18 24 32 04 30 48 60 6c 2d 1a 72 09 17 ff ff 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 7d 89 bb ] Signed-off-by: Vadim Kochan vadi...@gmail.com --- dissector.h | 22 ++ netsniff-ng.c | 16 +++- 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/dissector.h b/dissector.h index fc20eda..4234090 100644 --- a/dissector.h +++ b/dissector.h @@ -51,7 +51,7 @@ static inline const char *__show_ts_source(uint32_t status) static inline void __show_frame_hdr(uint8_t *packet, size_t len, int linktype, struct sockaddr_ll *s_ll, void *raw_hdr, - int mode, bool v3) + int mode, bool v3, unsigned long *count) { char tmp[IFNAMSIZ]; union tpacket_uhdr hdr; 
@@ -73,34 +73,40 @@ static inline void __show_frame_hdr(uint8_t *packet, size_t len, int linktype, pkttype = hdr-nlmsg_pid == 0 ? PACKET_KERNEL : PACKET_USER; } + if (count) + *count += 1; + hdr.raw = raw_hdr; switch (mode) { case PRINT_LESS: - tprintf(%s %s %u, + tprintf(%s %s %u (#%lu) , packet_types[pkttype] ? : ?, if_indextoname(s_ll-sll_ifindex, tmp) ? : ?, - tpacket_uhdr(hdr, tp_len, v3)); + tpacket_uhdr(hdr, tp_len, v3), *count); break; default: - tprintf(%s %s %u %us.%uns %s\n, + tprintf(%s %s %u %us.%uns %s (#%lu)\n, packet_types[pkttype] ? : ?, if_indextoname(s_ll-sll_ifindex, tmp) ? : ?, tpacket_uhdr(hdr, tp_len, v3), tpacket_uhdr(hdr, tp_sec, v3), tpacket_uhdr(hdr, tp_nsec, v3), - v3 ? : __show_ts_source(hdr.h2-tp_status)); + v3 ? : __show_ts_source(hdr.h2-tp_status), *count); break; } } static inline void show_frame_hdr(uint8_t *packet, size_t len, int linktype, - struct frame_map *hdr, int mode) + struct frame_map *hdr, int mode, + unsigned long *count) { - __show_frame_hdr(packet, len, linktype, hdr-s_ll, hdr-tp_h, mode, false); + __show_frame_hdr(packet, len, linktype, hdr-s_ll, hdr-tp_h, mode, + false, count); } extern void dissector_init_all(int fnttype); -extern void dissector_entry_point(uint8_t *packet, size_t len, int linktype, int mode); +extern void dissector_entry_point(uint8_t *packet, size_t len, int linktype, int + mode); extern void dissector_cleanup_all(void); extern int dissector_set_print_type(void *ptr, int type); diff --git a/netsniff-ng.c b/netsniff-ng.c index ee9dc38..2094a3f 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -64,6 +64,7 @@ struct ctx { gid_t gid; uint32_t link_type, magic; uint32_t fanout_group, fanout_type; + unsigned long pkts_showed; }; static volatile sig_atomic_t sigint = 0; 
@@ -308,7 +309,8 @@ static void pcap_to_xmit(struct ctx *ctx) ctx-tx_packets++; show_frame_hdr(out, hdr-tp_h.tp_snaplen, - ctx-link_type, hdr, ctx-print_mode); + ctx-link_type, hdr, ctx-print_mode, + ctx-pkts_showed); dissector_entry_point(out, hdr-tp_h.tp_snaplen, ctx-link_type, ctx-print_mode); @@ -457,7 +459,8 @@ static void receive_to_xmit(struct ctx *ctx) } show_frame_hdr(in, hdr_in-tp_h.tp_snaplen, - ctx-link_type, hdr_in, ctx-print_mode); + ctx-link_type, hdr_in, ctx-print_mode, + ctx-pkts_showed); dissector_entry_point(in, hdr_in-tp_h.tp_snaplen, ctx-link_type, ctx-print_mode); @@ -640,7 +643,7 @@ static void read_pcap(struct ctx *ctx) ctx-tx_packets
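Review bot: In the dissector.h hunk at -73,34, __show_frame_hdr() guards the increment with "if (count)" but both tprintf calls then pass *count unconditionally, so a caller that passes NULL gets past the guard and crashes on the dereference. Either require a non-NULL counter and drop the guard, or read the value into a local (0 when count is NULL) and print that. The same hunk also rewraps the dissector_entry_point() prototype so that "int" and "mode" end up on different lines, which is unrelated to the counter and is better left out.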
Re: [netsniff-ng] [PATCH] mac80211: Check existing of generated monX device
On Tue, Apr 21, 2015 at 12:30:07PM +0200, Daniel Borkmann wrote: Hi Vadim, On 04/17/2015 09:04 PM, Vadim Kochan wrote: From: Vadim Kochan vadi...@gmail.com Fixed case when netsniff fails if there is already existing monX device while generating. Signed-off-by: Vadim Kochan vadi...@gmail.com ... +int device_ifindex(const char *ifname) +{ +int index = device_ifindex_get(ifname); +if (unlikely(index = 0)) This test should be 0 only as ifindex 0 would mean to capture on any device. So starting netsniff-ng w/o any arguments would not work anymore otherwise, fix up: https://github.com/netsniff-ng/netsniff-ng/commit/42ca7e42aa76ee52499ae82370d11d044e811f35 +panic(Cannot get ifindex from device!\n); + +return index; +} Cheers, Daniel Fuf, thank you! And sorry for this BUG!
[netsniff-ng] Re: [PATCH] netsniff-ng nlmsg: Print type for NETLINK_ROUTE
On Mon, Apr 27, 2015 at 04:29:40PM +0300, Vadim Kochan wrote: From: Vadim Kochan vadi...@gmail.com Print nlmsg type name for rtnetlink messages Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_nlmsg.c | 84 +-- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/proto_nlmsg.c b/proto_nlmsg.c index b219867..c5ef9d5 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c 
@@ -47,6 +47,86 @@ static const char *nl_proto2str(uint16_t proto) } } +static char * rtnl_types2str[RTM_MAX] = { + [RTM_NEWLINK] = NEW LINK, + [RTM_DELLINK] = DEL LINK, + [RTM_GETLINK] = GET LINK, + [RTM_SETLINK] = SET LINK, + + [RTM_NEWADDR] = NEW ADDR, + [RTM_DELADDR] = DEL ADDR, + [RTM_GETADDR] = GET ADDR, + + [RTM_NEWROUTE] = NEW ROUTE, + [RTM_DELROUTE] = DEL ROUTE, + [RTM_GETROUTE] = GET ROUTE, + + [RTM_NEWNEIGH] = NEW NEIGH, + [RTM_DELNEIGH] = DEL NEIGH, + [RTM_GETNEIGH] = GET NEIGH, + + [RTM_NEWRULE] = NEW RULE, + [RTM_DELRULE] = DEL RULE, + [RTM_GETRULE] = GET RULE, + + [RTM_NEWQDISC] = NEW QDISC, + [RTM_DELQDISC] = DEL QDISC, + [RTM_GETQDISC] = GET QDISC, + + [RTM_NEWTCLASS] = NEW TCLASS, + [RTM_DELTCLASS] = DEL TCLASS, + [RTM_GETTCLASS] = GET TCLASS, + + [RTM_NEWTFILTER] = NEW TFILTER, + [RTM_DELTFILTER] = DEL TFILTER, + [RTM_GETTFILTER] = GET TFILTER, + + [RTM_NEWACTION] = NEW ACTION, + [RTM_DELACTION] = DEL ACTION, + [RTM_GETACTION] = GET ACTION, + + [RTM_NEWPREFIX] = NEW PREFIX, + + [RTM_GETMULTICAST] = GET MULTICAST, + + [RTM_GETANYCAST] = GET ANYCAST, + + [RTM_NEWNEIGHTBL] = NEW NEIGHTBL, + [RTM_GETNEIGHTBL] = GET NEIGHTBL, + [RTM_SETNEIGHTBL] = SET NEIGHTBL, + + [RTM_NEWNDUSEROPT] = NEW NDUSEROPT, + + [RTM_NEWADDRLABEL] = NEW ADDRLABEL, + [RTM_DELADDRLABEL] = DEL ADDRLABEL, + [RTM_GETADDRLABEL] = GET ADDRLABEL, + + [RTM_GETDCB] = GET DCB, + [RTM_SETDCB] = SET DCB, + + [RTM_NEWNETCONF] = NEW NETCONF, + [RTM_GETNETCONF] = GET NETCONF, + + [RTM_NEWMDB] = NEW MDB, + [RTM_DELMDB] = DEL MDB, + [RTM_GETMDB] = GET MDB, +}; + +static char *nl_msgtype2str(uint16_t proto, uint16_t type, char *buf, int len) +{ + char *name = NULL; + + if (proto == NETLINK_ROUTE type RTM_MAX) + name = rtnl_types2str[type]; + + if (name) { + strncpy(buf, name, len); + return buf; + } + + return nl_nlmsgtype2str(type, buf, len); +} + static void nlmsg(struct pkt_buff *pkt) { struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); 
@@ -82,8 +162,8 @@ static void nlmsg(struct pkt_buff *pkt) tprintf(Len %u, , hdr-nlmsg_len); tprintf(Type 0x%.4x (%s%s%s), , hdr-nlmsg_type, colorize_start(bold), - nl_nlmsgtype2str(hdr-nlmsg_type, type, sizeof(type)), - colorize_end()); + nl_msgtype2str(ntohs(pkt-proto), hdr-nlmsg_type, type, + sizeof(type)), colorize_end()); tprintf(Flags 0x%.4x (%s%s%s), , hdr-nlmsg_flags, colorize_start(bold), nl_nlmsg_flags2str(hdr-nlmsg_flags, flags, sizeof(flags)), -- 2.3.1 Ok, I will re-work this one to v2 with func renaming make NETLINK_ROUTE type names more understandable. Sorry for the noise. Regards,
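Review bot: In nl_msgtype2str() in the -47,6 hunk, strncpy(buf, name, len) leaves buf unterminated whenever a name is len bytes or longer; the names in the table are short, but the helper accepts any len, so terminate explicitly after the copy or use snprintf(). The table is never written, so rtnl_types2str can be declared static const char *const, which also lets the compiler place it in read-only data.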
Re: [netsniff-ng] [PATCH] netsniff-ng: Fix capturing extra packets from other dev
On Sat, May 02, 2015 at 07:00:53PM +0200, Tobias Klauser wrote: On 2015-04-29 at 21:18:24 +0200, Vadim Kochan vadi...@gmail.com wrote: From: Vadim Kochan vadi...@gmail.com It might be related to the issue #73 noticed by Jon Schipp jonsch...@gmail.com where he pointed that netsniff-ng captures some extra packets. I observed this issue when I captured few Ethernet frames from wireless device while I was sniffing Netlink monitor device (!!!), especially under high load traffic (HD Video). It can be easy grepped: sudo netsniff-ng/netsniff-ng -i nlmon0 --less | grep dev where dev is the active high traffic device. Interesting observation was that issue appeared only in the beginning of the sniffing, and after some investigation I came up to the conclusion that issue might be caused when netsniff-ng creates RX ring through the setsockopt where Linux registers device hook for any device (we did not bind yet socket to the specified device), and I assumed that before binding to the specified device Linux can caught for us some packets from the other devices until netsniff-ng will bind socket to the specified device. So fixed (I can't reproduce this anymore) by moving device binding before attaching RX ring to the socket, in this case setsockopt consider the bound device. Signed-off-by: Vadim Kochan vadi...@gmail.com --- ring_rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ring_rx.c b/ring_rx.c index 32d3f6d..56685e0 100644 --- a/ring_rx.c +++ b/ring_rx.c 
@@ -231,10 +231,10 @@ void ring_rx_setup(struct ring *ring, int sock, size_t size, int ifindex, { fmemset(ring, 0, sizeof(*ring)); setup_rx_ring_layout(sock, ring, size, jumbo_support, v3); + bind_ring_generic(sock, ring, ifindex, false); create_rx_ring(sock, ring, verbose); mmap_ring_generic(sock, ring); alloc_rx_ring_frames(sock, ring); - bind_ring_generic(sock, ring, ifindex, false); join_fanout_group(sock, fanout_group, fanout_type); prepare_polling(sock, poll); Shouldn't mmap_ring_generic and alloc_rx_ring_frames be done before bind_ring_generic? How about moving create_rx_ring down instead of moving bind_ring_generic up? Daniel can probably comment better on how exactly the order should be and what the interdependencies are... Any comments? My understanding is, that bind-ing in this case is just re-registering packet hook to the specified device. What would be a difference if after pf_alloc socket already has a default packet hook which is bound to all devices and any protocol ? Sure, Daniel's comments would be great to have here :-)
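Review bot: ring_rx_setup() now depends on bind_ring_generic() running before create_rx_ring(), but nothing in the hunk records why; a short comment above the moved call, saying that the ring must not be attached while the socket is still unbound, would keep a later cleanup from moving it back. The commit message presents the cause as an assumption, so the ordering requirement should be confirmed before the comment states it as fact.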
[netsniff-ng] [PATCH] die: Rename panic func - panic handler
From: Vadim Kochan vadi...@gmail.com Rename xxx_panic_func(s) to xxx_panic_handler(s) which is more understandable than 'func'. Signed-off-by: Vadim Kochan vadi...@gmail.com --- die.c | 4 ++-- die.h | 8 netsniff-ng.c | 2 +- trafgen.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/die.c b/die.c index 523107e..4e525f9 100644 --- a/die.c +++ b/die.c @@ -14,7 +14,7 @@ struct panic_handler { static struct panic_handler *panic_handlers; -void panic_func_add(void (*on_panic)(void *arg), void *arg) +void panic_handler_add(void (*on_panic)(void *arg), void *arg) { struct panic_handler *handler = xmallocz(sizeof(*handler)); @@ -26,7 +26,7 @@ void panic_func_add(void (*on_panic)(void *arg), void *arg) panic_handlers = handler; }; -void call_on_panic_funcs(void) +void call_panic_handlers(void) { struct panic_handler *it; pid_t pid = getpid(); diff --git a/die.h b/die.h index 0d709d0..0ca9e86 100644 --- a/die.h +++ b/die.h @@ -12,8 +12,8 @@ #include built_in.h -extern void panic_func_add(void (*on_panic)(void *arg), void *arg); -extern void call_on_panic_funcs(void); +extern void panic_handler_add(void (*on_panic)(void *arg), void *arg); +extern void call_panic_handlers(void); static inline void panic(const char *format, ...) __check_format_printf(1, 2); static inline void syslog_panic(const char *format, @@ -23,13 +23,13 @@ static inline void syslog_maybe(bool cond, int priority, static inline void __noreturn __die_hard(void) { - call_on_panic_funcs(); + call_panic_handlers(); exit(EXIT_FAILURE); } static inline void __noreturn __die_harder(void) { - call_on_panic_funcs(); + call_panic_handlers(); _exit(EXIT_FAILURE); } diff --git a/netsniff-ng.c b/netsniff-ng.c index 9655c59..dfab81a 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c 
@@ -198,7 +198,7 @@ static inline void setup_rfmon_mac80211_dev(struct ctx *ctx, char **rfmon_dev) xfree(*rfmon_dev); enter_rfmon_mac80211(ctx-device_trans, rfmon_dev); - panic_func_add(on_panic_del_rfmon, *rfmon_dev); + panic_handler_add(on_panic_del_rfmon, *rfmon_dev); } static void pcap_to_xmit(struct ctx *ctx) diff --git a/trafgen.c b/trafgen.c index 4a9fde5..f981eaf 100644 --- a/trafgen.c +++ b/trafgen.c @@ -1072,7 +1072,7 @@ int main(int argc, char **argv) xfree(ctx.device); enter_rfmon_mac80211(ctx.device_trans, ctx.device); - panic_func_add(on_panic_del_rfmon, ctx.device); + panic_handler_add(on_panic_del_rfmon, ctx.device); sleep(0); } -- 2.3.1
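Review bot: In die.c the context line after panic_handler_add() closes the function with "};"; since the patch already touches that function, drop the stray semicolon in the same change. The prototypes change in die.h, a header shared by netsniff-ng.c and trafgen.c, so the commit message should say that a clean rebuild is needed.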
[netsniff-ng] Re: [PATCH] die: Rename panic func - panic handler
On Mon, May 04, 2015 at 11:11:21AM +0300, Vadim Kochan wrote: From: Vadim Kochan vadi...@gmail.com Rename xxx_panic_func(s) to xxx_panic_handler(s) which is more understandable than 'func'. Signed-off-by: Vadim Kochan vadi...@gmail.com --- die.c | 4 ++-- die.h | 8 netsniff-ng.c | 2 +- trafgen.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/die.c b/die.c index 523107e..4e525f9 100644 --- a/die.c +++ b/die.c @@ -14,7 +14,7 @@ struct panic_handler { static struct panic_handler *panic_handlers; -void panic_func_add(void (*on_panic)(void *arg), void *arg) +void panic_handler_add(void (*on_panic)(void *arg), void *arg) { struct panic_handler *handler = xmallocz(sizeof(*handler)); @@ -26,7 +26,7 @@ void panic_func_add(void (*on_panic)(void *arg), void *arg) panic_handlers = handler; }; -void call_on_panic_funcs(void) +void call_panic_handlers(void) { struct panic_handler *it; pid_t pid = getpid(); diff --git a/die.h b/die.h index 0d709d0..0ca9e86 100644 --- a/die.h +++ b/die.h @@ -12,8 +12,8 @@ #include built_in.h -extern void panic_func_add(void (*on_panic)(void *arg), void *arg); -extern void call_on_panic_funcs(void); +extern void panic_handler_add(void (*on_panic)(void *arg), void *arg); +extern void call_panic_handlers(void); static inline void panic(const char *format, ...) __check_format_printf(1, 2); static inline void syslog_panic(const char *format, @@ -23,13 +23,13 @@ static inline void syslog_maybe(bool cond, int priority, static inline void __noreturn __die_hard(void) { - call_on_panic_funcs(); + call_panic_handlers(); exit(EXIT_FAILURE); } static inline void __noreturn __die_harder(void) { - call_on_panic_funcs(); + call_panic_handlers(); _exit(EXIT_FAILURE); } diff --git a/netsniff-ng.c b/netsniff-ng.c index 9655c59..dfab81a 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c 
@@ -198,7 +198,7 @@ static inline void setup_rfmon_mac80211_dev(struct ctx *ctx, char **rfmon_dev) xfree(*rfmon_dev); enter_rfmon_mac80211(ctx-device_trans, rfmon_dev); - panic_func_add(on_panic_del_rfmon, *rfmon_dev); + panic_handler_add(on_panic_del_rfmon, *rfmon_dev); } static void pcap_to_xmit(struct ctx *ctx) diff --git a/trafgen.c b/trafgen.c index 4a9fde5..f981eaf 100644 --- a/trafgen.c +++ b/trafgen.c @@ -1072,7 +1072,7 @@ int main(int argc, char **argv) xfree(ctx.device); enter_rfmon_mac80211(ctx.device_trans, ctx.device); - panic_func_add(on_panic_del_rfmon, ctx.device); + panic_handler_add(on_panic_del_rfmon, ctx.device); sleep(0); } -- 2.3.1 'make clean make' is needed after these changes ...
[netsniff-ng] [PATCH] netsniff-ng nlmsg: Print more fields in less mode
From: Vadim Kochan vadi...@gmail.com Print similar header fields in less mode as it is done in full mode. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_nlmsg.c | 30 +- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/proto_nlmsg.c b/proto_nlmsg.c index e8706a2..6d24fef 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -133,16 +133,12 @@ static char *nlmsg_type2str(uint16_t proto, uint16_t type, char *buf, int len) return nl_nlmsgtype2str(type, buf, len); } -static void nlmsg(struct pkt_buff *pkt) +static void nlmsg_print_hdr(uint16_t proto, struct nlmsghdr *hdr) { - struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); char type[32]; char flags[128]; char procname[PATH_MAX]; - if (hdr == NULL) - return; - /* Look up the process name if message is not coming from the kernel. * * Note that the port id is not necessarily equal to the PID of the @@ -162,13 +158,12 @@ static void nlmsg(struct pkt_buff *pkt) } else snprintf(procname, sizeof(procname), kernel); - tprintf( [ NLMSG ); - tprintf(Family %d (%s%s%s), , ntohs(pkt-proto), colorize_start(bold), - nlmsg_family2str(ntohs(pkt-proto)), colorize_end()); + tprintf(Family %d (%s%s%s), , ntohs(proto), colorize_start(bold), + nlmsg_family2str(ntohs(proto)), colorize_end()); tprintf(Len %u, , hdr-nlmsg_len); tprintf(Type 0x%.4x (%s%s%s), , hdr-nlmsg_type, colorize_start(bold), - nlmsg_type2str(ntohs(pkt-proto), hdr-nlmsg_type, type, + nlmsg_type2str(ntohs(proto), hdr-nlmsg_type, type, sizeof(type)), colorize_end()); tprintf(Flags 0x%.4x (%s%s%s), , hdr-nlmsg_flags, colorize_start(bold), 
@@ -179,20 +174,29 @@ static void nlmsg(struct pkt_buff *pkt) if (procname[0]) tprintf( (%s%s%s), colorize_start(bold), basename(procname), colorize_end()); +} + +static void nlmsg(struct pkt_buff *pkt) +{ + struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); + + if (hdr == NULL) + return; + + tprintf( [ NLMSG ); + nlmsg_print_hdr(pkt-proto, hdr); tprintf( ]\n); } static void nlmsg_less(struct pkt_buff *pkt) { struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); - char type[32]; if (hdr == NULL) return; - tprintf( NLMSG %u (%s%s%s), hdr-nlmsg_type, colorize_start(bold), - nl_nlmsgtype2str(hdr-nlmsg_type, type, sizeof(type)), - colorize_end()); + tprintf( NLMSG ); + nlmsg_print_hdr(pkt-proto, hdr); } struct protocol nlmsg_ops = { -- 2.3.1
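Review bot: nlmsg_less() now goes through nlmsg_print_hdr(), which carries the PATH_MAX-sized procname buffer and the process-name lookup described in its comment, so less mode performs that lookup for every message not coming from the kernel where it previously printed only the type. If less mode is meant to stay cheap, pass a flag that skips the lookup there. nlmsg_print_hdr() also takes proto in network byte order and calls ntohs() on it at each use; converting once in the caller and naming the parameter accordingly would make the contract clear.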
[netsniff-ng] tprintf breaks color terminal sequence
Hi, In less mode (netsniff-ng -i dev --less) the color ESC terminal sequences can be broken by automatic indentation made in tprintf.c: __tprint_flush which can add spaces or a new line within this sequence. I am trying to fix this, but sending this message in case you may consider this issue before making a next release, or if you can make a fast fix :-) Regards, Vadim Kochan
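The failure reported above, and an escape-aware wrapper that avoids it, as an added example that is not netsniff-ng's tprintf.c code: wrap_line, struct sink and the sample strings are hypothetical names and constructed inputs. It goes slightly beyond color sequences by passing through any CSI sequence (ESC, '[', then a final byte in 0x40-0x7e) without counting it as columns; with ansi_aware set to 0 it wraps by raw byte count and splits the sequence.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded output buffer; one byte is always kept free for the NUL. */
struct sink {
	char *buf;
	size_t cap, len;
	int overflow;
};

static void put(struct sink *s, char c)
{
	if (s->len + 1 < s->cap)
		s->buf[s->len++] = c;
	else
		s->overflow = 1;
}

enum esc_state { ST_TEXT, ST_ESC, ST_CSI };

/*
 * Copy in[0..in_len) to out, starting a new line (newline plus `indent`
 * spaces) once `width` visible columns have been written on the current one.
 * With ansi_aware != 0, escape sequences are copied through untouched: they
 * are never split and do not count as columns. With ansi_aware == 0 every
 * byte counts, which is the behaviour that breaks color output.
 * Returns the number of bytes written, or -1 if out was too small.
 */
long wrap_line(const char *in, size_t in_len, size_t width, size_t indent,
	       int ansi_aware, char *out, size_t out_cap)
{
	struct sink s = { out, out_cap, 0, 0 };
	enum esc_state st = ST_TEXT;
	size_t col = 0, i, k;

	if (out_cap == 0 || width == 0)
		return -1;
	if (indent >= width)	/* such an indent could never make progress */
		indent = 0;

	for (i = 0; i < in_len; i++) {
		unsigned char c = (unsigned char)in[i];

		if (ansi_aware && st == ST_ESC) {
			/* Byte after ESC: '[' opens a CSI sequence, anything
			 * else is treated as a two-byte escape. */
			put(&s, (char)c);
			st = (c == '[') ? ST_CSI : ST_TEXT;
			continue;
		}
		if (ansi_aware && st == ST_CSI) {
			/* Parameter and intermediate bytes, then one final
			 * byte in 0x40-0x7e ('m' for colors) ends it. */
			put(&s, (char)c);
			if (c >= 0x40 && c <= 0x7e)
				st = ST_TEXT;
			continue;
		}
		if (ansi_aware && c == 0x1b) {
			put(&s, (char)c);
			st = ST_ESC;
			continue;
		}
		if (c == '\n') {
			put(&s, '\n');
			col = 0;
			continue;
		}
		if (col >= width) {
			/* Wrap only in front of a visible character, so the
			 * break can never land inside a sequence. */
			put(&s, '\n');
			for (k = 0; k < indent; k++)
				put(&s, ' ');
			col = indent;
		}
		put(&s, (char)c);
		col++;
	}
	out[s.len] = '\0';
	return s.overflow ? -1 : (long)s.len;
}

int main(void)
{
	const char in[] = "ABC\033[31mDEF\033[0m";	/* constructed sample */
	char out[64];

	if (wrap_line(in, strlen(in), 4, 1, 1, out, sizeof(out)) >= 0)
		printf("%s\n", out);
	return 0;
}
```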
Re: [netsniff-ng] multiple instances of netsniff-ng with AF_PACKET hash fanout
On Thu, Apr 30, 2015 at 05:42:41PM +0200, Daniel Borkmann wrote: Hi Ivan, On 04/30/2015 05:28 PM, arse...@gmail.com wrote: Hi all, I have been using netsniff-ng for some time now and am very excited about packet fanout feature. Cool, great to hear! :) Have one AF_PACKET hash fanout functionality related question if somebody has time to comment : how can I get 3 or more netsniff-ng instances in one fanout-group output into 1 single PCAP file ? You below command-line invocation looks good to me. Letting all processes write into one single pcap file at one, I'm afraid, won't work. There are various reasons, i.e. it would corrupt the pcap file as there's no synchronization between the processes to write a single packet atomically into the pcap. You also wouldn't want to do that. ;) Because assume if such a possibility would exist, then the bottleneck becomes easily the write to disc on that single file. You rather want to have parallelism all the way to the hardware in the best case. If you need to merge file, there could f.e. be a background process grabbing individual pcap files and merge them based on the time-stamps into a single one, e.g. mergecap: https://www.wireshark.org/docs/wsug_html_chunked/AppToolsmergecap.html Hope that helps, Thanks, Daniel So far, I have tried to start 3 instances with : sudo nohup /usr/local/sbin/netsniff-ng --fanout-group 1 --fanout-type hash --mmap --ring-size 256MiB --bind-cpu 18 --silent --in eth5 --out /mnt/sdb1/netcapture/ --prefix eth5. --interval 60sec sudo nohup /usr/local/sbin/netsniff-ng --fanout-group 1 --fanout-type hash --mmap --ring-size 256MiB --bind-cpu 20 --silent --in eth5 --out /mnt/sdb1/netcapture/ --prefix eth5. --interval 60sec sudo nohup /usr/local/sbin/netsniff-ng --fanout-group 1 --fanout-type hash --mmap --ring-size 256MiB --bind-cpu 22 --silent --in eth5 --out /mnt/sdb1/netcapture/ --prefix eth5. 
--interval 60sec However, since interval isn't exactly 60 seconds, after 1-2 days I end up with separate output files, like : -rw-r--r-- 1 root root 135M Apr 30 14:44 /mnt/sdb1/netcapture/eth5.1430405040.pcap -rw-r--r-- 1 root root 125M Apr 30 14:44 /mnt/sdb1/netcapture/eth5.1430405041.pcap $ tcpslice /mnt/sdb1/netcapture/eth5.1430404980.pcap -t /mnt/sdb1/netcapture/eth5.1430404980.pcap 2015y04m30d14h43m00s733651u 2015y04m30d14h44m00s742344u $ tcpslice /mnt/sdb1/netcapture/eth5.1430404981.pcap -t /mnt/sdb1/netcapture/eth5.1430404981.pcap 2015y04m30d14h43m01s118241u 2015y04m30d14h44m01s138441u Am I doing something wrong the way I start instances, is there different way to start 3 instances to write into single output pcap file ? Also, I was wondering if there are any plans to make command line ability to start multiple instances using something like one command line with --bind-cpu 18,20,22 and one --out file, which would trigger 3 netsniff-ng instances while output goes into single output pcap file ? ( SolarCapture/SolarFlare uses that approach with multiple capture cores and one writeout core ) Let me know if you need more details. Best Regards Ivan Hi, What about if netsniff-ng can fork children so each children will use separate output file in specified directory and at the end after all children done then the main netsniff-ng will merge these files into one, and remove the files which were generated by children... Just thoughts ... Regards, Vadim Kochan
Re: [netsniff-ng] netsniff-ng: wireshark does not understand pcap file with Netlink frames
On Tue, May 05, 2015 at 01:13:04PM +0200, Daniel Borkmann wrote: On 05/05/2015 12:59 PM, Vadim Kochan wrote: Wireshark does not understand netsniff-ng's pcap file with Netlink frames, I assume that's because W-shark expects that each Netlink frame should have additional header on-top described here: http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html it shows this is a Netlink type link but can't dissect Netlink frames. Meanwhile I do not have a fix for this yet. Don't know if it is important for this release. Well, tcpdump has that type (nlmon) registered so far, that's more important. ;) Cheers, Daniel At least it is possible to identify Netlink family from pcap file by netsniff-ng if to save pcap file in netsniff-ng's pcap format type (magic: 0xa1e2cb12) which stores protocol number ...
Re: [netsniff-ng] [PATCH] netsniff-ng: Fix capturing extra packets from other dev
On Tue, May 05, 2015 at 04:39:51PM +0200, Daniel Borkmann wrote: On 05/05/2015 12:10 PM, Daniel Borkmann wrote: On 05/05/2015 11:26 AM, Tobias Klauser wrote: On 2015-05-02 at 22:54:50 +0200, Vadim Kochan vadi...@gmail.com wrote: On Sat, May 02, 2015 at 07:00:53PM +0200, Tobias Klauser wrote: On 2015-04-29 at 21:18:24 +0200, Vadim Kochan vadi...@gmail.com wrote: From: Vadim Kochan vadi...@gmail.com It might be related to the issue #73 noticed by Jon Schipp jonsch...@gmail.com where he pointed that netsniff-ng captures some extra packets. I observed this issue when I captured few Ethernet frames from wireless device while I was sniffing Netlink monitor device (!!!), especially under high load traffic (HD Video). ... The better fix would just be to consolidate pf_socket() and pf_tx_socket() and allocate both with socket(PF_PACKET, SOCK_RAW, 0). That way, we should also be able to avoid the synchronize_net() barrier (as po-running is false at bind time). If we change pf_socket(), the only thing we need to make sure is that all such sockets do a proper bind() call before starting to capture packets, so that we don't break anything. Vadim, feel free to follow-up on that with a fix based on above suggestion, as you've already investigated and proposed a first patch. Thanks, Daniel Will play with this today :) When I was investigating this I really tried to use 0 instead of ETH_P_ALL but for some reason I did not catch any packets and dropped this way, and after your explanation I tried again and saw some packets at least. OK I will try what I can do. Thanks,
[netsniff-ng] netsniff-ng: Regular user can't read pcap which was created by root
Hi, If for example captured file was created by sudo then the regular user can't open the file with netsniff-ng w/o sudo, it is caused by using the O_NOATIME flag when opening a file, I understand that it will increase speed of opening the file, but is it really needed compared to not allowing the file to be opened w/o admin permissions ? Regards, Vadim Kochan
[netsniff-ng] [PATCH] authors: Fix Daniel's email
From: Vadim Kochan vadi...@gmail.com Use actual Daniel's borkm...@iogearbox.net email. Signed-off-by: Vadim Kochan vadi...@gmail.com --- AUTHORS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AUTHORS b/AUTHORS index ec95d91..f9471db 100644 --- a/AUTHORS +++ b/AUTHORS @@ -1,7 +1,7 @@ Maintainer: * Tobias Klauser tklau...@distanz.ch - * Daniel Borkmann borkm...@redhat.com + * Daniel Borkmann borkm...@iogearbox.net Former maintainer: -- 2.3.1
[netsniff-ng] [PATCH] netsniff-ng: Do not use O_NOATIME when read pcap
From: Vadim Kochan vadi...@gmail.com It fixes the case when user made pcap file in sudo mode but after it should still use sudo to read it because of setting O_NOATIME option requires higher privileges. Signed-off-by: Vadim Kochan vadi...@gmail.com --- netsniff-ng.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netsniff-ng.c b/netsniff-ng.c index dfab81a..d426af6 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -570,7 +570,7 @@ static void read_pcap(struct ctx *ctx) if (ctx-pcap == PCAP_OPS_MM) ctx-pcap = PCAP_OPS_SG; } else { - fd = open_or_die(ctx-device_in, O_RDONLY | O_LARGEFILE | O_NOATIME); + fd = open_or_die(ctx-device_in, O_RDONLY | O_LARGEFILE); } if (__pcap_io-init_once_pcap) -- 2.3.1
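Review bot: Dropping O_NOATIME in read_pcap() fixes the unprivileged case but also removes the flag for the file's owner and for root, where it works; open(2) fails with EPERM only when the caller neither owns the file nor has CAP_FOWNER, so an alternative is to try with O_NOATIME first and retry without it on EPERM. That needs a plain open() for the first attempt, since open_or_die() would exit before the retry. If the flag is simply not worth keeping for reads, the commit message should say so.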
[netsniff-ng] [PATCH] netsniff-ng: Fix color breaking in less mode
From: Vadim Kochan vadi...@gmail.com Automatic new line indentation can break terminal ESC color sequence by inserting new line within it. Fixed by considering that color ESC sequence is not closed by 'm' and only after it is closed - print new line with spaces. Signed-off-by: Vadim Kochan vadi...@gmail.com --- tprintf.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tprintf.c b/tprintf.c index 0ca2375..917b781 100644 --- a/tprintf.c +++ b/tprintf.c @@ -66,6 +66,7 @@ static void __tprintf_flush(void) size_t i; static ssize_t line_count = 0; ssize_t term_len = term_curr_size; + int color_opens = 0; for (i = 0; i buffer_use; ++i) { if (buffer[i] == '\n') { @@ -73,7 +74,13 @@ static void __tprintf_flush(void) line_count = -1; } - if (line_count == term_len) { + if (buffer[i] == 033) { + if ((i + 1) buffer_use buffer[i + 1] == '[') + color_opens++; + } + + if (!color_opens line_count = term_len) { + __tprintf_flush_newline(); line_count = term_starting_size; @@ -82,6 +89,9 @@ static void __tprintf_flush(void) i++; } + if (color_opens 0 buffer[i] == 'm') + color_opens--; + fputc(buffer[i], stdout); line_count++; } -- 2.3.1 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
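Review bot: In the new `buffer[i] == 'm'` check at the end of the loop, only a final byte of 'm' closes a sequence, so any `ESC [` sequence that ends in another byte leaves color_opens above zero and the wrap check stays disabled for the rest of the buffer. Either close on any CSI final byte or reset color_opens at '\n'. Two smaller points in the same hunks: color_opens is a plain local while line_count is static, so a sequence split across two __tprintf_flush() calls loses its open state, and the escape bytes still pass through `line_count++`, so a colored line wraps earlier than its visible width.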
[netsniff-ng] [PATCH] sock: Fix capturing extra packets from other dev
From: Vadim Kochan vadi...@gmail.com Create PF socket with proto=0 which does not setup packet handler and will not capture packets until bind() will be invoked. Also replaced pf_tx_socket by pf_socket as these funcs became the same, as proto arg is set to 0. Suggested-by: Daniel Borkmann borkm...@iogearbox.net Signed-off-by: Vadim Kochan vadi...@gmail.com --- sock.c| 11 +-- sock.h| 1 - trafgen.c | 2 +- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/sock.c b/sock.c index fbf50d8..7cfa4a0 100644 --- a/sock.c +++ b/sock.c @@ -26,18 +26,9 @@ int af_socket(int af) int pf_socket(void) { - int sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); - if (unlikely(sock 0)) - panic(Creation of PF socket failed: %s\n, strerror(errno)); - - return sock; -} - -int pf_tx_socket(void) -{ int sock = socket(PF_PACKET, SOCK_RAW, 0); if (unlikely(sock 0)) - panic(Creation of PF TX socket failed: %s\n, strerror(errno)); + panic(Creation of PF socket failed: %s\n, strerror(errno)); return sock; } diff --git a/sock.h b/sock.h index 0e680ef..50f7102 100644 --- a/sock.h +++ b/sock.h @@ -3,7 +3,6 @@ extern int af_socket(int af); extern int pf_socket(void); -extern int pf_tx_socket(void); extern void set_nonblocking(int fd); extern int set_nonblocking_sloppy(int fd); extern int set_reuseaddr(int fd); diff --git a/trafgen.c b/trafgen.c index f981eaf..53320fe 100644 --- a/trafgen.c +++ b/trafgen.c @@ -822,7 +822,7 @@ static void main_loop(struct ctx *ctx, char *confname, bool slow, fflush(stdout); } - sock = pf_tx_socket(); + sock = pf_socket(); if (ctx-qdisc_path == false) set_sock_qdisc_bypass(sock, ctx-verbose); -- 2.3.1 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
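Review bot: pf_socket() now creates the socket with protocol 0 for every caller, but the only call site in this diff is trafgen.c, which was already getting protocol 0 through pf_tx_socket(). The receive-side callers of pf_socket() are not shown, so please confirm that each of them binds with sll_protocol set before it expects packets, otherwise it will silently receive nothing. A comment above pf_socket() stating that no packets arrive until bind() would document the new contract, and the commit message should name the callers that were checked.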
Re: [netsniff-ng] [PATCH] netsniff-ng nlmsg: Print more fields in less mode
On Tue, May 05, 2015 at 11:48:55AM +0200, Tobias Klauser wrote:

On 2015-05-05 at 11:43:03 +0200, Vadim Kochan vadi...@gmail.com wrote:

On Tue, May 05, 2015 at 11:20:42AM +0200, Tobias Klauser wrote:

On 2015-05-04 at 11:32:33 +0200, Vadim Kochan vadi...@gmail.com wrote:

From: Vadim Kochan vadi...@gmail.com

Print similar header fields in less mode as it is done in full mode.

In my opinion it's fine as it is now and I'd like to keep the *_less outputs as sparse as possible. If the user wants more details they can still switch to verbose mode. Thus I'm not going to apply this, sorry.

OK, I was just thinking that less mode should at least print the header but not the content. But what about having at least a 'Family' and 'Type' (based on Family)?

Yes, that'd make sense. Could you please send an updated patch? Thanks!

Sure.
Re: [netsniff-ng] tprintf breaks color terminal sequence
On Tue, May 05, 2015 at 12:10:54PM +0200, Tobias Klauser wrote:

On 2015-05-04 at 19:16:39 +0200, Vadim Kochan vadi...@gmail.com wrote:

Hi,

In less mode (netsniff-ng -i dev --less) the color ESC terminal sequences can be broken by the automatic indentation made in tprintf.c: __tprint_flush, which can add spaces or a new line within this sequence. I am trying to fix this, but I am sending this message in case you may consider this issue before making the next release, or if you can make a fast fix :-)

Thanks for your follow up patch, with it applied I could no longer reproduce the problem.

Speaking of the release: Vadim, do you have any patches queued up which you think should be part of the release? Otherwise I'd close the tree for anything except bug fixes and target a release in 1-2 days (I've still got your bind()/create_ring() patch queued up and am waiting for feedback from Daniel).

Thanks for your contributions!

I sent a patch with some additions for nlmsg proto in less mode. Not sure if it should be in this release. Meanwhile I do not have any fixes except the one with bind()/create_ring(), but it seems Daniel suggested some other way.

Regards,
Vadim Kochan
[netsniff-ng] [PATCH] netsniff-ng nlmsg: Print family type in less mode
From: Vadim Kochan vadi...@gmail.com Print 'Family' and 'Type' (considering family) fields in less mode. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_nlmsg.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/proto_nlmsg.c b/proto_nlmsg.c index e8706a2..c651659 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -190,9 +190,12 @@ static void nlmsg_less(struct pkt_buff *pkt) if (hdr == NULL) return; - tprintf( NLMSG %u (%s%s%s), hdr-nlmsg_type, colorize_start(bold), - nl_nlmsgtype2str(hdr-nlmsg_type, type, sizeof(type)), - colorize_end()); + tprintf( NLMSG ); + tprintf(Family %d (%s%s%s), , ntohs(pkt-proto), colorize_start(bold), + nlmsg_family2str(ntohs(pkt-proto)), colorize_end()); + tprintf(Type %u (%s%s%s), hdr-nlmsg_type, colorize_start(bold), + nlmsg_type2str(ntohs(pkt-proto), hdr-nlmsg_type, type, + sizeof(type)), colorize_end()); } struct protocol nlmsg_ops = { -- 2.3.1 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
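Review bot: nlmsg_less() now evaluates ntohs(pkt->proto) three times across the two new tprintf() calls; read it once into a local uint16_t and pass that to nlmsg_family2str() and nlmsg_type2str(), which also keeps the argument lists on one line each. The separate `tprintf(" NLMSG ")` call can be folded into the format string of the Family line.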
Re: [netsniff-ng] [RFC] netsniff-ng: Add support of pcap cooked header
On Wed, May 13, 2015 at 11:08:01AM +0200, Daniel Borkmann wrote:

On 05/10/2015 02:37 PM, Vadim Kochan wrote:

From: Vadim Kochan vadi...@gmail.com

Since Netlink messages are written in default pcap format there is no way to identify Netlink family by socket protocol number, so use pcap cooked header for Netlink messages as described here: http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html

Signed-off-by: Vadim Kochan vadi...@gmail.com

Thanks for looking into this, Vadim! One preliminary question: you would only set that for netlink or also for other protocols?

Meanwhile it is useful only for Netlink link type.

The basic issue is that normal pcap hdr in front of every captured packet loses this information for the dissector, but alternative formats such as kuznet/netsniff-ng format still have it preserved, but are not supported by tools like wireshark.

Well, the main motivation was:
1) support saving Netlink protocol info by default in pcap file w/o setting the magic type.
2) compatibility with Wireshark (not so important but ...)

Of course using borkmann's/kuznetsov's pcap headers solves this issue.

So the options which I see are:

If you think that setting the magic type is enough then ignore the patch (at least it was funny to achieve the goal :-) ), but at least the manual page should have a comment that for Netlink messages it is better to use borkmann's/kuznetsov's format, and that's it :-)

Ok. Thinking out loud, what if we add another pcap type as an option to choose?

Regards,
Vadim Kochan
Re: [netsniff-ng] [RFC] netsniff-ng: Add support of pcap cooked header
On Wed, May 13, 2015 at 12:18:37PM +0300, Vadim Kochan wrote:

On Wed, May 13, 2015 at 11:08:01AM +0200, Daniel Borkmann wrote:

On 05/10/2015 02:37 PM, Vadim Kochan wrote:

From: Vadim Kochan vadi...@gmail.com

Since Netlink messages are written in default pcap format there is no way to identify Netlink family by socket protocol number, so use pcap cooked header for Netlink messages as described here: http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html

Signed-off-by: Vadim Kochan vadi...@gmail.com

Thanks for looking into this, Vadim! One preliminary question: you would only set that for netlink or also for other protocols?

Meanwhile it is useful only for Netlink link type.

The basic issue is that normal pcap hdr in front of every captured packet loses this information for the dissector, but alternative formats such as kuznet/netsniff-ng format still have it preserved, but are not supported by tools like wireshark.

Well, the main motivation was:
1) support saving Netlink protocol info by default in pcap file w/o setting the magic type.
2) compatibility with Wireshark (not so important but ...)

Of course using borkmann's/kuznetsov's pcap headers solves this issue.

So the options which I see are:

If you think that setting the magic type is enough then ignore the patch (at least it was funny to achieve the goal :-) ), but at least the manual page should have a comment that for Netlink messages it is better to use borkmann's/kuznetsov's format, and that's it :-)

Ok. Thinking out loud, what if we add another pcap type as an option to choose?

Regards,
Vadim Kochan

Or in case of Netlink link type enforce to use netsniff-ng pcap format ...
[netsniff-ng] [PATCH] netsniff-ng nlmsg: Print multi-part messages
From: Vadim Kochan vadi...@gmail.com Pull print more Netlink messages from one packet which can be sent with MULTI flag. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_nlmsg.c | 52 +--- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/proto_nlmsg.c b/proto_nlmsg.c index 136cec6..290fbf6 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -133,16 +133,27 @@ static char *nlmsg_type2str(uint16_t proto, uint16_t type, char *buf, int len) return nl_nlmsgtype2str(type, buf, len); } -static void nlmsg(struct pkt_buff *pkt) +static void nlmsg_print_each(struct pkt_buff *pkt, + void (*do_print)(uint16_t family, struct nlmsghdr *hdr)) +{ + struct nlmsghdr *hdr = (struct nlmsghdr *)pkt_pull(pkt, sizeof(*hdr)); + + while (hdr) { + do_print(ntohs(pkt-proto), hdr); + + if (!pkt_pull(pkt, NLMSG_PAYLOAD(hdr, 0))) + break; + + hdr = (struct nlmsghdr *)pkt_pull(pkt, sizeof(*hdr)); + } +} + +static void nlmsg_print(uint16_t family, struct nlmsghdr *hdr) { - struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); char type[32]; char flags[128]; char procname[PATH_MAX]; - if (hdr == NULL) - return; - /* Look up the process name if message is not coming from the kernel. * * Note that the port id is not necessarily equal to the PID of the 
@@ -163,13 +174,15 @@ static void nlmsg(struct pkt_buff *pkt) snprintf(procname, sizeof(procname), kernel); tprintf( [ NLMSG ); - tprintf(Family %d (%s%s%s), , ntohs(pkt-proto), colorize_start(bold), - nlmsg_family2str(ntohs(pkt-proto)), colorize_end()); + tprintf(Family %d (%s%s%s), , family, + colorize_start(bold), + nlmsg_family2str(family), + colorize_end()); tprintf(Len %u, , hdr-nlmsg_len); tprintf(Type 0x%.4x (%s%s%s), , hdr-nlmsg_type, colorize_start(bold), - nlmsg_type2str(ntohs(pkt-proto), hdr-nlmsg_type, type, - sizeof(type)), colorize_end()); + nlmsg_type2str(family, hdr-nlmsg_type, type, sizeof(type)), + colorize_end()); tprintf(Flags 0x%.4x (%s%s%s), , hdr-nlmsg_flags, colorize_start(bold), nl_nlmsg_flags2str(hdr-nlmsg_flags, flags, sizeof(flags)), 
@@ -182,19 +195,28 @@ static void nlmsg(struct pkt_buff *pkt) tprintf( ]\n); } +static void nlmsg(struct pkt_buff *pkt) +{ + nlmsg_print_each(pkt, nlmsg_print); +} + static void nlmsg_less(struct pkt_buff *pkt) { - struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); + struct nlmsghdr *hdr = (struct nlmsghdr *)pkt_pull(pkt, sizeof(*hdr)); + uint16_t family = ntohs(pkt-proto); char type[32]; if (hdr == NULL) return; - tprintf( NLMSG Family %d (%s%s%s), , ntohs(pkt-proto), colorize_start(bold), - nlmsg_family2str(ntohs(pkt-proto)), colorize_end()); - tprintf(Type %u (%s%s%s), hdr-nlmsg_type, colorize_start(bold), - nlmsg_type2str(ntohs(pkt-proto), hdr-nlmsg_type, type, - sizeof(type)), colorize_end()); + tprintf( NLMSG Family %d (%s%s%s), , family, + colorize_start(bold), + nlmsg_family2str(family), + colorize_end()); + tprintf(Type %u (%s%s%s), hdr-nlmsg_type, + colorize_start(bold), + nlmsg_type2str(family, hdr-nlmsg_type, type, sizeof(type)), + colorize_end()); } struct protocol nlmsg_ops = { -- 2.3.1 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
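Review bot: In nlmsg_print_each(), the loop advances by NLMSG_PAYLOAD(hdr, 0), which is the unaligned payload length, while consecutive messages in a multi-part buffer start on NLMSG_ALIGNTO boundaries. When nlmsg_len is not a multiple of 4 the next pkt_pull() starts inside the padding and the following header is misread. Advance by NLMSG_ALIGN(hdr->nlmsg_len) minus the header size, which is what NLMSG_NEXT() does. The do_print callback has a single caller in this patch, so a direct call to nlmsg_print() would be simpler than the function pointer.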
[netsniff-ng] [PATCH v2] netsniff-ng nlmsg: Print multi-part messages
From: Vadim Kochan vadi...@gmail.com Pull print more Netlink messages from one packet which can be sent with MULTI flag. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_nlmsg.c | 44 ++-- 1 file changed, 30 insertions(+), 14 deletions(-) diff --git a/proto_nlmsg.c b/proto_nlmsg.c index 136cec6..1b0eed7 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -133,16 +133,12 @@ static char *nlmsg_type2str(uint16_t proto, uint16_t type, char *buf, int len) return nl_nlmsgtype2str(type, buf, len); } -static void nlmsg(struct pkt_buff *pkt) +static void nlmsg_print(uint16_t family, struct nlmsghdr *hdr) { - struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); char type[32]; char flags[128]; char procname[PATH_MAX]; - if (hdr == NULL) - return; - /* Look up the process name if message is not coming from the kernel. * * Note that the port id is not necessarily equal to the PID of the @@ -163,13 +159,15 @@ static void nlmsg(struct pkt_buff *pkt) snprintf(procname, sizeof(procname), kernel); tprintf( [ NLMSG ); - tprintf(Family %d (%s%s%s), , ntohs(pkt-proto), colorize_start(bold), - nlmsg_family2str(ntohs(pkt-proto)), colorize_end()); + tprintf(Family %d (%s%s%s), , family, + colorize_start(bold), + nlmsg_family2str(family), + colorize_end()); tprintf(Len %u, , hdr-nlmsg_len); tprintf(Type 0x%.4x (%s%s%s), , hdr-nlmsg_type, colorize_start(bold), - nlmsg_type2str(ntohs(pkt-proto), hdr-nlmsg_type, type, - sizeof(type)), colorize_end()); + nlmsg_type2str(family, hdr-nlmsg_type, type, sizeof(type)), + colorize_end()); tprintf(Flags 0x%.4x (%s%s%s), , hdr-nlmsg_flags, colorize_start(bold), nl_nlmsg_flags2str(hdr-nlmsg_flags, flags, sizeof(flags)), 
@@ -182,19 +180,37 @@ static void nlmsg(struct pkt_buff *pkt) tprintf( ]\n); } +static void nlmsg(struct pkt_buff *pkt) +{ + struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); + + while (hdr) { + nlmsg_print(ntohs(pkt-proto), hdr); + + if (!pkt_pull(pkt, NLMSG_PAYLOAD(hdr, 0))) + break; + + hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); + } +} + static void nlmsg_less(struct pkt_buff *pkt) { struct nlmsghdr *hdr = (struct nlmsghdr *) pkt_pull(pkt, sizeof(*hdr)); + uint16_t family = ntohs(pkt-proto); char type[32]; if (hdr == NULL) return; - tprintf( NLMSG Family %d (%s%s%s), , ntohs(pkt-proto), colorize_start(bold), - nlmsg_family2str(ntohs(pkt-proto)), colorize_end()); - tprintf(Type %u (%s%s%s), hdr-nlmsg_type, colorize_start(bold), - nlmsg_type2str(ntohs(pkt-proto), hdr-nlmsg_type, type, - sizeof(type)), colorize_end()); + tprintf( NLMSG Family %d (%s%s%s), , family, + colorize_start(bold), + nlmsg_family2str(family), + colorize_end()); + tprintf(Type %u (%s%s%s), hdr-nlmsg_type, + colorize_start(bold), + nlmsg_type2str(family, hdr-nlmsg_type, type, sizeof(type)), + colorize_end()); } struct protocol nlmsg_ops = { -- 2.3.1 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
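Review bot: In the new nlmsg() loop, hdr->nlmsg_len comes straight from the captured packet and goes into NLMSG_PAYLOAD(hdr, 0) unchecked; a length smaller than the header makes the unsigned subtraction wrap, and termination then depends entirely on pkt_pull() rejecting the oversized request. Validate nlmsg_len against the header size and the bytes remaining in the packet (the NLMSG_OK() test) before printing or advancing. nlmsg_less() still pulls a single header, so less mode shows only the first message of a multi-part packet; the commit message should say whether that is intended.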
[netsniff-ng] [PATCH] netsniff-ng nlmsg: Dissect rtnl link type messages
From: Vadim Kochan vadi...@gmail.com Dump RTnetlink interface related info with attributes. Signed-off-by: Vadim Kochan vadi...@gmail.com --- netsniff-ng/Makefile | 2 + proto_nlmsg.c| 232 +++ 2 files changed, 234 insertions(+) diff --git a/netsniff-ng/Makefile b/netsniff-ng/Makefile index 9fe2ffe..92990ff 100644 --- a/netsniff-ng/Makefile +++ b/netsniff-ng/Makefile @@ -1,5 +1,6 @@ netsniff-ng-libs = $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --libs libnl-3.0) \ $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --libs libnl-genl-3.0) \ + $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --libs libnl-route-3.0) \ -lpthread ifeq ($(CONFIG_LIBPCAP), 1) @@ -78,6 +79,7 @@ endif netsniff-ng-eflags = $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --cflags libnl-3.0) \ $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --cflags libnl-genl-3.0) \ +$(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --cflags libnl-route-3.0) \ -DNEED_TCPDUMP_LIKE_FILTER netsniff-ng-confs =ether.conf \ diff --git a/proto_nlmsg.c b/proto_nlmsg.c index 1b0eed7..c482df1 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -9,6 +9,9 @@ #include limits.h #include libgen.h #include netlink/msg.h +#include netlink/route/link.h +#include linux/if_arp.h +#include arpa/inet.h #include pkt_buff.h #include proto.h 
@@ -120,6 +123,114 @@ static const char *nlmsg_rtnl_type2str(uint16_t type) } } +static char *if_type2str(uint16_t type) +{ + switch (type) { + case ARPHRD_ETHER: return ether; + case ARPHRD_EETHER: return eether; + case ARPHRD_AX25: return ax25; + case ARPHRD_PRONET: return pronet; + case ARPHRD_CHAOS: return chaos; + case ARPHRD_IEEE802: return ieee802; + case ARPHRD_ARCNET: return arcnet; + case ARPHRD_APPLETLK: return appletlk; + case ARPHRD_DLCI: return dlci; + case ARPHRD_ATM: return atm; + case ARPHRD_METRICOM: return metricom; + case ARPHRD_IEEE1394: return ieee1394; + case ARPHRD_INFINIBAND: return infiniband; + case ARPHRD_SLIP: return slip; + case ARPHRD_CSLIP: return cslip; + case ARPHRD_SLIP6: return slip6; + case ARPHRD_CSLIP6: return cslip6; + case ARPHRD_RSRVD: return RSRVD; + case ARPHRD_ADAPT: return adapt; + case ARPHRD_ROSE: return rose; + case ARPHRD_X25: return x25; + case ARPHRD_HWX25: return hwx25; + case ARPHRD_CAN: return can; + case ARPHRD_PPP: return ppp; + case ARPHRD_HDLC: return hdlc; + case ARPHRD_LAPB: return lapb; + case ARPHRD_DDCMP: return ddcmp; + case ARPHRD_RAWHDLC: return rawhdlc; + case ARPHRD_TUNNEL: return tunnel; + case ARPHRD_TUNNEL6: return tunnel6; + case ARPHRD_FRAD: return frad; + case ARPHRD_SKIP: return skip; + case ARPHRD_LOOPBACK: return loopback; + case ARPHRD_LOCALTLK: return localtlk; + case ARPHRD_FDDI: return fddi; + case ARPHRD_BIF: return bif; + case ARPHRD_SIT: return sit; + case ARPHRD_IPDDP: return ipddp; + case ARPHRD_IPGRE: return ipgre; + case ARPHRD_PIMREG: return pimreg; + case ARPHRD_HIPPI: return hippi; + case ARPHRD_ASH: return ash; + case ARPHRD_ECONET: return econet; + case ARPHRD_IRDA: return irda; + case ARPHRD_FCPP: return fcpp; + case ARPHRD_FCAL: return fcal; + case ARPHRD_FCPL: return fcpl; + case ARPHRD_FCFABRIC: return fcfb0; + case ARPHRD_FCFABRIC + 1: return fcfb1; + case ARPHRD_FCFABRIC + 2: return fcfb2; + case ARPHRD_FCFABRIC + 3: return fcfb3; + case ARPHRD_FCFABRIC + 4: return 
fcfb4; + case ARPHRD_FCFABRIC + 5: return fcfb5; + case ARPHRD_FCFABRIC + 6: return fcfb6; + case ARPHRD_FCFABRIC + 7: return fcfb7; + case ARPHRD_FCFABRIC + 8: return fcfb8; + case ARPHRD_FCFABRIC + 9: return fcfb9; + case ARPHRD_FCFABRIC + 10: return fcfb10; + case ARPHRD_FCFABRIC + 11: return fcfb11; + case ARPHRD_FCFABRIC + 12: return fcfb12; + case ARPHRD_IEEE802_TR: return ieee802_tr; + case ARPHRD_IEEE80211: return ieee80211; + case ARPHRD_IEEE80211_PRISM: return ieee80211_prism; + case ARPHRD_IEEE80211_RADIOTAP: return ieee80211_radiotap; + case ARPHRD_IEEE802154: return ieee802154; + case ARPHRD_PHONET: return phonet; + case ARPHRD_PHONET_PIPE: return phonet_pipe; + case ARPHRD_CAIF: return caif; + case ARPHRD_IP6GRE: return ip6gre; + case ARPHRD_NETLINK: return netlink; + case ARPHRD_NONE: return none; + case ARPHRD_VOID: return void; + + default: return Unknown; + } +} + +static const char *if_addr2str(const unsigned char *addr, int alen, int
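Review bot: if_type2str() is declared `static char *` but every branch returns a string literal, so a caller can write through the pointer without a compiler diagnostic; declare it `static const char *`, as nlmsg_rtnl_type2str() in the hunk context already is. The switch, including the thirteen ARPHRD_FCFABRIC + n labels, would be shorter and easier to extend as a value/name lookup table.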
[netsniff-ng] [PATCH v2] netsniff-ng nlmsg: Dissect rtnl link type messages
From: Vadim Kochan vadi...@gmail.com Dump RTnetlink interface related info with attributes. Signed-off-by: Vadim Kochan vadi...@gmail.com --- netsniff-ng/Makefile | 2 + proto_nlmsg.c| 233 +++ 2 files changed, 235 insertions(+) diff --git a/netsniff-ng/Makefile b/netsniff-ng/Makefile index 9fe2ffe..92990ff 100644 --- a/netsniff-ng/Makefile +++ b/netsniff-ng/Makefile @@ -1,5 +1,6 @@ netsniff-ng-libs = $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --libs libnl-3.0) \ $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --libs libnl-genl-3.0) \ + $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --libs libnl-route-3.0) \ -lpthread ifeq ($(CONFIG_LIBPCAP), 1) @@ -78,6 +79,7 @@ endif netsniff-ng-eflags = $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --cflags libnl-3.0) \ $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --cflags libnl-genl-3.0) \ +$(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) $(PKG_CONFIG) --cflags libnl-route-3.0) \ -DNEED_TCPDUMP_LIKE_FILTER netsniff-ng-confs =ether.conf \ diff --git a/proto_nlmsg.c b/proto_nlmsg.c index 1b0eed7..89b48b2 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -9,6 +9,9 @@ #include limits.h #include libgen.h #include netlink/msg.h +#include netlink/route/link.h +#include linux/if_arp.h +#include arpa/inet.h #include pkt_buff.h #include proto.h 
@@ -120,6 +123,115 @@ static const char *nlmsg_rtnl_type2str(uint16_t type) } } +static char *if_type2str(uint16_t type) +{ + switch (type) { + case ARPHRD_ETHER: return ether; + case ARPHRD_EETHER: return eether; + case ARPHRD_AX25: return ax25; + case ARPHRD_PRONET: return pronet; + case ARPHRD_CHAOS: return chaos; + case ARPHRD_IEEE802: return ieee802; + case ARPHRD_ARCNET: return arcnet; + case ARPHRD_APPLETLK: return appletlk; + case ARPHRD_DLCI: return dlci; + case ARPHRD_ATM: return atm; + case ARPHRD_METRICOM: return metricom; + case ARPHRD_IEEE1394: return ieee1394; + case ARPHRD_INFINIBAND: return infiniband; + case ARPHRD_SLIP: return slip; + case ARPHRD_CSLIP: return cslip; + case ARPHRD_SLIP6: return slip6; + case ARPHRD_CSLIP6: return cslip6; + case ARPHRD_RSRVD: return RSRVD; + case ARPHRD_ADAPT: return adapt; + case ARPHRD_ROSE: return rose; + case ARPHRD_X25: return x25; + case ARPHRD_HWX25: return hwx25; + case ARPHRD_CAN: return can; + case ARPHRD_PPP: return ppp; + case ARPHRD_HDLC: return hdlc; + case ARPHRD_LAPB: return lapb; + case ARPHRD_DDCMP: return ddcmp; + case ARPHRD_RAWHDLC: return rawhdlc; + case ARPHRD_TUNNEL: return tunnel; + case ARPHRD_TUNNEL6: return tunnel6; + case ARPHRD_FRAD: return frad; + case ARPHRD_SKIP: return skip; + case ARPHRD_LOOPBACK: return loopback; + case ARPHRD_LOCALTLK: return localtlk; + case ARPHRD_FDDI: return fddi; + case ARPHRD_BIF: return bif; + case ARPHRD_SIT: return sit; + case ARPHRD_IPDDP: return ipddp; + case ARPHRD_IPGRE: return ipgre; + case ARPHRD_PIMREG: return pimreg; + case ARPHRD_HIPPI: return hippi; + case ARPHRD_ASH: return ash; + case ARPHRD_ECONET: return econet; + case ARPHRD_IRDA: return irda; + case ARPHRD_FCPP: return fcpp; + case ARPHRD_FCAL: return fcal; + case ARPHRD_FCPL: return fcpl; + case ARPHRD_FCFABRIC: return fcfb0; + case ARPHRD_FCFABRIC + 1: return fcfb1; + case ARPHRD_FCFABRIC + 2: return fcfb2; + case ARPHRD_FCFABRIC + 3: return fcfb3; + case ARPHRD_FCFABRIC + 4: return 
fcfb4; + case ARPHRD_FCFABRIC + 5: return fcfb5; + case ARPHRD_FCFABRIC + 6: return fcfb6; + case ARPHRD_FCFABRIC + 7: return fcfb7; + case ARPHRD_FCFABRIC + 8: return fcfb8; + case ARPHRD_FCFABRIC + 9: return fcfb9; + case ARPHRD_FCFABRIC + 10: return fcfb10; + case ARPHRD_FCFABRIC + 11: return fcfb11; + case ARPHRD_FCFABRIC + 12: return fcfb12; + case ARPHRD_IEEE802_TR: return ieee802_tr; + case ARPHRD_IEEE80211: return ieee80211; + case ARPHRD_IEEE80211_PRISM: return ieee80211_prism; + case ARPHRD_IEEE80211_RADIOTAP: return ieee80211_radiotap; + case ARPHRD_IEEE802154: return ieee802154; + case ARPHRD_PHONET: return phonet; + case ARPHRD_PHONET_PIPE: return phonet_pipe; + case ARPHRD_CAIF: return caif; + case ARPHRD_IP6GRE: return ip6gre; + case ARPHRD_NETLINK: return netlink; + case ARPHRD_NONE: return none; + case ARPHRD_VOID: return void; + + default: return Unknown; + } +} + +/* Taken from iproute2 */ +static const char *ll_addr_n2a(const unsigned
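Review bot: The two Makefile hunks add libnl-route-3.0 to the pkg-config --libs and --cflags lines unconditionally, and the diffstat lists only netsniff-ng/Makefile and proto_nlmsg.c, so nothing in this patch checks that the library is installed before the build fails on it. Add the check wherever libnl-3.0 and libnl-genl-3.0 are tested, and mention the new dependency in the commit message. The `/* Taken from iproute2 */` comment above ll_addr_n2a() should name the source file and version it was copied from.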
Re: [netsniff-ng] [PATCH] netsniff-ng: Add support of pcap cooked header
On Tue, Jun 02, 2015 at 10:51:01AM +0200, Daniel Borkmann wrote:

On 06/02/2015 10:44 AM, Vadim Kochan wrote:

On Tue, Jun 02, 2015 at 10:36:12AM +0200, Daniel Borkmann wrote:

On 06/01/2015 05:43 PM, Vadim Kochan wrote:

On Mon, Jun 01, 2015 at 05:14:10PM +0200, Daniel Borkmann wrote:

On 06/01/2015 04:23 PM, Vadim Kochan wrote:

...

I checked that in this case Ethernet & Netlink frames will be mixed in the pcap file, but netsniff-ng tries to identify all the frames as Ethernet, and in this case frames are not wrapped with cooked header.

Right, so for that use case, it wouldn't work currently. I'm thinking that in case of 'any' device *and* if there's at least one device present at the time we bind the socket to any that would have netlink type, then we would need to turn on cooked mode generally, so that in such environments Ethernet and Netlink would have both cooked headers. I think that would be useful to adapt the patch towards covering such use cases as well since people might also like to correlate i.e. Netlink events together with network packets. Could you please respin the patch towards supporting this, too? Then I think, it should be ready to go in.

...

Then I think link type can be set as LINKTYPE_LINUX_SLL in the pcap header. Maybe it would be useful to use LINKTYPE_LINUX_SLL by default if 'any' was specified or only if the Netlink device is present in UP state?

I'm thinking that the following might be useful for the pcap writer: Have an option --cooked that generally adds cooked header (no matter what the underlying device is, so could be 'any' as well). Whenever we bound our socket specifically to a nlmon device, then we enable that option transparently in the case of default/ns pcap.

So, the solution might be - use cooked header automatically if only nlmon device was specified or when --cooked option was specified?

Yes, I would go for that as a start.

OK, but it sounds like the --cooked option might be an additional feature, so I think the current patch can be applied as it is? I have no problem with re-working the patch, I am just asking :)

Regards,
[netsniff-ng] netsniff-ng: Is it needed to handle SIGSEGV when using sudo ?
Hi,

I was faced with a case where netsniff-ng was silently killed by SIGSEGV but w/o a message. I investigated that it was caused by 'sudo', which it seems to me somehow aborts this signal, but registering a SIGSEGV handler (which printed the expected Segmentation fault message) in netsniff-ng fixed it.

So the question is: should netsniff-ng handle the SIGSEGV signal in that case, print a message and die, or is it not secure behaviour to let the user, who might have some limitations by sudo, know about the Segmentation fault?

Actually maybe this is only my special case, when I'd like to see the Segmentation fault message to identify the problem in the code when using sudo.

Regards,
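A SIGSEGV handler of the kind the message describes, shown as an added example that is neither netsniff-ng code nor the poster's handler: it prints a fixed string using only async-signal-safe calls and then lets the default action terminate the process, so the parent still sees a death by SIGSEGV. The function names are hypothetical, and `raise(SIGSEGV)` in a forked child is a constructed stand-in for a real fault.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Only async-signal-safe calls in here: write(2) and raise(3). */
static void crash_handler(int sig)
{
	static const char msg[] = "Segmentation fault\n";
	ssize_t n = write(STDERR_FILENO, msg, sizeof(msg) - 1);

	(void)n;
	/* SA_RESETHAND has already restored SIG_DFL. The re-raised signal is
	 * delivered when this handler returns and terminates the process. */
	raise(sig);
}

/* Install the one-shot handler; returns 0 on success, -1 on error. */
int install_crash_handler(void)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = crash_handler;
	sa.sa_flags = SA_RESETHAND;
	sigemptyset(&sa.sa_mask);
	return sigaction(SIGSEGV, &sa, NULL);
}

/*
 * Fork a child that installs the handler and raises SIGSEGV, capture what it
 * writes to stderr, and return the signal that terminated it (-1 on error or
 * if it exited normally).
 */
int crash_child_signal(char *out, size_t outlen)
{
	int pfd[2], status;
	size_t used = 0;
	ssize_t n;
	pid_t pid;

	if (outlen == 0 || pipe(pfd) < 0)
		return -1;

	pid = fork();
	if (pid < 0) {
		close(pfd[0]);
		close(pfd[1]);
		return -1;
	}
	if (pid == 0) {
		struct rlimit no_core = { 0, 0 };

		setrlimit(RLIMIT_CORE, &no_core);	/* no core file from the demo */
		close(pfd[0]);
		dup2(pfd[1], STDERR_FILENO);
		close(pfd[1]);
		if (install_crash_handler() < 0)
			_exit(1);
		raise(SIGSEGV);
		_exit(2);	/* not reached: default action kills the child */
	}

	close(pfd[1]);
	while (used < outlen - 1 &&
	       (n = read(pfd[0], out + used, outlen - 1 - used)) > 0)
		used += (size_t)n;
	out[used] = '\0';
	close(pfd[0]);

	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}

int main(void)
{
	char out[64];
	int sig = crash_child_signal(out, sizeof(out));

	printf("child stderr: %s", out);
	printf("child terminated by signal %d\n", sig);
	return sig == SIGSEGV ? 0 : 1;
}
```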
Fwd: [netsniff-ng] error when running trafgen for the first time.
CC to Perf Tech

-- Forwarded message --
From: Vadim Kochan vadi...@gmail.com
Date: Thu, Jun 4, 2015 at 11:11 PM
Subject: Re: [netsniff-ng] error when running trafgen for the first time.
To: netsniff-ng@googlegroups.com

On Wed, Jun 3, 2015 at 7:05 PM, Perf Tech perfte...@gmail.com wrote:

Hi Guys,

New to the tool trafgen (ver 0.5.9-rc4). When I run it on my ubuntu 12.04 server, got errors:

$./trafgen -e tmp2.txt
$./trafgen --dev eth0 --conf tmp2.txt --rand --gap 1000us
Syntax error at line2, at char 'T'! syntax error, unexpected number, expecting ')'!

Not sure what's causing the error. Any ideas? Thanks.

Hi,

Maybe you should add the --cpp option?

$./trafgen --dev eth0 --conf tmp2.txt --rand --gap 1000us --cpp

Regards,
Re: [netsniff-ng] error when running trafgen for the first time.
On Fri, Jun 05, 2015 at 03:04:24PM -0700, Perf Tech wrote:

Sorry, I meant to say I got the following. I am stuck with syntax errors :-(

# ./trafgen --dev eth0 --conf tmp2.txt --rand --gap 1000us --cpp
Syntax error at line6, at char 't'! syntax error, unexpected number!

# ./trafgen --dev eth0 --conf tmp2.txt --rand --gap 1000us
Syntax error at line2, at char 'T'! syntax error, unexpected number, expecting ')'!

I think you need to copy trafgen_stddef.h into /etc/netsniff-ng/stddef.h :-)

Because when I renamed my /etc/netsniff-ng/stddef.h I got the same error.

Regards,
Re: Fwd: [netsniff-ng] error when running trafgen for the first time.
On Sat, Jun 06, 2015 at 12:27:46AM +0200, Daniel Borkmann wrote:
On 06/06/2015 12:16 AM, Vadim Kochan wrote:
...

Do you have cpp installed on your machine?

I think in that case there could be a message like:

sh: cpp: command not found
Failed to invoke C preprocessor!

Yes, agreed. Want to send a patch? ;)

Sorry, maybe I should give some explanation - I changed the cpp command invoked from trafgen_parser.y to something nonexistent, XXX, and I got the above message, so I meant that Perf Tech should then get this message too if he/she has no cpp util.

Regards,
Re: Fwd: [netsniff-ng] error when running trafgen for the first time.
On Sat, Jun 06, 2015 at 12:08:58AM +0200, Daniel Borkmann wrote:
On 06/06/2015 12:02 AM, Perf Tech wrote:

Thanks Guys for the reply. The following is what I got, any idea why?

# ./trafgen --dev eth0 --conf tmp2.txt --rand --gap 1000us --cpp
Syntax error at line6, at char 't'! syntax error, unexpected number!
# ./trafgen --dev eth0 --conf tmp2.txt --rand --gap 1000us
Syntax error at line2, at char 'T'! syntax error, unexpected number, expecting ')'!

That's what I get:

# trafgen -e foo
# trafgen --in foo --out em1 --cpp --rand --gap 1000us --num 1
1 packets to schedule
73 bytes in total
Running! Hang up with ^C!
1 packets outgoing
73 bytes outgoing
0 sec, 1148 usec on CPU0 (1 packets)

Do you have cpp installed on your machine?

I think in that case there could be a message like:

sh: cpp: command not found
Failed to invoke C preprocessor!
Re: [netsniff-ng] error when running trafgen for the first time.
On Fri, Jun 05, 2015 at 03:31:30PM -0700, Perf Tech wrote:

Did that but still get the same problem.

# ls /etc/netsniff-ng/
rules trafgen_stddef.h

It should be as stddef.h in /etc/netsniff-ng
Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?
On Thu, Jun 18, 2015 at 11:07:12AM +0200, Daniel Borkmann wrote:
On 06/18/2015 10:57 AM, Vadim Kochan wrote:
...

Not yet, but I will try keep thinking about this, and will let know if I will have some real ideas regarding implementation.

Sounds good!

Some 1st thought which I came up with is maybe to start extending the current trafgen generation api set:

{
    eth { src(), dst(), proto(), } ,
    ip { ver(), src(), dst(), opt(0x1, 20), opt(0x2, 30), },
    tcp { dport(), sport(), flags(), },
}

and afterwards use them when adding the cmd line options interface.

Regards,
Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect
On Fri, Jun 19, 2015 at 11:13:54PM +0200, Daniel Borkmann wrote: On 06/19/2015 10:58 PM, Vadim Kochan wrote: On Fri, Jun 19, 2015 at 10:47:49PM +0200, Daniel Borkmann wrote: ... @@ -737,6 +837,24 @@ static inline void pcap_validate_header(const struct pcap_filehdr *hdr) if (unlikely(hdr-version_minor != PCAP_VERSION_MINOR) ___constant_swab16(hdr-version_minor) != PCAP_VERSION_MINOR) panic(This file has an invalid pcap minor version (must be %d)\n, PCAP_VERSION_MINOR); + + /* Remap to internal *_LL types in case of LINKTYPE_LINUX_SLL. */ + if (linktype == LINKTYPE_LINUX_SLL) { should not link_has_sll_hdr() be used here ? Why? At this point, when reading a pcap file, basic validation has already been done and linktype is in host endianess. In netsniff-ng, we write out the pcap header as LINKTYPE_LINUX_SLL in case of Netlink. In case some other source doesn't use LINKTYPE_LINUX_SLL but LINKTYPE_NETLINK, we actually need not to assume cooked format. My understanding is that linktype might be set to LINKTYPE_NETLINK if it was sniffed only from Netlink interface which uses the same sll header format but with ignoring few fields - address address len. -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect
On Fri, Jun 19, 2015 at 10:47:49PM +0200, Daniel Borkmann wrote: On 06/18/2015 11:49 AM, Daniel Borkmann wrote: On 06/18/2015 11:42 AM, Vadim Kochan wrote: On Thu, Jun 18, 2015 at 10:45:29AM +0200, Daniel Borkmann wrote: I've started splitting this into smaller digestible chunks, couple of more evenings and it should be done from my side. Thanks for your patience. But implementation now is OK in the last original patch series v2 ? The only missing piece from your first patch I need to go through is the pcap i/o parts. I wanted to check if two new dummy types are possible (where we'd have transparent mapping - so it would be semantically the same as this patch), whether they result in a smaller code diff and would have lesser impact on the fast path. If that's the case, I'd go for that, if not I will take the current remaining piece. Will let you know. Okay, here it goes. I tested this with capturing from netsniff-ng, reading via Wireshark and capturing from Wireshark and reading via netsniff-ng. Seems fine, please double check it. All in all this should have less overhead and result in smaller code diff. Apart from that, the pcap_io.h might need some cleanups anyway. [PATCH] pcap_io: add cooked mode support Originally submitted by Vadim in a different form, he wrote: Use Linux cooked header for Netlink interface automatically or as replacement of L2 header if --cooked option is specified: http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html 'Cooked headers' makes sense to use for default or nsec pcap types which does not contain protocol info. Added new LINKTYPE_LINUX_SLL which indicates pcap file with Linux cooked header as L2 layer header. This pcap file is compatible with Wireshark's cooked header vice-versa. Signed-off-by: Vadim Kochan vadi...@gmail.com Signed-off-by: Daniel Borkmann dan...@iogearbox.net --- netsniff-ng.c | 17 ++ pcap_io.h | 192 +++--- 2 files changed, 172 insertions(+), 37 deletions(-) 
diff --git a/netsniff-ng.c b/netsniff-ng.c index 0a9c620..e593b9d 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -1519,6 +1519,23 @@ int main(int argc, char **argv) if (!ctx.link_type) ctx.link_type = pcap_dev_to_linktype(ctx.device_in); + if (link_has_sll_hdr(ctx.link_type)) { + switch (ctx.magic) { + case ORIGINAL_TCPDUMP_MAGIC: + ctx.magic = ORIGINAL_TCPDUMP_MAGIC_LL; + break; + case NSEC_TCPDUMP_MAGIC: + ctx.magic = NSEC_TCPDUMP_MAGIC_LL; + break; + case ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC): + ctx.magic = ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC_LL); + break; + case ___constant_swab32(NSEC_TCPDUMP_MAGIC): + ctx.magic = ___constant_swab32(NSEC_TCPDUMP_MAGIC_LL); + break; + } + } + if (!ctx.device_out) { ctx.dump = 0; diff --git a/pcap_io.h b/pcap_io.h index 497e453..5beccf9 100644 --- a/pcap_io.h +++ b/pcap_io.h @@ -27,6 +27,8 @@ #define TCPDUMP_MAGIC0xa1b2c3d4 #define ORIGINAL_TCPDUMP_MAGIC TCPDUMP_MAGIC #define NSEC_TCPDUMP_MAGIC 0xa1b23c4d +#define ORIGINAL_TCPDUMP_MAGIC_LL0xb1b2c3d4 /* Internal dummy just for mapping */ +#define NSEC_TCPDUMP_MAGIC_LL0xb1b23c4d /* Internal dummy just for mapping */ #define KUZNETZOV_TCPDUMP_MAGIC 0xa1b2cd34 #define BORKMANN_TCPDUMP_MAGIC 0xa1e2cb12 @@ -78,6 +80,20 @@ struct pcap_pkthdr_ns { uint32_t len; }; +struct pcap_pkthdr_ll { + struct pcap_timeval ts; + uint32_t caplen; + uint32_t len; + struct pcap_ll ll; +}; + +struct pcap_pkthdr_ns_ll { + struct pcap_timeval_ns ts; + uint32_t caplen; + uint32_t len; + struct pcap_ll ll; +}; + struct pcap_pkthdr_kuz { struct pcap_timeval ts; uint32_t caplen; @@ -99,21 +115,27 @@ struct pcap_pkthdr_bkm { }; typedef union { - struct pcap_pkthdr ppo; - struct pcap_pkthdr_ns ppn; - struct pcap_pkthdr_kuz ppk; - struct pcap_pkthdr_bkm ppb; - uint8_t raw; + struct pcap_pkthdr ppo; + struct pcap_pkthdr_ns ppn; + struct pcap_pkthdr_ll ppo_ll; + struct pcap_pkthdr_ns_llppn_ll; + struct pcap_pkthdr_kuz ppk; + struct pcap_pkthdr_bkm ppb; + uint8_t raw; } pcap_pkthdr_t; enum
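Review bot: the switch on ctx.magic in the netsniff-ng.c hunk has no default case, so when link_has_sll_hdr(ctx.link_type) is true but ctx.magic is one of the other formats defined in pcap_io.h (KUZNETZOV_TCPDUMP_MAGIC, BORKMANN_TCPDUMP_MAGIC) the magic is silently left unchanged. The commit message says cooked headers only make sense for the default and nsec types, so an explicit default: branch carrying that comment, or a warning to the user, would make the intent visible at the point where the decision is taken.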
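Review bot: ORIGINAL_TCPDUMP_MAGIC_LL and NSEC_TCPDUMP_MAGIC_LL in the pcap_io.h hunk are described only as "Internal dummy just for mapping", yet they are ordinary 32-bit values in the same space as the on-disk magics, and nothing in the visible lines stops a file whose header carries 0xb1b2c3d4 or 0xb1b23c4d from being treated as one of the internal types. The comment should say that these values are never written to or accepted from a file, and header validation on read should reject them explicitly.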
Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?
On Mon, Jun 22, 2015 at 03:55:01PM +0200, Daniel Borkmann wrote:
On 06/21/2015 07:02 PM, Vadim Kochan wrote:
...

Not sure if it is necessary to use libnet by trafgen as it is used by mz to generate packets ? It will add the new dependency, but seems it can simplify generation of the proto packets.

Yes sure, we shouldn't depend on it, I think some small helper functions inside the netsniff-ng tree could do the job, too.

Hm, I missed this email ... anyway I almost developed a generic mechanism for proto fields generation which uses the low level trafgen's xxx_byte functions from trafgen_parser.c which I had to export. I have also implemented ethernet arp protocol generation based on the common field generation code, but I can't decide which command line syntax would be good, so I think that something like this might be ok (we should not follow mz style, right?):

$ trafgen --dev lo -n 1 eth sa=11:22:33:44:55:66 da=11:22:33:44:55:66, arp op=req tip=192.168.1.1

This syntax will allow to easily parse parameters per protocol name just by splitting the whole cmdline by ','.

Sure, I tried to use mz's style but it seems more complicated:

$ trafgen/trafgen --dev lo eth da = AA:BB:CC:DD:EE:FF,sa=11:22:33:44:55:66 arp tip=192.168.1.1 -n 1

By more complicated I mean that it will not allow to use strtok parsing but parsing for each character, but sure it is possible. mz seems to parse params from the whole command line, but I'd like to separate params per protocol.

Regards,
Vadim Kochan
Re: [netsniff-ng] Installation error - netsniff-ng-0.5.9 / Debian 7.8
On Tue, Jun 23, 2015 at 05:40:03PM +, James Burnett wrote:

Hi team,

I’m using Netsniff (primarily for mausezahn) in a large lab setup. I’ve installed it successfully from source on Ubuntu 14.04 this morning, but when trying to do the same on Debian 7.8 (wheezy), I run into the following error when running the ‘make install’ phase. Note, I have tried this as root and as.. not root. I suspect it’s the leading ` character not being understood.

neteam@dfn-1:~/netsniff-ng-0.5.9$ sudo make install
INST netsniff-ng/netsniff-ng
INST netsniff-ng/netsniff-ng.8.gz
install: cannot create regular file `/usr/local/share/man/man8/netsniff-ng.8.gz': No such file or directory
make: *** [netsniff-ng_do_install] Error 1

Apologies if this has been reported/fixed elsewhere.

Thanks for your time,
James Burnett
Network Engineer
GÉANT - Cambridge Office

Hi,

What I am observing on my Arch Linux: I use netsniff-ng mostly from compiled sources, and I see that /usr/local/share/man/man8 does not exist on my system too, so I think I should get the same error. netsniff-ng uses /usr/local as default prefix for destination installed files. So you can specify your own prefix like:

$ PREFIX=/usr make install

or create /usr/local/share/man/man8 folder with correct permissions.

Regards,
Re: [netsniff-ng] Installation error - netsniff-ng-0.5.9 / Debian 7.8
On Wed, Jun 24, 2015 at 09:25:12AM +0300, Vadim Kochan wrote:
On Tue, Jun 23, 2015 at 05:40:03PM +, James Burnett wrote:

Hi team,

I’m using Netsniff (primarily for mausezahn) in a large lab setup. I’ve installed it successfully from source on Ubuntu 14.04 this morning, but when trying to do the same on Debian 7.8 (wheezy), I run into the following error when running the ‘make install’ phase. Note, I have tried this as root and as.. not root. I suspect it’s the leading ` character not being understood.

neteam@dfn-1:~/netsniff-ng-0.5.9$ sudo make install
INST netsniff-ng/netsniff-ng
INST netsniff-ng/netsniff-ng.8.gz
install: cannot create regular file `/usr/local/share/man/man8/netsniff-ng.8.gz': No such file or directory
make: *** [netsniff-ng_do_install] Error 1

Apologies if this has been reported/fixed elsewhere.

Thanks for your time,
James Burnett
Network Engineer
GÉANT - Cambridge Office

Hi,

What I am observing on my Arch Linux: I use netsniff-ng mostly from compiled sources, and I see that /usr/local/share/man/man8 does not exist on my system too, so I think I should get the same error. netsniff-ng uses /usr/local as default prefix for destination installed files. So you can specify your own prefix like:

$ PREFIX=/usr make install

or create /usr/local/share/man/man8 folder with correct permissions.

Regards,

Sorry, I did not CC to you.

Regards,
Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?
On Fri, Jun 19, 2015 at 12:08:57AM +0200, Daniel Borkmann wrote:
On 06/18/2015 03:24 PM, Vadim Kochan wrote:
On Thu, Jun 18, 2015 at 11:07:12AM +0200, Daniel Borkmann wrote:
On 06/18/2015 10:57 AM, Vadim Kochan wrote:
...

Not yet, but I will try keep thinking about this, and will let know if I will have some real ideas regarding implementation.

Sounds good!

Some 1st thought which I came up with is maybe to start extending the current trafgen generation api set:

{
    eth { src(), dst(), proto(), } ,
    ip { ver(), src(), dst(), opt(0x1, 20), opt(0x2, 30), },
    tcp { dport(), sport(), flags(), },
}

Can you elaborate on your idea, what would this config do? I.e. if src() etc is empty.

Thanks, Daniel

Hi,

OK, here is another (maybe better) design. Here is an example of the cfg script:

{
    eth {
        dst: eth_addr(AA:BB:CC:DD:EE:FF)
        proto: ipv4,
    }
    ip {
        src: ip_addr(192.168.1.1)
        dst: ip_addr(192.168.1.2)
    }
    tcp {
        flags: syn | ack
    }
}

Needs some refactoring of the trafgen code and existing cfg funcs, to allow manipulating the current packet offset variable.

Each proto should be registered via struct proto_gen:

#include <stdint.h>

struct proto_field {
    int id;
    uint32_t offset;
    uint32_t len;
};

struct proto_value {
    void *value;
    uint32_t len;
};

struct proto_gen {
    struct cfg_ctx *ctx;

    /* get field name info - id, len, offset */
    struct proto_field *(*field_parse)(struct proto_gen *prot, char *name);

    /* indicates that this field was filled */
    void (*field_set)(struct proto_gen *proto, struct proto_field *field);

    /* get info about some proto defined const value */
    struct proto_value *(*value_get)(struct proto_gen *proto,
                                     struct proto_field *field, char *name);

    /* fill the rest unfilled fields */
    void (*fill)(struct proto_gen *prot, uint8_t *hdr);

    /* finish after whole packet was built */
    void (*finish)(struct proto_gen *prot, uint8_t *data, int len);
};

Each proto hdr field can be filled by specifying the field name separated by ':' and a macro/func which will fill the bytes. The field may be filled with any existing trafgen macro (const(), rnd() - the field len should be considered). Also some additional macro/funcs should be added - ipv4_addr, eth_addr, etc.

The parser will look up and keep the struct proto_gen proto_ptr when the proto section was entered (when '#proto {' was parsed), and the parser can call proto_ptr->field_parse to obtain the field information by name (id, offset, len), then change the current packet offset and call the macro/func which will fill the field. Then the parser should call proto_ptr->field_set to let the proto_gen know which field was filled.

At the end the parser will call proto_ptr->fill to fill the rest of the unfilled fields with some default values and fill the csum fields if needed. While filling the default field values the proto_gen should know some of trafgen's context info - interface id, and maybe some other info which may help to construct such unfilled fields like dst/src Ethernet addresses or src/dst IP addresses.

Also it is possible that each proto_gen may have some own defined values like flag names which can be evaluated via proto_gen->value_get where the field pointer may be specified. It might be useful if these values will be a part of expressions like: syn | ack.

At the end the parser will walk over each proto from the higher layer to do a last call to proto_gen->finish where each proto may do some calculations and fill some unfilled fields. Meanwhile I am not sure if it will be needed.

Well, this is very conceptual and I will try to prepare a better version which would consider the existing trafgen code and cfg syntax parser.

Regards,
Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?
On Sun, Jun 21, 2015 at 08:02:40PM +0300, Vadim Kochan wrote:
On Sat, Jun 20, 2015 at 01:10:45AM +0200, Daniel Borkmann wrote:
On 06/20/2015 12:25 AM, Vadim Kochan wrote:
...

Ok, how would all of this tie together with flex and bison that we use for trafgen as parser generator? It looks on a first glance that this design would be outside of that scope? .

You mean that this is out of scope of this thread which was related to mz ? If so, then yes ... maybe extend the trafgen's cfg script to describe the protocols and then add the cmd line interface based on this extension ? Or do you think that extending cfg script syntax is not good or may be problematic ? Well, I think maybe I can do some just for fun implementation, just for demonstration ...

As a start, if you're interested, I think it would be great if you have some cycles to look into:

http://thread.gmane.org/gmane.linux.network.netsniff-ng/799

I.e. the idea would be to have a _textual_ replacement initially and then push the config through the lexer/parser.

Anyway, back to the topic, as it started out with mz. ;) I do quite like the interactive mode of mz and it's cmdline syntax is fine with me too. mz's implementation rather hacky and uneasy to maintain. trafgen so far has a very low level language on how to define packets. I'm happy to entertain the idea to add an mz-like _interactive_ mode that is libreadline-based with more or less similar feature set. I'm also good if we add a similar direct _cmdline_ usage possibility. Think of it as kind a /clean/ merge of mz which is in staging, into trafgen, together with the (f.e. performance) benefits of having direct packet socket access. Thus, we'd end up having the ability of cmdline, config, and interactive mode in one traffic generator with different levels of granularity.

Thanks, Daniel

Not sure if it is necessary to use libnet by trafgen as it is used by mz to generate packets ? It will add the new dependency, but seems it can simplify generation of the proto packets.

Regards,

Well, anyway I am trying to implement a basic cmdline mz-like proto generation API with a few layered protocols: eth, ip, udp for the trafgen utility. If I succeed with this I will share the patch series (I will try to better split it for easier review).

Regards,
[netsniff-ng] [PATCH] trafgen: Print min packet size in error message
From: Vadim Kochan vadi...@gmail.com Print minimum needed packet size in case if validation error. Signed-off-by: Vadim Kochan vadi...@gmail.com --- trafgen.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/trafgen.c b/trafgen.c index 53320fe..93bb1b4 100644 --- a/trafgen.c +++ b/trafgen.c @@ -138,6 +138,8 @@ struct icmp_filter { #define SMOKE_N_PROBES 100 +#define PKT_MIN_LEN 14 + static void signal_handler(int number) { switch (number) { @@ -791,10 +793,11 @@ static int xmit_packet_precheck(struct ctx *ctx, unsigned int cpu) } for (mtu = device_mtu(ctx-device), i = 0; i plen; ++i) { - if (packets[i].len mtu + 14) + if (packets[i].len mtu + PKT_MIN_LEN) panic(Device MTU than packet%d's size!\n, i); - if (packets[i].len = 14) - panic(Packet%d's size too short!\n, i); + if (packets[i].len = PKT_MIN_LEN) + panic(Packet%d's size must be %d bytes!\n, + i, PKT_MIN_LEN); } return 0; -- 2.4.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
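Review bot: in the xmit_packet_precheck() hunk the new message "Packet%d's size must be %d bytes!" reads as an exact size requirement, while the commit message says the goal is to report the minimum needed size; wording that matches the comparison actually used (for example "must be more than %d bytes") would tell the user what the check enforces. The same hunk also reuses PKT_MIN_LEN in the MTU check (mtu + PKT_MIN_LEN), where the 14 is added to the MTU as header overhead rather than acting as a minimum packet length; a separate, commented name (ETH_HLEN if that is what 14 stands for) would keep the two meanings apart.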
[netsniff-ng] Re: [RFC 0/6] trafgen: Proto generation from command like
On Sat, Jun 27, 2015 at 04:57:10AM +0300, Vadim Kochan wrote:

Hi,

This is the 1-st try version of how I see the protocol generation API for the trafgen util as mz replacement (at least for better performance). I am sending this just because to get your feedback about conceptual idea, and as soon as I got some basic working version I decided to share the code just to get know if I am moving in the right direction.

Added high-level command line protocol packet building interface, which allows to specify protocol parameters to build the header and payload. Each protocol is represented by proto_gen struct which is responsible only for providing field info (size, data) by name to trafgen's low level packet generation layer. All packet generation routine is performed by the generic code in trafgen.c which parses the command line, obtains proto name, param=value list and calls the specific protocol handler to get protocol field info by name, so the TX routine remains the same.

The command line syntax looks like:

trafgen/trafgen --dev lo eth da = AA:BB:CC:DD:EE:FF sa=11:22:33:44:55:66, arp op=rep tip=192.168.1.1 -n 1

so the first is proto name and after there are param value pairs which are separated by space, in case if there are multiple protocols specified - they should be separated by ',' after last param value of the previous protocol.

I think the picture will be more clear after adding IP protocol with checksum handling.

Vadim Kochan (6):
  trafgen: Move ctx struct to separated header
  str: Add converting cmdline args vector to str
  trafgen: Export packet manipulation funcs for proto gen
  trafgen: Add helper to get current packet
  str: Add funcs for converting hex string to bytes
  trafgen: Add basic protocol generation feature

 layer2_gen.c     | 248 +
 net_utils.c      | 41 +
 net_utils.h      | 7 ++
 netsniff-ng.c    | 18 +---
 proto_gen.c      | 115 +
 proto_gen.h      | 72
 str.c            | 87 +++
 str.h            | 2 +
 trafgen.c        | 255 ++-
 trafgen.h        | 21 +
 trafgen/Makefile | 3 +
 trafgen_conf.h   | 7 ++
 trafgen_parser.y | 13 ++-
 13 files changed, 849 insertions(+), 40 deletions(-)
 create mode 100644 layer2_gen.c
 create mode 100644 net_utils.c
 create mode 100644 net_utils.h
 create mode 100644 proto_gen.c
 create mode 100644 proto_gen.h
 create mode 100644 trafgen.h

-- 2.4.2

Well, you may find some unused things but this is because they might be used later or this is because I forgot to clean them. Also I just checked that in the eth print_help callback there is wrong command line example (mz-like style) which is not used in the code, that's because in the beginning I tried to follow mz style.

So if you want better cleaner code I will prepare, since I continue to work with adding missed things like:

- getting default devices parameters from ctx in case if src mac/ip address is not specified;
- IPv4 protocol support where it will be needed to consider payload (next layer protocol) data to generate checksum opcodes;

BTW I am not sure if the 'struct proto_gen' is a good name, may be 'packet_gen' is better.

Regards,
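The command-line grammar proposed in this cover letter and in the earlier "TX fast path" message (protocol name, then space-separated param=value pairs, with ',' between protocols) can be parsed with fixed-size buffers and explicit rejection of malformed input. The following is an added example, not code from the patch series; all names and limits are hypothetical, and it assumes trafgen's own options such as --dev and -n have already been removed from the string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits, chosen for the example only. */
#define MAX_PROTOS 8
#define MAX_PARAMS 8
#define MAX_TOKEN  64

struct param {
    char key[MAX_TOKEN];
    char val[MAX_TOKEN];
};

struct proto_args {
    char name[MAX_TOKEN];
    struct param params[MAX_PARAMS];
    int nparams;
};

static const char *skip_ws(const char *p)
{
    while (*p && isspace((unsigned char)*p))
        p++;
    return p;
}

/* Copy one token (it ends at whitespace, ',' or '=') into out.
 * Returns the position after the token, or NULL if the token is
 * empty or would not fit into MAX_TOKEN bytes. */
static const char *take_token(const char *p, char *out)
{
    size_t n = 0;

    while (*p && !isspace((unsigned char)*p) && *p != ',' && *p != '=') {
        if (n + 1 >= MAX_TOKEN)
            return NULL;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n ? p : NULL;
}

/* Parse "proto k=v k = v, proto k=v" into out[0..max-1].
 * Returns the number of protocol sections, or -1 on malformed input. */
int parse_proto_cmdline(const char *line, struct proto_args *out, int max)
{
    const char *p = skip_ws(line);
    int n = 0;

    while (*p) {
        struct proto_args *pa;

        if (n >= max)
            return -1;
        pa = &out[n];
        pa->nparams = 0;
        if (!(p = take_token(p, pa->name)))
            return -1;
        p = skip_ws(p);

        while (*p && *p != ',') {
            struct param *pr;

            if (pa->nparams >= MAX_PARAMS)
                return -1;
            pr = &pa->params[pa->nparams];
            if (!(p = take_token(p, pr->key)))
                return -1;
            p = skip_ws(p);
            if (*p != '=')              /* key without a value */
                return -1;
            p = skip_ws(p + 1);         /* accepts "da = AA" and "da=AA" */
            if (!(p = take_token(p, pr->val)))
                return -1;
            pa->nparams++;
            p = skip_ws(p);
        }
        n++;
        if (*p == ',') {
            p = skip_ws(p + 1);
            if (!*p)                    /* trailing ',' with no protocol */
                return -1;
        }
    }
    return n;
}

/* Look up a parameter value by key; NULL if it was not given. */
const char *proto_param(const struct proto_args *pa, const char *key)
{
    int i;

    for (i = 0; i < pa->nparams; i++)
        if (!strcmp(pa->params[i].key, key))
            return pa->params[i].val;
    return NULL;
}

int main(void)
{
    /* Constructed input, shaped like the example in the cover letter. */
    const char *line = "eth da = AA:BB:CC:DD:EE:FF sa=11:22:33:44:55:66, "
                       "arp op=rep tip=192.168.1.1";
    struct proto_args protos[MAX_PROTOS];
    int i, j, n = parse_proto_cmdline(line, protos, MAX_PROTOS);

    if (n < 0) {
        fprintf(stderr, "malformed protocol arguments\n");
        return 1;
    }
    for (i = 0; i < n; i++)
        for (j = 0; j < protos[i].nparams; j++)
            printf("%s.%s = %s\n", protos[i].name,
                   protos[i].params[j].key, protos[i].params[j].val);
    return 0;
}
```

Walking the string character by character, rather than with strtok, is what lets the parser accept the "da = AA:..." spelling with spaces around '=' and still treat ',' as the protocol separator.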
[netsniff-ng] [RFC 2/6] str: Add converting cmdline args vector to str
From: Vadim Kochan vadi...@gmail.com Move piece of code from netsniff-ng.c to str.c as func which converts cmdline args vector to string. Signed-off-by: Vadim Kochan vadi...@gmail.com --- netsniff-ng.c | 18 ++ str.c | 23 +++ str.h | 1 + 3 files changed, 26 insertions(+), 16 deletions(-) diff --git a/netsniff-ng.c b/netsniff-ng.c index 91356ba..6720c73 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -1481,22 +1481,8 @@ int main(int argc, char **argv) } } - if (!ctx.filter optind != argc) { - int ret; - off_t offset = 0; - - for (i = optind; i argc; ++i) { - size_t alen = strlen(argv[i]) + 2; - size_t flen = ctx.filter ? strlen(ctx.filter) : 0; - - ctx.filter = xrealloc(ctx.filter, flen + alen); - ret = slprintf(ctx.filter + offset, strlen(argv[i]) + 2, %s , argv[i]); - if (ret 0) - panic(Cannot concatenate filter string!\n); - else - offset += ret; - } - } + if (!ctx.filter optind != argc) + ctx.filter = cmdline_args2str(optind, argc, argv); if (!ctx.device_in) ctx.device_in = xstrdup(any); diff --git a/str.c b/str.c index 7a5cb49..ec221af 100644 --- a/str.c +++ b/str.c @@ -9,6 +9,8 @@ #include stdarg.h #include str.h +#include die.h +#include xmalloc.h size_t strlcpy(char *dest, const char *src, size_t size) { @@ -86,3 +88,24 @@ char *strtrim_right(char *p, char c) return p; } + +char *cmdline_args2str(int from_idx, int argc, char **argv) +{ + off_t offset = 0; + char *str = NULL; + int ret, i; + + for (i = from_idx; i argc; ++i) { + size_t alen = strlen(argv[i]) + 2; + size_t slen = str ? strlen(str) : 0; + + str = xrealloc(str, slen + alen); + ret = slprintf(str + offset, strlen(argv[i]) + 2, %s , argv[i]); + if (ret 0) + panic(Cannot concatenate string!\n); + else + offset += ret; + } + + return str; +} diff --git a/str.h b/str.h index 7b8916c..56456a0 100644 --- a/str.h +++ b/str.h 
@@ -8,5 +8,6 @@ extern int slprintf(char *dst, size_t size, const char *fmt, ...) __check_forma extern int slprintf_nocheck(char *dst, size_t size, const char *fmt, ...); extern char *strtrim_right(char *p, char c); extern noinline void *xmemset(void *s, int c, size_t n); +extern char *cmdline_args2str(int from_idx, int argc, char **argv); #endif /* STR_H */ -- 2.4.2
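Review bot: in cmdline_args2str() in str.c the buffer length is recomputed with strlen(str) on every iteration although offset appears to track the same value, and the size handed to slprintf() repeats strlen(argv[i]) + 2 instead of reusing alen. Sizing the xrealloc() as offset + alen and passing alen to slprintf() would avoid the repeated scans and keep the allocation size and the write size from drifting apart in a later edit. The helper also returns NULL when from_idx equals argc and leaves a trailing space in the result; now that it is exported through str.h, both behaviours should be stated in a comment at the prototype. Note too that str.c gains die.h and xmalloc.h here, so every tool that links str.c now needs panic() and xrealloc().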
[netsniff-ng] [RFC 4/6] trafgen: Add helper to get current packet
From: Vadim Kochan vadi...@gmail.com Add current_packet() helper for getting current used packet and make it public to other modules. Signed-off-by: Vadim Kochan vadi...@gmail.com --- trafgen_conf.h | 2 ++ trafgen_parser.y | 5 + 2 files changed, 7 insertions(+) diff --git a/trafgen_conf.h b/trafgen_conf.h index b286810..096fd4c 100644 --- a/trafgen_conf.h +++ b/trafgen_conf.h @@ -51,4 +51,6 @@ extern void set_multi_byte(uint8_t *s, size_t len); extern void set_fill(uint8_t val, size_t len); extern void set_byte(uint8_t val); +extern struct packet *current_packet(void); + #endif /* TRAFGEN_CONF */ diff --git a/trafgen_parser.y b/trafgen_parser.y index 4719f55..249fdde 100644 --- a/trafgen_parser.y +++ b/trafgen_parser.y @@ -139,6 +139,11 @@ void realloc_packet(void) __init_new_csum_slot(packet_dyn[packetd_last]); } +struct packet *current_packet(void) +{ + return packets[packet_last]; +} + void set_byte(uint8_t val) { struct packet *pkt = packets[packet_last]; -- 2.4.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
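Review bot: current_packet() in trafgen_parser.y returns packets[packet_last] with no check that a packet exists, and the hunk does not show what packets and packet_last hold before the first realloc_packet() call. Since the helper is being exported to other modules through trafgen_conf.h, either return NULL when nothing has been allocated yet or document at the extern that callers must call realloc_packet() first, so a caller outside the parser cannot dereference an unset slot.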
[netsniff-ng] [RFC 3/6] trafgen: Export packet manipulation funcs for proto gen
From: Vadim Kochan vadi...@gmail.com Make public such funcs: set_byte, set_fill, set_multi_byte, realloc_packet to be used by proto gen code. Signed-off-by: Vadim Kochan vadi...@gmail.com --- trafgen_conf.h | 5 + trafgen_parser.y | 8 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/trafgen_conf.h b/trafgen_conf.h index f92e14c..b286810 100644 --- a/trafgen_conf.h +++ b/trafgen_conf.h @@ -45,5 +45,10 @@ struct packet_dyn { extern int compile_packets(char *file, int verbose, int cpu, bool invoke_cpp); extern void cleanup_packets(void); +extern void realloc_packet(void); + +extern void set_multi_byte(uint8_t *s, size_t len); +extern void set_fill(uint8_t val, size_t len); +extern void set_byte(uint8_t val); #endif /* TRAFGEN_CONF */ diff --git a/trafgen_parser.y b/trafgen_parser.y index ee3d476..4719f55 100644 --- a/trafgen_parser.y +++ b/trafgen_parser.y @@ -121,7 +121,7 @@ static inline void __setup_new_csum16(struct csum16 *s, off_t from, off_t to, s-which = which; } -static void realloc_packet(void) +void realloc_packet(void) { if (test_ignore()) return; @@ -139,7 +139,7 @@ static void realloc_packet(void) __init_new_csum_slot(packet_dyn[packetd_last]); } -static void set_byte(uint8_t val) +void set_byte(uint8_t val) { struct packet *pkt = packets[packet_last]; @@ -151,7 +151,7 @@ static void set_byte(uint8_t val) pkt-payload[payload_last] = val; } -static void set_multi_byte(uint8_t *s, size_t len) +void set_multi_byte(uint8_t *s, size_t len) { size_t i; 
@@ -159,7 +159,7 @@ static void set_multi_byte(uint8_t *s, size_t len) set_byte(s[i]); } -static void set_fill(uint8_t val, size_t len) +void set_fill(uint8_t val, size_t len) { size_t i; struct packet *pkt = packets[packet_last]; -- 2.4.2
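Review bot: dropping static from realloc_packet(), set_byte(), set_multi_byte() and set_fill() in trafgen_parser.y puts four very generic names into the global namespace, and all of them act on the implicit packets[packet_last] state rather than on an argument. A common prefix for the exported names and a short comment block in trafgen_conf.h stating that they append to the current packet would make the new cross-module contract explicit. set_multi_byte() only reads from s, so the exported prototype could take const uint8_t *.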
[netsniff-ng] [RFC 5/6] str: Add funcs for converting hex string to bytes
From: Vadim Kochan vadi...@gmail.com Add str2bytes func for converting hexadecimal string to bytes: abcd a AA:BB - { 0xab 0xcd 0x0a 0xaa 0xbb } It is needed to be used when specifying protocol payload for trafgen proto command line. Signed-off-by: Vadim Kochan vadi...@gmail.com --- str.c | 64 str.h | 1 + 2 files changed, 65 insertions(+) diff --git a/str.c b/str.c index ec221af..3fac290 100644 --- a/str.c +++ b/str.c @@ -5,6 +5,7 @@ */ #include stdio.h +#include ctype.h #include string.h #include stdarg.h @@ -109,3 +110,66 @@ char *cmdline_args2str(int from_idx, int argc, char **argv) return str; } + +static int strhex_bytes_len(char *str) +{ + int count = 0; + + for (; *str; str++) { + if (!isxdigit(*str)) + continue; + + if (isxdigit(*(str + 1))) + str++; + + count++; + } + + return count; +} + +static uint8_t char2hex(char c) +{ + int i; + const char *hex = 0123456789abcdef; + const char *hex_upper = 0123456789ABCDEF; + + if (c = 'A' c = 'F') + hex = hex_upper; + + for (i = 0; i 16; i++) + if (c == hex[i]) + return i; + + return 0; +} + +int str2bytes(char *str, uint8_t **bytes) +{ + int i; + int bytes_len; + uint8_t *byte; + + if (!str || !*str) + return 0; + + bytes_len = strhex_bytes_len(str); + byte = *bytes = xzmalloc(bytes_len); + + for (; *str; str++) { + if (!isxdigit(*str)) + continue; + + if (isxdigit(*(str + 1))) { + *byte = (char2hex(*str) 4) | char2hex(*(str + 1)); + str++; + } else { + *byte = char2hex(*str); + } + + byte++; + i++; + } + + return bytes_len; +} diff --git a/str.h b/str.h index 56456a0..9db4850 100644 --- a/str.h +++ b/str.h 
@@ -9,5 +9,6 @@ extern int slprintf_nocheck(char *dst, size_t size, const char *fmt, ...); extern char *strtrim_right(char *p, char c); extern noinline void *xmemset(void *s, int c, size_t n); extern char *cmdline_args2str(int from_idx, int argc, char **argv); +extern int str2bytes(char *str, uint8_t **bytes); #endif /* STR_H */ -- 2.4.2
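Review bot: in str2bytes() the local int i is declared without an initial value, incremented with i++ in the loop and never read, which is undefined behaviour on an uninitialised object and will draw a compiler warning; it should simply be removed. The isxdigit() calls in str2bytes() and strhex_bytes_len() are given plain char values and need a cast to unsigned char so that bytes above 0x7f from the command line are not passed as negative ints. The early return 0 for an empty string leaves *bytes untouched, and an input with no hex digits at all reaches xzmalloc(0), so the header comment should say what the caller gets back in both cases and who frees the buffer.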
[netsniff-ng] [RFC 1/6] trafgen: Move ctx struct to separated header
From: Vadim Kochan vadi...@gmail.com Move ctx struct to trafgen.h to be used from other modules. Signed-off-by: Vadim Kochan vadi...@gmail.com --- trafgen.c | 16 +--- trafgen.h | 21 + 2 files changed, 22 insertions(+), 15 deletions(-) create mode 100644 trafgen.h diff --git a/trafgen.c b/trafgen.c index 53320fe..f7402d6 100644 --- a/trafgen.c +++ b/trafgen.c @@ -9,7 +9,6 @@ #include string.h #include getopt.h #include ctype.h -#include stdbool.h #include sched.h #include sys/socket.h #include sys/types.h @@ -24,10 +23,7 @@ #include netinet/ip.h #include linux/icmp.h #include linux/if.h -#include arpa/inet.h #include signal.h -#include stdint.h -#include stdlib.h #include fcntl.h #include time.h #include poll.h @@ -54,17 +50,7 @@ #include timer.h #include ring_tx.h #include csum.h - -struct ctx { - bool rand, rfraw, jumbo_support, verbose, smoke_test, enforce, qdisc_path; - size_t reserve_size; - unsigned long num; - unsigned int cpus; - uid_t uid; gid_t gid; - char *device, *device_trans, *rhost; - struct timespec gap; - struct sockaddr_in dest; -}; +#include trafgen.h struct cpu_stats { unsigned long tv_sec, tv_usec; diff --git a/trafgen.h b/trafgen.h new file mode 100644 index 000..04ed9cb --- /dev/null +++ b/trafgen.h @@ -0,0 +1,21 @@ +#ifndef TRAFGEN_I_H +#define TRAFGEN_I_H + +#include stdint.h +#include stdlib.h +#include arpa/inet.h +#include stdbool.h + +struct ctx { + bool rand, rfraw, jumbo_support, verbose, smoke_test, enforce; + bool qdisc_path; + size_t reserve_size; + unsigned long num; + unsigned int cpus; + uid_t uid; gid_t gid; + char *device, *device_trans, *rhost; + struct timespec gap; + struct sockaddr_in dest; +}; + +#endif -- 2.4.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
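Review bot: the new trafgen.h is not self-contained: struct ctx uses struct timespec, uid_t and gid_t, but the header includes only stdint.h, stdlib.h, arpa/inet.h and stdbool.h, so it relies on the including file having pulled in time.h and sys/types.h first, as trafgen.c happens to do. Adding those two includes lets the other modules this move is meant for include trafgen.h in any order. The guard TRAFGEN_I_H does not match the file name, and struct ctx is a very generic name for a type that now lives in a shared header.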
[netsniff-ng] [RFC 0/6] trafgen: Proto generation from command line
Hi,

This is the 1-st try version of how I see the protocol generation API for the trafgen util as mz replacement (at least for better performance). I am sending this just to get your feedback about conceptual idea, and as soon as I got some basic working version I decided to share the code just to get to know if I am moving in the right direction.

Added high-level command line protocol packet building interface, which allows to specify protocol parameters to build the header and payload. Each protocol is represented by proto_gen struct which is responsible only for providing field info (size, data) by name to trafgen's low level packet generation layer. All packet generation routine is performed by the generic code in trafgen.c which parses the command line, obtains proto name, param=value list and calls the specific protocol handler to get protocol field info by name, so the TX routine remains the same.

The command line syntax looks like:

    trafgen/trafgen --dev lo eth da = AA:BB:CC:DD:EE:FF sa=11:22:33:44:55:66, arp op=rep tip=192.168.1.1 -n 1

so the first is proto name and after there are param value pairs which are separated by space, in case if there are multiple protocols specified - they should be separated by , after last param value of the previous protocol.

I think the picture will be more clear after adding IP protocol with checksum handling.

Vadim Kochan (6):
  trafgen: Move ctx struct to separated header
  str: Add converting cmdline args vector to str
  trafgen: Export packet manipulation funcs for proto gen
  trafgen: Add helper to get current packet
  str: Add funcs for converting hex string to bytes
  trafgen: Add basic protocol generation feature

 layer2_gen.c     | 248 +
 net_utils.c      | 41 +
 net_utils.h      | 7 ++
 netsniff-ng.c    | 18 +---
 proto_gen.c      | 115 +
 proto_gen.h      | 72
 str.c            | 87 +++
 str.h            | 2 +
 trafgen.c        | 255 ++-
 trafgen.h        | 21 +
 trafgen/Makefile | 3 +
 trafgen_conf.h   | 7 ++
 trafgen_parser.y | 13 ++-
 13 files changed, 849 insertions(+), 40 deletions(-)
 create mode 100644 layer2_gen.c
 create mode 100644 net_utils.c
 create mode 100644 net_utils.h
 create mode 100644 proto_gen.c
 create mode 100644 proto_gen.h
 create mode 100644 trafgen.h

-- 2.4.2
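The command-line syntax described in this cover letter (a protocol name, space-separated param=value pairs, protocols separated by a comma), as an added example that is not code from the patch series: a small bounds-checked C parser with lookup of a field by name. The names parse_protos, proto_param, struct proto and the fixed limits are assumptions made for illustration, and only the protocol portion of the command line is parsed, not trafgen options such as --dev or -n.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits; every copy below is checked against them. */
#define MAX_PROTOS 8
#define MAX_PARAMS 16
#define MAX_TOKEN  64

struct param {
	char name[MAX_TOKEN];
	char value[MAX_TOKEN];
};

struct proto {
	char name[MAX_TOKEN];
	size_t nparams;
	struct param params[MAX_PARAMS];
};

static const char *skip_ws(const char *p)
{
	while (isspace((unsigned char)*p))
		p++;
	return p;
}

/* Copy one token, ending at whitespace, '=', ',' or end of string, into dst.
 * Returns the position after the token, or NULL if it is empty or too long. */
static const char *take_token(const char *p, char *dst, size_t dst_len)
{
	size_t n = 0;

	while (*p && !isspace((unsigned char)*p) && *p != '=' && *p != ',') {
		if (n + 1 >= dst_len)
			return NULL;
		dst[n++] = *p++;
	}
	if (n == 0)
		return NULL;
	dst[n] = '\0';
	return p;
}

/* Returns the number of protocols parsed, or -1 on a syntax error or when a
 * fixed limit is exceeded. Spaces around '=' are accepted ("da = AA:..."). */
int parse_protos(const char *line, struct proto *out, size_t max_protos)
{
	const char *p = line;
	size_t count = 0;

	if (!line || !out)
		return -1;

	for (;;) {
		struct proto *pr;

		if (count == max_protos)
			return -1;
		pr = &out[count];
		pr->nparams = 0;
		p = take_token(skip_ws(p), pr->name, sizeof(pr->name));
		if (!p)
			return -1;	/* empty input or nothing after ',' */
		count++;

		for (;;) {
			struct param *pa;

			p = skip_ws(p);
			if (*p == '\0')
				return (int)count;
			if (*p == ',') {	/* next protocol follows */
				p++;
				break;
			}
			if (pr->nparams == MAX_PARAMS)
				return -1;
			pa = &pr->params[pr->nparams];
			p = take_token(p, pa->name, sizeof(pa->name));
			if (!p)
				return -1;
			p = skip_ws(p);
			if (*p != '=')
				return -1;	/* parameter without a value */
			p = take_token(skip_ws(p + 1), pa->value, sizeof(pa->value));
			if (!p)
				return -1;
			pr->nparams++;
		}
	}
}

/* Look a parameter up by name; NULL means the caller must apply a default. */
const char *proto_param(const struct proto *pr, const char *name)
{
	size_t i;

	for (i = 0; i < pr->nparams; i++)
		if (strcmp(pr->params[i].name, name) == 0)
			return pr->params[i].value;
	return NULL;
}

int main(void)
{
	/* The protocol part of the command line shown in the cover letter. */
	const char *line = "eth da = AA:BB:CC:DD:EE:FF sa=11:22:33:44:55:66, "
			   "arp op=rep tip=192.168.1.1";
	struct proto protos[MAX_PROTOS];
	int i, n = parse_protos(line, protos, MAX_PROTOS);

	for (i = 0; i < n; i++)
		printf("%s: %zu params\n", protos[i].name, protos[i].nparams);
	return n < 0;
}
```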
[netsniff-ng] [PATCH] netsniff-ng nlmsg: Print rtnl neigh info
From: Vadim Kochan vadi...@gmail.com Dissect basic rtnl neighbour info. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_nlmsg.c | 101 ++ 1 file changed, 101 insertions(+) diff --git a/proto_nlmsg.c b/proto_nlmsg.c index 9dc9f6b..5018adf 100644 --- a/proto_nlmsg.c +++ b/proto_nlmsg.c @@ -30,6 +30,15 @@ #define RTA_UINT32(attr) (*(uint32_t *)RTA_DATA(attr)) #define RTA_STR(attr) ((char *)RTA_DATA(attr)) +#ifndef NDA_RTA +#define NDA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg +#endif + +#ifndef NDA_PAYLOAD +#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg)) +#endif + #define attr_fmt(attr, fmt, ...) \ tprintf(\tA: fmt, ##__VA_ARGS__); \ tprintf(, Len %lu\n, RTA_LEN(attr)); 
@@ -562,6 +571,93 @@ static void rtnl_print_route(struct nlmsghdr *hdr) } } +static struct flag_name neigh_states[] = { + { incomplete, NUD_INCOMPLETE }, + { reachable, NUD_REACHABLE }, + { stale, NUD_STALE }, + { delay, NUD_DELAY }, + { probe, NUD_PROBE }, + { failed, NUD_FAILED }, + { noarp, NUD_NOARP }, + { permanent, NUD_PERMANENT }, + { none, NUD_NONE }, + { NULL, 0 }, +}; + +static struct flag_name neigh_flags[] = { + { use, NTF_USE }, + { self, NTF_SELF }, + { master, NTF_MASTER }, + { proxy, NTF_PROXY }, +#ifdef NTF_EXT_LEARNED + { ext learned, NTF_EXT_LEARNED }, +#endif + { router, NTF_ROUTER }, + { NULL, 0 }, +}; + +static void rtnl_print_neigh(struct nlmsghdr *hdr) +{ + struct ndmsg *ndm = NLMSG_DATA(hdr); + uint32_t attrs_len = NDA_PAYLOAD(hdr); + struct rtattr *attr = NDA_RTA(ndm); + struct nda_cacheinfo *ci; + int hz = get_user_hz(); + char addr_str[256]; + char hw_addr[30]; + char states[256]; + char flags[256]; + + tprintf( [ Neigh Family %d (%s%s%s), ndm-ndm_family, + colorize_start(bold), + addr_family2str(ndm-ndm_family), + colorize_end()); + tprintf(, Link Index %d, ndm-ndm_ifindex); + tprintf(, State %d (%s%s%s), ndm-ndm_state, + colorize_start(bold), + flags2str(neigh_states, ndm-ndm_state, states, + sizeof(states)), + colorize_end()); + tprintf(, Flags %d (%s%s%s), ndm-ndm_flags, + colorize_start(bold), + flags2str(neigh_flags, ndm-ndm_flags, flags, + sizeof(flags)), + colorize_end()); + tprintf(, Type %d (%s%s%s), ndm-ndm_type, + colorize_start(bold), + route_type2str(ndm-ndm_type), + colorize_end()); + tprintf( ]\n); + + for (; RTA_OK(attr, attrs_len); attr = RTA_NEXT(attr, attrs_len)) { + switch (attr-rta_type) { + case NDA_DST: + attr_fmt(attr, Address %s, addr2str(ndm-ndm_family, + RTA_DATA(attr), addr_str, + sizeof(addr_str))); + break; + case NDA_LLADDR: + attr_fmt(attr, HW Address %s, + device_addr2str(RTA_DATA(attr), + RTA_LEN(attr), 0, hw_addr, + sizeof(hw_addr))); + break; + case NDA_PROBES: + attr_fmt(attr, Probes %d, 
RTA_UINT32(attr)); + break; + case NDA_CACHEINFO: + ci = RTA_DATA(attr); + tprintf(\tA: Cache (); + tprintf(confirmed(%ds), ci-ndm_confirmed / hz); + tprintf(, used(%ds), ci-ndm_used / hz); + tprintf(, updated(%ds), ci-ndm_updated / hz); + tprintf(, refcnt(%d)), ci-ndm_refcnt); + tprintf(, Len %lu\n, RTA_LEN(attr)); + break; + } + } +} + static void rtnl_msg_print(struct nlmsghdr *hdr) { switch (hdr-nlmsg_type) { @@ -581,6 +677,11 @@ static void rtnl_msg_print(struct nlmsghdr *hdr) case RTM_GETROUTE: rtnl_print_route(hdr); break; + case RTM_NEWNEIGH: + case RTM_DELNEIGH: + case RTM_GETNEIGH: + rtnl_print_neigh(hdr); + break; } } -- 2.4.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d
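Review bot: in rtnl_print_neigh() the NDA_CACHEINFO case assigns RTA_DATA(attr) to a struct nda_cacheinfo pointer and reads four fields, and the NDA_PROBES case reads RTA_UINT32(attr), without either checking that the attribute payload is at least that large; RTA_OK() only guarantees that the attribute fits in the remaining message. Because this dissector runs over captured netlink traffic, a short attribute should be skipped instead of being read past its end. The three divisions by hz also assume get_user_hz() never returns 0. In neigh_states the none entry carries NUD_NONE, which is 0, so a lookup that tests entries as bit flags can never select it and a state of 0 would print as an empty string.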
[netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?
Hi,

I tried to look over mz tool and try to start adding TX fast path as it is done in trafgen but I am not sure it will be easy, for me it seems the code is not easy to change. I have no objective arguments but I feel that maybe it would be good to start something like pktgen-ng or start writing mz from empty page?

What do you think?

Regards,
Vadim Kochan
Re: [netsniff-ng] [PATCH 0/2 v2] Add support for Linux cooked header sniff dissect
On Thu, Jun 18, 2015 at 10:45:29AM +0200, Daniel Borkmann wrote:

I've started splitting this into smaller digestible chunks, couple of more evenings and it should be done from my side. Thanks for your patience.

Yes I was pulling these changes last night, I will try to follow this way in the future too, anyway you can ask me for that if I forget.

Thanks,
Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?
On Thu, Jun 18, 2015 at 10:51:44AM +0200, Daniel Borkmann wrote:

On 06/18/2015 01:30 AM, Vadim Kochan wrote:

Hi, I tried to look over mz tool and try to start adding TX fast path as it is done in trafgen but I am not sure it will be easy, for me it seems the code is not easy to change. I have no objective arguments but I feel that maybe it would be good to start something like pktgen-ng or start writing mz from empty page? What do you think?

I think in general, it would be useful to 'merge' mz into trafgen. No doubt it's quite some work, but that would allow us to have a clean, fresh implementation at some point. By 'merge', I mean to have mostly compatible syntax/features, but the underlying implementation would be from scratch. I.e. to let trafgen have an interactive mode, so you can have it as a shell on an appliance, and for quick tests, the direct cmdline mode from mz. Do you have any plans?

Not yet, but I will try to keep thinking about this, and will let you know if I have some real ideas regarding implementation.

Thanks, Daniel
Re: [netsniff-ng] [PATCH 0/2 v2] Add support for Linux cooked header sniff dissect
On Thu, Jun 18, 2015 at 10:45:29AM +0200, Daniel Borkmann wrote:

I've started splitting this into smaller digestible chunks, couple of more evenings and it should be done from my side. Thanks for your patience.

But implementation now is OK in the last original patch series v2?
[netsniff-ng] [PATCH 0/3] Add support for Linux cooked header sniff dissect
This series adds supporting of Linux cooked header http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html which is compatible with Wireshark. Also it can be dissected by new dissector_sll.c while dumping.

Needs to test on archs with different byte ordering.

1) Moved some device's stuff string conversion functions from proto_nlmsg.c to dev.c to be used in dissector_sll.c

2) Add supporting Linux cooked header. Added -w,--cooked option which replaces L2 header frame with cooked header for each frame and allows to dump dissect Ethernet Netlink packets together. Linux cooked header is automatically used for Netlink link type, for the other cases (for -i any) it needs to specify --cooked option. Used dgram packet socket when sniffing with --cooked option to pull L2 header and wrap packet with Linux cooked header, it allows compatibility with Wireshark.

3) Added dissector_sll.c to dissect packets with Linux cooked header. Meanwhile it can dump only Netlink Ethernet protos (L3 layer). This dissector is used if link type is LINKTYPE_LINUX_SLL.

Vadim Kochan (3):
  dev: Add device string convertions (addr, dev type)
  netsniff-ng: Add support of Linux cooked header
  netsniff-ng: Add dissector for Linux cooked packets

 dev.c                | 111 +++
 dev.h                | 3 +
 dissector.c          | 12 +-
 dissector.h          | 2 +-
 dissector_sll.c      | 114 +++
 dissector_sll.h      | 18 +++
 linktype.h           | 1 +
 netsniff-ng.8        | 16 ++-
 netsniff-ng.c        | 35 +++--
 netsniff-ng/Makefile | 1 +
 pcap_io.h            | 390 ---
 pcap_mm.c            | 28 +++-
 pcap_rw.c            | 30 +++-
 pcap_sg.c            | 83 +--
 pkt_buff.h           | 2 +-
 proto_nlmsg.c        | 120 +---
 sock.c               | 10 ++
 sock.h               | 1 +
 18 files changed, 688 insertions(+), 289 deletions(-)
 create mode 100644 dissector_sll.c
 create mode 100644 dissector_sll.h

-- 2.4.2
[netsniff-ng] [PATCH 0/2 v2] Add support for Linux cooked header sniff dissect
From: Vadim Kochan vadi...@gmail.com

This series adds supporting of Linux cooked header http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html which is compatible with Wireshark. Also it can be dissected by new dissector_sll.c while dumping.

Needs to test on archs with different byte ordering.

1) Add supporting Linux cooked header. Added -w,--cooked option which replaces L2 header frame with cooked header for each frame and allows to dump dissect Ethernet Netlink packets together. Linux cooked header is automatically used for Netlink link type, for the other cases (for -i any) it needs to specify --cooked option. Used dgram packet socket when sniffing with --cooked option to pull L2 header and wrap packet with Linux cooked header, it allows compatibility with Wireshark.

2) Added dissector_sll.c to dissect packets with Linux cooked header. Meanwhile it can dump only Netlink Ethernet protos (L3 layer). This dissector is used if link type is LINKTYPE_LINUX_SLL.

Vadim Kochan (2):
  netsniff-ng: Add support of Linux cooked header
  netsniff-ng: Add dissector for Linux cooked packets

 dev.c                | 2 +-
 dev.h                | 4 +-
 dissector.c          | 12 +-
 dissector.h          | 2 +-
 dissector_sll.c      | 113 ++
 dissector_sll.h      | 18 +++
 linktype.h           | 1 +
 netsniff-ng.8        | 12 +-
 netsniff-ng.c        | 36 -
 netsniff-ng/Makefile | 1 +
 pcap_io.h            | 409 ---
 pcap_mm.c            | 5 +-
 pcap_rw.c            | 4 +-
 pcap_sg.c            | 8 +-
 pkt_buff.h           | 2 +-
 proto_nlmsg.c        | 4 +-
 sock.c               | 10 ++
 sock.h               | 1 +
 18 files changed, 466 insertions(+), 178 deletions(-)
 create mode 100644 dissector_sll.c
 create mode 100644 dissector_sll.h

-- 2.4.2
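The cooked header that both versions of this cover letter describe, as an added example that is not code from the series: packing and unpacking the 16-byte LINKTYPE_LINUX_SLL header byte by byte, so the result is the same on hosts of either byte order. struct ll_info is a hypothetical stand-in for the sockaddr_ll fields involved, the MAC address is constructed, and the protocol field is copied without swapping because sll_protocol is already in network byte order.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLL_HDR_LEN  16	/* 2 pkttype + 2 hatype + 2 halen + 8 addr + 2 proto */
#define SLL_ADDR_LEN 8

/* Hypothetical mirror of the sockaddr_ll fields the header is built from. */
struct ll_info {
	uint16_t protocol_be;	/* like sll_protocol: network byte order */
	uint16_t hatype;	/* like sll_hatype: ARPHRD_* value, host order */
	uint16_t halen;		/* like sll_halen: link-layer address length */
	uint8_t  pkttype;	/* like sll_pkttype: 4 means sent by us */
	uint8_t  addr[SLL_ADDR_LEN];
};

static void put_be16(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v >> 8);
	p[1] = (uint8_t)(v & 0xff);
}

static uint16_t get_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Write the cooked header into out; returns 16, or -1 if out is too small. */
int sll_pack(const struct ll_info *ll, uint8_t *out, size_t out_len)
{
	size_t copy;

	if (!ll || !out || out_len < SLL_HDR_LEN)
		return -1;
	/* Only the first 8 address bytes fit; the length field keeps halen. */
	copy = ll->halen < SLL_ADDR_LEN ? ll->halen : SLL_ADDR_LEN;
	memset(out, 0, SLL_HDR_LEN);
	put_be16(out + 0, ll->pkttype);
	put_be16(out + 2, ll->hatype);
	put_be16(out + 4, ll->halen);
	memcpy(out + 6, ll->addr, copy);
	memcpy(out + 14, &ll->protocol_be, 2);	/* already big-endian: no swap */
	return SLL_HDR_LEN;
}

/* Read a cooked header; returns 16, or -1 on a short or implausible header. */
int sll_unpack(const uint8_t *in, size_t in_len, struct ll_info *ll)
{
	uint16_t pkttype;

	if (!in || !ll || in_len < SLL_HDR_LEN)
		return -1;
	pkttype = get_be16(in);
	/* Heuristic: a packet type above 0xff usually means the header was
	 * written in little-endian order by mistake. */
	if (pkttype > 0xff)
		return -1;
	memset(ll, 0, sizeof(*ll));
	ll->pkttype = (uint8_t)pkttype;
	ll->hatype = get_be16(in + 2);
	ll->halen = get_be16(in + 4);
	memcpy(ll->addr, in + 6, SLL_ADDR_LEN);
	memcpy(&ll->protocol_be, in + 14, 2);
	return SLL_HDR_LEN;
}

/* Outgoing Ethernet IPv4 frame; the MAC address is constructed. */
struct ll_info sample_ether(void)
{
	static const uint8_t mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
	struct ll_info ll;

	memset(&ll, 0, sizeof(ll));
	ll.protocol_be = htons(0x0800);
	ll.hatype = 1;		/* ether */
	ll.halen = sizeof(mac);
	ll.pkttype = 4;		/* outgoing */
	memcpy(ll.addr, mac, sizeof(mac));
	return ll;
}

/* Outgoing netlink message as seen on an nlmon device: no address. */
struct ll_info sample_netlink(void)
{
	struct ll_info ll;

	memset(&ll, 0, sizeof(ll));
	ll.hatype = 824;	/* netlink */
	ll.pkttype = 4;
	return ll;
}

int main(void)
{
	struct ll_info ll = sample_ether();
	uint8_t hdr[SLL_HDR_LEN];
	int i;

	if (sll_pack(&ll, hdr, sizeof(hdr)) < 0)
		return 1;
	for (i = 0; i < SLL_HDR_LEN; i++)
		printf("%02x%c", hdr[i], i == SLL_HDR_LEN - 1 ? '\n' : ' ');
	return 0;
}
```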
[netsniff-ng] [PATCH 2/2 v2] netsniff-ng: Add dissector for Linux cooked packets
From: Vadim Kochan vadi...@gmail.com Added dissector_sll.c which uses sockaddr_ll to lookup print higher L3 layer protocol. This dissector is mapped by LINKTYPE_LINUX_SLL link type. Sample output of dissected Netlink Ethernet packets. Truncated manually some longer lines by ...: nlmon0 20 1434193547s.717131169ns #6 [ Linux cooked Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ] [ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)... wlp3s0 52 1434194181s.436224709ns #9 [ Linux cooked Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ] [ IPv4 Addr (XXX.XXX.XXX.XXX = 212.42.76.253), Proto (6), TTL (64), TOS (0), ... ), CSum (0x1ef5) is ok ] [ Geo (local = Ukraine) ] [ TCP Port (45849 = 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ... [ Chr .w.Rj).. ] [ Hex XX XX XX XX XX XX XX XX XX XX XX XX ] Signed-off-by: Vadim Kochan vadi...@gmail.com --- dev.c| 2 +- dev.h| 4 +- dissector.c | 12 +- dissector.h | 2 +- dissector_sll.c | 113 +++ dissector_sll.h | 18 netsniff-ng.c| 12 +++--- netsniff-ng/Makefile | 1 + pcap_io.h| 9 +++- pkt_buff.h | 2 +- proto_nlmsg.c| 4 +- 11 files changed, 162 insertions(+), 17 deletions(-) create mode 100644 dissector_sll.c create mode 100644 dissector_sll.h diff --git a/dev.c b/dev.c index a29b4c1..c28fa0e 100644 --- a/dev.c +++ b/dev.c @@ -376,7 +376,7 @@ const char *device_type2str(uint16_t type) } /* Taken from iproute2 ll_addr_n2a func */ -const char *device_addr2str(const char *addr, int alen, int type, +const char *device_addr2str(const unsigned char *addr, int alen, int type, char *buf, int blen) { int i, l; diff --git a/dev.h b/dev.h index 6aa770d..4f987f8 100644 --- a/dev.h +++ b/dev.h 
@@ -16,6 +16,6 @@ extern u32 device_bitrate(const char *ifname); extern short device_enter_promiscuous_mode(const char *ifname); extern void device_leave_promiscuous_mode(const char *ifname, short oldflags); extern const char *device_type2str(uint16_t type); -extern const char *device_addr2str(const char *addr, int alen, int type, - char *buf, int blen); +extern const char *device_addr2str(const unsigned char *addr, int alen, + int type, char *buf, int blen); #endif /* DEV_H */ diff --git a/dissector.c b/dissector.c index 4cad588..6aa253d 100644 --- a/dissector.c +++ b/dissector.c @@ -14,6 +14,7 @@ #include proto.h #include dissector.h #include dissector_eth.h +#include dissector_sll.h #include dissector_80211.h #include dissector_netlink.h #include linktype.h @@ -61,7 +62,7 @@ static void dissector_main(struct pkt_buff *pkt, struct protocol *start, } void dissector_entry_point(uint8_t *packet, size_t len, int linktype, int mode, - uint16_t proto) + struct sockaddr_ll *sll) { struct protocol *proto_start, *proto_end; struct pkt_buff *pkt; @@ -71,7 +72,7 @@ void dissector_entry_point(uint8_t *packet, size_t len, int linktype, int mode, pkt = pkt_alloc(packet, len); pkt-link_type = linktype; - pkt-proto = proto; + pkt-sll = sll; switch (linktype) { case LINKTYPE_EN10MB: @@ -91,6 +92,11 @@ void dissector_entry_point(uint8_t *packet, size_t len, int linktype, int mode, proto_start = dissector_get_netlink_entry_point(); proto_end = dissector_get_netlink_exit_point(); break; + case LINKTYPE_LINUX_SLL: + case ___constant_swab32(LINKTYPE_LINUX_SLL): + proto_start = dissector_get_sll_entry_point(); + proto_end = dissector_get_sll_exit_point(); + break; default: proto_start = none_ops; proto_end = NULL; @@ -120,6 +126,7 @@ void dissector_init_all(int fnttype) dissector_init_ethernet(fnttype); dissector_init_ieee80211(fnttype); dissector_init_netlink(fnttype); + dissector_init_sll(fnttype); } void dissector_cleanup_all(void) 
@@ -127,4 +134,5 @@ void dissector_cleanup_all(void) dissector_cleanup_ethernet(); dissector_cleanup_ieee80211(); dissector_cleanup_netlink(); + dissector_cleanup_sll(); } diff --git a/dissector.h b/dissector.h index a99442e..5580110 100644 --- a/dissector.h +++ b/dissector.h @@ -105,7 +105,7 @@ static inline void show_frame_hdr(uint8_t *packet, size_t len, int linktype, extern void dissector_init_all(int fnttype); extern void dissector_entry_point(uint8_t *packet, size_t len, int linktype, - int mode, uint16_t proto); + int mode, struct sockaddr_ll *sll); extern void dissector_cleanup_all
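Review bot: dissector_entry_point() in dissector.c now stores the caller's struct sockaddr_ll pointer in the packet (pkt-sll = sll) where it used to copy a protocol value, so the dissector depends on that object outliving the pkt_buff and on every caller passing a non-NULL pointer. The new prototype in dissector.h should say who owns the structure and whether NULL is allowed, and the SLL dissector should check for NULL before dereferencing it. The second label, case ___constant_swab32(LINKTYPE_LINUX_SLL), handles a byte-swapped link type inside the dissector switch; normalising the link type once where the pcap header is read would keep byte-order handling out of dissector.c.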
[netsniff-ng] Re: [PATCH v2] netsniff-ng nlmsg: Dissect rtnl link type messages
On Tue, May 19, 2015 at 05:10:38PM +0300, Vadim Kochan wrote:

From: Vadim Kochan vadi...@gmail.com

Dump RTnetlink interface related info with attributes.

Hi,

Pinging in case if this was lost.

Thanks,
Re: [netsniff-ng] [PATCH] netsniff-ng: Add support of pcap cooked header
On Mon, Jun 01, 2015 at 02:09:39AM +0200, Daniel Borkmann wrote:

On 05/22/2015 04:45 PM, Vadim Kochan wrote:

Use pcap cooked header for Netlink messages as described here: http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html

Signed-off-by: Vadim Kochan vadi...@gmail.com
---
RFC - PATCH:
1) Add some clarifications about pcap cooked header in netsniff-ng.8 man page.
2) Consider pcap type when checking if pcap cooked header is needed in pcap_pkthdr_has_ll(...) func.
3) Fix wrong sll_protocol converting in pcap file. Removed converting to big endian in sockaddr_to_pcap_ll(...) func.

...

Thanks Vadim for the follow-up! One question below:

...

+static inline void pcap_pkthdr_init(pcap_pkthdr_t *phdr, uint32_t link_type) +{ +phdr-link_type = link_type; }

Does this assumption still hold when you capture on i.e. '--in any' device, and you have mixed data from Ethernet and Netlink combination to the same pcap file?

#define FEATURE_UNKNOWN(0 0) ...

Hi,

I checked that in this case Ethernet Netlink frames will be mixed in the pcap file, but netsniff-ng tries to identify all the frames as Ethernet, and in this case frames are not wrapped with cooked header.

Regards,
Re: [netsniff-ng] [PATCH] netsniff-ng: Add support of pcap cooked header
On Tue, Jun 02, 2015 at 12:57:56PM +0200, Daniel Borkmann wrote:

On 06/02/2015 11:24 AM, Vadim Kochan wrote:

On Tue, Jun 02, 2015 at 10:51:01AM +0200, Daniel Borkmann wrote:

On 06/02/2015 10:44 AM, Vadim Kochan wrote:

On Tue, Jun 02, 2015 at 10:36:12AM +0200, Daniel Borkmann wrote:

On 06/01/2015 05:43 PM, Vadim Kochan wrote:

On Mon, Jun 01, 2015 at 05:14:10PM +0200, Daniel Borkmann wrote:

On 06/01/2015 04:23 PM, Vadim Kochan wrote:

...

I checked that in this case Ethernet Netlink frames will be mixed in the pcap file, but netsniff-ng tries to identify all the frames as Ethernet, and in this case frames are not wrapped with cooked header.

Right, so for that use case, it wouldn't work currently. I'm thinking that in case of 'any' device *and* if there's at least one device present at the time we bind the socket to any that would have netlink type, then we would need to turn on cooked mode generally, so that in such environments Ethernet and Netlink would have both cooked headers. I think that would be useful to adapt the patch towards covering such use cases as well since people might also like to correlate i.e. Netlink events together with network packets. Could you please respin the patch towards supporting this, too? Then I think, it should be ready to go in.

...

Then I think link type can be set as LINKTYPE_LINUX_SLL in the pcap header. Maybe it would be useful to use LINKTYPE_LINUX_SLL by default if 'any' was specified or only if the Netlink device is present in UP state?

I'm thinking that the following might be useful for the pcap writer: Have an option --cooked that generally adds cooked header (no matter what the underlying device is, so could be 'any' as well). Whenever we bound our socket specifically to a nlmon device, then we enable that option transparently in the case of default/ns pcap.

So, the solution might be - use cooked header automatically if only nlmon device was specified or when --cooked option was specified?

Yes, I would go for that as a start.

OK, but it sounds like --cooked option might be as additional feature so I think the current patch can be applied as it is? I have no problem with re-working the patch, I am just asking :)

Ok, sure. I would prefer to have this in a single patch, so would be glad if you could respin/rework your patch towards this.

Thanks again, Daniel

Will do :)
[netsniff-ng] trafgen: Protocol packet generation syntax
Hi, There are some examples of the possible proto syntax: { eth(src=AA:BB:CC:DD:DD:FF, dst=11:22:33:44:55:66, proto=0x0800), tcp(flags=syn|ack, dport=rand) } { dns(q=xxx.com) } Here is an example of little complicated param's value which might require more parameters: dns answer: { dns(a=(host=www.xxx.com, type=INET, addr=192.168.1.1)) } also I think about cases where param name can be omitted and specify value only which is more shorter, of course this is useful only for few such parameters: wlan beacon: { beacon(ssid=my wife-i, ie=(100, 0xabcdef)) } id data can be specified w/o parameter names which is faster to type and not complicated to memorize. I also changed trafgen grammar to have possibility to do not specify '{' '}' which is useful for command line mode: $ echo 'eth(arg=xxx , arg2 = ccc),ip(dst=1.1.1.1)' | trafgen/trafgen --dev lo -i - Also I am not sure which way to choose: 1) have a generic grammar and dynamically lookup proto name from parser, this allows to do not modify parser each time when add new proto (I am in 80% for this). 2) have defined each param in the grammar, this might help with having some special syntax for some proto, but it needs to change modify parser when add new proto it will get parser FATter. Below is just some dirty-draft-demo patch (not a good in parsers): diff --git a/trafgen_lexer.l b/trafgen_lexer.l index a361bfc..d1fb94e 100644 --- a/trafgen_lexer.l +++ b/trafgen_lexer.l @@ -115,6 +115,7 @@ number_ascii([a-zA-Z]) ]{ return ']'; } ,{ return ','; } :{ return ':'; } +={ return '='; } \n { yylineno++; } @@ -150,6 +151,9 @@ number_ascii([a-zA-Z]) '.'{ yylval.number = (uint8_t) (*(yytext + 1)); return number; } +[a-z][a-z0-9]* { yylval.str = xstrdup(yytext); + return name; } + ;[^\n]* {/* NOP */} . { printf(Unknown character '%s', yytext); yyerror(lex Unknown character); } diff --git a/trafgen_parser.y b/trafgen_parser.y index ee3d476..bc9ae89 100644 --- a/trafgen_parser.y +++ b/trafgen_parser.y 
@@ -324,10 +324,10 @@ static void set_dynamic_incdec(uint8_t start, uint8_t stop, uint8_t stepping, %token ',' '{' '}' '(' ')' '[' ']' ':' '-' '+' '*' '/' '%' '' '|' '' '' '^' -%token number string +%token number string name %type number number expression -%type str string +%type str string name param value %left '-' '+' '*' '/' '%' '' '|' '' '' '^' @@ -360,6 +360,11 @@ noenforce_white | delimiter_nowhite { } ; +skip_white + : {} + | K_WHITE {} + ; + packet : '{' noenforce_white payload noenforce_white '}' { min_cpu = max_cpu = -1; @@ -382,6 +387,7 @@ packet min_cpu = max_cpu = $3; realloc_packet(); } + | proto_expr { } ; payload @@ -411,8 +417,39 @@ elem | csum { } | const { } | inline_comment { } + | proto {} + ; + +proto_expr + : proto { } + | proto_expr ',' proto { } + ; +proto + : name param_list { printf(proto(%s)\n, $1); } + | name { printf(proto(%s)\n, $1); } + ; + +param_list + : '(' param_list_name_value ')' { } ; +param_list_name_value + : name_value { } + | param_list_name_value ',' name_value { } + ; + +name_value + : skip_white param skip_white '=' skip_white value skip_white { } + ; + +param + : name { printf(param=%s\n, $1); } + ; + +value : string { printf(value=%s\n, $1); } + | param_list { } + ; + expression : number { $$ = $1; }
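Review bot: the new `[a-z][a-z0-9]*` rule in trafgen_lexer.l stores an xstrdup() copy of yytext in yylval.str, but the new `proto`, `param` and `value` actions in trafgen_parser.y only print `$1` and never free it, so every name token leaks; free it in the action or pass ownership to whatever will look the proto up. In the same parser hunk `value` is declared with type `str`, yet its `| param_list { }` alternative never assigns `$$`, so a nested list such as the dns answer example leaves the semantic value undefined. The lexer rule also accepts lowercase names only, while the examples in the mail use values like `type=INET` and `src=AA:BB:...`; it is worth stating which token those are meant to match.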
[netsniff-ng] Re: trafgen: Protocol packet generation syntax
On Wed, Jul 1, 2015 at 11:38 AM, Vadim Kochan vadi...@gmail.com wrote: Hi, There are some examples of the possible proto syntax: { eth(src=AA:BB:CC:DD:DD:FF, dst=11:22:33:44:55:66, proto=0x0800), tcp(flags=syn|ack, dport=rand) } { dns(q=xxx.com) } Here is an example of little complicated param's value which might require more parameters: dns answer: { dns(a=(host=www.xxx.com, type=INET, addr=192.168.1.1)) } also I think about cases where param name can be omitted and specify value only which is more shorter, of course this is useful only for few such parameters: wlan beacon: { beacon(ssid=my wife-i, ie=(100, 0xabcdef)) } id data can be specified w/o parameter names which is faster to type and not complicated to memorize. I also changed trafgen grammar to have possibility to do not specify '{' '}' which is useful for command line mode: $ echo 'eth(arg=xxx , arg2 = ccc),ip(dst=1.1.1.1)' | trafgen/trafgen --dev lo -i - Also I am not sure which way to choose: 1) have a generic grammar and dynamically lookup proto name from parser, this allows to do not modify parser each time when add new proto (I am in 80% for this). 2) have defined each param in the grammar, this might help with having some special syntax for some proto, but it needs to change modify parser when add new proto it will get parser FATter. Below is just some dirty-draft-demo patch (not a good in parsers): diff --git a/trafgen_lexer.l b/trafgen_lexer.l index a361bfc..d1fb94e 100644 --- a/trafgen_lexer.l +++ b/trafgen_lexer.l @@ -115,6 +115,7 @@ number_ascii([a-zA-Z]) ]{ return ']'; } ,{ return ','; } :{ return ':'; } +={ return '='; } \n { yylineno++; } @@ -150,6 +151,9 @@ number_ascii([a-zA-Z]) '.'{ yylval.number = (uint8_t) (*(yytext + 1)); return number; } +[a-z][a-z0-9]* { yylval.str = xstrdup(yytext); + return name; } + ;[^\n]* {/* NOP */} . { printf(Unknown character '%s', yytext); yyerror(lex Unknown character); } diff --git a/trafgen_parser.y b/trafgen_parser.y index ee3d476..bc9ae89 100644 
--- a/trafgen_parser.y +++ b/trafgen_parser.y @@ -324,10 +324,10 @@ static void set_dynamic_incdec(uint8_t start, uint8_t stop, uint8_t stepping, %token ',' '{' '}' '(' ')' '[' ']' ':' '-' '+' '*' '/' '%' '' '|' '' '' '^' -%token number string +%token number string name %type number number expression -%type str string +%type str string name param value %left '-' '+' '*' '/' '%' '' '|' '' '' '^' @@ -360,6 +360,11 @@ noenforce_white | delimiter_nowhite { } ; +skip_white + : {} + | K_WHITE {} + ; + packet : '{' noenforce_white payload noenforce_white '}' { min_cpu = max_cpu = -1; @@ -382,6 +387,7 @@ packet min_cpu = max_cpu = $3; realloc_packet(); } + | proto_expr { } ; payload @@ -411,8 +417,39 @@ elem | csum { } | const { } | inline_comment { } + | proto {} + ; + +proto_expr + : proto { } + | proto_expr ',' proto { } + ; +proto + : name param_list { printf(proto(%s)\n, $1); } + | name { printf(proto(%s)\n, $1); } + ; + +param_list + : '(' param_list_name_value ')' { } ; +param_list_name_value + : name_value { } + | param_list_name_value ',' name_value { } + ; + +name_value + : skip_white param skip_white '=' skip_white value skip_white { } + ; + +param + : name { printf(param=%s\n, $1); } + ; + +value : string { printf(value=%s\n, $1); } + | param_list { } + ; + expression : number { $$ = $1; }

Also I am thinking about some alternative proto syntax which might look nicer when crafting a proto header with a lot of fields in the trafgen's script: { eth { type=xxx, dst=FF:FF:FF:FF:FF:FF, }, tcp { flags=syn|ack, dport=56, }, dhcp { opt(...), /* a lot of dhcp options */ } } it should look nicer than a one-line proto description ... what do you think?
[netsniff-ng] Re: [RFC v2 00/10] trafgen: Build protocol packet via command line
On Mon, Jun 29, 2015 at 03:58:51AM +0300, Vadim Kochan wrote:

Hi, This is the 1-st try version of how I see the protocol generation API for the trafgen util as mz replacement (at least for better performance). I am sending this just because to get your feedback about conceptual idea, and as soon as I got some basic working version I decided to share the code just to get know if I am moving in the right direction.

Added high-level command line protocol packet building interface, which allows to specify protocol parameters to build the header and payload. Each protocol is represented by proto_gen struct which is responsible only for providing field info (size, data) by name to trafgen's low level packet generation layer. All packet generation routine is performed by the generic code in trafgen.c which parses the command line, obtains proto name, param=value list and calls the specific protocol handler to get protocol field info by name, so the TX routine remains the same.

The command line syntax looks like: trafgen/trafgen --dev lo eth da = AA:BB:CC:DD:EE:FF sa=11:22:33:44:55:66, arp op=rep tip=192.168.1.1 -n 1 so the first is proto name and after there are param value pairs which are separated by space, in case if there are multiple protocols specified - they should be separated by , after last param value of the previous protocol.

I think the picture will be more clear after adding IP protocol with checksum handling.

Vadim Kochan (10):
  trafgen: Move ctx struct to separated header
  str: Add converting cmdline args vector to str
  trafgen: Export packet manipulation funcs for proto gen
  trafgen: Add helper to get current packet
  str: Add converting hex string to bytes
  net_utils: Add net_utils module for net helper funcs
  dev: Add func to get device's hw address
  trafgen: Add basic protocol generation API
  layer2_gen: Add Ethernet L2 layer proto generation
  layer2_gen: Add ARP L2 layer protocol generation

 dev.c | 23 +
 dev.h | 1 +
 layer2_gen.c | 310 +++
 net_utils.c | 41
 net_utils.h | 7 ++
 netsniff-ng.c | 18 +---
 proto_gen.c | 160
 proto_gen.h | 68
 str.c | 87
 str.h | 2 +
 trafgen.c | 254 +
 trafgen.h | 21
 trafgen/Makefile | 3 +
 trafgen_conf.h | 7 ++
 trafgen_parser.y | 13 ++-
 15 files changed, 975 insertions(+), 40 deletions(-)
 create mode 100644 layer2_gen.c
 create mode 100644 net_utils.c
 create mode 100644 net_utils.h
 create mode 100644 proto_gen.c
 create mode 100644 proto_gen.h
 create mode 100644 trafgen.h
-- 2.4.2

Sorry for such a mess with this ... few things which I still do not like in these changes are:
1) Seems ctx is not needed to move to separated header to use it in 'struct proto_gen' but add needed fields (char *device) in 'struct proto_gen' initialize them after proto lookup in trafgen.c
2) Using 'value' field in 'struct proto_field' seems useless and instead may be just using 'uint8_t *ptr' should be enough.

Regards,
[netsniff-ng] netsniff-ng: Incorrect packet count #73: May be closed ?
Hi, Since the possible fix was committed there was no response from #jonship, maybe it can be closed? https://github.com/netsniff-ng/netsniff-ng/issues/73 Regards,
[netsniff-ng] [PATCH] flowtop: Fix flows disappearing
From: Vadim Kochan vadi...@gmail.com While removing flow which is pointed by 'head' then head is set to NULL and all the list disappears, so fixed by set removing flow next entry to list 'head'. Signed-off-by: Vadim Kochan vadi...@gmail.com --- flowtop.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/flowtop.c b/flowtop.c index e7a1bfa..9d1991a 100644 --- a/flowtop.c +++ b/flowtop.c @@ -368,8 +368,10 @@ static void flow_list_destroy_entry(struct flow_list *fl, flow_entry_xfree(n1); } else { + struct flow_entry *next = fl-head-next; + flow_entry_xfree(fl-head); - fl-head = NULL; + fl-head = next; } } } -- 2.4.2
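Review bot: in the else branch of flow_list_destroy_entry() the old head is freed with flow_entry_xfree() before the list head is pointed at `next`, so for a short window the head still refers to freed memory; assign the head to `next` first and free the saved old entry afterwards, which costs nothing and is safe for anything that walks the list in between. A one-line comment that `next` must be read before the free would also keep a later cleanup from reintroducing the bug.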
[netsniff-ng] [PATCH] flowtop: Fix hanging while waiting for collector
From: Vadim Kochan vadi...@gmail.com Fixed issue when flowtop hangs because of wrong using pthread cond locking, so the lock should be locked first by calling thread before call to pthread_cond_wait. Signed-off-by: Vadim Kochan vadi...@gmail.com Fixes: 451275470106 (flowtop: Don't init screen until collector is ready) --- locking.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locking.h b/locking.h index 2cb93d1..6c8b875 100644 --- a/locking.h +++ b/locking.h @@ -97,6 +97,7 @@ static inline void condlock_init(struct condlock *c) { pthread_mutex_init(c-lock, NULL); pthread_cond_init(c-cond, NULL); + pthread_mutex_lock(c-lock); } static inline void condlock_signal(struct condlock *c) @@ -108,7 +109,6 @@ static inline void condlock_signal(struct condlock *c) static inline void condlock_wait(struct condlock *c) { - pthread_mutex_lock(c-lock); pthread_cond_wait(c-cond, c-lock); pthread_mutex_unlock(c-lock); } -- 2.4.2
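Review bot: with pthread_mutex_lock() moved into condlock_init(), the mutex belongs to whichever thread ran the init, and condlock_wait() now calls pthread_cond_wait() without taking it; that is only defined when the same thread does both, and a second condlock_wait() on the same condlock would wait on a mutex that the first call already released with pthread_mutex_unlock(). Keeping the lock in condlock_wait() and adding a ready flag that condlock_signal() sets under the mutex and condlock_wait() tests in a while loop around pthread_cond_wait() would fix the missed wakeup behind the hang and also cover spurious wakeups. At minimum, document in locking.h that init and wait must run on the same thread and that a condlock is single-use.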
[netsniff-ng] [RFC v2 06/10] net_utils: Add net_utils module for net helper funcs
Add net_utils.c module with str2mac str2addr helper functions. Signed-off-by: Vadim Kochan vadi...@gmail.com --- net_utils.c | 41 + net_utils.h | 7 +++ 2 files changed, 48 insertions(+) create mode 100644 net_utils.c create mode 100644 net_utils.h diff --git a/net_utils.c b/net_utils.c new file mode 100644 index 000..749199b --- /dev/null +++ b/net_utils.c @@ -0,0 +1,41 @@ +/* + * netsniff-ng - the packet sniffing beast + * Subject to the GPL, version 2. + */ + +#include stdio.h +#include stdint.h +#include string.h +#include arpa/inet.h + +int str2mac(char *str, uint8_t *mac) +{ + int i, count; + unsigned int tmp[6]; + + if (!str) + return -1; + + count = sscanf(str, %02X:%02X:%02X:%02X:%02X:%02X, + tmp[0], tmp[1], tmp[2], tmp[3], tmp[4], tmp[5]); + + if (count != 6) + count = sscanf(str, %02x:%02x:%02x:%02x:%02x:%02x, + tmp[0], tmp[1], tmp[2], tmp[3], tmp[4], tmp[5]); + + if (count != 6) + return -1; + + for (i = 0; i 6; i++) + mac[i] = (uint8_t)tmp[i]; + + return 0; +} + +int str2addr(int af, const char *str, uint8_t *addr) +{ + if (inet_pton(af, str, addr)) + return 0; + + return -1; +} diff --git a/net_utils.h b/net_utils.h new file mode 100644 index 000..5bd7b7e --- /dev/null +++ b/net_utils.h @@ -0,0 +1,7 @@ +#ifndef NET_UTILS_I_H +#define NET_UTILS_I_H + +int str2mac(char *str, uint8_t *mac); +int str2addr(int af, const char *str, uint8_t *addr); + +#endif -- 2.4.2
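Review bot: str2addr() treats any non-zero return of inet_pton() as success, but inet_pton() returns -1 for an unsupported address family, so that error path returns 0 to the caller with addr unwritten; test for a return of exactly 1. In str2mac() the second sscanf() with the lowercase conversion is redundant because the hex conversion already accepts both cases, and neither call rejects trailing characters after the sixth octet, so input such as a MAC followed by junk is accepted; a trailing %n compared against the string length would catch that. The str parameter can be const char *, and net_utils.h uses uint8_t without including stdint.h, so it only compiles when the includer happened to pull that in first.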
[netsniff-ng] [RFC v2 08/10] trafgen: Add basic protocol generation API
Added high-level command line protocol packet building intreface, which allows to specify specified protocol parameters to build the protocol specific header. Each protocol is represented by proto_gen struct which is responsible only for providing field description (size, data) by name to trafgen's low level packet generation layer. All packet generation routine is performed by the generic code in trafgen.c which parses the command line, obtains proto name, param=value list and calls the specific protocol handler to get protocol field info by name. The command line syntax looks like: trafgen/trafgen --dev lo proto param = value ... param=value, proto param=value ... so the first is proto name and after there are param value pairs which are separated by space, in case if there are multiple protocols specified - their should be separated by , after last param value of the previous protocol. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_gen.c | 157 proto_gen.h | 68 trafgen.c| 238 +-- trafgen/Makefile | 1 + 4 files changed, 459 insertions(+), 5 deletions(-) create mode 100644 proto_gen.c create mode 100644 proto_gen.h diff --git a/proto_gen.c b/proto_gen.c new file mode 100644 index 000..eee6227 --- /dev/null +++ b/proto_gen.c 
@@ -0,0 +1,157 @@ +/* + * netsniff-ng - the packet sniffing beast + * Subject to the GPL, version 2. + */ + +#include stddef.h +#include string.h + +#include proto_gen.h +#include xmalloc.h + +static struct proto_gen *protos; + +struct proto_gen *proto_gen_by_name(char *name) +{ + struct proto_gen *p = protos; + + for (; p; p = p-next) + if (strcmp(p-name, name) == 0) + return p; + + return NULL; +} + +struct proto_gen *proto_gen_by_id(enum net_proto id) +{ + struct proto_gen *p = protos; + + for (; p; p = p-next) + if (p-id == id) + return p; + + return NULL; +} + +void proto_gen_register(struct proto_gen *prot) +{ + prot-next = protos; + protos = prot; +} + +void proto_gen_init(void) +{ +} + +void proto_gen_uninit(void) +{ + struct proto_gen *p = protos; + + for (; p; p = p-next) { + int f; + + if (p-payload) + xfree(p-payload); + + if (!p-fields) + continue; + + for (f = 0; f p-fields_count; f++) + if (p-fields[f].is_allocated) + xfree(p-fields[f].data); + + xfree(p-fields); + } +} + +void proto_gen_set_ctx(struct ctx *ctx) +{ + struct proto_gen *p = protos; + + for (; p; p = p-next) + p-ctx = ctx; +} + +void proto_fields_realloc(struct proto_gen *prot, int count) +{ + int i; + + prot-fields = xrealloc(prot-fields, count * sizeof(*prot-fields)); + + /* zero new fields */ + for (i = count - 1; i = prot-fields_count; i--) + memset(prot-fields[i], 0, sizeof(*prot-fields)); + + /* re-set data pointer to new value offset for small len */ + for (i = 0; i count; i++) { + struct proto_field *field = prot-fields[i]; + + if (prot-fields[i].len = sizeof(field-value)) + field-data = (uint8_t *)field-value; + } + + prot-fields_count = count; +} + +void proto_field_add(struct proto_gen *prot, int id, size_t len) +{ + struct proto_field *field; + + proto_fields_realloc(prot, prot-fields_count + 1); + + field = prot-fields[prot-fields_count - 1]; + + if (len sizeof(field-value)) { + field-data = xzmalloc(len); + field-is_allocated = true; + } else { + field-data = (uint8_t 
*)field-value; + } + + field-len = len; + field-id = id; +} + +struct proto_field *proto_field_by_id(struct proto_gen *prot, int id) +{ + int i; + + for (i = 0; i prot-fields_count; i++) + if (prot-fields[i].id == id) + return prot-fields[i]; + + return NULL; +} + +int proto_field_set_bytes(struct proto_gen *prot, int id, uint8_t *bytes) +{ + struct proto_field *field = proto_field_by_id(prot, id); + + if (!field) + return -1; + + memcpy(prot-fields[id].data, bytes, prot-fields[id].len); + prot-fields[id].is_set = true; + + return 0; +} + +int proto_field_set_value(struct proto_gen *prot, int id, int value) +{ + return proto_field_set_bytes(prot, id, (uint8_t *)value); +} + +bool proto_field_exist(struct proto_gen *prot, int id) +{ + return !!proto_field_by_id(prot, id); +} + +bool proto_field_is_set(struct proto_gen *prot, int id) +{ + struct proto_field *field = proto_field_by_id(prot, id); + + if (!field) + return
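Review bot: proto_field_set_bytes() looks the field up with proto_field_by_id() but then copies into the fields array indexed by id rather than into the field it just found; as soon as ids are not identical to array positions the memcpy() writes len bytes through the wrong entry, or through one past the end of the array. Use the returned field for data, len and is_set. The function also has no idea how many bytes the source buffer holds, so taking a source length and rejecting short input would keep a malformed command line from causing an over-read. In proto_gen_uninit() the payload and fields pointers are freed but left set along with fields_count, so a second call or any later lookup touches freed memory; reset them after the xfree().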
[netsniff-ng] [RFC v2 01/10] trafgen: Move ctx struct to separated header
Move ctx struct to trafgen.h to be used from other modules. Signed-off-by: Vadim Kochan vadi...@gmail.com --- trafgen.c | 16 +--- trafgen.h | 21 + 2 files changed, 22 insertions(+), 15 deletions(-) create mode 100644 trafgen.h diff --git a/trafgen.c b/trafgen.c index 53320fe..f7402d6 100644 --- a/trafgen.c +++ b/trafgen.c @@ -9,7 +9,6 @@ #include string.h #include getopt.h #include ctype.h -#include stdbool.h #include sched.h #include sys/socket.h #include sys/types.h @@ -24,10 +23,7 @@ #include netinet/ip.h #include linux/icmp.h #include linux/if.h -#include arpa/inet.h #include signal.h -#include stdint.h -#include stdlib.h #include fcntl.h #include time.h #include poll.h @@ -54,17 +50,7 @@ #include timer.h #include ring_tx.h #include csum.h - -struct ctx { - bool rand, rfraw, jumbo_support, verbose, smoke_test, enforce, qdisc_path; - size_t reserve_size; - unsigned long num; - unsigned int cpus; - uid_t uid; gid_t gid; - char *device, *device_trans, *rhost; - struct timespec gap; - struct sockaddr_in dest; -}; +#include trafgen.h struct cpu_stats { unsigned long tv_sec, tv_usec; diff --git a/trafgen.h b/trafgen.h new file mode 100644 index 000..04ed9cb --- /dev/null +++ b/trafgen.h @@ -0,0 +1,21 @@ +#ifndef TRAFGEN_I_H +#define TRAFGEN_I_H + +#include stdint.h +#include stdlib.h +#include arpa/inet.h +#include stdbool.h + +struct ctx { + bool rand, rfraw, jumbo_support, verbose, smoke_test, enforce; + bool qdisc_path; + size_t reserve_size; + unsigned long num; + unsigned int cpus; + uid_t uid; gid_t gid; + char *device, *device_trans, *rhost; + struct timespec gap; + struct sockaddr_in dest; +}; + +#endif -- 2.4.2
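Review bot: the new trafgen.h is not self-contained: struct ctx uses struct timespec and uid_t/gid_t, but the header includes only stdint.h, stdlib.h, arpa/inet.h and stdbool.h, so it compiles in trafgen.c only because time.h and sys/types.h were already included earlier there. Add both includes to trafgen.h so the other modules this move is meant for can include it first. The name `struct ctx` is also very generic for an exported type (netsniff-ng.c has its own struct ctx, visible elsewhere in this series), which is worth a rename before more modules depend on it.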
[netsniff-ng] [RFC v2 05/10] str: Add converting hex string to bytes
Add str2bytes func for converting hexadecimal string to bytes: abcd a AA:BB - { 0xab 0xcd 0x0a 0xaa 0xbb } It is needed to be used when specifying protocol payload for trafgen proto command line. Signed-off-by: Vadim Kochan vadi...@gmail.com --- str.c | 64 str.h | 1 + 2 files changed, 65 insertions(+) diff --git a/str.c b/str.c index ec221af..3fac290 100644 --- a/str.c +++ b/str.c @@ -5,6 +5,7 @@ */ #include stdio.h +#include ctype.h #include string.h #include stdarg.h @@ -109,3 +110,66 @@ char *cmdline_args2str(int from_idx, int argc, char **argv) return str; } + +static int strhex_bytes_len(char *str) +{ + int count = 0; + + for (; *str; str++) { + if (!isxdigit(*str)) + continue; + + if (isxdigit(*(str + 1))) + str++; + + count++; + } + + return count; +} + +static uint8_t char2hex(char c) +{ + int i; + const char *hex = 0123456789abcdef; + const char *hex_upper = 0123456789ABCDEF; + + if (c = 'A' c = 'F') + hex = hex_upper; + + for (i = 0; i 16; i++) + if (c == hex[i]) + return i; + + return 0; +} + +int str2bytes(char *str, uint8_t **bytes) +{ + int i; + int bytes_len; + uint8_t *byte; + + if (!str || !*str) + return 0; + + bytes_len = strhex_bytes_len(str); + byte = *bytes = xzmalloc(bytes_len); + + for (; *str; str++) { + if (!isxdigit(*str)) + continue; + + if (isxdigit(*(str + 1))) { + *byte = (char2hex(*str) 4) | char2hex(*(str + 1)); + str++; + } else { + *byte = char2hex(*str); + } + + byte++; + i++; + } + + return bytes_len; +} diff --git a/str.h b/str.h index 56456a0..9db4850 100644 --- a/str.h +++ b/str.h 
@@ -9,5 +9,6 @@ extern int slprintf_nocheck(char *dst, size_t size, const char *fmt, ...); extern char *strtrim_right(char *p, char c); extern noinline void *xmemset(void *s, int c, size_t n); extern char *cmdline_args2str(int from_idx, int argc, char **argv); +extern int str2bytes(char *str, uint8_t **bytes); #endif /* STR_H */ -- 2.4.2
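Review bot: in str2bytes() the counter `i` is declared without an initial value and then incremented in the loop, which reads an indeterminate value; nothing else uses it, so drop it. The isxdigit() calls in strhex_bytes_len() and str2bytes() receive a plain char, which is undefined for negative values; cast to unsigned char. On NULL or empty input the function returns 0 without writing *bytes, so a caller that frees the buffer unconditionally would free an uninitialized pointer; set *bytes to NULL up front. Because every non-hex character is skipped silently and char2hex() returns 0 for anything it does not recognise, a typo in a payload string produces a shorter or different packet with no error; say so next to the declaration in str.h or return -1 on unexpected characters.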
[netsniff-ng] [RFC v2 04/10] trafgen: Add helper to get current packet
Add current_packet() helper for getting current used packet and make it public to other modules. Signed-off-by: Vadim Kochan vadi...@gmail.com --- trafgen_conf.h | 2 ++ trafgen_parser.y | 5 + 2 files changed, 7 insertions(+) diff --git a/trafgen_conf.h b/trafgen_conf.h index b286810..096fd4c 100644 --- a/trafgen_conf.h +++ b/trafgen_conf.h @@ -51,4 +51,6 @@ extern void set_multi_byte(uint8_t *s, size_t len); extern void set_fill(uint8_t val, size_t len); extern void set_byte(uint8_t val); +extern struct packet *current_packet(void); + #endif /* TRAFGEN_CONF */ diff --git a/trafgen_parser.y b/trafgen_parser.y index 4719f55..249fdde 100644 --- a/trafgen_parser.y +++ b/trafgen_parser.y @@ -139,6 +139,11 @@ void realloc_packet(void) __init_new_csum_slot(packet_dyn[packetd_last]); } +struct packet *current_packet(void) +{ + return packets[packet_last]; +} + void set_byte(uint8_t val) { struct packet *pkt = packets[packet_last]; -- 2.4.2
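Review bot: current_packet() exports a pointer to the entry at packet_last in the packets array without saying how long it stays valid; if realloc_packet(), whose tail is visible just above in the same hunk, moves that array, a module that kept the pointer across the call would write into stale memory. Add a comment beside the extern in trafgen_conf.h stating that the result must be re-fetched after realloc_packet(), and say what is returned before the first packet has been allocated.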
[netsniff-ng] [PATCH] flowtop man: Add note about activate ct by iptables
From: Vadim Kochan vadi...@gmail.com Add the same note about using iptables to activate conntrack as it is already described in 'flowtop -h', just to keep it in the man page too. Signed-off-by: Vadim Kochan vadi...@gmail.com --- flowtop.8 | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/flowtop.8 b/flowtop.8 index 761f4a7..61be0f6 100644 --- a/flowtop.8 +++ b/flowtop.8 @@ -37,7 +37,15 @@ The following information will be presented in flowtop's output: * Transport protocol state machine information .PP In order for flowtop to work, netfilter must be active and running -on your machine, thus kernel-side connection tracking is active. +on your machine, thus kernel-side connection tracking is active. If netfilter +is not running, you can activate it with iptables(8): +.in +4 +.sp +$ iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT +.sp +$ iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT +.in -4 + .PP flowtop's intention is just to get a quick look over your active connections. If you want logging support, have a look at netfilter's conntrack(8) tools @@ -125,7 +133,8 @@ Borkmann dbor...@tik.ee.ethz.ch. .BR ifpps (8), .BR bpfc (8), .BR astraceroute (8), -.BR curvetun (8) +.BR curvetun (8), +.BR iptables (8) .PP .SH AUTHOR Manpage was written by Daniel Borkmann. -- 2.4.2
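Review bot: the two added iptables examples in flowtop.8 are shown with a `$` prompt although appending rules with -A needs root; use `#` or say so in the sentence above. The text should also state that these commands append ACCEPT rules to the INPUT and OUTPUT chains, which changes the host's filtering and is not undone when flowtop exits, so a reader on a machine with an existing ruleset knows what they are adding just to get connection tracking loaded. The empty line added before `.PP` is a blank line in roff source; replace it with nothing or `.sp`.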
[netsniff-ng] [PATCH 1/2] netsniff-ng: vlan: Use helpers when parse vlan header
From: Vadim Kochan vadi...@gmail.com Add proto_vlan.h with helpers to parse VLAN fields. Signed-off-by: Vadim Kochan vadi...@gmail.com --- proto_vlan.c | 7 --- proto_vlan.h | 27 +++ 2 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 proto_vlan.h diff --git a/proto_vlan.c b/proto_vlan.c index a175dde..c1b3e65 100644 --- a/proto_vlan.c +++ b/proto_vlan.c @@ -10,6 +10,7 @@ #include netinet/in.h/* for ntohs() */ #include proto.h +#include proto_vlan.h #include dissector_eth.h #include pkt_buff.h @@ -29,9 +30,9 @@ static void vlan(struct pkt_buff *pkt) tci = ntohs(vlan-h_vlan_TCI); tprintf( [ VLAN ); - tprintf(Prio (%d), , (tci 0xE000) 13); - tprintf(CFI (%d), , (tci 0x1000) 12); - tprintf(ID (%d), , (tci 0x0FFF)); + tprintf(Prio (%d), , vlan_tci2prio(tci)); + tprintf(CFI (%d), , vlan_tci2cfi(tci)); + tprintf(ID (%d), , vlan_tci2vid(tci)); tprintf(Proto (0x%.4x), ntohs(vlan-h_vlan_encapsulated_proto)); tprintf( ]\n); diff --git a/proto_vlan.h b/proto_vlan.h new file mode 100644 index 000..dc31cfa --- /dev/null +++ b/proto_vlan.h @@ -0,0 +1,27 @@ +/* + * proto_vlan.h - VLAN proto helpers declarations + * Subject to the GPL, version 2. + */ + +#ifndef PROTO_VLAN_H +#define PROTO_VLAN_H + +#include stdbool.h +#include inttypes.h + +static inline uint16_t vlan_tci2prio(uint16_t tci) +{ + return (tci 0xe000) 13; +} + +static inline uint16_t vlan_tci2cfi(uint16_t tci) +{ + return (tci 0x1000) 12; +} + +static inline uint16_t vlan_tci2vid(uint16_t tci) +{ + return tci 0x0fff; +} + +#endif -- 2.4.2
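Review bot: proto_vlan.h includes stdbool.h although none of the three helpers uses bool, and inttypes.h where stdint.h is enough for uint16_t; trimming both keeps a header that every dissector may include as small as possible. The helpers take a TCI in host byte order, which the caller in proto_vlan.c guarantees with ntohs(), but nothing in the header says so; a one-line comment would keep the next caller (the tpacket v3 path in patch 2/2) from passing a network-order value.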
[netsniff-ng] [PATCH 0/2] netsniff-ng: vlan: Print vlan info from tpacket v3 struct
It might be useful to sniff for vlan header info which might be not injected into packet if reordering is on and if physical device supports VLAN offloading. But these fields are kept in skb and are stored in tpacket v2/v3 struct, so they can be printed.

Meanwhile tpacket v3 struct is used, v2 will be used when there will be some unified tpacket struct with version field, because current code can indicate only if tpacket v3 is used.

Vadim Kochan (2):
  netsniff-ng: vlan: Use helpers when parse vlan header
  netsniff-ng: vlan: Show vlan info from tpacket v3

 dissector.h | 11 +++
 proto_vlan.c | 7 ---
 proto_vlan.h | 27 +++
 ring.h | 24
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 proto_vlan.h
-- 2.4.2
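The cover letter above describes recovering VLAN information that the NIC stripped from the frame but the kernel kept in the tpacket header. The following is an added example, not code from the netsniff-ng series: it decodes the TCI and rebuilds the 802.1Q tag in a copy of the frame. All `ex_` names are hypothetical; the two status bits repeat the values of TP_STATUS_VLAN_VALID and TP_STATUS_VLAN_TPID_VALID from <linux/if_packet.h>, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as TP_STATUS_VLAN_VALID / TP_STATUS_VLAN_TPID_VALID in
 * <linux/if_packet.h>; repeated so the example builds without kernel headers. */
#define EX_TP_STATUS_VLAN_VALID      (1u << 4)
#define EX_TP_STATUS_VLAN_TPID_VALID (1u << 6)
#define EX_ETH_P_8021Q 0x8100u
#define EX_ETH_HLEN    14u   /* dst MAC + src MAC + EtherType */
#define EX_VLAN_HLEN   4u    /* TPID + TCI */

struct ex_vlan_info {
	uint8_t  prio;   /* priority code point, TCI bits 15..13 */
	uint8_t  cfi;    /* CFI/DEI, TCI bit 12 */
	uint16_t vid;    /* VLAN id, TCI bits 11..0 */
	uint16_t tpid;   /* tag protocol id to put back on the wire */
};

/* Decode the metadata a PACKET_MMAP ring reports for one frame
 * (tp_status, tp_vlan_tci, tp_vlan_tpid, all in host byte order).
 * Returns 1 and fills *vi if a tag was offloaded, 0 otherwise. */
int ex_vlan_from_ring(uint32_t tp_status, uint16_t tci, uint16_t tpid,
		      struct ex_vlan_info *vi)
{
	/* Assumption: a non-zero TCI without the VALID bit is still treated
	 * as a tag, for kernels that predate the flag. */
	if (!(tp_status & EX_TP_STATUS_VLAN_VALID) && tci == 0)
		return 0;

	vi->prio = (uint8_t)((tci & 0xe000u) >> 13);
	vi->cfi  = (uint8_t)((tci & 0x1000u) >> 12);
	vi->vid  = (uint16_t)(tci & 0x0fffu);
	vi->tpid = (tp_status & EX_TP_STATUS_VLAN_TPID_VALID)
			? tpid : (uint16_t)EX_ETH_P_8021Q;
	return 1;
}

/* Copy frame into out, re-inserting the stripped tag after the two MAC
 * addresses. Returns the new length, or -1 if the frame is shorter than
 * an Ethernet header or out is too small. */
long ex_reinsert_vlan_tag(const uint8_t *frame, size_t len,
			  uint32_t tp_status, uint16_t tci, uint16_t tpid,
			  uint8_t *out, size_t out_cap)
{
	struct ex_vlan_info vi;
	size_t need;

	if (!frame || !out || len < EX_ETH_HLEN)
		return -1;

	if (!ex_vlan_from_ring(tp_status, tci, tpid, &vi)) {
		if (out_cap < len)
			return -1;
		memcpy(out, frame, len);
		return (long)len;
	}

	need = len + EX_VLAN_HLEN;
	if (need < len || out_cap < need)
		return -1;

	memcpy(out, frame, 12);                 /* dst + src MAC */
	out[12] = (uint8_t)(vi.tpid >> 8);      /* TPID, network order */
	out[13] = (uint8_t)(vi.tpid & 0xff);
	out[14] = (uint8_t)(tci >> 8);          /* TCI, network order */
	out[15] = (uint8_t)(tci & 0xff);
	memcpy(out + 16, frame + 12, len - 12); /* original EtherType + payload */
	return (long)need;
}

int main(void)
{
	/* Constructed frame: broadcast dst, locally administered src, IPv4. */
	static const uint8_t frame[16] = {
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
		0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
		0x08, 0x00, 0x45, 0x00
	};
	uint8_t out[32];
	struct ex_vlan_info vi;
	long n;

	if (ex_vlan_from_ring(EX_TP_STATUS_VLAN_VALID, 0xA064, 0, &vi))
		printf("prio %u cfi %u vid %u tpid 0x%04x\n",
		       (unsigned)vi.prio, (unsigned)vi.cfi,
		       (unsigned)vi.vid, (unsigned)vi.tpid);

	n = ex_reinsert_vlan_tag(frame, sizeof(frame), EX_TP_STATUS_VLAN_VALID,
				 0xA064, 0, out, sizeof(out));
	printf("tagged frame length: %ld\n", n);
	return n == 20 ? 0 : 1;
}
```

Writing the rebuilt frame to a pcap file keeps the VLAN id visible to later analysis even when the capture interface had tag offloading enabled.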
[netsniff-ng] [RFC] netsniff-ng: Show total rx stats for multi pcap mode
Allow to collect rx stats for multiple pcap mode, by storing them in separated variables before switch to the next pcap file. It allows to have the one approach when dump for single or multiple pcap(s) mode. Signed-off-by: Vadim Kochan vadi...@gmail.com --- netsniff-ng.c | 115 ++ ring_rx.c | 22 +-- ring_rx.h | 2 +- 3 files changed, 70 insertions(+), 69 deletions(-) diff --git a/netsniff-ng.c b/netsniff-ng.c index 57edc43..4b20d86 100644 --- a/netsniff-ng.c +++ b/netsniff-ng.c @@ -22,6 +22,7 @@ #include stdbool.h #include pthread.h #include fcntl.h +#include inttypes.h #include ring_rx.h #include ring_tx.h @@ -64,6 +65,8 @@ struct ctx { gid_t gid; uint32_t link_type, magic; uint32_t fanout_group, fanout_type; + uint64_t pkts_seen, pkts_recvd, pkts_drops; + uint64_t pkts_recvd_last, pkts_drops_last; }; static volatile sig_atomic_t sigint = 0, sighup = 0; @@ -203,6 +206,35 @@ static inline void setup_rfmon_mac80211_dev(struct ctx *ctx, char **rfmon_dev) panic_handler_add(on_panic_del_rfmon, *rfmon_dev); } +static void update_rx_stats(struct ctx *ctx, int sock, bool is_v3) +{ + uint64_t packets = 0, drops = 0; + + get_rx_net_stats(sock, packets, drops, is_v3); + + ctx-pkts_recvd += packets; + ctx-pkts_drops += drops; + ctx-pkts_recvd_last = packets; + ctx-pkts_drops_last = drops; +} + +static void dump_rx_stats(struct ctx *ctx, int sock, bool is_v3) +{ + update_rx_stats(ctx, sock, is_v3); + + printf(\r%12PRIu64 packets incoming (%PRIu64 unread on exit)\n, + is_v3 ? ctx-pkts_seen : ctx-pkts_recvd, + is_v3 ? ctx-pkts_recvd - ctx-pkts_seen : 0); + printf(\r%12PRIu64 packets passed filter\n, + ctx-pkts_recvd - ctx-pkts_drops); + printf(\r%12PRIu64 packets failed filter (out of space)\n, + ctx-pkts_drops); + + if (ctx-pkts_recvd 0) + printf(\r%12.4lf%% packet droprate\n, + (1.0 * ctx-pkts_drops / ctx-pkts_recvd) * 100.0); +} + static void pcap_to_xmit(struct ctx *ctx) { uint8_t *out = NULL; 
@@ -376,7 +408,6 @@ static void receive_to_xmit(struct ctx *ctx) int rx_sock, ifindex_in, ifindex_out, ret; size_t size_in, size_out; unsigned int it_in = 0, it_out = 0; - unsigned long frame_count = 0; struct frame_map *hdr_in, *hdr_out; struct ring tx_ring, rx_ring; struct pollfd rx_poll; @@ -428,7 +459,7 @@ static void receive_to_xmit(struct ctx *ctx) hdr_in = rx_ring.frames[it_in].iov_base; in = ((uint8_t *) hdr_in) + hdr_in-tp_h.tp_mac; - frame_count++; + ctx-pkts_seen++; if (ctx-packet_type != -1) if (ctx-packet_type != hdr_in-s_ll.sll_pkttype) @@ -465,14 +496,14 @@ static void receive_to_xmit(struct ctx *ctx) show_frame_hdr(in, hdr_in-tp_h.tp_snaplen, ctx-link_type, hdr_in, ctx-print_mode, - frame_count); + ctx-pkts_seen); dissector_entry_point(in, hdr_in-tp_h.tp_snaplen, ctx-link_type, ctx-print_mode, hdr_in-s_ll); if (frame_count_max != 0) { - if (frame_count = frame_count_max) { + if (ctx-pkts_seen = frame_count_max) { sigint = 1; break; } @@ -499,7 +530,7 @@ next: out: timer_purge(); - sock_rx_net_stats(rx_sock, 0); + dump_rx_stats(ctx, rx_sock, false); bpf_release(bpf_ops); @@ -844,26 +875,8 @@ static int begin_single_pcap_file(struct ctx *ctx) return fd; } -static void print_pcap_file_stats(int sock, struct ctx *ctx) -{ - int ret; - struct tpacket_stats kstats; - socklen_t slen = sizeof(kstats); - - fmemset(kstats, 0, sizeof(kstats)); - - ret = getsockopt(sock, SOL_PACKET, PACKET_STATISTICS, kstats, slen); - if (unlikely(ret)) - panic(Cannot get packet statistics!\n); - - if (ctx-print_mode == PRINT_NONE) { - printf(.(+%u/-%u), kstats.tp_packets - kstats.tp_drops, - kstats.tp_drops); - fflush(stdout); - } -} - -static void update_pcap_next_dump(struct ctx *ctx, unsigned long snaplen, int *fd, int sock) +static void update_pcap_next_dump(struct ctx *ctx, unsigned long snaplen, + int *fd, int sock, bool is_v3) { if (!dump_to_pcap(ctx
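Review bot: in dump_rx_stats() the "unread on exit" figure is the difference of two uint64_t counters, pkts_recvd minus pkts_seen, taken from different sources (the kernel statistics and the user-space loop); whenever pkts_seen is the larger one the result wraps to a value near 2^64 and is printed as a packet count. Compare first and print 0 in that case. update_rx_stats() also adds the kernel's counters to the running totals on every call, so it must be called exactly once per socket read-out; a comment stating that the underlying statistics are reset by reading them would make clear why accumulating is correct and why calling it twice is not.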
Re: [netsniff-ng] [RFC v2 00/10] trafgen: Build protocol packet via command line
On Tue, Jun 30, 2015 at 11:41:04AM +0200, Daniel Borkmann wrote:
> On 06/29/2015 02:58 AM, Vadim Kochan wrote:
> > Hi,
> >
> > This is the 1-st try version of how I see the protocol generation API for the trafgen util as mz replacement (at least for better performance). I am sending this just because to get your feedback about conceptual idea, and as soon as I got some basic working version I decided to share the code just to get know if I am moving in the right direction.
> >
> > Added high-level command line protocol packet building interface, which allows to specify protocol parameters to build the header and payload. Each protocol is represented by proto_gen struct which is responsible only for providing field info (size, data) by name to trafgen's low level packet generation layer.
> >
> > All packet generation routine is performed by the generic code in trafgen.c which parses the command line, obtains proto name, param=value list and calls the specific protocol handler to get protocol field info by name, so the TX routine remains the same.
> >
> > The command line syntax looks like:
> >
> >     trafgen/trafgen --dev lo eth da = AA:BB:CC:DD:EE:FF sa=11:22:33:44:55:66, arp op=rep tip=192.168.1.1 -n 1
> >
> > so the first is proto name and after there are param value pairs which are separated by space, in case if there are multiple protocols specified - they should be separated by "," after last param value of the previous protocol.
> >
> > I think the picture will be more clear after adding IP protocol with checksum handling.
>
> First of all, thanks for working on this, Vadim! I like seeing something like this integrated after we've resolved all outstanding issues. I'll certainly make trafgen also easier to use.
>
> Before digging into the very details, I have a couple of high-level comments/thoughts.
>
> All the manual string parsing you are doing, isn't it easier to just extend the flex/bison files with the related protocol information?

So you mean to make command line script parsing through the same flex/bison ?

> I.e. I was thinking of 1) make the current configuration syntax also available for the direct command line interface, and after that 2) extend the flex/bison parser with L2, L3, etc information in a similar syntax as you did above (e.g. multiple packets could also here be defined with separator { ... }, if no separator

Also I was thinking in the future to use the following template for proto specifying in the script:

    { eth { } ip { } }

> is provided, we assume a single packet). This would give the flexibility of having a mz-like cmdline syntax and at the same time one could also use it in the config file. Do you see any major obstacles with that?

I will think about unify command line script syntaxes in the same flex/bison ... But again should we really support the same mz syntax ?

> Regarding the default values, f.e. if we've specified only L3 information (e.g. IPv4), but no L2 information, we should look up src/dst mac based on the output interface resp. the neighbor cache. We should be careful with broadcasts, i.e. if no other information is available for determining a dst, only then we should use broadcast (f.e. if only L2 was specified w/o a dst mac, etc); in all other cases we should try hard to resolve all needed information from the kernel.

Sure I was thinking about using neigh cache info and default route if higher proto is specified w/o L2 dst info.

> Anything I've missed, Tobias? :)
>
> Thanks again,
> Daniel

OK the main points which are clear to me are:

1) Make available conf script to be accessed from command line
2) Extend conf script syntax to use protocol info extension.

Regards,
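The command-line syntax proposed in the message above (a protocol name, then space-separated param=value pairs, with "," between protocols) can be tokenized as in this added C example, which is not code from the patch series or from trafgen. parse_protos, next_tok and the two structs are hypothetical names, and the parser assumes no spaces around "=".

```c
#include <string.h>

#define MAX_PARAMS 8
struct param { char *name, *value; };
struct proto { char *name; struct param params[MAX_PARAMS]; int nparams; };

/* Next token delimited by any char in delims (empty tokens skipped), or
 * NULL at end of input. Cuts the buffer in place. */
static char *next_tok(char **cur, const char *delims)
{
	char *s = *cur + strspn(*cur, delims), *e;

	if (!*s)
		return NULL;
	e = s + strcspn(s, delims);
	if (*e)
		*e++ = '\0';
	*cur = e;
	return s;
}

/* Hypothetical helper, not trafgen code: split "proto k=v k=v, proto k=v".
 * Returns the protocol count, or -1 on malformed or oversized input. */
int parse_protos(char *line, struct proto *out, int max)
{
	char *grp, *tok, *eq;
	int n = 0;

	while ((grp = next_tok(&line, ","))) {
		tok = next_tok(&grp, " \t");
		if (!tok || strchr(tok, '=') || n == max)
			return -1;	/* each group starts with a protocol name */
		out[n].name = tok;
		out[n].nparams = 0;
		while ((tok = next_tok(&grp, " \t"))) {
			eq = strchr(tok, '=');
			if (!eq || eq == tok || !eq[1] || out[n].nparams == MAX_PARAMS)
				return -1;	/* need name=value, both non-empty */
			*eq = '\0';
			out[n].params[out[n].nparams].name = tok;
			out[n].params[out[n].nparams++].value = eq + 1;
		}
		n++;
	}
	return n;
}
```

The buffer passed in is modified, so callers hand it a writable copy of the argument string.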
Re: [netsniff-ng] [PATCH] flowtop: Fix collector stuck while flush IPv6 flows
On Mon, Jul 27, 2015 at 11:01:10AM +0300, Vadim Kochan wrote:
> On Mon, Jul 27, 2015 at 09:53:58AM +0200, Daniel Borkmann wrote:
> > On 07/27/2015 12:20 AM, Vadim Kochan wrote:
> > > On Sun, Jul 26, 2015 at 09:57:04PM +0300, Vadim Kochan wrote:
> > > > On Sun, Jul 26, 2015 at 08:39:04PM +0200, Daniel Borkmann wrote:
> > > > > On 07/25/2015 06:09 PM, Vadim Kochan wrote:
> > > > > > From: Vadim Kochan vadi...@gmail.com
> > > > > >
> > > > > > Seems it was caused by specifying all netfilter groups when flushing connections. Used separated nfct instance w/o netfilter groups to flush ipv4/ipv6 connections.
> > > > > >
> > > > > > More info can be fetched from the issue item on github:
> > > > > >
> > > > > > https://github.com/netsniff-ng/netsniff-ng/issues/145
> > > > > >
> > > > > > Signed-off-by: Vadim Kochan vadi...@gmail.com
> > > > >
> > > > > Applied, thanks.
> > > >
> > > > BTW is it really needs to flush connections ? Because counters will be cleared too, and they will not reflect the real data flow through the connection ?
> > > >
> > > > Regards,
> > >
> > > Seems I understand, this is for catch existing connections through the event-driven way, but I assume it will be possible too if dump everything once to save the counters, and then do a polling.
> >
> > Yes, I agree it's a bit suboptimal currently.
>
> Fuf, I found new flowtop issue, which seems mystic for me meanwhile.
>
> Two cases:
>
> #1 Have some downloading on background (e.g. ~600KB/s)
>    Then run flowtop
>    ACTUAL: Bytes counter seems show increases correct.
>
> #2 Run flowtop, then run downloading process (e.g. ~600KB/s).
>    ACTUAL: Bytes counter increases very slow for this connection.
>
> #2 seems buggy, but I don't know why, will try to investigate it.

It seems that in these different cases good bytes are in different directions - repl or orig, what do you think if it would be correct to use ATTR_ORIG_COUNTER_BYTES + ATTR_REPL_COUNTER_BYTES, and probably the same for packets ?

Regards,
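The per-direction counters discussed in the message above, read here from the text listing of conntrack(8) rather than from the libnetfilter_conntrack attributes flowtop uses. This is an added example, not flowtop code; parse_acct, next_counter, total_bytes and the sample line are constructed for illustration.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

struct flow_acct { uint64_t orig_pkts, orig_bytes, repl_pkts, repl_bytes; };

/* Find the next "key<number>" at or after *pos, store the number and move
 * *pos past the key. Returns 0 on success, -1 if no such counter is left. */
static int next_counter(const char **pos, const char *key, uint64_t *val)
{
	const char *p = strstr(*pos, key);
	if (!p || sscanf(p + strlen(key), "%" SCNu64, val) != 1)
		return -1;
	*pos = p + strlen(key);
	return 0;
}

/* Parse one conntrack(8) listing line: the first packets=/bytes= pair is the
 * original direction, the second the reply direction. Returns -1 when the
 * counters are absent, e.g. the flow was created before accounting was on. */
int parse_acct(const char *line, struct flow_acct *a)
{
	const char *pos = line;
	return (next_counter(&pos, "packets=", &a->orig_pkts) ||
		next_counter(&pos, "bytes=", &a->orig_bytes) ||
		next_counter(&pos, "packets=", &a->repl_pkts) ||
		next_counter(&pos, "bytes=", &a->repl_bytes)) ? -1 : 0;
}

/* Both directions summed, the combination asked about in the message above. */
uint64_t total_bytes(const struct flow_acct *a)
{
	return a->orig_bytes + a->repl_bytes;
}

int main(void)
{
	/* Constructed sample line: client-initiated download, documentation IPs */
	const char *line = "tcp 6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 "
		"sport=40000 dport=80 packets=420 bytes=22000 src=198.51.100.7 "
		"dst=192.0.2.10 sport=80 dport=40000 packets=800 bytes=1150000 [ASSURED]";
	struct flow_acct a;

	if (parse_acct(line, &a))
		return 1;
	printf("orig %" PRIu64 " B, repl %" PRIu64 " B, total %" PRIu64 " B\n",
	       a.orig_bytes, a.repl_bytes, total_bytes(&a));
	return 0;
}
```

In the sample the bulk of the transfer sits in the reply direction, so a display that reads only the original-direction counter shows a small fraction of the flow.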
[netsniff-ng] [PATCH] flowtop: Show counters by direction
From: Vadim Kochan vadi...@gmail.com Show bytes/pkts counters per src/dst direction. By default counters originated from dst are showed. Src counters are showed only if '-s' is specified. Signed-off-by: Vadim Kochan vadi...@gmail.com --- flowtop.c | 40 +--- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/flowtop.c b/flowtop.c index 6466b47..144dd1d 100644 --- a/flowtop.c +++ b/flowtop.c @@ -48,7 +48,8 @@ struct flow_entry { uint32_t ip6_src_addr[4], ip6_dst_addr[4]; uint16_t port_src, port_dst; uint8_t tcp_state, tcp_flags, sctp_state, dccp_state; - uint64_t counter_pkts, counter_bytes; + uint64_t src_pkts, src_bytes; + uint64_t dst_pkts, dst_bytes; uint64_t timestamp_start, timestamp_stop; char country_src[128], country_dst[128]; char city_src[128], city_dst[128]; @@ -493,8 +494,11 @@ static void flow_entry_from_ct(struct flow_entry *n, struct nf_conntrack *ct) CP_NFCT(sctp_state, ATTR_SCTP_STATE, 8); CP_NFCT(dccp_state, ATTR_DCCP_STATE, 8); - CP_NFCT(counter_pkts, ATTR_ORIG_COUNTER_PACKETS, 64); - CP_NFCT(counter_bytes, ATTR_ORIG_COUNTER_BYTES, 64); + CP_NFCT(src_pkts, ATTR_ORIG_COUNTER_PACKETS, 64); + CP_NFCT(src_bytes, ATTR_ORIG_COUNTER_BYTES, 64); + + CP_NFCT(dst_pkts, ATTR_REPL_COUNTER_PACKETS, 64); + CP_NFCT(dst_bytes, ATTR_REPL_COUNTER_BYTES, 64); CP_NFCT(timestamp_start, ATTR_TIMESTAMP_START, 64); CP_NFCT(timestamp_stop, ATTR_TIMESTAMP_STOP, 64); 
@@ -784,18 +788,8 @@ static void presenter_screen_do_line(WINDOW *screen, struct flow_entry *n, printw(:%s, pname); attroff(A_BOLD); } - printw( -); - - /* Number packets, bytes */ - if (n-counter_pkts 0 n-counter_bytes 0) { - char bytes_str[64]; - - printw( (%PRIu64 pkts, %s bytes) -, n-counter_pkts, - bandw2str(n-counter_bytes, bytes_str, -sizeof(bytes_str) - 1)); - } - /* Show source information: reverse DNS, port, country, city */ + /* Show source information: reverse DNS, port, country, city, counters */ if (show_src) { attron(COLOR_PAIR(1)); mvwprintw(screen, ++(*line), 8, src: %s, n-rev_dns_src); @@ -816,10 +810,18 @@ static void presenter_screen_do_line(WINDOW *screen, struct flow_entry *n, printw()); } + if (n-src_pkts 0 n-src_bytes 0) { + char bytes_str[64]; + + printw( - (%PRIu64 pkts, %s bytes), n-src_pkts, + bandw2str(n-src_bytes, bytes_str, + sizeof(bytes_str) - 1)); + } + printw( = ); } - /* Show dest information: reverse DNS, port, country, city */ + /* Show dest information: reverse DNS, port, country, city, counters */ attron(COLOR_PAIR(2)); mvwprintw(screen, ++(*line), 8, dst: %s, n-rev_dns_dst); attroff(COLOR_PAIR(2)); @@ -838,6 +840,14 @@ static void presenter_screen_do_line(WINDOW *screen, struct flow_entry *n, printw()); } + + if (n-dst_pkts 0 n-dst_bytes 0) { + char bytes_str[64]; + + printw( - (%PRIu64 pkts, %s bytes), n-dst_pkts, + bandw2str(n-dst_bytes, bytes_str, + sizeof(bytes_str) - 1)); + } } static inline bool presenter_flow_wrong_state(struct flow_entry *n) -- 2.4.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
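Review bot: In the hunk at @@ -816,10 +810,18 @@ the src counters are printed only inside the existing "if (show_src)" block, while the lines removed at @@ -784,18 +788,8 @@ printed the ATTR_ORIG_* counters for every flow. Without '-s' the originator's packets and bytes are no longer shown anywhere, so a flow that mostly sends in the original direction looks idle. Either print a combined src+dst total on the flow line as well, or state the new default in the usage text and in flowtop.8; the diffstat touches only flowtop.c.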
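Review bot: The counter block added for dst at @@ -838,6 +840,14 @@ is a copy of the one added for src at @@ -816,10 +810,18 @@, differing only in the two fields it reads. A small static helper that takes the packet and byte counts would keep the format string and the bytes_str buffer in one place, and a short comment on the new struct fields saying that src_* come from the ATTR_ORIG_* counters and dst_* from the ATTR_REPL_* counters would save the next reader a trip to flow_entry_from_ct().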
[netsniff-ng] [PATCH] man flowtop: Add notes about traffic accounting enabling
From: Vadim Kochan vadi...@gmail.com Add some explanation about traffic counters enabling via sysctl and its limitation. Signed-off-by: Vadim Kochan vadi...@gmail.com --- flowtop.8 | 19 ++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/flowtop.8 b/flowtop.8 index c850f12..f059e15 100644 --- a/flowtop.8 +++ b/flowtop.8 @@ -35,6 +35,7 @@ The following information will be presented in flowtop's output: * Used protocols (IPv4, IPv6, TCP, UDP, SCTP, ICMP, ...) * Flow port's service name heuristic * Transport protocol state machine information +* Bytes/packets counters (if they are enabled) .PP In order for flowtop to work, netfilter must be active and running on your machine, thus kernel-side connection tracking is active. If netfilter @@ -47,6 +48,19 @@ iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT .in -4 .PP +To dump bytes/packets counters flowtop enables sysctl(8) parameter via: +.in +4 +.sp +echo 1 /proc/sys/net/netfilter/nf_conntrack_acct +.sp +.in -4 +and resets it on exit. But these counters will take effect only on connections +which were created after accounting was enabled, so to have these counters to +be active all the time the sysctl(8) parameter should be enabled after system +is up. To make it automatically enabled the sysctl.conf(8) and sysctl.d(8) +might be used. + +.PP flowtop's intention is just to get a quick look over your active connections. If you want logging support, have a look at netfilter's conntrack(8) tools instead. 
@@ -134,7 +148,10 @@ Borkmann dbor...@tik.ee.ethz.ch. .BR bpfc (8), .BR astraceroute (8), .BR curvetun (8), -.BR iptables (8) +.BR iptables (8), +.BR sysctl (8), +.BR sysctl.conf (8), +.BR sysctl.d (8) .PP .SH AUTHOR Manpage was written by Daniel Borkmann. -- 2.4.2 -- You received this message because you are subscribed to the Google Groups netsniff-ng group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
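Review bot: "and resets it on exit" in the paragraph added at @@ -47,6 +48,19 @@ does not say which value is written back. If flowtop restores the value it found at startup, say so; if it writes 0, an administrator who had accounting enabled before starting flowtop needs to know it will be switched off. The paragraph would also be easier to act on if it named the setting to persist, net.netfilter.nf_conntrack_acct = 1, next to the /proc path, and the empty "+" line before .PP can be dropped.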
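Review bot: sysctl.conf and sysctl.d are section 5 manual pages, so ".BR sysctl.conf (8)" and ".BR sysctl.d (8)" in the SEE ALSO hunk at @@ -134,7 +148,10 @@ should read (5), as should the sysctl.conf(8) and sysctl.d(8) references in the new paragraph at @@ -47,6 +48,19 @@. The sysctl (8) reference is correct.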