[netsniff-ng] Re: [PATCH v3 00/16] trafgen: Add proto header generation

2016-01-28 Thread Tobias Klauser
On 2016-01-26 at 21:24:56 +0100, Vadim Kochan wrote:
> Add new trafgen proto generation framework which allows to describe
> proto header fields and easy build the proto header by set/get proto
> header fields value.
> 
> Meanwhile implemented Ethernet, ARP, IPv4 & UDP proto headers generation,
> with fixed header size. Each proto has its own syntax rules
> to specify header field, but really looks similar:
> 
> { (=,, =) }
> 
> Proto statement might be combined with other packet funcs like:
> 
> { ip4(mf, proto=0x1), fill(0xff, 100) }
> 
> Each proto generates some default header so it is not possible to fill packet
> only with some set of header fields and rest - via fill(..) func.

I applied patches 1-11 from this series now. There were still a few
edges which I want to have a deeper look at, but any changes there can
be done in follow-up patches by myself.

As for patches 12-16: I didn't apply them because I'd like to see the
commit messages for the parser syntax parts (patches  a bit extended. I didn't
do this myself due to lack of time...

Please have a look at the amended commit messages for patches 8 and 11.
I edited them quite heavily to include documentation for all supported
keywords, including default values. Please resend the patches for IPv4
and UDP syntax with similar commit messages.

For commit messages in general - and also for user visible messages and
documentation - please don't use abbreviations such as 'func' or 'proto'
but always spell out the full word. This makes it much easier to read
IMO.

As for the manpage part, I'll respond with detailed review comments
there, but in general it looks very good.

Thanks a lot!

-- 
You received this message because you are subscribed to the Google Groups 
"netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [netsniff-ng] Synchronize file creation between netsniff-ng processes possible?

2016-01-28 Thread Tobias Klauser
On 2016-01-28 at 13:17:30 +0100, e.bengts...@gmail.com wrote:
> 
> 
> On Wednesday, 27 January 2016 at 18:02:23 UTC+1, e.ben...@gmail.com wrote:
> >
> >
> >
> > On Wednesday, 27 January 2016 at 16:17:46 UTC+1, Tobias Klauser wrote:
> >>
> >> Hi again
> >>
> >> On 2016-01-27 at 16:10:30 +0100, Tobias Klauser wrote:
> >> > On 2016-01-27 at 14:40:55 +0100, Erik Bengtsson wrote:
> >> > > By "start time" I mean file creation time. It is totally possible to
> >> > > post process all log files and synchronize them using pcap timestamps,
> >> > > as you suggested, but I'm afraid that it will be less effective for us
> >> > > since there will be a huge amount of data to move around and process.
> >> >
> >> > Ah ok, I see. Thanks for clarifying.
> >> >
> >> > In that case, I'm afraid there currently is no method to synchronize
> >> > the file creation among multiple instances of netsniff-ng. As Daniel
> >> > suggested, timerfd might be an option to implement a feature along
> >> > these lines. If you want, feel free to have a look into it - patches
> >> > are gladly accepted :)
> >>
> >> Something which I completely forgot about...
> >>
> >> There might be an option (though a bit crude) to solve this using the
> >> premature rotation caused by SIGHUP. You could set up a separate task
> >> simultaneously sending a SIGHUP every minute to your netsniff-ng
> >> processes. See commit 46289df6bc8f573bc01be4fb4aa93343ecc6d50a
> >> ("netsniff-ng: Rotate pcap files prematurely on SIGHUP") for details.
> >>
> >> Tobias
> >>
> >
> > That sounds really interesting! :-)
> >
> > I ended up using signal USR2 since I didn't want to change how SIGHUP was 
> > used. When USR2 is received, the current time is saved and used when naming 
> > the next file (which is created when the next packet is received).
> >
> > A patch is included if you want to have a look.
> >
> > / Erik
> >  
> >
> 
> I've continued working on this a bit and have a solution that seems to be 
> working. The patch is included if someone wants to have a look.

Nice, thanks a lot. I think we don't even need to have a command line
option for this but could just make it the default behavior to record
the timestamp of the sighup in the filename. The file creation time will
still reflect the actual time of when the first packet arrived.

I'll adjust the patch accordingly and commit it with your Signed-off-by,
if that's ok with you.

Thanks
Tobias
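
The idea settled on in this message (remember when SIGHUP arrived and use that time in the name of the next pcap file), as an added example that is not netsniff-ng code or part of the posted patch. The names `rotation_setup`, `rotation_take` and `rotation_filename` are hypothetical, and a single-threaded capture loop is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Written by the handler, read and cleared by the main loop only. */
static volatile sig_atomic_t hup_pending; /* 1 = rotation requested */
static volatile sig_atomic_t hup_offset;  /* seconds since start_time */
static time_t start_time;                 /* set once, before sigaction() */

static void on_sighup(int signo)
{
	(void)signo;
	/* time() is async-signal-safe. sig_atomic_t may be narrower than
	 * time_t, so only the offset from start_time is stored. */
	hup_offset = (sig_atomic_t)(time(NULL) - start_time);
	hup_pending = 1;
}

int rotation_setup(void)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_sighup;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = SA_RESTART;
	start_time = time(NULL);
	return sigaction(SIGHUP, &sa, NULL);
}

/* Returns 1 and stores the SIGHUP time in *stamp when a rotation is pending,
 * 0 otherwise. The separate flag keeps offset 0 a valid stamp. SIGHUP is
 * blocked during read-and-clear, so a late signal is delivered afterwards. */
int rotation_take(time_t *stamp)
{
	sigset_t hup, old;
	int pending;

	sigemptyset(&hup);
	sigaddset(&hup, SIGHUP);
	sigprocmask(SIG_BLOCK, &hup, &old);
	pending = hup_pending;
	if (pending) {
		*stamp = start_time + hup_offset;
		hup_pending = 0;
	}
	sigprocmask(SIG_SETMASK, &old, NULL);
	return pending;
}

/* Builds "<dir>/<prefix><stamp>.pcap"; returns -1 if it does not fit. */
int rotation_filename(char *buf, size_t len, const char *dir,
		      const char *prefix, time_t stamp)
{
	int n = snprintf(buf, len, "%s/%s%lld.pcap", dir,
			 prefix ? prefix : "dump-", (long long)stamp);

	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
	char name[256];
	time_t stamp;

	if (rotation_setup() < 0)
		return 1;
	raise(SIGHUP); /* stands in for the external task sending SIGHUP */
	if (rotation_take(&stamp) &&
	    rotation_filename(name, sizeof(name), "/tmp", NULL, stamp) == 0)
		puts(name);
	return 0;
}
```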



[netsniff-ng] Re: [PATCH 0/4] trafgen: Add IPv4 and UDP protocol generation

2016-01-28 Thread Tobias Klauser
On 2016-01-28 at 23:06:23 +0100, Vadim Kochan wrote:
> Reworded commit message of 12-14 patches from series:
> 
> "[PATCH v3 00/16] trafgen: Add proto header generation"
> 
> 1) Added parameters & default values description.
> 2) Functionality was not changed.

Perfect, thanks a lot! Series now applied. I also took the manpage patch
from your previous series and I'll directly fold in my few minor changes.



[netsniff-ng] [PATCH 2/4] trafgen: parser: Add syntax for IPv4 protocol generation

2016-01-28 Thread Vadim Kochan
Add 'ip4(), ipv4()' function to build IPv4 header.

Fields supported:

ihl          IPv4 header length (default 5)
ver|version  IPv4 version (default 4)
ttl          Time To Live (TTL) field (default 0)
dscp         DiffServ field (default 0)
ecn          ECN bits (default 0)
tos          TOS (DSCP + ECN) field (default 0)
len|length   IPv4 header + payload length (calculated by default)
id           Identifier (default 0)
flags        Flags field (default 0)
frag         Fragment offset (default 0)
csum         IPv4 header checksum (calculated by default)
df           Set DF (Don't Fragment) bit to 1 (default is 0)
mf           Set MF (More Fragments) bit to 1 (default is 0)
sa|saddr     IPv4 source address (default used from output device)
da|daddr     IPv4 destination address (default 0.0.0.0)
proto        IPv4 protocol id (default 0)

Example:

{ ip4(df, mf, frag=100, prot=0x1, ecn=2, dscp=20) }
{ ip4(da=1.1.1.1), ip4(sa=3.3.3.3, da=3.3.3.4) }

Last example generates IP-in-IP packet.

Signed-off-by: Vadim Kochan 
---
 trafgen_lexer.l  | 15 +++
 trafgen_parser.y | 51 +++
 2 files changed, 66 insertions(+)

diff --git a/trafgen_lexer.l b/trafgen_lexer.l
index 5467c70..eeb252f 100644
--- a/trafgen_lexer.l
+++ b/trafgen_lexer.l
@@ -119,8 +119,23 @@ ip_addr([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
 "htype"{ return K_HTYPE; }
 "ptype"{ return K_PTYPE; }
 
+"ihl"  { return K_IHL; }
+"ver"|"version"{ return K_VER; }
+"ttl"  { return K_TTL; }
+"dscp" { return K_DSCP; }
+"ecn"  { return K_ECN; }
+"tos"  { return K_TOS; }
+"len"|"length" { return K_LEN; }
+"id"   { return K_ID; }
+"flags"{ return K_FLAGS; }
+"frag" { return K_FRAG; }
+"csum" { return K_CSUM; }
+"df"   { return K_DF; }
+"mf"   { return K_MF; }
+
 "eth"  { return K_ETH; }
 "arp"  { return K_ARP; }
+"ip4"|"ipv4"   { return K_IP4; }
 
 [ ]*"-"[ ]*{ return '-'; }
 [ ]*"+"[ ]*{ return '+'; }
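
Review bot: the commit message documents the protocol field as `proto` but its own example writes `prot=0x1`, and this lexer hunk adds a rule for neither, so the accepted spelling is whatever the existing K_PROT rule matches; please make the field list and the example agree with it. The same applies to `sa|saddr` and `da|daddr`, which are documented here but rely on rules outside this hunk. Also note that the new rules for short words such as "id", "len", "ver" and "flags" are written without a start condition, so they are returned as keywords wherever they appear in a configuration, not only inside ip4(...); a sentence about that in the commit message or manpage would help.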
diff --git a/trafgen_parser.y b/trafgen_parser.y
index 16f9025..ebc4054 100644
--- a/trafgen_parser.y
+++ b/trafgen_parser.y
@@ -25,6 +25,7 @@
 #include "trafgen_conf.h"
 #include "trafgen_proto.h"
 #include "trafgen_l2.h"
+#include "trafgen_l3.h"
 #include "built_in.h"
 #include "die.h"
 #include "str.h"
@@ -350,9 +351,11 @@ static void proto_add(enum proto_id pid)
 
 %token K_DADDR K_SADDR K_PROT
 %token K_OPER K_SHA K_SPA K_THA K_TPA K_REQUEST K_REPLY K_PTYPE K_HTYPE
+%token K_TTL K_DSCP K_ECN K_TOS K_LEN K_ID K_FLAGS K_FRAG K_IHL K_VER K_CSUM 
K_DF K_MF
 
 %token K_ETH
 %token K_ARP
+%token K_IP4
 
 %token ',' '{' '}' '(' ')' '[' ']' ':' '-' '+' '*' '/' '%' '&' '|' '<' '>' '^'
 
@@ -574,6 +577,7 @@ ddec
 proto
: eth_proto { }
| arp_proto { }
+   | ip4_proto { }
;
 
 eth_proto
@@ -637,6 +641,53 @@ arp
: K_ARP { proto_add(PROTO_ARP); }
;
 
+ip4_proto
+   : ip4 '(' ip4_param_list ')' { }
+   ;
+
+ip4_param_list
+   : { }
+   | ip4_field { }
+   | ip4_field delimiter ip4_param_list { }
+   ;
+
+ip4_field
+   : K_VER skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_VER, $5); }
+   | K_IHL skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_IHL, $5); }
+   | K_DADDR  skip_white '=' skip_white ip_addr
+   { proto_field_set_u32(hdr, IP4_DADDR, $5.s_addr); }
+   | K_SADDR  skip_white '=' skip_white ip_addr
+   { proto_field_set_u32(hdr, IP4_SADDR, $5.s_addr); }
+   | K_PROT skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_PROTO, $5); }
+   | K_TTL skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_TTL, $5); }
+   | K_DSCP skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_DSCP, $5); }
+   | K_ECN skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_ECN, $5); }
+   | K_TOS skip_white '=' skip_white number
+   { proto_field_set_u8(hdr, IP4_TOS, $5); }
+   | K_LEN skip_white '=' skip_white number
+   { proto_field_set_be16(hdr, IP4_LEN, $5); }
+   | K_ID skip_white '=' skip_white number
+   { proto_field_set_be16(hdr, IP4_ID, $5); }
+   | K_FLAGS skip_white '=' skip_white number
+   { proto_field_set_be16(hdr, IP4_FLAGS, $5); }
+   | K_DF  { proto_field_set_be16(hdr, IP4_DF, 1); }
+   | K_MF  { proto_field_set_be16(hdr, IP4_MF, 1); }
+   | K_FRAG skip_white '=' skip_white number
+   { proto_field_set_be16(hdr, IP4_FRAG_OFFS, $5); }
+   | K_CSUM skip_white '=' skip_white number
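
Review bot: every `number` in ip4_field is handed to the setter without a range check, for example `proto_field_set_u8(hdr, IP4_ECN, $5)`, although the masks in trafgen_l3.c make ver and ihl 4-bit, dscp 6-bit, ecn 2-bit and frag 13-bit fields. A value such as ecn=7 or ihl=20 is not rejected here, so the user gets a packet that differs from what was written without any message; consider validating against the field width in the parser and failing with a clear error. Since tos covers the same byte as dscp and ecn, the result of giving both depends on their order in the parameter list, which the commit message should state.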

[netsniff-ng] [PATCH 3/4] trafgen: l4: Add UDP header generation logic

2016-01-28 Thread Vadim Kochan
Add trafgen_l4.c module with generation UDP header fields.

UDP protocol generation logic automatically sets by default
IPPROTO_UDP to the lower protocol (if it is IPv4), also checksum &
length are calculated if it is not set by user.

Signed-off-by: Vadim Kochan 
---
 trafgen/Makefile |  1 +
 trafgen_l4.c | 71 
 trafgen_l4.h | 14 +++
 trafgen_proto.c  |  2 ++
 4 files changed, 88 insertions(+)
 create mode 100644 trafgen_l4.c
 create mode 100644 trafgen_l4.h

diff --git a/trafgen/Makefile b/trafgen/Makefile
index 4f342ca..3f78f07 100644
--- a/trafgen/Makefile
+++ b/trafgen/Makefile
@@ -22,6 +22,7 @@ trafgen-objs =xmalloc.o \
trafgen_proto.o \
trafgen_l2.o \
trafgen_l3.o \
+   trafgen_l4.o \
trafgen_lexer.yy.o \
trafgen_parser.tab.o \
trafgen.o
diff --git a/trafgen_l4.c b/trafgen_l4.c
new file mode 100644
index 000..286e54a
--- /dev/null
+++ b/trafgen_l4.c
@@ -0,0 +1,71 @@
+/*
+ * netsniff-ng - the packet sniffing beast
+ * Subject to the GPL, version 2.
+ */
+
+#include 
+#include 
+
+#include "die.h"
+#include "csum.h"
+#include "built_in.h"
+#include "trafgen_l3.h"
+#include "trafgen_l4.h"
+#include "trafgen_conf.h"
+#include "trafgen_proto.h"
+
+static struct proto_field udp_fields[] = {
+   { .id = UDP_SPORT,  .len = 2,   .offset = 0 },
+   { .id = UDP_DPORT,  .len = 2,   .offset = 2 },
+   { .id = UDP_LEN,.len = 2,   .offset = 4 },
+   { .id = UDP_CSUM,   .len = 2,   .offset = 6 },
+};
+
+static void udp_header_init(struct proto_hdr *hdr)
+{
+   struct proto_hdr *lower;
+
+   proto_lower_default_add(PROTO_IP4);
+
+   lower = proto_current_header();
+
+   if (lower->id == PROTO_IP4)
+   proto_field_set_default_u8(lower, IP4_PROTO, IPPROTO_UDP);
+
+   proto_header_fields_add(hdr, udp_fields, array_size(udp_fields));
+}
+
+static void udp_packet_finish(struct proto_hdr *hdr)
+{
+   struct proto_hdr *lower = proto_lower_header(hdr);
+   struct packet *pkt = current_packet();
+   uint16_t total_len;
+   uint16_t csum;
+
+   total_len = pkt->len - hdr->pkt_offset;
+   proto_field_set_default_be16(hdr, UDP_LEN, total_len);
+
+   if (proto_field_is_set(hdr, UDP_CSUM))
+   return;
+
+   if (!lower || lower->id != PROTO_IP4)
+   return;
+
+   total_len = proto_field_get_u16(hdr, UDP_LEN);
+   csum = p4_csum((void *) proto_header_ptr(lower), proto_header_ptr(hdr),
+   total_len, IPPROTO_UDP);
+
+   proto_field_set_be16(hdr, UDP_CSUM, bswap_16(csum));
+}
+
+static struct proto_hdr udp_hdr = {
+   .id = PROTO_UDP,
+   .layer  = PROTO_L4,
+   .header_init= udp_header_init,
+   .packet_finish  = udp_packet_finish,
+};
+
+void protos_l4_init(void)
+{
+   proto_header_register(_hdr);
+}
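
Review bot: in udp_packet_finish() the length passed to p4_csum() is read back from the header field, `total_len = proto_field_get_u16(hdr, UDP_LEN);`, so when the user has set a UDP length larger than `pkt->len - hdr->pkt_offset` the checksum is computed over bytes beyond this packet. Keep the user's value in the header but use the computed length (or the smaller of the two) for the checksum. The computed `pkt->len - hdr->pkt_offset` is also assigned to a uint16_t without a check, so a packet longer than 65535 bytes wraps silently; an explicit bound with an error would be safer.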
diff --git a/trafgen_l4.h b/trafgen_l4.h
new file mode 100644
index 000..1a60ea5
--- /dev/null
+++ b/trafgen_l4.h
@@ -0,0 +1,14 @@
+#ifndef TRAFGEN_L4_I_H
+#define TRAFGEN_L4_I_H
+
+enum udp_field {
+   UDP_SPORT,
+   UDP_DPORT,
+   UDP_LEN,
+   UDP_CSUM,
+};
+
+extern void protos_l4_init(void);
+
+#endif /* TRAFGEN_L4_I_H */
+
diff --git a/trafgen_proto.c b/trafgen_proto.c
index 75556f9..5fcb5cc 100644
--- a/trafgen_proto.c
+++ b/trafgen_proto.c
@@ -13,6 +13,7 @@
 #include "trafgen_conf.h"
 #include "trafgen_l2.h"
 #include "trafgen_l3.h"
+#include "trafgen_l4.h"
 #include "trafgen_proto.h"
 
 #define field_shift_and_mask(f, v) (((v) << (f)->shift) & \
@@ -362,6 +363,7 @@ void protos_init(const char *dev)
 
protos_l2_init();
protos_l3_init();
+   protos_l4_init();
 
for (p = registered; p; p = p->next)
p->ctx = 
-- 
2.6.3



[netsniff-ng] [PATCH 1/4] trafgen: l3: Add IPv4 header generation backend

2016-01-28 Thread Vadim Kochan
Add L3 module to implement L3 layer protocols generation.

Implemented setting of IPv4 header with all fields except options.
By default IPv4 address of output device is used as src ip address.
On finish (after packet is specified) - total len & checksum are calculated.

Meanwhile Ethernet protocol is initialized as default lower header.

If the lower protocol is IPv4 then IPv4 protocol id is set
to IP-in-IP in lower protocol header.

Signed-off-by: Vadim Kochan 
---
 trafgen/Makefile |  1 +
 trafgen_l3.c | 82 
 trafgen_l3.h | 26 ++
 trafgen_proto.c  |  2 ++
 4 files changed, 111 insertions(+)
 create mode 100644 trafgen_l3.c
 create mode 100644 trafgen_l3.h

diff --git a/trafgen/Makefile b/trafgen/Makefile
index 1c95118..4f342ca 100644
--- a/trafgen/Makefile
+++ b/trafgen/Makefile
@@ -21,6 +21,7 @@ trafgen-objs =xmalloc.o \
cpp.o \
trafgen_proto.o \
trafgen_l2.o \
+   trafgen_l3.o \
trafgen_lexer.yy.o \
trafgen_parser.tab.o \
trafgen.o
diff --git a/trafgen_l3.c b/trafgen_l3.c
new file mode 100644
index 000..dd45395
--- /dev/null
+++ b/trafgen_l3.c
@@ -0,0 +1,82 @@
+/*
+ * netsniff-ng - the packet sniffing beast
+ * Subject to the GPL, version 2.
+ */
+
+#include 
+
+#include "csum.h"
+#include "built_in.h"
+#include "trafgen_l2.h"
+#include "trafgen_l3.h"
+#include "trafgen_proto.h"
+#include "trafgen_conf.h"
+
+static struct proto_field ipv4_fields[] = {
+   { .id = IP4_VER,   .len = 1, .offset = 0, .shift = 4, .mask = 0xf0 
},
+   { .id = IP4_IHL,   .len = 1, .offset = 0, .shift = 0, .mask = 0x0f 
},
+   { .id = IP4_DSCP,  .len = 1, .offset = 1, .shift = 2, .mask = 0xfc 
},
+   { .id = IP4_ECN,   .len = 1, .offset = 1, .shift = 0, .mask = 0x03 
},
+   { .id = IP4_TOS,   .len = 1, .offset = 1 },
+   { .id = IP4_LEN,   .len = 2, .offset = 2 },
+   { .id = IP4_ID,.len = 2, .offset = 4 },
+   { .id = IP4_FLAGS, .len = 2, .offset = 6, .shift = 13, .mask = 
0xe000 },
+   { .id = IP4_MF,.len = 2, .offset = 6, .shift = 13, .mask = 
0x2000 },
+   { .id = IP4_DF,.len = 2, .offset = 6, .shift = 14, .mask = 
0x4000 },
+   { .id = IP4_FRAG_OFFS, .len = 2, .offset = 6, .shift = 0,  .mask = 
0x1fff },
+   { .id = IP4_TTL,   .len = 1, .offset = 8 },
+   { .id = IP4_PROTO, .len = 1, .offset = 9 },
+   { .id = IP4_CSUM,  .len = 2, .offset = 10 },
+   { .id = IP4_SADDR, .len = 4, .offset = 12 },
+   { .id = IP4_DADDR, .len = 4, .offset = 16 },
+};
+
+static void ipv4_header_init(struct proto_hdr *hdr)
+{
+   struct proto_hdr *lower;
+
+   proto_lower_default_add(PROTO_ETH);
+
+   lower = proto_current_header();
+
+   if (lower->id == PROTO_ETH)
+   proto_field_set_default_be16(lower, ETH_PROTO_ID, ETH_P_IP);
+   else if (lower->id == PROTO_IP4)
+   proto_field_set_default_u8(lower, IP4_PROTO, IPPROTO_IPIP);
+
+   proto_header_fields_add(hdr, ipv4_fields, array_size(ipv4_fields));
+
+   proto_field_set_default_u8(hdr, IP4_VER, 4);
+   proto_field_set_default_u8(hdr, IP4_IHL, 5);
+   proto_field_set_default_dev_ipv4(hdr, IP4_SADDR);
+}
+
+static void ipv4_packet_finish(struct proto_hdr *hdr)
+{
+   struct packet *pkt = current_packet();
+   uint16_t total_len;
+
+   total_len = pkt->len - hdr->pkt_offset;
+   proto_field_set_default_be16(hdr, IP4_LEN, total_len);
+
+   if (!proto_field_is_set(hdr, IP4_CSUM)) {
+   uint16_t csum;
+   uint8_t ihl;
+
+   ihl = proto_field_get_u8(hdr, IP4_IHL);
+   csum = htons(calc_csum(>payload[hdr->pkt_offset], ihl * 
4));
+   proto_field_set_u16(hdr, IP4_CSUM, bswap_16(csum));
+   }
+}
+
+static struct proto_hdr ipv4_hdr = {
+   .id = PROTO_IP4,
+   .layer  = PROTO_L3,
+   .header_init= ipv4_header_init,
+   .packet_finish  = ipv4_packet_finish,
+};
+
+void protos_l3_init(void)
+{
+   proto_header_register(_hdr);
+}
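
Review bot: ipv4_packet_finish() checksums `ihl * 4` bytes, where ihl is read from the user-settable IP4_IHL field, while ipv4_fields[] describes a fixed 20-byte header and the commit message says options are not generated. With ihl=15 the checksum covers 60 bytes from hdr->pkt_offset, which takes in payload and can run past pkt->len on a short packet; check `ihl * 4 <= pkt->len - hdr->pkt_offset` before calling calc_csum(), or checksum the fixed header size. The `pkt->len - hdr->pkt_offset` result is stored in a uint16_t without a bound check, and a short comment on why htons() is followed by bswap_16() would help the next reader.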
diff --git a/trafgen_l3.h b/trafgen_l3.h
new file mode 100644
index 000..d215d09
--- /dev/null
+++ b/trafgen_l3.h
@@ -0,0 +1,26 @@
+#ifndef TRAFGEN_L3_I_H
+#define TRAFGEN_L3_I_H
+
+enum ip4_field {
+   IP4_VER,
+   IP4_IHL,
+   IP4_DSCP,
+   IP4_ECN,
+   IP4_TOS,
+   IP4_LEN,
+   IP4_ID,
+   IP4_FLAGS,
+   IP4_FRAG_OFFS,
+   IP4_TTL,
+   IP4_PROTO,
+   IP4_CSUM,
+   IP4_SADDR,
+   IP4_DADDR,
+   IP4_DF,
+   IP4_MF,
+};
+
+extern void protos_l3_init(void);
+
+#endif /* TRAFGEN_L2_I_H */
+
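
Review bot: the closing comment `#endif /* TRAFGEN_L2_I_H */` does not match the guard TRAFGEN_L3_I_H opened at the top of this new header; please correct it. The hunk also adds an empty line after the #endif at the end of the file, which can be dropped. The enum puts IP4_DF and IP4_MF last while ipv4_fields[] in trafgen_l3.c lists them right after IP4_FLAGS; keeping one order in both places makes the table easier to check.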
diff --git a/trafgen_proto.c b/trafgen_proto.c
index 2c090b2..75556f9 100644
--- a/trafgen_proto.c
+++ b/trafgen_proto.c
@@ -12,6 +12,7 @@
 #include "xmalloc.h"
 #include "trafgen_conf.h"
 

[netsniff-ng] [PATCH 0/4] trafgen: Add IPv4 and UDP protocol generation

2016-01-28 Thread Vadim Kochan
Reworded commit message of 12-14 patches from series:

"[PATCH v3 00/16] trafgen: Add proto header generation"

1) Added parameters & default values description.
2) Functionality was not changed.


Vadim Kochan (4):
  trafgen: l3: Add IPv4 header generation backend
  trafgen: parser: Add syntax for IPv4 protocol generation
  trafgen: l4: Add UDP header generation logic
  trafgen: parser: Add syntax to build UDP header

 trafgen/Makefile |  2 ++
 trafgen_l3.c | 82 
 trafgen_l3.h | 26 ++
 trafgen_l4.c | 71 
 trafgen_l4.h | 14 ++
 trafgen_lexer.l  | 19 +
 trafgen_parser.y | 80 ++
 trafgen_proto.c  |  4 +++
 8 files changed, 298 insertions(+)
 create mode 100644 trafgen_l3.c
 create mode 100644 trafgen_l3.h
 create mode 100644 trafgen_l4.c
 create mode 100644 trafgen_l4.h

-- 
2.6.3



Re: [netsniff-ng] Synchronize file creation between netsniff-ng processes possible?

2016-01-28 Thread e . bengtsson


On Wednesday, 27 January 2016 at 18:02:23 UTC+1, e.ben...@gmail.com wrote:
>
>
>
> On Wednesday, 27 January 2016 at 16:17:46 UTC+1, Tobias Klauser wrote:
>>
>> Hi again
>>
>> On 2016-01-27 at 16:10:30 +0100, Tobias Klauser wrote:
>> > On 2016-01-27 at 14:40:55 +0100, Erik Bengtsson wrote:
>> > > By "start time" I mean file creation time. It is totally possible to
>> > > post process all log files and synchronize them using pcap timestamps,
>> > > as you suggested, but I'm afraid that it will be less effective for us
>> > > since there will be a huge amount of data to move around and process.
>> >
>> > Ah ok, I see. Thanks for clarifying.
>> >
>> > In that case, I'm afraid there currently is no method to synchronize
>> > the file creation among multiple instances of netsniff-ng. As Daniel
>> > suggested, timerfd might be an option to implement a feature along
>> > these lines. If you want, feel free to have a look into it - patches
>> > are gladly accepted :)
>>
>> Something which I completely forgot about...
>>
>> There might be an option (though a bit crude) to solve this using the
>> premature rotation caused by SIGHUP. You could set up a separate task
>> simultaneously sending a SIGHUP every minute to your netsniff-ng
>> processes. See commit 46289df6bc8f573bc01be4fb4aa93343ecc6d50a
>> ("netsniff-ng: Rotate pcap files prematurely on SIGHUP") for details.
>>
>> Tobias 
>>
>
> That sounds really interesting! :-)
>
> I ended up using signal USR2 since I didn't want to change how SIGHUP was 
> used. When USR2 is received, the current time is saved and used when naming 
> the next file (which is created when the next packet is received).
>
> A patch is included if you want to have a look.
>
> / Erik
>  
>

I've continued working on this a bit and have a solution that seems to be 
working. The patch is included if someone wants to have a look.

Best regards, Erik



 

From 02ea1c96cce854f0691d18ba782113006cb61532 Mon Sep 17 00:00:00 2001
From: Erik Bengtsson 
Date: Thu, 28 Jan 2016 13:01:41 +0100
Subject: [PATCH] Added support for using SIGHUP's time when rotating files
 prematurely

---
 netsniff-ng.c | 26 +-
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/netsniff-ng.c b/netsniff-ng.c
index e5d1886..ccce27a 100644
--- a/netsniff-ng.c
+++ b/netsniff-ng.c
@@ -58,7 +58,7 @@ struct ctx {
 	int cpu, rfraw, dump, print_mode, dump_dir, packet_type;
 	unsigned long kpull, dump_interval, tx_bytes, tx_packets;
 	size_t reserve_size;
-	bool randomize, promiscuous, enforce, jumbo, dump_bpf, hwtimestamp, verbose;
+	bool randomize, promiscuous, enforce, jumbo, dump_bpf, hwtimestamp, verbose, pre_timestamp;
 	enum pcap_ops_groups pcap;
 	enum dump_mode dump_mode;
 	uid_t uid;
@@ -71,9 +71,10 @@ struct ctx {
 
 static volatile sig_atomic_t sigint = 0, sighup = 0;
 static volatile bool next_dump = false;
+static volatile sig_atomic_t sighup_time = 0;
 
 static const char *short_options =
-	"d:i:o:rf:MNJt:S:k:n:b:HQmcsqXlvhF:RGAP:Vu:g:T:DBUC:K:L:w";
+	"d:i:o:rf:MNJt:S:k:n:b:HQmcsqXlvhF:RGAP:pVu:g:T:DBUC:K:L:w";
 static const struct option long_options[] = {
 	{"dev",			required_argument,	NULL, 'd'},
 	{"in",			required_argument,	NULL, 'i'},
@@ -92,6 +93,7 @@ static const struct option long_options[] = {
 	{"fanout-group",	required_argument,	NULL, 'C'},
 	{"fanout-type",		required_argument,	NULL, 'K'},
 	{"fanout-opts",		required_argument,	NULL, 'L'},
+	{"pre-timestamp",	no_argument,		NULL, 'p'},
 	{"rand",		no_argument,		NULL, 'r'},
 	{"rfraw",		no_argument,		NULL, 'R'},
 	{"mmap",		no_argument,		NULL, 'm'},
@@ -129,6 +131,7 @@ static const char *copyright = "Please report bugs to pcap]
 
@@ -142,6 +145,7 @@ static void signal_handler(int number)
 		break;
 	case SIGHUP:
 		sighup = 1;
+		sighup_time = (sig_atomic_t)(time(NULL) - start_time);
 		break;
 	default:
 		break;
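
Review bot: the value stored in the SIGHUP case, `sighup_time = (sig_atomic_t)(time(NULL) - start_time);`, is 0 when the signal arrives in the same second as start_time, and the later check `sighup_time > 0` treats 0 as "no timestamp", so that rotation falls back to time(NULL). Use a separate flag, or store the offset plus one, so that every SIGHUP yields a usable stamp. start_time is not declared in the hunks shown; since the handler reads it, a comment at its definition saying it is written once before the handler is installed would be useful.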
@@ -776,8 +780,14 @@ static int next_multi_pcap_file(struct ctx *ctx, int fd)
 
 	close(fd);
 
+	time_t ftime = time(NULL);
+	if (ctx->pre_timestamp && sighup_time > 0) {
+		ftime = (time_t)(start_time + sighup_time);
+		sighup_time = 0;
+	}
+
 	slprintf(fname, sizeof(fname), "%s/%s%lu.pcap", ctx->device_out,
-		 ctx->prefix ? : "dump-", time(NULL));
+		 ctx->prefix ? : "dump-", ftime);
 
 	fd = open_or_die_m(fname, O_RDWR | O_CREAT | O_TRUNC |
 			   O_LARGEFILE, DEFFILEMODE);
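
Review bot: in next_multi_pcap_file() the stamp is read and then cleared in two steps, `ftime = (time_t)(start_time + sighup_time);` followed by `sighup_time = 0;`, so a SIGHUP delivered between the two has its time thrown away while `sighup` stays set and the following file is named from time(NULL) instead. Block SIGHUP around the read-and-clear (sigprocmask) or clear the variable only if it still holds the value just read. `ftime` is a time_t printed with "%lu"; cast it to unsigned long in the slprintf() call so the argument matches the format.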
@@ -816,7 +826,7 @@ static int