Re: [tcpdump-workers] Libpcap capturing point

2003-07-31 Thread Guy Harris
On Thu, Jul 24, 2003 at 07:49:12PM +0200, Jorge Lanza wrote:
> We've been developing a virtual network device and now we are exporting it 
> to the netfilter philosophy. When capturing packets with libpcap (ethereal) 
> we are not sure at which level the packet is captured. I say so because when 
> using netfilter we modify the packet information, and in ethereal the 
> information displayed is the packet with the modifications (some private 
> headers have been removed).
> 
> So there's our doubt. Where does libpcap capture the packet? Before or 
> after the driver, or after crossing all the IP stack?

It depends on the way your network stack is set up, including your
virtual network device, and on the way the packet capture mechanism in
your OS works, and on the network interface on which you're capturing.

> We want to see it as 
> it's received from the network without any modifications. Is it
> possible?

If your virtual network device gets its input from a real network
device, try capturing on the real network device.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]


Re: [tcpdump-workers] Libpcap capturing point

2003-07-28 Thread Jorge Lanza
I've continued with my tests, and I think there's no way of doing what I'd 
like with pcap.

I've written a very simple netfilter module (a modification of an example found 
on the web), which I attach. I print some values of the packet while it 
is crossing netfilter. I modified this packet in order to see what is 
displayed in the ethereal window. Then I set the packet to be dropped, 
just to see if pcap captures all the packets or only the ones that pass 
through the whole Linux network stack.

Example dropping ICMP packet
Value not modified data[50] = 2A
Value modified data[50] = FF
Well, the packets are displayed, even the ones that should be dropped. However, 
the value displayed in ethereal is the modified one (FF). So it seems 
that pcap captures the packet somewhere between the packet's arrival at the 
network card and the end of the Linux network stack.

Can anyone, probably a developer, explain that? At which point is the 
packet captured? Probably someone else has come up against this problem.
I'm trying to get some statistics and I need to get them before the packet 
has been modified. I would like to avoid writing another kernel module or 
modifying the one already done.

Any help is really welcomed.

TA.

P.S.: If you'd like to test it, just insmod the module and ping with -s 172 
(that way the packet is modified and then discarded) while ethereal is 
capturing. Then read the info in ethereal. You'll see the value FF where it 
should be something else.

At 11:12 24/07/2003 -0700, Guy Harris wrote:
>On Thu, Jul 24, 2003 at 07:49:12PM +0200, Jorge Lanza wrote:
>> We've been developing a virtual network device and now we are exporting it
>> to the netfilter philosophy. When capturing packets with libpcap (ethereal)
>> we are not sure at which level the packet is captured. I say so because when
>> using netfilter we modify the packet information, and in ethereal the
>> information displayed is the packet with the modifications (some private
>> headers have been removed).
>>
>> So there's our doubt. Where does libpcap capture the packet? Before or
>> after the driver, or after crossing all the IP stack?
>
>It depends on the way your network stack is set up, including your
>virtual network device, and on the way the packet capture mechanism in
>your OS works, and on the network interface on which you're capturing.
>
>> We want to see it as
>> it's received from the network without any modifications. Is it
>> possible?
>
>If your virtual network device gets its input from a real network
>device, try capturing on the real network device.



Jorge Lanza Calderón
Departamento Ingeniería Comunicaciones
Grupo de Ingeniería Telemática
Universidad de Cantabria
Avda. de los Castros, s/n
39005 - Santander  (España)
Tel: +34 942 200914
Fax: +34 942 201488
mailto:[EMAIL PROTECTED]
Web: http://www.tlmat.unican.es

/* netfilter hook example (Linux 2.4 netfilter API)
 * Compile with: gcc -O -c -Wall nfexample.c
 * -O is needed; the 2.4 kernel headers must be on the include path
 * Insert the module using 'insmod nfexample.o'
 */

#define __KERNEL__
#define MODULE

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

static struct nf_hook_ops hook_ex;

/* Hook function, run at NF_IP_PRE_ROUTING for every incoming IPv4 packet.
 * It writes into the sk_buff data in place, without checking whether the
 * buffer is shared with other readers of the same packet. */
static unsigned int function_hook(unsigned int hook, struct sk_buff **pskb,
				  const struct net_device *in,
				  const struct net_device *out,
				  int (*okfn)(struct sk_buff *))
{
	struct iphdr *ip;
	unsigned char *data;

	ip = (*pskb)->nh.iph;
	/* data starts right after the IP header, i.e. at the ICMP header,
	 * so data[50] is byte 42 of the ICMP payload */
	data = (*pskb)->nh.raw + ip->ihl * 4;

	(*pskb)->nfcache |= NFC_UNKNOWN;

	/* 'ping -s 172' gives 172 bytes of data + 8 ICMP + 20 IP = 200 bytes.
	 * Only the length is checked: any 200-byte IP packet takes this path,
	 * not just ICMP, and data[50] is assumed to lie inside the packet. */
	switch ((*pskb)->len) {
	case 200:
		printk("Example dropping ICMP packet\n");
		printk("Value not modified data[50] = %02X\n", data[50]);
		data[50] = 0xFF;
		printk("Value modified data[50] = %02X\n", data[50]);

		(*pskb)->nfcache |= NFC_ALTERED;
		return NF_DROP;

	default:
		return NF_ACCEPT;
	}
}

static int __init init(void)
{
	/* hook_ex is static, so its list and priority fields start zeroed;
	 * priority 0 is NF_IP_PRI_FILTER. nf_register_hook links it in. */
	hook_ex.hook = function_hook;
	hook_ex.pf = PF_INET;
	hook_ex.hooknum = NF_IP_PRE_ROUTING;	/* originally NF_IP_LOCAL_OUT */

	return nf_register_hook(&hook_ex);
}

static void __exit fini(void)
{
	nf_unregister_hook(&hook_ex);
}

module_init(init);
module_exit(fini);
MODULE_LICENSE("GPL");
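Added example (editor's code, not from the thread or from the posted module): a small user-space C program that rebuilds the 200-byte IPv4/ICMP echo request that 'ping -s 172' produces and then reads the byte the posted hook addresses as data[50], using the same arithmetic as the hook (IP header start + ihl*4 + 50). It lets the numbers in the post (skb->len 200, data[50] = 2A) be checked offline, and shows two things the hook does not handle: a packet carrying IP options keeps data[50] on the same ICMP payload byte but is no longer 200 bytes long, so the length-only trigger silently misses it, and there is no bounds check on the index before writing. The ping payload layout (payload byte i = i, with the first 8 bytes overwritten by a timestamp) is the iputils convention and is assumed here, as are the addresses; the 2A the post reports is consistent with it. One further caveat, which is the editor's reading of the 2.4 sk_buff semantics and not something stated in the thread: the PF_PACKET tap that libpcap uses on Linux is handed a clone of the sk_buff whose data buffer is shared with the original, so an in-place write in a PRE_ROUTING hook with no skb_cloned()/skb_copy() step, as in the posted module, is visible to the capture when user space reads it later, even when the packet is then dropped.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICMP_HDR_LEN 8
#define PING_DATA_LEN 172   /* what 'ping -s 172' sends */

/* RFC 1071 one's-complement checksum, returned as a 16-bit host-order value */
static uint16_t inet_csum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;

	while (len > 1) {
		sum += (uint32_t)((buf[0] << 8) | buf[1]);
		buf += 2;
		len -= 2;
	}
	if (len)
		sum += (uint32_t)(buf[0] << 8);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Build an IPv4 echo request into pkt: opt_len bytes of NOP options after the
 * fixed header, an 8-byte ICMP header, then data_len bytes of payload.
 * Returns the total length (skb->len at NF_IP_PRE_ROUTING), or 0 if the
 * parameters are invalid.  Addresses are constructed, not real hosts. */
static size_t build_ping(uint8_t *pkt, size_t cap, unsigned opt_len, unsigned data_len)
{
	size_t ihl_bytes = 20 + opt_len;
	size_t total = ihl_bytes + ICMP_HDR_LEN + data_len;
	uint8_t *icmp;
	uint16_t c;
	unsigned i;

	if (opt_len % 4 || opt_len > 40 || total > cap || total > 0xffff)
		return 0;
	memset(pkt, 0, total);

	pkt[0] = (uint8_t)(0x40 | (ihl_bytes / 4));   /* version 4, IHL in words */
	pkt[2] = (uint8_t)(total >> 8);
	pkt[3] = (uint8_t)(total & 0xff);
	pkt[8] = 64;                                  /* TTL */
	pkt[9] = 1;                                   /* IPPROTO_ICMP */
	memcpy(pkt + 12, "\xc0\xa8\x01\x02", 4);      /* 192.168.1.2, constructed */
	memcpy(pkt + 16, "\xc0\xa8\x01\x01", 4);      /* 192.168.1.1, constructed */
	memset(pkt + 20, 1, opt_len);                 /* option type 1 = NOP */
	c = inet_csum(pkt, ihl_bytes);
	pkt[10] = (uint8_t)(c >> 8);
	pkt[11] = (uint8_t)(c & 0xff);

	icmp = pkt + ihl_bytes;
	icmp[0] = 8;                                  /* echo request */
	icmp[4] = 0x12; icmp[5] = 0x34;               /* identifier */
	icmp[7] = 1;                                  /* sequence 1 */
	/* iputils pattern (assumed): payload byte i = i, first 8 bytes = timestamp */
	for (i = 0; i < data_len; i++)
		icmp[ICMP_HDR_LEN + i] = (uint8_t)i;
	memset(icmp + ICMP_HDR_LEN, 0, data_len < 8 ? data_len : 8);  /* stand-in for the timestamp */
	c = inet_csum(icmp, ICMP_HDR_LEN + data_len);
	icmp[2] = (uint8_t)(c >> 8);
	icmp[3] = (uint8_t)(c & 0xff);

	return total;
}

/* Same addressing as the hook: nh.raw + ihl*4 + idx.  Returns -1 when idx
 * falls outside the packet, a case the posted hook never checks before writing. */
static int hook_data_byte(const uint8_t *pkt, size_t len, size_t idx)
{
	size_t off = (size_t)(pkt[0] & 0x0f) * 4 + idx;

	return off < len ? pkt[off] : -1;
}

/* The posted hook's trigger: it keys on skb->len == 200 alone, not on protocol */
static int hook_would_fire(size_t len)
{
	return len == 200;
}

int main(void)
{
	uint8_t pkt[256];
	size_t len;

	len = build_ping(pkt, sizeof pkt, 0, PING_DATA_LEN);
	printf("no options: len=%zu fires=%d data[50]=%02X\n",
	       len, hook_would_fire(len), hook_data_byte(pkt, len, 50));

	/* one 4-byte option word: data[50] still lands on the same payload byte,
	 * but the packet is 204 bytes long and the length-only trigger misses it */
	len = build_ping(pkt, sizeof pkt, 4, PING_DATA_LEN);
	printf("4B options: len=%zu fires=%d data[50]=%02X\n",
	       len, hook_would_fire(len), hook_data_byte(pkt, len, 50));
	return 0;
}
```

Build with any C compiler (cc -Wall -o pingbyte pingbyte.c); it needs no kernel headers or privileges. Both header checksums come out valid (summing a header over its own checksum field yields 0), so the constructed packet could also be written to a pcap file and opened in ethereal to compare against a live capture.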