Hi Alfredo,
I am trying to monitor all the packets and, based on host
name (youtube, facebook, ...), I want my system not to accept those
packets (i.e. block them from coming to browsers). So, for this to work I need
to filter each packet based on host name and, if the packet host name
matches, drop it there (either in userspace or kernel space).
In my understanding, the nDPI example application (ndpiReader) is able to
give me the statistics based on the time intervals provided. But I am not
sure how to block the packets coming to the application layer (browser) when
they match the host name provided (facebook or youtube).
In PF_RING, using "pfcount", I am able to filter out each packet based
on the host name strings provided. But I am not sure how to filter and block
these packets from coming to the browser.
I am expecting some kind of solution idea for filtering out the packets
based on host name provided.
regards
Prateek
On Wednesday 04 November 2015 04:27 PM, Alfredo Cardigliano wrote:
Prateek
what do you mean with drop? Are you building an inline system? Or just
filtering packets before processing in a passive application?
Anyway, you should look at nDPI/examples/ndpiReader.c for L7 detection (you can
add hosts with -p in the example).
BPF is not what you are looking for.
Alfredo
On 04 Nov 2015, at 11:50, PRATEEK MOHANTY <[email protected]> wrote:
Hi Alfredo,
- Okay. What should I pass with "-f" to pfcount so that it will drop the
packets?
- So, what does "pfcount -f <>" do then? Please provide some examples with results where
"pfcount -f <>" is used.
- Is there any way in any ntop package where I can filter and drop the packets
based on host string name?
regards
Prateek
On Wednesday 04 November 2015 04:08 PM, Alfredo Cardigliano wrote:
Hi Prateek
please note that bpf filters (when used with standard drivers) drop packets in
kernel space, while string matching happens in userspace inside pfcount.c.
You cannot use bpf for string matching.
Alfredo
On 04 Nov 2015, at 11:31, PRATEEK MOHANTY <[email protected]> wrote:
Hi Alfredo,
Yes. When running "pfcount --help", it shows to pass -f <filter> [BPF filter].
I am trying to block and drop the packets if they match a host name such as youtube or facebook.
In "userland/string.sample", I have kept the facebook and youtube strings. I am
giving the following command.
ex: ./pfcount -i eth0 -x string.sample -o 1.txt
(This is filtering out matched packets and keeping statistics in the 1.txt.log file)
-> My question is: what should I pass with -f <?> to block and drop those
matched packets?
ex: ./pfcount -i eth0 -x string.sample -o 1.txt -f <?>
regards
Prateek
On Wednesday 04 November 2015 02:51 PM, Alfredo Cardigliano wrote:
Please take a look at pfcount.c, it includes the examples you need.
-f expects a bpf filter (string)
Alfredo
On 04 Nov 2015, at 08:49, PRATEEK MOHANTY <[email protected]> wrote:
Hi Alfredo,
I have checked the doxygen docs for bpf_filter, but couldn't find any examples. I am using
the pfcount application but am not sure what to pass with the "-f" option. Could you
give some example commands for BPF, hash/wildcard filters?
regards
Prateek
On Wednesday 04 November 2015 01:05 PM, PRATEEK MOHANTY wrote:
Hi Alfredo,
Thanks for the reply. I have a few doubts, please help me to clear them.
1. Can I use PF_RING per wifi VAP?
2. Can I filter packets based on host strings like facebook, youtube and drop
those packets? If yes, how?
3. How are nDPI and PF_RING different?
4. Can I use nDPI for wifi VAP interfaces with a MIPS processor?
regards
Prateek
On Wednesday 04 November 2015 12:34 PM, Alfredo Cardigliano wrote:
Hi Prateek
1. bpf filters: see the documentation for pfring_set_bpf_filter in doxygen and
pfcount -f as an example
2. hash filters: see the documentation for pfring_handle_hash_filtering_rule in
doxygen and pfcount -u 1 as an example
3. wildcard filters: see the documentation for pfring_add_filtering_rule in doxygen
and pfcount -u 2 as an example
Alfredo
On 04 Nov 2015, at 07:39, PRATEEK MOHANTY <[email protected]> wrote:
Hi Team,
I am new to PF_RING and need to understand the filtering technique in it.
Please give some examples for using BPF filters and HASH/WILDCARD filters. Any
document would help.
thanks
Prateek
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
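The thread turns on one technical point: a BPF filter (pfring_set_bpf_filter, pfcount -f) drops packets in kernel space on header fields, but a host-name decision needs the application-layer payload, which is why string matching lives in userspace in pfcount.c and why Alfredo points at nDPI's ndpiReader for L7 detection. The following is an added Python example, not code from PF_RING, nDPI or any poster in the thread, showing what that userspace host-name check looks like when done properly: it pulls the host from an HTTP Host header or from the SNI extension of a TLS ClientHello and matches it against a block list as a domain rather than as a raw substring. The packet payloads are constructed inline, and the function names, the BLOCKED tuple and the "drop"/"pass" verdict strings are my own choices. The code only produces a verdict; as Alfredo's question about an inline system implies, enforcing it requires a setup where the process sits between the network and the browser and decides what to forward, since with a passive capture the browser already has the packet.

```python
"""Host-name verdict for a captured payload: HTTP Host header or TLS SNI.

Added example; not code from PF_RING, nDPI or the thread's pfcount/string.sample.
"""
from __future__ import annotations

import struct

# Constructed block list (the thread's two examples). Matching is by domain, so
# "facebook.com" also covers "www.facebook.com" but not "notfacebook.com".
BLOCKED = ("facebook.com", "youtube.com")


def http_host(payload: bytes) -> str | None:
    """Return the Host header of an HTTP/1.x request, or None if not HTTP."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]  # strip an optional port (IPv6 literals not handled)
    return None


def tls_sni(payload: bytes) -> str | None:
    """Return the server_name from a TLS ClientHello record, or None.

    Every length is checked before use, so a truncated or malformed record
    yields None instead of an exception.
    """
    if len(payload) < 5 or payload[0] != 0x16:           # not a handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    rec = payload[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:                    # not a ClientHello
        return None
    hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 34                                              # skip version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # session id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # compression methods
    if len(hs) < pos + 2:
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if end > len(hs):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        body = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:  # server_name, host_name entry
            name_len = struct.unpack("!H", body[3:5])[0]
            if len(body) >= 5 + name_len:
                return body[5:5 + name_len].decode("ascii", "replace").lower()
    return None


def extract_host(payload: bytes) -> str | None:
    """Try plain HTTP first, then a TLS ClientHello."""
    return http_host(payload) or tls_sni(payload)


def host_blocked(host: str, blocked=BLOCKED) -> bool:
    """Domain match: the host itself or any subdomain of a blocked name."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def decide(payload: bytes, blocked=BLOCKED) -> str:
    """Userspace verdict for one packet payload: "drop" or "pass".

    A payload with no recognisable host name passes (fail-open), which is the
    usual default for a block list but would be wrong for an allow list.
    """
    host = extract_host(payload)
    return "drop" if host is not None and host_blocked(host, blocked) else "pass"


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                     # server_name list
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0
    body = (b"\x03\x03" + bytes(32)                                 # version + random
            + b"\x00"                                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record header


# Constructed sample payloads
HTTP_REQ = b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\nAccept: */*\r\n\r\n"
HTTP_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: notfacebook.com\r\n\r\n"
TLS_HELLO = build_client_hello("m.facebook.com")

if __name__ == "__main__":
    for label, pkt in (("http", HTTP_REQ), ("lookalike", HTTP_LOOKALIKE), ("tls", TLS_HELLO)):
        print(label, extract_host(pkt), decide(pkt))
```

The lookalike request is the reason for matching on the parsed host rather than on the raw payload: a substring search for "facebook" (the approach a string file like the thread's string.sample suggests) would fire on notfacebook.com, on any page that merely mentions the word, and on unrelated binary data, while it would miss nothing that the domain match catches. The bounds checks in tls_sni are the part worth keeping in any production version: the ClientHello is attacker-controlled input arriving before any authentication, so the parser must never index past the record it was given.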