Hi Prateek,
if you need to block packets to the same machine you have a few options:
1. interacting with the linux firewall, using a hook from userspace for inspecting ingress packets and returning a verdict to the firewall
2. using ZC drivers for bypassing the kernel (opening rx and tx sockets on "ethX") and injecting them after inspection back to the kernel using the "stack:" module (opening rx and tx sockets on "stack:ethX", respectively for capturing packets going out of the machine, and injecting packets to the machine).

Alfredo

> On 04 Nov 2015, at 12:35, PRATEEK MOHANTY <[email protected]> wrote:
>
> Hi Alfredo,
>
> I am trying to monitor all the packets and based on host name (youtube, facebook, ...) I want my system not to accept those packets (i.e. block it on coming to browsers). So, for this to work I need to filter each packet based on host name and if the packet host name matches, need to drop it there (either in userspace or kernel space).
>
> In my understanding, the nDPI example application (ndpiReader) is able to give me the statistics based on time intervals provided. But I am not sure how to block the packets coming to the application layer (browser) when it matches the host name provided (facebook or youtube).
>
> In PF_RING using "pfcount", I am able to filter out each packet based on host name strings provided. But not sure how to filter and block these packets from coming to the browser.
>
> I am expecting some kind of solution idea for filtering out the packets based on host name provided.
>
> regards
> Prateek
>
> On Wednesday 04 November 2015 04:27 PM, Alfredo Cardigliano wrote:
>> Prateek
>> what do you mean with drop? Are you building an inline system? Or just filtering packets before processing in a passive application?
>> Anyway, you should look at nDPI/examples/ndpiReader.c for L7 detection (you can add hosts with -p in the example).
>> BPF is not what you are looking for.
>>
>> Alfredo
>>
>>> On 04 Nov 2015, at 11:50, PRATEEK MOHANTY <[email protected]> wrote:
>>>
>>> Hi Alfredo,
>>>
>>> - Okay. What should I pass with "-f" to pfcount so that it will drop the packets?
>>> - So, what does "pfcount -f <>" do then? Please provide some examples with results where "pfcount -f <>" is used.
>>> - Is there any way in any ntop package where I can filter and drop the packets based on host string name?
>>>
>>> regards
>>> Prateek
>>>
>>> On Wednesday 04 November 2015 04:08 PM, Alfredo Cardigliano wrote:
>>>> Hi Prateek
>>>> please note that bpf filters (when used with standard drivers) drop packets in kernel space, while string matching happens in userspace inside pfcount.c. You cannot use bpf for string matching.
>>>>
>>>> Alfredo
>>>>
>>>>> On 04 Nov 2015, at 11:31, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>
>>>>> Hi Alfredo,
>>>>>
>>>>> Yes. When running "pfcount --help" it shows to pass -f <filter> [BPF filter].
>>>>> I am trying to block and drop the packets if they match the host name as youtube, facebook. In "userland/string.sample", I have kept the facebook and youtube strings. I am giving the following command.
>>>>> ex: ./pfcount -i eth0 -x string.sample -o 1.txt
>>>>> (This is filtering out matched packets and keeping statistics in the 1.txt.log file)
>>>>>
>>>>> -> My question is: what should I pass with -f <?> to block and drop those matched packets?
>>>>> ex: ./pfcount -i eth0 -x string.sample -o 1.txt -f <?>
>>>>>
>>>>> regards
>>>>> Prateek
>>>>>
>>>>> On Wednesday 04 November 2015 02:51 PM, Alfredo Cardigliano wrote:
>>>>>> Please take a look at pfcount.c, it includes the examples you need.
>>>>>> -f expects a bpf filter (string)
>>>>>>
>>>>>> Alfredo
>>>>>>
>>>>>>> On 04 Nov 2015, at 08:49, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Alfredo,
>>>>>>>
>>>>>>> I have checked the doxygen docs for bpf_filter, but couldn't find any examples. I am using the pfcount application but am not sure what to pass with the "-f" notation. Could you give some example commands for BPF, hash/wildcard filters?
>>>>>>>
>>>>>>> regards
>>>>>>> Prateek
>>>>>>>
>>>>>>> On Wednesday 04 November 2015 01:05 PM, PRATEEK MOHANTY wrote:
>>>>>>>> Hi Alfredo,
>>>>>>>>
>>>>>>>> Thanks for the reply. I have a few doubts, please help me to clear them.
>>>>>>>>
>>>>>>>> 1. Can I use PF_RING for per wifi VAPs?
>>>>>>>> 2. Can I filter packets based on host strings like facebook, youtube and drop those packets? If yes, how?
>>>>>>>> 3. How are nDPI and PF_RING different?
>>>>>>>> 4. Can I use nDPI for wifi vap interfaces with a mips processor?
>>>>>>>>
>>>>>>>> regards
>>>>>>>> Prateek
>>>>>>>>
>>>>>>>> On Wednesday 04 November 2015 12:34 PM, Alfredo Cardigliano wrote:
>>>>>>>>> Hi Prateek
>>>>>>>>> 1. bpf filters: see documentation for pfring_set_bpf_filter in doxygen and pfcount -f as example
>>>>>>>>> 2. hash filters: see documentation for pfring_handle_hash_filtering_rule in doxygen and pfcount -u 1 as example
>>>>>>>>> 3. wildcard filters: see documentation for pfring_add_filtering_rule in doxygen and pfcount -u 2 as example
>>>>>>>>>
>>>>>>>>> Alfredo
>>>>>>>>>
>>>>>>>>>> On 04 Nov 2015, at 07:39, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Team,
>>>>>>>>>>
>>>>>>>>>> I am new to PF_RING, need to understand the filtering technique in it.
>>>>>>>>>> Please give some examples for using BPF filters and HASH/WILDCARD filters. Any document would help.
>>>>>>>>>>
>>>>>>>>>> thanks
>>>>>>>>>> Prateek
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Ntop-misc mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
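The thread settles on two points: a BPF filter cannot match host-name strings, so the match has to run in userspace, and a userspace hook then hands a per-packet verdict back to the firewall (option 1 in Alfredo's reply). The following added example (not code from the thread, from PF_RING or from nDPI) shows that decision step in isolation: it walks Ethernet/IPv4/TCP headers, pulls the Host header out of a plaintext HTTP/1.x request, and returns an accept-or-drop verdict against a constructed blocklist. The verdict names, the `BLOCKED_HOSTS` set, the `build_frame` helper and the sample frames are all our own assumptions; the actual firewall hook (on Linux typically netfilter's NFQUEUE, which the thread does not name) is left out so the block runs offline.

```python
import struct

# Constructed blocklist: the exact host or any subdomain of it is blocked.
BLOCKED_HOSTS = {"facebook.com", "youtube.com"}

ACCEPT = "ACCEPT"   # verdict names are our own, not a firewall API's
DROP = "DROP"


def tcp_payload(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP headers and return the TCP payload.

    Returns None for anything that is not a well-formed IPv4/TCP frame, so the
    caller falls back to ACCEPT instead of guessing at truncated data.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]          # drops any Ethernet trailer padding
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    return tcp[data_off:]


def extract_http_host(payload: bytes):
    """Return the Host header of an HTTP/1.x request, lower-cased, or None."""
    lines = payload.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        if line == b"":                  # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]    # strip an explicit port
    return None


def host_is_blocked(host: str, blocklist=BLOCKED_HOSTS) -> bool:
    """Match on DNS label boundaries: 'www.youtube.com' is blocked,
    'notfacebook.com' is not (a plain substring search would drop it)."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def verdict(frame: bytes) -> str:
    """The decision a userspace hook would return for one ingress frame."""
    payload = tcp_payload(frame)
    if not payload:
        return ACCEPT
    host = extract_http_host(payload)
    if host is None:
        return ACCEPT
    return DROP if host_is_blocked(host) else ACCEPT


def build_frame(payload: bytes, proto: int = 6) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame around payload (checksums
    left at zero; the inspection logic above does not verify them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


SAMPLE_FRAMES = {  # constructed inputs for the four cases that matter
    "youtube": build_frame(b"GET / HTTP/1.1\r\nHost: www.YouTube.com\r\n\r\n"),
    "lookalike": build_frame(b"GET / HTTP/1.1\r\nHost: notfacebook.com\r\n\r\n"),
    "other": build_frame(b"GET / HTTP/1.1\r\nHost: example.org:8080\r\n\r\n"),
    "udp": build_frame(b"Host: facebook.com", proto=17),  # not TCP: passed through
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:10s} -> {verdict(frame)}")
```

In a deployment, `verdict()` is what the hook callback would call before answering the firewall; the parsing and the label-boundary match are the part that neither BPF nor `pfcount`'s raw string search gives you. Two caveats a practitioner will hit: an HTTPS request carries no plaintext Host header, so the equivalent field there is the SNI in the TLS ClientHello, and a request whose headers are split across TCP segments needs stream reassembly before this per-packet check can see the Host line.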
