Hi Alfredo,
Thanks for the update. However, does any ntop application support
filtering out and blocking packets from reaching the browser/application
on the client based on host name/address? If yes, how?
regards
Prateek
On Wednesday 04 November 2015 06:36 PM, Alfredo Cardigliano wrote:
Hi Prateek
if you need to block packets to the same machine you have a few options:
1. interacting with the Linux firewall, using a hook from userspace for
inspecting ingress packets and returning a verdict to the firewall
2. using ZC drivers for bypassing the kernel (opening rx and tx sockets on "ethX")
and injecting them after inspection back to the kernel using the "stack:" module
(opening rx and tx sockets on "stack:ethX", respectively for capturing packets going
out of the machine, and injecting packets to the machine).
Alfredo
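Alfredo's first option (a userspace hook that inspects ingress packets and returns a verdict to the Linux firewall) needs one piece the thread does not show: the code that turns a packet into an accept/drop decision for a hostname blocklist. What follows is an added C example, not code from the thread, from PF_RING or from nDPI. It assumes the hook hands over the TCP payload of each packet, reads the hostname from either an HTTP Host header or the SNI of a TLS ClientHello, and matches it against a blocklist by domain suffix. The verdict enum, the function names and the sample ClientHello builder are constructed for this example; a real NFQUEUE callback (libnetfilter_queue) would map the result onto NF_ACCEPT/NF_DROP.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Verdicts the hook hands back to the firewall. Constructed names for this
 * example; an NFQUEUE callback would translate them to NF_ACCEPT / NF_DROP. */
enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

/* Pull the value of the "Host:" header out of an HTTP request payload.
 * Returns 1 and fills out[] on success, 0 if there is no usable Host line. */
static int http_host(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    const char *s = (const char *)p;
    size_t i = 0;
    while (i < n) {
        size_t j = i;
        while (j < n && s[j] != '\n') j++;                  /* end of this line */
        if (j == i || (j == i + 1 && s[i] == '\r')) break;   /* blank line: headers end */
        if (j - i > 5 && strncasecmp(s + i, "Host:", 5) == 0) {
            size_t k = i + 5, e = j;
            while (k < e && (s[k] == ' ' || s[k] == '\t')) k++;
            while (e > k && (s[e - 1] == '\r' || s[e - 1] == ' ')) e--;
            if (e == k || e - k >= outlen) return 0;
            memcpy(out, s + k, e - k);
            out[e - k] = '\0';
            return 1;
        }
        i = j + 1;
    }
    return 0;
}

/* Pull the server_name (SNI, RFC 6066) out of a TLS ClientHello payload.
 * Every offset is bounds-checked before it is read, so a truncated or
 * malformed record yields 0 instead of an out-of-bounds read. */
static int tls_sni(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    size_t i = 5;                                            /* skip record header */
    if (n < 6 || p[0] != 0x16 || p[5] != 0x01) return 0;     /* handshake, ClientHello */
    i += 4 + 2 + 32;                                         /* hs header, version, random */
    if (i >= n) return 0;
    i += 1 + p[i];                                           /* session id */
    if (i + 2 > n) return 0;
    i += 2 + ((size_t)p[i] << 8 | p[i + 1]);                 /* cipher suites */
    if (i >= n) return 0;
    i += 1 + p[i];                                           /* compression methods */
    if (i + 2 > n) return 0;
    size_t end = i + 2 + ((size_t)p[i] << 8 | p[i + 1]);     /* end of extensions */
    if (end > n) return 0;
    for (i += 2; i + 4 <= end; ) {
        unsigned type = p[i] << 8 | p[i + 1];
        size_t len = (size_t)p[i + 2] << 8 | p[i + 3];
        i += 4;
        if (i + len > end) return 0;
        if (type == 0) {                                     /* server_name extension */
            if (len < 5 || p[i + 2] != 0) return 0;          /* name_type must be host_name */
            size_t nl = (size_t)p[i + 3] << 8 | p[i + 4];
            if (nl == 0 || nl + 5 > len || nl >= outlen) return 0;
            memcpy(out, p + i + 5, nl);
            out[nl] = '\0';
            return 1;
        }
        i += len;
    }
    return 0;
}

/* Case-insensitive suffix match on label boundaries: "facebook.com" covers
 * "www.facebook.com" but not "notfacebook.com". */
static int host_blocked(const char *host, const char *const *blocklist)
{
    size_t hl = strlen(host);
    for (; *blocklist; blocklist++) {
        size_t bl = strlen(*blocklist);
        if (bl <= hl && strcasecmp(host + hl - bl, *blocklist) == 0
            && (bl == hl || host[hl - bl - 1] == '.'))
            return 1;
    }
    return 0;
}

/* The decision returned for one TCP payload. Segments that carry no hostname
 * (ACKs, later data) cannot be judged here and are accepted. */
enum verdict inspect_payload(const uint8_t *p, size_t n, const char *const *blocklist)
{
    char host[256];
    if (http_host(p, n, host, sizeof host) || tls_sni(p, n, host, sizeof host))
        return host_blocked(host, blocklist) ? VERDICT_DROP : VERDICT_ACCEPT;
    return VERDICT_ACCEPT;
}

/* Build a minimal, constructed ClientHello carrying the given SNI (sample input only). */
size_t build_client_hello(const char *sni, uint8_t *buf, size_t buflen)
{
    size_t nl = strlen(sni), ext = 9 + nl, body = 2 + 32 + 1 + 4 + 2 + 2 + ext;
    if (nl > 255 || 9 + body > buflen) return 0;
    uint8_t *q = buf;
    *q++ = 0x16; *q++ = 0x03; *q++ = 0x01;                   /* record: handshake */
    *q++ = (body + 4) >> 8; *q++ = (body + 4) & 0xff;
    *q++ = 0x01; *q++ = 0; *q++ = body >> 8; *q++ = body & 0xff;   /* ClientHello header */
    *q++ = 0x03; *q++ = 0x03;                                 /* client version */
    memset(q, 0xab, 32); q += 32;                             /* random (constant here) */
    *q++ = 0;                                                 /* empty session id */
    *q++ = 0; *q++ = 2; *q++ = 0x13; *q++ = 0x01;             /* one cipher suite */
    *q++ = 1; *q++ = 0;                                       /* null compression */
    *q++ = ext >> 8; *q++ = ext & 0xff;                       /* extensions length */
    *q++ = 0; *q++ = 0; *q++ = (nl + 5) >> 8; *q++ = (nl + 5) & 0xff;  /* server_name ext */
    *q++ = (nl + 3) >> 8; *q++ = (nl + 3) & 0xff;             /* server_name_list length */
    *q++ = 0; *q++ = nl >> 8; *q++ = nl & 0xff;               /* host_name, name length */
    memcpy(q, sni, nl);
    return (size_t)(q + nl - buf);
}

/* Sample blocklist from the thread and wrappers over constructed payloads. */
static const char *const BLOCKLIST[] = { "facebook.com", "youtube.com", NULL };

enum verdict verdict_for_http(const char *host)
{
    char req[512];
    int n = snprintf(req, sizeof req, "GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: demo\r\n\r\n", host);
    return inspect_payload((const uint8_t *)req, (size_t)n, BLOCKLIST);
}

enum verdict verdict_for_tls(const char *sni)
{
    uint8_t buf[512];
    size_t n = build_client_hello(sni, buf, sizeof buf);
    return inspect_payload(buf, n, BLOCKLIST);
}
```

Only the packet that carries the name (the HTTP request or the ClientHello) can be judged, so a production hook keeps a per-flow state table and drops the remaining segments of a flow it has already classified; otherwise a client that retransmits its ClientHello keeps the hook busy. It also shows why BPF, as Alfredo notes further down, is the wrong tool here: the decision depends on parsed application data, not on fixed header fields.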
On 04 Nov 2015, at 12:35, PRATEEK MOHANTY <[email protected]>
wrote:
Hi Alfredo,
I am trying to monitor all the packets and, based on host
name (youtube, facebook, ...), I want my system not to accept those packets (i.e.
block them from reaching browsers). So, for this to work I need to filter each
packet based on host name and, if the packet host name matches, drop it
there (either in userspace or kernel space).
In my understanding, the nDPI example application (ndpiReader) is able to give me
the statistics based on the time intervals provided. But I am not sure how to block
the packets coming to the application layer (browser) when they match the host name
provided (facebook or youtube).
In PF_RING using "pfcount", I am able to filter out each packet based on the host
name strings provided. But I am not sure how to filter and block these packets from reaching the
browser.
I am expecting some kind of solution idea for filtering out the packets based
on host name provided.
regards
Prateek
On Wednesday 04 November 2015 04:27 PM, Alfredo Cardigliano wrote:
Prateek
what do you mean by drop? Are you building an inline system? Or just
filtering packets before processing in a passive application?
Anyway, you should look at nDPI/examples/ndpiReader.c for L7 detection (you can
add hosts with -p in the example).
BPF is not what you are looking for.
Alfredo
On 04 Nov 2015, at 11:50, PRATEEK MOHANTY <[email protected]>
wrote:
Hi Alfredo,
- Okay. What should I pass with "-f" to pfcount so that it will drop the
packets?
- So, what does "pfcount -f <>" do then? Please provide some examples with results where
"pfcount -f <>" is used.
- Is there any way in any ntop package where I can filter and drop the packets
based on host string name?
regards
Prateek
On Wednesday 04 November 2015 04:08 PM, Alfredo Cardigliano wrote:
Hi Prateek
please note that bpf filters (when used with standard drivers) drop packets in
kernel space, while string matching happens in userspace inside pfcount.c.
You cannot use bpf for string matching.
Alfredo
On 04 Nov 2015, at 11:31, PRATEEK MOHANTY <[email protected]>
wrote:
Hi Alfredo,
Yes. Running "pfcount --help" shows that -f <filter> [BPF filter] can be passed.
I am trying to block and drop the packets if they match the host name, such as youtube, facebook.
In "userland/string.sample", I have kept the facebook and youtube strings. I am
giving the following command.
ex: ./pfcount -i eth0 -x string.sample -o 1.txt
(This is filtering out matched packets and keeping statistics in 1.txt.log file)
-> My question is: what should I pass with -f <?> to block and drop those
matched packets?
ex: ./pfcount -i eth0 -x string.sample -o 1.txt -f <?>
regards
Prateek
On Wednesday 04 November 2015 02:51 PM, Alfredo Cardigliano wrote:
Please take a look at pfcount.c, it includes the examples you need.
-f expects a bpf filter (string)
Alfredo
On 04 Nov 2015, at 08:49, PRATEEK MOHANTY <[email protected]>
wrote:
Hi Alfredo,
I have checked the doxygen docs for bpf_filter, but couldn't find any examples. I am using
the pfcount application but am not sure what to pass with the "-f" option. Could you
give some example commands for BPF and hash/wildcard filters?
regards
Prateek
On Wednesday 04 November 2015 01:05 PM, PRATEEK MOHANTY wrote:
Hi Alfredo,
Thanks for the reply. I have a few doubts, please help me clear them.
1. Can I use PF_RING for per-wifi VAPs?
2. Can I filter packets based on host strings like facebook, youtube and drop
those packets? If yes, how?
3. How are nDPI and PF_RING different?
4. Can I use nDPI for wifi VAP interfaces with a MIPS processor?
regards
Prateek
On Wednesday 04 November 2015 12:34 PM, Alfredo Cardigliano wrote:
Hi Prateek
1. bpf filters: see documentation for pfring_set_bpf_filter in doxygen and
pfcount -f as example
2. hash filters: see documentation for pfring_handle_hash_filtering_rule in
doxygen and pfcount -u 1 as example
3. wildcard filters: see documentation for pfring_add_filtering_rule in doxygen
and pfcount -u 2 as example
Alfredo
On 04 Nov 2015, at 07:39, PRATEEK MOHANTY <[email protected]>
wrote:
Hi Team,
I am new to PF_RING and need to understand the filtering technique in it.
Please give some examples of using BPF filters and HASH/WILDCARD filters. Any
document would help.
thanks
Prateek
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc