Hi Prateek,
if you want an application ready for use, you can use ntopng Pro for that. At the moment it works in passive mode only on top of netfilter, but we are adding support for bridge mode soon.

Alfredo

> On 04 Nov 2015, at 14:19, PRATEEK MOHANTY <[email protected]> wrote:
>
> Hi Alfredo,
>
> Thanks for the update. However, does any ntop application support filtering out and blocking packets from reaching the browser/application on the client, based on host name/address? If yes, how?
>
> regards
> Prateek
>
> On Wednesday 04 November 2015 06:36 PM, Alfredo Cardigliano wrote:
>> Hi Prateek
>> if you need to block packets to the same machine you have a few options:
>> 1. interacting with the Linux firewall, using a hook from userspace for inspecting ingress packets and returning a verdict to the firewall
>> 2. using ZC drivers for bypassing the kernel (opening rx and tx sockets on "ethX") and injecting them after inspection back to the kernel using the "stack:" module (opening rx and tx sockets on "stack:ethX", respectively for capturing packets going out of the machine, and injecting packets to the machine).
>>
>> Alfredo
>>
>>> On 04 Nov 2015, at 12:35, PRATEEK MOHANTY <[email protected]> wrote:
>>>
>>> Hi Alfredo,
>>>
>>> I am trying to monitor all the packets and, based on host name (youtube, facebook, ...), I want my system not to accept those packets (i.e. block them from reaching browsers). So, for this to work I need to filter each packet based on host name and, if the packet host name matches, drop it there (either in userspace or kernel space).
>>>
>>> In my understanding, the nDPI example application (ndpiReader) is able to give me the statistics based on the time intervals provided. But I am not sure how to block the packets coming to the application layer (browser) when they match the host name provided (facebook or youtube).
>>>
>>> In PF_RING using "pfcount", I am able to filter out each packet based on the host name strings provided. But I am not sure how to filter and block these packets from coming to the browser.
>>>
>>> I am expecting some kind of solution idea for filtering out the packets based on the host name provided.
>>>
>>> regards
>>> Prateek
>>>
>>> On Wednesday 04 November 2015 04:27 PM, Alfredo Cardigliano wrote:
>>>> Prateek
>>>> what do you mean with drop? Are you building an inline system? Or just filtering packets before processing in a passive application?
>>>> Anyway, you should look at nDPI/examples/ndpiReader.c for L7 detection (you can add hosts with -p in the example).
>>>> BPF is not what you are looking for.
>>>>
>>>> Alfredo
>>>>
>>>>> On 04 Nov 2015, at 11:50, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>
>>>>> Hi Alfredo,
>>>>>
>>>>> - Okay. What should I pass with "-f" to pfcount so that it will drop the packets?
>>>>> - So, what does "pfcount -f <>" do then? Please provide some examples with results where "pfcount -f <>" is used.
>>>>> - Is there any way in any ntop package where I can filter and drop the packets based on host string name?
>>>>>
>>>>> regards
>>>>> Prateek
>>>>>
>>>>> On Wednesday 04 November 2015 04:08 PM, Alfredo Cardigliano wrote:
>>>>>> Hi Prateek
>>>>>> please note that bpf filters (when used with standard drivers) drop packets in kernel space, while string matching happens in userspace inside pfcount.c. You cannot use bpf for string matching.
>>>>>>
>>>>>> Alfredo
>>>>>>
>>>>>>> On 04 Nov 2015, at 11:31, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Alfredo,
>>>>>>>
>>>>>>> Yes. Running "pfcount --help" shows to pass -f <filter> [BPF filter].
>>>>>>> I am trying to block and drop the packets if they match the host name as youtube, facebook. In "userland/string.sample", I have kept the facebook and youtube strings. I am giving the following command.
>>>>>>> ex: ./pfcount -i eth0 -x string.sample -o 1.txt
>>>>>>> (This is filtering out matched packets and keeping statistics in the 1.txt.log file)
>>>>>>>
>>>>>>> -> My question is: what should I pass with -f <?> to block and drop those matched packets?
>>>>>>> ex: ./pfcount -i eth0 -x string.sample -o 1.txt -f <?>
>>>>>>>
>>>>>>> regards
>>>>>>> Prateek
>>>>>>>
>>>>>>> On Wednesday 04 November 2015 02:51 PM, Alfredo Cardigliano wrote:
>>>>>>>> Please take a look at pfcount.c, it includes the examples you need.
>>>>>>>> -f expects a bpf filter (string)
>>>>>>>>
>>>>>>>> Alfredo
>>>>>>>>
>>>>>>>>> On 04 Nov 2015, at 08:49, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi Alfredo,
>>>>>>>>>
>>>>>>>>> I have checked the doxygen docs for bpf_filter, but couldn't find any examples. I am using the pfcount application but am not sure what to pass with the "-f" notation. Could you give some example commands for BPF, hash/wildcard filters?
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>> Prateek
>>>>>>>>>
>>>>>>>>> On Wednesday 04 November 2015 01:05 PM, PRATEEK MOHANTY wrote:
>>>>>>>>>> Hi Alfredo,
>>>>>>>>>>
>>>>>>>>>> Thanks for the reply. I have a few doubts, please help me to clear them.
>>>>>>>>>>
>>>>>>>>>> 1. Can I use PF_RING for per-wifi VAPs?
>>>>>>>>>> 2. Can I filter packets based on host strings like facebook, youtube and drop those packets? If yes, how?
>>>>>>>>>> 3. How are nDPI and PF_RING different?
>>>>>>>>>> 4. Can I use nDPI for wifi vap interfaces with a mips processor?
>>>>>>>>>>
>>>>>>>>>> regards
>>>>>>>>>> Prateek
>>>>>>>>>>
>>>>>>>>>> On Wednesday 04 November 2015 12:34 PM, Alfredo Cardigliano wrote:
>>>>>>>>>>> Hi Prateek
>>>>>>>>>>> 1. bpf filters: see documentation for pfring_set_bpf_filter in doxygen and pfcount -f as example
>>>>>>>>>>> 2. hash filters: see documentation for pfring_handle_hash_filtering_rule in doxygen and pfcount -u 1 as example
>>>>>>>>>>> 3. wildcard filters: see documentation for pfring_add_filtering_rule in doxygen and pfcount -u 2 as example
>>>>>>>>>>>
>>>>>>>>>>> Alfredo
>>>>>>>>>>>
>>>>>>>>>>>> On 04 Nov 2015, at 07:39, PRATEEK MOHANTY <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>
>>>>>>>>>>>> I am new to PF_RING and need to understand the filtering technique in it.
>>>>>>>>>>>> Please give some examples for using BPF filters and HASH/WILDCARD filters. Any document would help.
>>>>>>>>>>>>
>>>>>>>>>>>> thanks
>>>>>>>>>>>> Prateek
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Ntop-misc mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
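Alfredo's point in the thread is that a BPF filter can only match header fields in the kernel, while matching on a host name needs the payload parsed in userspace; his option 1 is a userspace hook that inspects each ingress packet and hands a verdict back to the firewall. The block below is an added example, not code from the thread, from pfcount or from PF_RING: it is the verdict function such a hook would run, pulling the host from a plaintext HTTP Host header or a TLS ClientHello SNI and checking it against a constructed blocklist that stands in for string.sample. The frame builder makes minimal Ethernet/IPv4/TCP frames without checksums for offline testing; delivering frames to the function (NFQUEUE, a PF_RING "stack:" socket) is assumed and not shown.

```python
import struct

BLOCKED_HOSTS = ("facebook", "youtube")  # constructed stand-in for the thread's string.sample

def tcp_payload(frame: bytes):
    """Strip Ethernet/IPv4/TCP headers; None unless the frame is an intact IPv4/TCP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    return tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else None

def http_host(payload: bytes):
    """Lower-cased Host header of a plaintext HTTP request, or None."""
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().lower().decode("ascii", "replace")
    return None

def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello (the host name HTTPS still sends in clear), or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # TLS handshake record, ClientHello
            return None
        p = 44 + payload[43]                                   # fixed fields + session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]      # cipher suites
        p += 1 + payload[p]                                    # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0] # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            if etype == 0:  # server_name: list len(2), name type(1), name len(2), name
                nlen = struct.unpack("!H", payload[p + 7:p + 9])[0]
                return payload[p + 9:p + 9 + nlen].decode("ascii", "replace").lower()
            p += 4 + elen
    except (IndexError, struct.error):  # truncated or malformed hello
        return None

def verdict(frame: bytes) -> str:
    """Decision the userspace hook hands back to the firewall for one ingress frame."""
    payload = tcp_payload(frame)
    host = (http_host(payload) or tls_sni(payload)) if payload else None
    return "DROP" if host and any(b in host for b in BLOCKED_HOSTS) else "ACCEPT"

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (no checksums) wrapping payload, for offline tests."""
    ip = b"\x45\x00" + struct.pack("!H", 40 + len(payload)) + b"\x00" * 4 + b"\x40\x06" + b"\x00" * 10
    tcp = b"\x00" * 12 + b"\x50\x18" + b"\x00" * 6
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
```

Only the first segment of a flow carries the Host header or the ClientHello, so a real hook has to remember the verdict per 5-tuple and apply it to the rest of the connection.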
