Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?

2015-06-19 Thread Daniel Borkmann

On 06/19/2015 10:46 AM, Vadim Kochan wrote:
...

OK here is another (may be better) design.

Here is an example of the cfg script:

{
 eth
 {
 dst: eth_addr(AA:BB:CC:DD:EE:FF)
 proto: ipv4,
 }
 ip
 {
 src: ip_addr(192.168.1.1)
 dst: ip_addr(192.168.1.2)
 }
 tcp
 {
 flags: syn | ack
 }
}

Needs some refactoring of the trafgen code & existing cfg funcs to allow using &
manipulating the current packet offset variable.

Each proto should be registered via struct proto_gen:

struct proto_field {
 int id;
 uint32_t offset;
 uint32_t len;
};

struct proto_value {
 void *value;
 uint32_t len;
};

struct proto_gen {
 struct cfg_ctx *ctx;

 /* get field name info - id, len, offset */
 struct proto_field *(*field_parse)(struct proto_gen *prot, char *name);

 /* indicates that this field was filled */
 void (*field_set)(struct proto_gen *proto, struct proto_field *field);

 /* get info about some proto defined const value */
 struct proto_value *(*value_get)(struct proto_gen *proto, struct proto_field *field, char *name);

 /* fill the rest unfilled fields */
 void (*fill)(struct proto_gen *prot, uint8_t *hdr);

 /* finish after whole packet was built */
 void (*finish)(struct proto_gen *prot, uint8_t *data, int len);
};

Each proto hdr field can be filled by specifying the field name, separated by ':',
and a macro/func which will fill the bytes. The field may be filled with any
existing trafgen macro (const(), rnd() - the field len should be
considered). Also some additional macros/funcs should be added - ipv4_addr,
eth_addr, etc.

The parser will look up & keep a struct proto_gen proto_ptr when the proto section
is entered (when '#proto {' was parsed), and the parser can call
proto_ptr->field_parse to obtain the field information by name (id,
offset, len), then change the current packet offset & call the macro/func
which will fill the field. Then the parser should call proto_ptr->field_set
to let the proto_gen know which field was filled. At the end the parser
will call proto_ptr->fill to fill the rest of the unfilled fields with some
default values & fill the csum fields if needed.

While filling the default field values the proto_gen should know some of
trafgen's context info - interface id, and maybe some other info which may
help to construct such unfilled fields like dst/src Ethernet addresses or
src/dst IP addresses.

Also it is possible that each proto_gen may have some own defined values like
flag names which can be evaluated via proto_gen->value_get where a field pointer
may be specified. It might be useful if these values can be a part of expressions
like: syn | ack.

At the end the parser will walk over each proto from the higher layer to do a last
call proto_gen->finish where each proto may do some calculations and fill some
unfilled fields.
Meanwhile I am not sure if it will be needed.

Well this is very conceptual and I will try to prepare a better version which
would consider the existing trafgen code & cfg syntax parser.


Ok, how would all of this tie together with flex and bison that we
use for trafgen as parser generator? It looks on a first glance that
this design would be outside of that scope?

Cheers,
Daniel

--
You received this message because you are subscribed to the Google Groups 
netsniff-ng group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect

2015-06-19 Thread Daniel Borkmann

On 06/20/2015 12:38 AM, Vadim Kochan wrote:
...

Regarding cleanups ... what do you think about change pcap_pkthdr_t to:

typedef struct {
union {
struct pcap_pkthdr  ppo;
struct pcap_pkthdr_ns   ppn;
struct pcap_pkthdr_ll   ppo_ll;
struct pcap_pkthdr_ns_llppn_ll;
struct pcap_pkthdr_kuz  ppk;
struct pcap_pkthdr_bkm  ppb;
uint8_t raw;
} h;
pcap_type_t type;
} pcap_pkthdr_t;

which will allow removing the 'type' argument from I/O & other pcap functions ...
and makes calling these functions shorter ...


Seems okay with me, but depends on how the actual code looks eventually. ;)



Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect

2015-06-19 Thread Vadim Kochan
On Fri, Jun 19, 2015 at 11:13:54PM +0200, Daniel Borkmann wrote:
 On 06/19/2015 10:58 PM, Vadim Kochan wrote:
 On Fri, Jun 19, 2015 at 10:47:49PM +0200, Daniel Borkmann wrote:
 ...
 @@ -737,6 +837,24 @@ static inline void pcap_validate_header(const struct 
 pcap_filehdr *hdr)
 if (unlikely(hdr-version_minor != PCAP_VERSION_MINOR) 
  ___constant_swab16(hdr-version_minor) != 
  PCAP_VERSION_MINOR)
 panic(This file has an invalid pcap minor version (must be 
  %d)\n, PCAP_VERSION_MINOR);
 +
 +   /* Remap to internal *_LL types in case of LINKTYPE_LINUX_SLL. */
 +   if (linktype == LINKTYPE_LINUX_SLL) {
 should not link_has_sll_hdr() be used here?
 
 Why? At this point, when reading a pcap file, basic validation has already
 been done and linktype is in host endianness. In netsniff-ng, we write out
 the pcap header as LINKTYPE_LINUX_SLL in case of Netlink.
 
 In case some other source doesn't use LINKTYPE_LINUX_SLL but LINKTYPE_NETLINK,
 we actually need not assume cooked format.
My understanding is that linktype might be set to LINKTYPE_NETLINK if it
was sniffed only from a Netlink interface which uses the same sll header
format but ignoring a few fields - address & address len.

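The cooked-header read path discussed above (magic detection, link type check, then the 16-byte LINKTYPE_LINUX_SLL header in front of each packet) as an added standalone example in C. This is not netsniff-ng's code: it shows the checks a reader needs before trusting a record (caplen against the remaining file, caplen against the SLL header size, halen against the 8-byte address field) and that the SLL fields are read big-endian no matter which byte order the pcap magic announces. The sample file from build_sample_file() is constructed for the demo, not a real capture, and the function names and error codes are assumptions of this example.

```c
/* Added example, not netsniff-ng code: a minimal reader for classic pcap
 * files whose link type is LINKTYPE_LINUX_SLL (113). It detects native vs
 * byte-swapped magics, bounds-checks caplen before touching a record, and
 * reads the cooked header in network byte order whatever the file's order.
 * The sample file from build_sample_file() is constructed, not a capture. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC_USEC    0xa1b2c3d4u   /* classic, microsecond timestamps */
#define PCAP_MAGIC_NSEC    0xa1b23c4du   /* nanosecond-timestamp variant    */
#define PCAP_FILE_HDR_LEN  24u
#define PCAP_REC_HDR_LEN   16u
#define LINKTYPE_LINUX_SLL 113u
#define SLL_HDR_LEN        16u           /* the cooked header is fixed-size */

struct pcap_file { const uint8_t *buf; size_t len; bool swapped; uint32_t linktype; };

struct sll_record {
    uint32_t caplen, wirelen;
    uint16_t pkttype, hatype, halen, protocol;
    uint8_t  addr[8];
    size_t   l3_off;   /* file offset of the payload following the SLL header */
};

static uint32_t bswap32(uint32_t v)
{ return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24); }

/* pcap file/record header words use the writer's byte order, given by the magic. */
static uint32_t rd32_file(const struct pcap_file *f, size_t off)
{ uint32_t v; memcpy(&v, f->buf + off, sizeof v); return f->swapped ? bswap32(v) : v; }

/* SLL fields are always big-endian, independent of the pcap magic. */
static uint16_t rd16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

int pcap_open_buf(struct pcap_file *f, const uint8_t *buf, size_t len)
{
    uint32_t magic;
    if (len < PCAP_FILE_HDR_LEN)
        return -1;
    memcpy(&magic, buf, sizeof magic);
    f->buf = buf;
    f->len = len;
    if (magic == PCAP_MAGIC_USEC || magic == PCAP_MAGIC_NSEC)
        f->swapped = false;
    else if (bswap32(magic) == PCAP_MAGIC_USEC || bswap32(magic) == PCAP_MAGIC_NSEC)
        f->swapped = true;
    else
        return -2;                         /* unknown magic: reject, do not guess */
    f->linktype = rd32_file(f, 20);
    return 0;
}

/* Parse the record at *off; on success *off is advanced to the next record. */
int pcap_next_sll(const struct pcap_file *f, size_t *off, struct sll_record *r)
{
    size_t data;
    const uint8_t *p;
    if (f->linktype != LINKTYPE_LINUX_SLL)
        return -1;
    if (*off > f->len || f->len - *off < PCAP_REC_HDR_LEN)
        return -2;                         /* no complete record header left */
    r->caplen  = rd32_file(f, *off + 8);
    r->wirelen = rd32_file(f, *off + 12);
    data = *off + PCAP_REC_HDR_LEN;
    if (r->caplen > f->len - data)
        return -3;                         /* caplen claims more than the file holds */
    if (r->caplen < SLL_HDR_LEN)
        return -4;                         /* too short to hold a cooked header */
    p = f->buf + data;
    r->pkttype  = rd16_be(p);
    r->hatype   = rd16_be(p + 2);
    r->halen    = rd16_be(p + 4);
    memcpy(r->addr, p + 6, sizeof r->addr);
    r->protocol = rd16_be(p + 14);
    if (r->halen > sizeof r->addr)
        return -5;                         /* halen cannot exceed the 8-byte field */
    r->l3_off = data + SLL_HDR_LEN;
    *off = data + r->caplen;
    return 0;
}

/* Constructed sample: one cooked IPv4 record, emitted big- or little-endian
 * so both magic paths get exercised on any host. */
static void put16(uint8_t *p, uint16_t v, bool be)
{ p[be ? 0 : 1] = (uint8_t)(v >> 8); p[be ? 1 : 0] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v, bool be)
{ put16(p, (uint16_t)(be ? v >> 16 : v), be); put16(p + 2, (uint16_t)(be ? v : v >> 16), be); }

size_t build_sample_file(uint8_t *out, bool be)
{
    static const uint8_t pkt[36] = {
        0x00, 0x00, 0x00, 0x01, 0x00, 0x06,              /* pkttype, hatype, halen */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,  /* addr, 8 bytes          */
        0x08, 0x00,                                      /* protocol: IPv4         */
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,  /* minimal IPv4 header    */
        0x40, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02 };
    const uint32_t words[8] = { 0, 0, 65535, LINKTYPE_LINUX_SLL,    /* thiszone, sigfigs, snaplen, linktype */
                                1434700000u, 0, sizeof pkt, sizeof pkt }; /* ts_sec, ts_usec, caplen, len */
    uint8_t *p = out;
    put32(p, PCAP_MAGIC_USEC, be); p += 4;
    put16(p, 2, be); p += 2;                 /* version 2.4 */
    put16(p, 4, be); p += 2;
    for (size_t i = 0; i < 8; i++, p += 4)
        put32(p, words[i], be);
    memcpy(p, pkt, sizeof pkt);
    return (size_t)(p - out) + sizeof pkt;   /* 24 + 16 + 36 = 76 */
}

int main(void)
{
    uint8_t buf[128];
    struct pcap_file f;
    struct sll_record r;
    size_t off = PCAP_FILE_HDR_LEN;
    if (pcap_open_buf(&f, buf, build_sample_file(buf, true)) || pcap_next_sll(&f, &off, &r))
        return 1;
    printf("swapped=%d hatype=%u halen=%u proto=0x%04x l3_off=%zu\n", (int)f.swapped,
           (unsigned)r.hatype, (unsigned)r.halen, (unsigned)r.protocol, r.l3_off);
    return 0;
}
```

Whichever byte order the sample is written in, the parsed record is the same; the only thing the magic changes is how the pcap header words are read, and the SLL header is never swapped.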


Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect

2015-06-19 Thread Daniel Borkmann

On 06/19/2015 11:37 PM, Vadim Kochan wrote:
...

I've never applied patches from emails; I tried to do it in mutt by saving as
attachments or mbox, I even cut until the 'diff' line, but with no luck
applying this. Maybe you can suggest some workflow with mutt for
patches via email?


Ok, so here's both as an attachment, also your dissector on top,
which works fine for me.

(I usually save the whole source and git am it.)

From 045e9395ca9c2971ab7f7a886f5d6b4cf679c7fd Mon Sep 17 00:00:00 2001
Message-Id: 045e9395ca9c2971ab7f7a886f5d6b4cf679c7fd.1434749532.git.dan...@iogearbox.net
From: Daniel Borkmann dan...@iogearbox.net
Date: Fri, 19 Jun 2015 00:30:31 +0200
Subject: [PATCH 1/2] pcap_io: add cooked mode support

Originally submitted by Vadim in a different form, he wrote:

  Use Linux cooked header for Netlink interface automatically or
  as replacement of L2 header if --cooked option is specified:

http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

  'Cooked headers' makes sense to use for default or nsec pcap
  types which does not contain protocol info.

  Added new LINKTYPE_LINUX_SLL which indicates pcap file with
  Linux cooked header as L2 layer header. This pcap file is
  compatible with Wireshark's cooked header & vice-versa.

Signed-off-by: Vadim Kochan vadi...@gmail.com
Signed-off-by: Daniel Borkmann dan...@iogearbox.net
---
 netsniff-ng.c |  17 ++
 pcap_io.h | 192 +++---
 2 files changed, 172 insertions(+), 37 deletions(-)

diff --git a/netsniff-ng.c b/netsniff-ng.c
index 0a9c620..e593b9d 100644
--- a/netsniff-ng.c
+++ b/netsniff-ng.c
@@ -1519,6 +1519,23 @@ int main(int argc, char **argv)
 
 		if (!ctx.link_type)
 			ctx.link_type = pcap_dev_to_linktype(ctx.device_in);
+		if (link_has_sll_hdr(ctx.link_type)) {
+			switch (ctx.magic) {
+			case ORIGINAL_TCPDUMP_MAGIC:
+ctx.magic = ORIGINAL_TCPDUMP_MAGIC_LL;
+break;
+			case NSEC_TCPDUMP_MAGIC:
+ctx.magic = NSEC_TCPDUMP_MAGIC_LL;
+break;
+			case ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC):
+ctx.magic = ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC_LL);
+break;
+			case ___constant_swab32(NSEC_TCPDUMP_MAGIC):
+ctx.magic = ___constant_swab32(NSEC_TCPDUMP_MAGIC_LL);
+break;
+			}
+		}
+
 
 		if (!ctx.device_out) {
 			ctx.dump = 0;
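Review bot: the switch on ctx.magic has no default arm, so with an SLL link type and a KUZNETZOV or BORKMANN magic ctx.magic stays as it is and no cooked header is written; if that is intended (the commit message says cooked headers only make sense for the default/nsec types), a one-line comment or a warning at that point would keep a user who combines --cooked with those formats from guessing. Also the last added line is an empty `+` line directly above the existing blank context line, which leaves a double blank before `if (!ctx.device_out)`.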
diff --git a/pcap_io.h b/pcap_io.h
index 497e453..5beccf9 100644
--- a/pcap_io.h
+++ b/pcap_io.h
@@ -27,6 +27,8 @@
 #define TCPDUMP_MAGIC0xa1b2c3d4
 #define ORIGINAL_TCPDUMP_MAGIC			TCPDUMP_MAGIC
 #define NSEC_TCPDUMP_MAGIC			0xa1b23c4d
+#define ORIGINAL_TCPDUMP_MAGIC_LL		0xb1b2c3d4	/* Internal dummy just for mapping */
+#define NSEC_TCPDUMP_MAGIC_LL			0xb1b23c4d	/* Internal dummy just for mapping */
 #define KUZNETZOV_TCPDUMP_MAGIC			0xa1b2cd34
 #define BORKMANN_TCPDUMP_MAGIC			0xa1e2cb12
 
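Review bot: ORIGINAL_TCPDUMP_MAGIC_LL and NSEC_TCPDUMP_MAGIC_LL (0xb1b2c3d4, 0xb1b23c4d) are not magics any other pcap reader knows, so two invariants follow from "Internal dummy just for mapping": the write path must turn them back into TCPDUMP_MAGIC / NSEC_TCPDUMP_MAGIC before the file header hits disk, and the read path must reject a file whose header really carries 0xb1b2c3d4 instead of treating it as cooked. Neither is visible in this hunk; a comment naming where the mapping back happens (and a test that reads a file carrying the dummy magic) would make both checkable.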
@@ -78,6 +80,20 @@ struct pcap_pkthdr_ns {
 	uint32_t len;
 };
 
+struct pcap_pkthdr_ll {
+	struct pcap_timeval ts;
+	uint32_t caplen;
+	uint32_t len;
+	struct pcap_ll ll;
+};
+
+struct pcap_pkthdr_ns_ll {
+	struct pcap_timeval_ns ts;
+	uint32_t caplen;
+	uint32_t len;
+	struct pcap_ll ll;
+};
+
 struct pcap_pkthdr_kuz {
 	struct pcap_timeval ts;
 	uint32_t caplen;
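Review bot: pcap_pkthdr_ll and pcap_pkthdr_ns_ll put `struct pcap_ll ll` straight after `len`, so their on-disk layout is only right if pcap_ll is exactly the 16-byte LINKTYPE_LINUX_SLL header and no padding is inserted between `len` and `ll`; pcap_ll is not in this hunk, so a compile-time size check next to these definitions (sizeof pcap_pkthdr_ll == sizeof pcap_pkthdr + 16) would document that. Separately, the SLL fields are in network byte order regardless of the pcap magic, so the swapped-magic read and write paths must byte-swap `ts`, `caplen` and `len` but leave `ll` alone.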
@@ -99,21 +115,27 @@ struct pcap_pkthdr_bkm {
 };
 
 typedef union {
-	struct pcap_pkthdr	ppo;
-	struct pcap_pkthdr_ns	ppn;
-	struct pcap_pkthdr_kuz	ppk;
-	struct pcap_pkthdr_bkm	ppb;
-	uint8_t			raw;
+	struct pcap_pkthdr		ppo;
+	struct pcap_pkthdr_ns		ppn;
+	struct pcap_pkthdr_ll		ppo_ll;
+	struct pcap_pkthdr_ns_ll	ppn_ll;
+	struct pcap_pkthdr_kuz		ppk;
+	struct pcap_pkthdr_bkm		ppb;
+	uint8_traw;
 } pcap_pkthdr_t;
 
 enum pcap_type {
 	DEFAULT		  =	ORIGINAL_TCPDUMP_MAGIC,
 	NSEC		  =	NSEC_TCPDUMP_MAGIC,
+	DEFAULT_LL	  =	ORIGINAL_TCPDUMP_MAGIC_LL,
+	NSEC_LL		  =	NSEC_TCPDUMP_MAGIC_LL,
 	KUZNETZOV	  =	KUZNETZOV_TCPDUMP_MAGIC,
 	BORKMANN	  =	BORKMANN_TCPDUMP_MAGIC,
 
 	DEFAULT_SWAPPED	  =	___constant_swab32(ORIGINAL_TCPDUMP_MAGIC),
 	NSEC_SWAPPED	  =	___constant_swab32(NSEC_TCPDUMP_MAGIC),
+	DEFAULT_LL_SWAPPED =	___constant_swab32(ORIGINAL_TCPDUMP_MAGIC_LL),
+	NSEC_LL_SWAPPED	  =	___constant_swab32(NSEC_TCPDUMP_MAGIC_LL),
 	KUZNETZOV_SWAPPED =	___constant_swab32(KUZNETZOV_TCPDUMP_MAGIC),
 	BORKMANN_SWAPPED  =	___constant_swab32(BORKMANN_TCPDUMP_MAGIC),
 };
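Review bot: adding DEFAULT_LL, NSEC_LL and their *_SWAPPED values to enum pcap_type means every switch over the type elsewhere in pcap_io.h (header size lookup, the read/write helpers, pcap_validate_header) needs matching cases, otherwise a cooked capture ends up in whatever default arm those switches have; this hunk only shows the enum, so please confirm the remaining hunks cover each of them, ideally with the swapped variants handled in the same arm as the native ones.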
@@ -244,6 +266,19 @@ static inline int pcap_devtype_to_linktype(int dev_type)
 	}
 }
 
+static inline bool link_has_sll_hdr(uint32_t link_type)
+{
+	switch (link_type) {
+	case LINKTYPE_NETLINK:
+	case LINKTYPE_LINUX_SLL:
+	case ___constant_swab32(LINKTYPE_NETLINK):
+	case ___constant_swab32(LINKTYPE_LINUX_SLL):
+		return true;
+	default:
+		return false;
+	}
+}
+
 static inline int pcap_dev_to_linktype(const char *ifname)
 {
 	return 
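Review bot: link_has_sll_hdr() matches both host-order and byte-swapped LINKTYPE_NETLINK / LINKTYPE_LINUX_SLL, but its only caller in this patch passes ctx.link_type from pcap_dev_to_linktype(), which is host order, so the two swapped cases are either dead code or meant for raw file-header values; a comment stating which callers may pass unswapped values would settle that. It also counts LINKTYPE_NETLINK as having an SLL header, while the pcap_validate_header remap quoted later in this thread keys on LINKTYPE_LINUX_SLL only; the two should agree, or the asymmetry should be documented where the remap is done.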

Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect

2015-06-19 Thread Daniel Borkmann

On 06/18/2015 11:49 AM, Daniel Borkmann wrote:

On 06/18/2015 11:42 AM, Vadim Kochan wrote:

On Thu, Jun 18, 2015 at 10:45:29AM +0200, Daniel Borkmann wrote:

I've started splitting this into smaller digestible chunks,
couple of more evenings and it should be done from my side.
Thanks for your patience.


But implementation now is OK in the last original patch series v2 ?


The only missing piece from your first patch I need to go through
is the pcap i/o parts. I wanted to check if two new dummy types
are possible (where we'd have transparent mapping - so it would be
semantically the same as this patch), whether they result in a
smaller code diff and would have lesser impact on the fast path.
If that's the case, I'd go for that, if not I will take the current
remaining piece. Will let you know.


Okay, here it goes. I tested this with capturing from netsniff-ng,
reading via Wireshark and capturing from Wireshark and reading via
netsniff-ng.

Seems fine, please double check it.

All in all this should have less overhead and result in smaller
code diff. Apart from that, the pcap_io.h might need some cleanups
anyway.

[PATCH] pcap_io: add cooked mode support

Originally submitted by Vadim in a different form, he wrote:

  Use Linux cooked header for Netlink interface automatically or
  as replacement of L2 header if --cooked option is specified:

http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html

  'Cooked headers' makes sense to use for default or nsec pcap
  types which does not contain protocol info.

  Added new LINKTYPE_LINUX_SLL which indicates pcap file with
  Linux cooked header as L2 layer header. This pcap file is
  compatible with Wireshark's cooked header & vice-versa.

Signed-off-by: Vadim Kochan vadi...@gmail.com
Signed-off-by: Daniel Borkmann dan...@iogearbox.net
---
 netsniff-ng.c |  17 ++
 pcap_io.h | 192 +++---
 2 files changed, 172 insertions(+), 37 deletions(-)

diff --git a/netsniff-ng.c b/netsniff-ng.c
index 0a9c620..e593b9d 100644
--- a/netsniff-ng.c
+++ b/netsniff-ng.c
@@ -1519,6 +1519,23 @@ int main(int argc, char **argv)

if (!ctx.link_type)
ctx.link_type = pcap_dev_to_linktype(ctx.device_in);
+   if (link_has_sll_hdr(ctx.link_type)) {
+   switch (ctx.magic) {
+   case ORIGINAL_TCPDUMP_MAGIC:
+   ctx.magic = ORIGINAL_TCPDUMP_MAGIC_LL;
+   break;
+   case NSEC_TCPDUMP_MAGIC:
+   ctx.magic = NSEC_TCPDUMP_MAGIC_LL;
+   break;
+   case ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC):
+   ctx.magic = 
___constant_swab32(ORIGINAL_TCPDUMP_MAGIC_LL);
+   break;
+   case ___constant_swab32(NSEC_TCPDUMP_MAGIC):
+   ctx.magic = 
___constant_swab32(NSEC_TCPDUMP_MAGIC_LL);
+   break;
+   }
+   }
+

if (!ctx.device_out) {
ctx.dump = 0;
diff --git a/pcap_io.h b/pcap_io.h
index 497e453..5beccf9 100644
--- a/pcap_io.h
+++ b/pcap_io.h
@@ -27,6 +27,8 @@
 #define TCPDUMP_MAGIC  0xa1b2c3d4
 #define ORIGINAL_TCPDUMP_MAGIC TCPDUMP_MAGIC
 #define NSEC_TCPDUMP_MAGIC 0xa1b23c4d
+#define ORIGINAL_TCPDUMP_MAGIC_LL  0xb1b2c3d4  /* Internal 
dummy just for mapping */
+#define NSEC_TCPDUMP_MAGIC_LL  0xb1b23c4d  /* Internal 
dummy just for mapping */
 #define KUZNETZOV_TCPDUMP_MAGIC0xa1b2cd34
 #define BORKMANN_TCPDUMP_MAGIC 0xa1e2cb12

@@ -78,6 +80,20 @@ struct pcap_pkthdr_ns {
uint32_t len;
 };

+struct pcap_pkthdr_ll {
+   struct pcap_timeval ts;
+   uint32_t caplen;
+   uint32_t len;
+   struct pcap_ll ll;
+};
+
+struct pcap_pkthdr_ns_ll {
+   struct pcap_timeval_ns ts;
+   uint32_t caplen;
+   uint32_t len;
+   struct pcap_ll ll;
+};
+
 struct pcap_pkthdr_kuz {
struct pcap_timeval ts;
uint32_t caplen;
@@ -99,21 +115,27 @@ struct pcap_pkthdr_bkm {
 };

 typedef union {
-   struct pcap_pkthdr  ppo;
-   struct pcap_pkthdr_ns   ppn;
-   struct pcap_pkthdr_kuz  ppk;
-   struct pcap_pkthdr_bkm  ppb;
-   uint8_t raw;
+   struct pcap_pkthdr  ppo;
+   struct pcap_pkthdr_ns   ppn;
+   struct pcap_pkthdr_ll   ppo_ll;
+   struct pcap_pkthdr_ns_llppn_ll;
+   struct pcap_pkthdr_kuz  ppk;
+   struct pcap_pkthdr_bkm  ppb;
+   uint8_t raw;
 } pcap_pkthdr_t;

 enum pcap_type {
DEFAULT   = ORIGINAL_TCPDUMP_MAGIC,
NSEC  = NSEC_TCPDUMP_MAGIC,
+   

Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect

2015-06-19 Thread Vadim Kochan
On Fri, Jun 19, 2015 at 10:47:49PM +0200, Daniel Borkmann wrote:
 On 06/18/2015 11:49 AM, Daniel Borkmann wrote:
 On 06/18/2015 11:42 AM, Vadim Kochan wrote:
 On Thu, Jun 18, 2015 at 10:45:29AM +0200, Daniel Borkmann wrote:
 I've started splitting this into smaller digestible chunks,
 couple of more evenings and it should be done from my side.
 Thanks for your patience.
 
 But implementation now is OK in the last original patch series v2 ?
 
 The only missing piece from your first patch I need to go through
 is the pcap i/o parts. I wanted to check if two new dummy types
 are possible (where we'd have transparent mapping - so it would be
 semantically the same as this patch), whether they result in a
 smaller code diff and would have lesser impact on the fast path.
 If that's the case, I'd go for that, if not I will take the current
 remaining piece. Will let you know.
 
 Okay, here it goes. I tested this with capturing from netsniff-ng,
 reading via Wireshark and capturing from Wireshark and reading via
 netsniff-ng.
 
 Seems fine, please double check it.
 
 All in all this should have less overhead and result in smaller
 code diff. Apart from that, the pcap_io.h might need some cleanups
 anyway.
 
 [PATCH] pcap_io: add cooked mode support
 
 Originally submitted by Vadim in a different form, he wrote:
 
   Use Linux cooked header for Netlink interface automatically or
   as replacement of L2 header if --cooked option is specified:
 
 http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
 
   'Cooked headers' makes sense to use for default or nsec pcap
   types which does not contain protocol info.
 
   Added new LINKTYPE_LINUX_SLL which indicates pcap file with
   Linux cooked header as L2 layer header. This pcap file is
   compatible with Wireshark's cooked header & vice-versa.
 
 Signed-off-by: Vadim Kochan vadi...@gmail.com
 Signed-off-by: Daniel Borkmann dan...@iogearbox.net
 ---
  netsniff-ng.c |  17 ++
  pcap_io.h | 192 
 +++---
  2 files changed, 172 insertions(+), 37 deletions(-)
 
 diff --git a/netsniff-ng.c b/netsniff-ng.c
 index 0a9c620..e593b9d 100644
 --- a/netsniff-ng.c
 +++ b/netsniff-ng.c
 @@ -1519,6 +1519,23 @@ int main(int argc, char **argv)
 
   if (!ctx.link_type)
   ctx.link_type = pcap_dev_to_linktype(ctx.device_in);
 + if (link_has_sll_hdr(ctx.link_type)) {
 + switch (ctx.magic) {
 + case ORIGINAL_TCPDUMP_MAGIC:
 + ctx.magic = ORIGINAL_TCPDUMP_MAGIC_LL;
 + break;
 + case NSEC_TCPDUMP_MAGIC:
 + ctx.magic = NSEC_TCPDUMP_MAGIC_LL;
 + break;
 + case ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC):
 + ctx.magic = 
 ___constant_swab32(ORIGINAL_TCPDUMP_MAGIC_LL);
 + break;
 + case ___constant_swab32(NSEC_TCPDUMP_MAGIC):
 + ctx.magic = 
 ___constant_swab32(NSEC_TCPDUMP_MAGIC_LL);
 + break;
 + }
 + }
 +
 
   if (!ctx.device_out) {
   ctx.dump = 0;
 diff --git a/pcap_io.h b/pcap_io.h
 index 497e453..5beccf9 100644
 --- a/pcap_io.h
 +++ b/pcap_io.h
 @@ -27,6 +27,8 @@
  #define TCPDUMP_MAGIC0xa1b2c3d4
  #define ORIGINAL_TCPDUMP_MAGIC   TCPDUMP_MAGIC
  #define NSEC_TCPDUMP_MAGIC   0xa1b23c4d
 +#define ORIGINAL_TCPDUMP_MAGIC_LL0xb1b2c3d4  /* Internal 
 dummy just for mapping */
 +#define NSEC_TCPDUMP_MAGIC_LL0xb1b23c4d  /* 
 Internal dummy just for mapping */
  #define KUZNETZOV_TCPDUMP_MAGIC  0xa1b2cd34
  #define BORKMANN_TCPDUMP_MAGIC   0xa1e2cb12
 
 @@ -78,6 +80,20 @@ struct pcap_pkthdr_ns {
   uint32_t len;
  };
 
 +struct pcap_pkthdr_ll {
 + struct pcap_timeval ts;
 + uint32_t caplen;
 + uint32_t len;
 + struct pcap_ll ll;
 +};
 +
 +struct pcap_pkthdr_ns_ll {
 + struct pcap_timeval_ns ts;
 + uint32_t caplen;
 + uint32_t len;
 + struct pcap_ll ll;
 +};
 +
  struct pcap_pkthdr_kuz {
   struct pcap_timeval ts;
   uint32_t caplen;
 @@ -99,21 +115,27 @@ struct pcap_pkthdr_bkm {
  };
 
  typedef union {
 - struct pcap_pkthdr  ppo;
 - struct pcap_pkthdr_ns   ppn;
 - struct pcap_pkthdr_kuz  ppk;
 - struct pcap_pkthdr_bkm  ppb;
 - uint8_t raw;
 + struct pcap_pkthdr  ppo;
 + struct pcap_pkthdr_ns   ppn;
 + struct pcap_pkthdr_ll   ppo_ll;
 + struct pcap_pkthdr_ns_llppn_ll;
 + struct pcap_pkthdr_kuz  ppk;
 + struct pcap_pkthdr_bkm  ppb;
 + uint8_t raw;
  } pcap_pkthdr_t;
 
  enum 

Re: [netsniff-ng] [PATCH 0/2 v2] Add suport for Linux cooked header sniff dissect

2015-06-19 Thread Daniel Borkmann

On 06/19/2015 10:58 PM, Vadim Kochan wrote:

On Fri, Jun 19, 2015 at 10:47:49PM +0200, Daniel Borkmann wrote:

...

@@ -737,6 +837,24 @@ static inline void pcap_validate_header(const struct 
pcap_filehdr *hdr)
if (unlikely(hdr-version_minor != PCAP_VERSION_MINOR) 
 ___constant_swab16(hdr-version_minor) != 
PCAP_VERSION_MINOR)
panic(This file has an invalid pcap minor version (must be 
%d)\n, PCAP_VERSION_MINOR);
+
+   /* Remap to internal *_LL types in case of LINKTYPE_LINUX_SLL. */
+   if (linktype == LINKTYPE_LINUX_SLL) {

should not link_has_sll_hdr() be used here?


Why? At this point, when reading a pcap file, basic validation has already
been done and linktype is in host endianness. In netsniff-ng, we write out
the pcap header as LINKTYPE_LINUX_SLL in case of Netlink.

In case some other source doesn't use LINKTYPE_LINUX_SLL but LINKTYPE_NETLINK,
we actually need not assume cooked format.



Re: [netsniff-ng] mausezahn: TX fast path ... or may be rewrite everything ?

2015-06-19 Thread Vadim Kochan
On Fri, Jun 19, 2015 at 12:08:57AM +0200, Daniel Borkmann wrote:
 On 06/18/2015 03:24 PM, Vadim Kochan wrote:
 On Thu, Jun 18, 2015 at 11:07:12AM +0200, Daniel Borkmann wrote:
 On 06/18/2015 10:57 AM, Vadim Kochan wrote:
 ...
 Not yet, but I will try keep thinking about this, and will let know if I
 will have some real ideas regarding implementation.
 
 Sounds good!
 
 Some 1st thought which I came up with is maybe to start extending the current
 trafgen generation API set:
 
 {
  eth
  {
  src(),
  dst(),
  proto(),
  }
  ,
  ip
  {
  ver(),
  src(),
  dst(),
  opt(0x1, 20),
  opt(0x2, 30),
  },
  tcp
  {
  dport(),
  sport(),
  flags(),
  },
 }
 
 Can you elaborate on your idea, what would this config do? I.e. if src()
 etc is empty.
 
 Thanks,
 Daniel

Hi,

OK here is another (may be better) design.

Here is an example of the cfg script:

{
eth
{
dst: eth_addr(AA:BB:CC:DD:EE:FF)
proto: ipv4,
}
ip
{
src: ip_addr(192.168.1.1)
dst: ip_addr(192.168.1.2)
}
tcp
{
flags: syn | ack
}
}

Needs some refactoring of the trafgen code & existing cfg funcs to allow using &
manipulating the current packet offset variable.

Each proto should be registered via struct proto_gen:

struct proto_field {
int id;
uint32_t offset;
uint32_t len;
};

struct proto_value {
void *value;
uint32_t len;
};

struct proto_gen {
struct cfg_ctx *ctx;

/* get field name info - id, len, offset */
struct proto_field *(*field_parse)(struct proto_gen *prot, char *name);

/* indicates that this field was filled */
void (*field_set)(struct proto_gen *proto, struct proto_field *field);

/* get info about some proto defined const value */
struct proto_value *(*value_get)(struct proto_gen *proto, struct proto_field *field, char *name);

/* fill the rest unfilled fields */
void (*fill)(struct proto_gen *prot, uint8_t *hdr);

/* finish after whole packet was built */
void (*finish)(struct proto_gen *prot, uint8_t *data, int len);
};

Each proto hdr field can be filled by specifying the field name, separated by ':',
and a macro/func which will fill the bytes. The field may be filled with any
existing trafgen macro (const(), rnd() - the field len should be
considered). Also some additional macros/funcs should be added - ipv4_addr,
eth_addr, etc.

The parser will look up & keep a struct proto_gen proto_ptr when the proto section
is entered (when '#proto {' was parsed), and the parser can call
proto_ptr->field_parse to obtain the field information by name (id,
offset, len), then change the current packet offset & call the macro/func
which will fill the field. Then the parser should call proto_ptr->field_set
to let the proto_gen know which field was filled. At the end the parser
will call proto_ptr->fill to fill the rest of the unfilled fields with some
default values & fill the csum fields if needed.

While filling the default field values the proto_gen should know some of
trafgen's context info - interface id, and maybe some other info which may
help to construct such unfilled fields like dst/src Ethernet addresses or
src/dst IP addresses.

Also it is possible that each proto_gen may have some own defined values like
flag names which can be evaluated via proto_gen->value_get where a field pointer
may be specified. It might be useful if these values can be a part of expressions
like: syn | ack.

At the end the parser will walk over each proto from the higher layer to do a last
call proto_gen->finish where each proto may do some calculations and fill some
unfilled fields.
Meanwhile I am not sure if it will be needed.

Well this is very conceptual and I will try to prepare a better version which
would consider the existing trafgen code & cfg syntax parser.

Regards,

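The proto_gen design sketched in this message (and quoted in Daniel's reply at the top of the page) as an added worked example in C, not trafgen code: an IPv4 proto_gen with field_parse / field_set / fill, where set_field() stands in for what the cfg parser does for one `name: value` line (look the field up by name, check the value length against the field length, copy the bytes at the field offset, mark the field as filled), and fill() supplies defaults and the header checksum only for fields the cfg left untouched, so a cfg that sets `csum` explicitly can emit a deliberately wrong checksum. The field names, the defaults (ttl 64, total length = header length), and the set_field() / build_demo_ipv4() helpers are assumptions of this example.

```c
/* Added example, not trafgen code: one proto_gen (IPv4) in the shape proposed
 * in the thread. set_field() plays the cfg parser for a "name: value" line;
 * ipv4_fill() applies defaults and the checksum only to fields the cfg did
 * not set. Field names and defaults are assumptions made for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct proto_field { int id; uint32_t offset; uint32_t len; const char *name; };

struct proto_gen {
    const char *name;
    const struct proto_field *fields;
    size_t nfields;
    uint32_t hdr_len;
    uint32_t filled;   /* one bit per field id, set by the cfg; fill() must not touch those */
    const struct proto_field *(*field_parse)(struct proto_gen *, const char *);
    void (*field_set)(struct proto_gen *, const struct proto_field *);
    void (*fill)(struct proto_gen *, uint8_t *hdr);
};

enum { IP_VER_IHL, IP_TOS, IP_LEN, IP_ID, IP_FRAG, IP_TTL, IP_PROTO, IP_CSUM, IP_SRC, IP_DST };

static const struct proto_field ipv4_fields[] = {
    { IP_VER_IHL, 0, 1, "ver_ihl" }, { IP_TOS, 1, 1, "tos" },   { IP_LEN, 2, 2, "len" },
    { IP_ID, 4, 2, "id" },           { IP_FRAG, 6, 2, "frag" }, { IP_TTL, 8, 1, "ttl" },
    { IP_PROTO, 9, 1, "proto" },     { IP_CSUM, 10, 2, "csum" }, { IP_SRC, 12, 4, "src" },
    { IP_DST, 16, 4, "dst" },
};

static bool is_filled(const struct proto_gen *g, int id) { return (g->filled >> id) & 1u; }

/* Generic table lookup and bookkeeping; any proto_gen can share these two. */
static const struct proto_field *generic_field_parse(struct proto_gen *g, const char *name)
{
    for (size_t i = 0; i < g->nfields; i++)
        if (strcmp(g->fields[i].name, name) == 0)
            return &g->fields[i];
    return NULL;
}

static void generic_field_set(struct proto_gen *g, const struct proto_field *f)
{ g->filled |= 1u << f->id; }

/* RFC 1071 one's-complement sum over the header, csum field included. */
static uint16_t ipv4_csum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Defaults only where the cfg said nothing; the checksum goes last and is
 * skipped when the cfg set it, so a bad checksum can be generated on purpose. */
static void ipv4_fill(struct proto_gen *g, uint8_t *hdr)
{
    if (!is_filled(g, IP_VER_IHL)) hdr[0] = 0x45;
    if (!is_filled(g, IP_LEN)) { hdr[2] = (uint8_t)(g->hdr_len >> 8); hdr[3] = (uint8_t)g->hdr_len; }
    if (!is_filled(g, IP_TTL)) hdr[8] = 64;
    if (!is_filled(g, IP_CSUM)) {
        uint16_t c;
        hdr[10] = hdr[11] = 0;
        c = ipv4_csum(hdr, g->hdr_len);
        hdr[10] = (uint8_t)(c >> 8);
        hdr[11] = (uint8_t)c;
    }
}

struct proto_gen ipv4_gen = {
    "ip", ipv4_fields, sizeof ipv4_fields / sizeof ipv4_fields[0], 20, 0,
    generic_field_parse, generic_field_set, ipv4_fill,
};

/* What the cfg parser does for "name: value": 0 on success, -1 for an unknown
 * field, -2 when the value length does not match the field length. */
int set_field(struct proto_gen *g, uint8_t *hdr, const char *name, const uint8_t *val, size_t n)
{
    const struct proto_field *f = g->field_parse(g, name);
    if (!f) return -1;
    if (n != f->len) return -2;
    memcpy(hdr + f->offset, val, n);
    g->field_set(g, f);
    return 0;
}

/* A correct header sums to 0xffff before complement, i.e. ipv4_csum() yields 0. */
bool ipv4_csum_ok(const uint8_t *hdr, size_t len) { return ipv4_csum(hdr, len) == 0; }

/* The equivalent of the cfg
 *   ip { src: ip_addr(192.168.1.1) dst: ip_addr(192.168.1.2) proto: 6 [csum: 0xdead] } */
int build_demo_ipv4(uint8_t hdr[20], bool bogus_csum)
{
    static const uint8_t src[4] = { 192, 168, 1, 1 }, dst[4] = { 192, 168, 1, 2 };
    static const uint8_t tcp = 6, bad[2] = { 0xde, 0xad };
    struct proto_gen g = ipv4_gen;        /* fresh 'filled' state per packet */
    memset(hdr, 0, 20);
    if (set_field(&g, hdr, "src", src, 4) || set_field(&g, hdr, "dst", dst, 4) ||
        set_field(&g, hdr, "proto", &tcp, 1))
        return -1;
    if (bogus_csum && set_field(&g, hdr, "csum", bad, 2))
        return -1;
    g.fill(&g, hdr);
    return 0;
}

int main(void)
{
    uint8_t hdr[20];
    build_demo_ipv4(hdr, false);
    printf("ttl=%u proto=%u csum=%02x%02x ok=%d\n", hdr[8], hdr[9], hdr[10], hdr[11],
           (int)ipv4_csum_ok(hdr, sizeof hdr));
    return 0;
}
```

The `filled` bitmask is what makes the "fill the rest" step safe: fill() never overwrites a byte the cfg wrote, which is exactly what a generator needs when the point of a packet is a malformed field.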