RE: [netsniff-ng] netlink

2015-10-19 Thread Geoff Ladwig
Tobias,

Either way works for me. 
The issue I had was that the only way I could see all the data was with
--hex , but then didn't get the headers- which are pretty handy!

Regards,
Geoff

-Original Message-
From: Tobias Klauser [mailto:tklau...@distanz.ch] 
Sent: Monday, October 19, 2015 6:40 AM
To: Geoff Ladwig
Cc: netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netlink

Hi Geoff

My initial reply seems to have gone only to the list, sorry. So here it is
again, in case you're not subscribed to the list.

On 2015-10-15 at 16:14:09 +0200, Geoff Ladwig 
wrote:
> Vadim,
> 
> Thanks for responding.
> 
> I have never found much use for the ASCII output... but would be happy 
> either way.
> 
> Possibly a --headers option so you can individually select --header, 
> --hex --ascii..?
> 
> I did not necessarily think this would be a new feature.. it seemed to 
> work this way by default in an older version (0.5.7)
> 
> Running on a different machine with the older version below, you can 
> see the header, ascii and hex all presented. This has no command line 
> options. I'm guessing the display function shows things it has decoded 
> and then shows the rest (the packet data in this case) in hex.

Exactly, that's the default behavior. But it looks like with the nlmsg
dissector (which wasn't included in 0.5.7 yet) this doesn't work.

As suggested in the reply to Vadim, I'd like to refrain from introducing new
command-line options and instead stick to the standard behavior (dump
dissectable data as such and the rest as hex/ascii) for nlmsg as well.
Dumping both the known headers as well as the _full_ packet in hex/ascii
doesn't seem very intuitive to me.

> The net link version seems to skip the last step - where it displays 
> in hex the parts of the packet it hasn't decoded?

Yes, looks like it. I'll check whether I can come up with a fix.

Thanks
Tobias

-- 
You received this message because you are subscribed to the Google Groups 
"netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
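
The default behaviour discussed in this message (print the dissected netlink header, then hex-dump whatever the dissector did not decode), shown as an added C example that is not netsniff-ng's code or part of the thread. The names `nl_dissect` and `hex_rest` are hypothetical, a little-endian capture host is assumed, and the sample bytes are constructed from the header fields and hex payload of packet #65 in the test output posted later in this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NL_HDR_LEN 16u /* sizeof(struct nlmsghdr) */

struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
/* Netlink headers use host byte order; a little-endian capture host is assumed. */
uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Decode the header; return the count of undissected bytes after it, or -1 if truncated. */
long nl_dissect(const uint8_t *pkt, size_t caplen, struct nl_hdr *h, const uint8_t **rest)
{
    if (caplen < NL_HDR_LEN)
        return -1;
    h->len = le32(pkt);     h->type = le16(pkt + 4); h->flags = le16(pkt + 6);
    h->seq = le32(pkt + 8); h->pid = le32(pkt + 12);
    if (h->len < NL_HDR_LEN || h->len > caplen)
        return -1; /* never read past the capture on the length field's say-so */
    *rest = pkt + NL_HDR_LEN;
    return (long)(h->len - NL_HDR_LEN);
}

/* Render the remainder as "[ Hex  xx xx ... ]"; -1 if out is too small. */
int hex_rest(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    if (outlen < 9 + 3 * n) /* "[ Hex " + " xx" per byte + " ]" + NUL */
        return -1;
    int off = snprintf(out, outlen, "[ Hex ");
    for (size_t i = 0; i < n; i++)
        off += snprintf(out + off, outlen - (size_t)off, " %02x", p[i]);
    return off + snprintf(out + off, outlen - (size_t)off, " ]");
}

/* Constructed sample: header fields and payload bytes of packet #65 in this thread. */
static const uint8_t sample[32] = {
    0x20, 0x00, 0x00, 0x00, 0x10, 0x00, 0x05, 0x00, 0xdd, 0x0d, 0x25, 0x56, 0x6a, 0x13, 0x00, 0xfb,
    0x03, 0x01, 0x00, 0x00, 0x0c, 0x00, 0x02, 0x00, 0x6e, 0x6c, 0x38, 0x30, 0x32, 0x31, 0x31, 0x00,
};

int main(void)
{
    struct nl_hdr h;
    const uint8_t *rest;
    char hex[128];
    long n = nl_dissect(sample, sizeof(sample), &h, &rest);
    if (n < 0 || hex_rest(rest, (size_t)n, hex, sizeof(hex)) < 0)
        return 1;
    printf(" [ NLMSG Len %u, Type 0x%04x, Flags 0x%04x, Seq-Nr %u, PID %u ]\n %s\n",
           (unsigned)h.len, h.type, h.flags, (unsigned)h.seq, (unsigned)h.pid, hex);
    return 0;
}
```

The Family field in netsniff-ng's output comes from the capture's link-layer header rather than from the netlink message header, so it is not decoded here.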


Re: [netsniff-ng] netlink

2015-10-19 Thread Tobias Klauser
On 2015-10-17 at 11:08:22 +0200, Vadim Kochan  wrote:
> OK you can get changes from:
> https://github.com/vkochan/netsniff-ng/tree/netsniff_print_headers
> 
> I added -z,--headers option, you can find it in usage output.
> This option allows the following combinations:
> 
> --headers --hex
> --headers --ascii
> --headers --hex --ascii

Is it really necessary to introduce a new command-line option for this?
Couldn't we just dump the trailing, undissected data of the nlmsg in
hex by default (like we do e.g. with IP packets)?

Cheers
Tobias



Re: [netsniff-ng] netlink

2015-10-19 Thread Tobias Klauser
On 2015-10-15 at 16:14:09 +0200, Geoff Ladwig  
wrote:
> Vadim,
> 
> Thanks for responding.
> 
> I have never found much use for the ASCII output... but would be happy
> either way.
> 
> Possibly a --headers option so you can individually select --header, --hex
> --ascii..?
> 
> I did not necessarily think this would be a new feature.. it seemed to work
> this way by default in an older version (0.5.7)
> 
> Running on a different machine with the older version below, you can see the
> header, ascii and hex all presented. This has no command line options. I'm
> guessing the display function shows things it has decoded and then shows the
> rest (the packet data in this case) in hex.

Exactly, that's the default behavior. But it looks like with the nlmsg
dissector (which wasn't included in 0.5.7 yet) this doesn't work.

As suggested in the reply to Vadim, I'd like to refrain from introducing
new command-line options and instead stick to the standard behavior
(dump dissectable data as such and the rest as hex/ascii) for nlmsg as
well. Dumping both the known headers as well as the _full_ packet in
hex/ascii doesn't seem very intuitive to me.

> The net link version seems to skip the last step - where it displays in hex
> the parts of the packet it hasn't decoded?

Yes, looks like it. I'll check whether I can come up with a fix.

Thanks
Tobias



Re: [netsniff-ng] netlink

2015-10-19 Thread vkochan
On Mon, Oct 19, 2015 at 12:36:42PM +0200, Tobias Klauser wrote:
> On 2015-10-15 at 16:14:09 +0200, Geoff Ladwig  
> wrote:
> > Vadim,
> > 
> > Thanks for responding.
> > 
> > I have never found much use for the ASCII output... but would be happy
> > either way.
> > 
> > Possibly a --headers option so you can individually select --header, --hex
> > --ascii..?
> > 
> > I did not necessarily think this would be a new feature.. it seemed to work
> > this way by default in an older version (0.5.7)
> > 
> > Running on a different machine with the older version below, you can see the
> > header, ascii and hex all presented. This has no command line options. I'm
> > guessing the display function shows things it has decoded and then shows the
> > rest (the packet data in this case) in hex.
> 
> Exactly, that's the default behavior. But it looks like with the nlmsg
> dissector (which wasn't included in 0.5.7 yet) this doesn't work.

Sorry, seems I broke it ...

> 
> As suggested in the reply to Vadim, I'd like to refrain from introducing
> new command-line options and instead stick to the standard behavior
> (dump dissectable data as such and the rest as hex/ascii) for nlmsg as
> well. Dumping both the known headers as well as the _full_ packet in
> hex/ascii doesn't seem very intuitive to me.
> 
> > The net link version seems to skip the last step - where it displays in hex
> > the parts of the packet it hasn't decoded?
> 
> Yes, looks like it. I'll check whether I can come up with a fix.
> 
> Thanks
> Tobias



Re: [netsniff-ng] netlink

2015-10-19 Thread Tobias Klauser
On 2015-10-19 at 14:09:19 +0200, Geoff Ladwig  
wrote:
> Tobias,
> 
> Either way works for me. 
> The issue I had was that the only way I could see all the data was with
> --hex , but then didn't get the headers- which are pretty handy!

Ok, great. Would it be possible for you to send me a pcap file with some
example traffic that shows the incorrect behaviour in netsniff-ng?

Thanks
Tobias



Re: [netsniff-ng] netlink

2015-10-19 Thread Tobias Klauser
On 2015-10-19 at 16:24:07 +0200, Geoff Ladwig  
wrote:
> Here is a .pcap generated using
> netsniff-ng --dev nlmon0 -o netlink.pcap

Perfect, thanks!

I just pushed a fix for this issue to the master branch. Could you
please check whether this fixes the issue for you?

Thanks
Tobias



Re: [netsniff-ng] netlink

2015-10-19 Thread Vadim Kochan
On Mon, Oct 19, 2015 at 05:37:04PM +0200, Tobias Klauser wrote:
> On 2015-10-19 at 12:43:33 +0200, vkochan  wrote:
> > On Mon, Oct 19, 2015 at 12:36:42PM +0200, Tobias Klauser wrote:
> > > On 2015-10-15 at 16:14:09 +0200, Geoff Ladwig wrote:
> > > > Vadim,
> > > > 
> > > > Thanks for responding.
> > > > 
> > > > I have never found much use for the ASCII output... but would be happy
> > > > either way.
> > > > 
> > > > Possibly a --headers option so you can individually select --header, --hex
> > > > --ascii..?
> > > > 
> > > > I did not necessarily think this would be a new feature.. it seemed to work
> > > > this way by default in an older version (0.5.7)
> > > > 
> > > > Running on a different machine with the older version below, you can see the
> > > > header, ascii and hex all presented. This has no command line options. I'm
> > > > guessing the display function shows things it has decoded and then shows the
> > > > rest (the packet data in this case) in hex.
> > > 
> > > Exactly, that's the default behavior. But it looks like with the nlmsg
> > > dissector (which wasn't included in 0.5.7 yet) this doesn't work.
> > 
> > Sorry, seems I broke it ...
> 
> No problem! I fixed it in commit
> f5f002fd8966b78ece5b4e1757e639379619670a. I would be glad if you could
> check whether you see any problems with it.
> 
> Thanks!

Well I tested 'iw dev' with output:

K->U nlmon0 32 1445268957s.544314304ns #65 
 [ NLMSG Family 16 (Generic), Len 32, Type 0x0010 (0x10), Flags 0x0005 (REQUEST,ACK), Seq-Nr 1445268957, PID 4211086186 (unknown process) ]
 [ Chr nl80211. ]
 [ Hex  03 01 00 00 0c 00 02 00 6e 6c 38 30 32 31 31 00 ]

K->U nlmon0 1936 1445268957s.544352436ns #66 
 [ NLMSG Family 16 (Generic), Len 1936, Type 0x0010 (0x10), Flags 0x (none), Seq-Nr 1445268957, PID 4211086186 (unknown process) ]

Re: [netsniff-ng] netlink

2015-10-19 Thread Tobias Klauser
On 2015-10-19 at 17:38:03 +0200, Vadim Kochan  wrote:
> On Mon, Oct 19, 2015 at 05:37:04PM +0200, Tobias Klauser wrote:
> > On 2015-10-19 at 12:43:33 +0200, vkochan  wrote:
> > > On Mon, Oct 19, 2015 at 12:36:42PM +0200, Tobias Klauser wrote:
> > > > On 2015-10-15 at 16:14:09 +0200, Geoff Ladwig wrote:
> > > > > Vadim,
> > > > > 
> > > > > Thanks for responding.
> > > > > 
> > > > > I have never found much use for the ASCII output... but would be happy
> > > > > either way.
> > > > > 
> > > > > Possibly a --headers option so you can individually select --header, --hex
> > > > > --ascii..?
> > > > > 
> > > > > I did not necessarily think this would be a new feature.. it seemed to work
> > > > > this way by default in an older version (0.5.7)
> > > > > 
> > > > > Running on a different machine with the older version below, you can see the
> > > > > header, ascii and hex all presented. This has no command line options. I'm
> > > > > guessing the display function shows things it has decoded and then shows the
> > > > > rest (the packet data in this case) in hex.
> > > > 
> > > > Exactly, that's the default behavior. But it looks like with the nlmsg
> > > > dissector (which wasn't included in 0.5.7 yet) this doesn't work.
> > > 
> > > Sorry, seems I broke it ...
> > 
> > No problem! I fixed it in commit
> > f5f002fd8966b78ece5b4e1757e639379619670a. I would be glad if you could
> > check whether you see any problems with it.
> > 
> > Thanks!
> 
> Well I tested 'iw dev' with output:

Great, thanks for testing!



RE: [netsniff-ng] netlink

2015-10-19 Thread Geoff Ladwig
Vadim,

This works great.

Regards,
Geoff

-Original Message-
From: Vadim Kochan [mailto:vadi...@gmail.com] 
Sent: Saturday, October 17, 2015 5:08 AM
To: Geoff Ladwig
Cc: 'vkochan'; netsniff-ng@googlegroups.com
Subject: Re: [netsniff-ng] netlink

On Thu, Oct 15, 2015 at 07:19:37PM +0300, Vadim Kochan wrote:
> On Thu, Oct 15, 2015 at 10:14:09AM -0400, Geoff Ladwig wrote:
> > Vadim,
> > 
> > Thanks for responding.
> > 
> > I have never found much use for the ASCII output... but would be 
> > happy either way.
> > 
> > Possibly a --headers option so you can individually select 
> > --header, --hex --ascii..?
> > 
> > I did not necessarily think this would be a new feature.. it seemed 
> > to work this way by default in an older version (0.5.7)
> > 
> > Running on a different machine with the older version below, you can 
> > see the header, ascii and hex all presented. This has no command 
> > line options. I'm guessing the display function shows things it has 
> > decoded and then shows the rest (the packet data in this case) in hex.
> > 
> > The net link version seems to skip the last step - where it displays 
> > in hex the parts of the packet it hasn't decoded?
> > 
> > Regards,
> > Geoff
> > 
> > -Original Message-
> > From: vkochan [mailto:vadi...@gmail.com]
> > Sent: Thursday, October 15, 2015 9:34 AM
> > To: Geoff Ladwig
> > Cc: netsniff-ng@googlegroups.com
> > Subject: Re: [netsniff-ng] netlink
> > 
> > On Thu, Oct 15, 2015 at 09:16:35AM -0400, Geoff Ladwig wrote:
> > > This is using the NETLINK_FIB_LOOKUP family (slightly extended data).
> > > 
> > > Below is a run without -hex and one with -hex.
> > > 
> > > I don't expect this obscure netlink capability is fully decoded.. but
> > > the headers are handy to locate the packets.
> > > 
> > > In a previous version (that displayed these as Ethernet packets - so I
> > > had to pick the netlink header out of the
> > > Ethernet src/dst) I could see both the "decoded" header and the data as
> > > hex.
> > > With this version, it seems to
> > > be one or the other.
> > > 
> > > Thanks again
> > > 
> > > nlsniff-ng -dev nlmon0
> > > 
> > > Nlsniff-ng -dev nlmon0 --hex
> > > 
> > > -Original Message-
> > > From: vkochan [mailto:vadi...@gmail.com]
> > > Sent: Thursday, October 15, 2015 3:28 AM
> > > To: Geoff Ladwig
> > > Cc: netsniff-ng@googlegroups.com
> > > Subject: Re: [netsniff-ng] netlink
> > > 
> > > On Wed, Oct 14, 2015 at 09:17:15PM -0400, Geoff Ladwig wrote:
> > > > Hi,
> > > > 
> > > > I downloaded, built the latest git master.
> > > > 
> > > > I can now decode netlink message (great!) but only get the header.
> > > > 
> > > > I imagine this is because not all messages are fully decoded. Is it
> > > > possible to get both the decoded header and the hex version
> > > > simultaneously?
> > > > 
> > > > If I add -hex, it then doesn't print the header.
> > > > 
> > > > Thanks,
> > > > Geoff
