Open Source and information security mailing list archives
Date:	Tue, 13 Dec 2011 17:34:22 +0530
From:	raviraj joshi <raviraj.j1991@...il.com>
To:	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
	netfilter@...r.kernel.org
Subject: Re: kernel level packet capturing

Hi,
    We have to implement a kernel module for capturing packets and
dumping them onto disk as a part of our BE project.
We have decided to use PF_RING (a kernel module to capture packets) for
the same due to the number of advantages.

We have to now write a kernel module that will interact with the pf_ring
module to get data and dump it onto disk.
To do this we figured out two approaches:

1. pf_ring has provided userland code to communicate with the kernel
module, which in turn used "socket" system calls and specified the protocol
family as PF_RING (socket(PF_RING, SOCK_RAW, htons(ETH_P_ALL));) and
subsequently used other functions like setsockopt to get packets.
So one approach can be to use the kernel counterparts of socket and
setsockopt and reuse the userland code in our kernel module (this will
save us from writing code to build some specific data structures and
handling exceptional conditions).

2. The second approach can be to identify the functions which capture packets
in the PF_RING kernel module and invoke them from our
kernel module.

Can anyone please comment on these approaches or tell us about other
options available? We essentially have to use the services provided by the
pf_ring module via a kernel module.

And what should we follow to accomplish these approaches?

PF_RING-specific questions (if anyone is aware of pf_ring, please answer this):
We went through the userland code of pf_ring and got to know that
using pf_ring involves
1. setting up the socket connection
2. binding the address
3. setting socket options
4. enabling the socket ring
5. using the packet_recv function to get packets
6. finally displaying packets and closing the socket connection.
Is the procedure which we figured out right?

We also found that the data we receive has two parts:
1. pfring_pkthdr
2. sk_buff struct

Is this correct?

We know this is not the right place to ask questions about pf_ring and
we are extremely sorry for this, but we posted the
same questions on the ntop mailing list and there was no response.

Thanking you,
Raviraj Joshi
PICT, Pune.

On Wed, Oct 19, 2011 at 6:07 PM, Benjamin Poirier
<benjamin.poirier@...il.com> wrote:
> On 11/10/19 12:24, raviraj joshi wrote:
>> Hi,
>>
>> We are making a kernel level packet capture module as a part of our BE project.
>> We are finding it difficult to understand kernel networking code.
>> We studied structures and functions like sk_buff, netif_rx(), dev_alloc_skb.
>>
>> However we were not able to trace the actual path a simple packet follows.
>
> You might find
> http://vger.kernel.org/netconf2011_slides/jesse_brandeburg_netconf2011.pdf
> interesting. It contains call chains of UDP processing at all levels in
> the stack (driver, below ip stack, above ip stack) for tx and rx.
>
> -Ben
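The six-step sequence listed in the message above (socket, bind, setsockopt, enable, receive, close) is the same shape as the standard Linux packet(7) interface that PF_RING's socket API mirrors. The program below is an added example written for this page, not code from the thread or from the PF_RING project: it opens a PF_PACKET/SOCK_RAW/ETH_P_ALL socket, binds it to an interface, enables promiscuous mode via setsockopt, receives frames with recv(), and dumps them to disk in the classic pcap file format so tcpdump or Wireshark can read the result. It uses plain AF_PACKET rather than PF_RING (an assumption that the two sequences correspond; PF_RING's own header layout is not verified here), and the 42-byte Ethernet/IPv4/UDP frame in kSampleFrame is constructed for the example, not captured. Opening the socket needs CAP_NET_RAW (root); the pcap writer and header decoder run without it.

```c
/* Added example: AF_PACKET capture loop plus a minimal pcap writer. */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define SNAPLEN 65535
#define LINKTYPE_ETHERNET 1

/* Classic pcap layout: one global header, then a record header per frame. */
struct pcap_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct pcaprec_hdr { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

int pcap_write_global_header(FILE *f) {
    struct pcap_hdr gh = { 0xa1b2c3d4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET };
    return fwrite(&gh, sizeof gh, 1, f) == 1 ? 0 : -1;
}

/* Truncates to SNAPLEN but records the original length, as tcpdump does. */
int pcap_write_record(FILE *f, const struct timeval *tv, const uint8_t *frame, size_t len) {
    struct pcaprec_hdr rh = { (uint32_t)tv->tv_sec, (uint32_t)tv->tv_usec,
                              (uint32_t)(len > SNAPLEN ? SNAPLEN : len), (uint32_t)len };
    if (fwrite(&rh, sizeof rh, 1, f) != 1) return -1;
    return fwrite(frame, 1, rh.incl_len, f) == rh.incl_len ? 0 : -1;
}

/* Re-parse a pcap file and count its records; -1 if missing or malformed. */
long pcap_count_records(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    struct pcap_hdr gh;
    if (fread(&gh, sizeof gh, 1, f) != 1 || gh.magic != 0xa1b2c3d4) { fclose(f); return -1; }
    long n = 0;
    struct pcaprec_hdr rh;
    while (fread(&rh, sizeof rh, 1, f) == 1) {
        if (rh.incl_len > gh.snaplen || fseek(f, (long)rh.incl_len, SEEK_CUR) != 0) { fclose(f); return -1; }
        n++;
    }
    fclose(f);
    return n;
}

/* Steps 1-3: socket, bind to the interface, setsockopt for promiscuous mode. */
int open_capture_socket(const char *ifname) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(ifname) };
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }
    struct packet_mreq mr = { .mr_ifindex = sll.sll_ifindex, .mr_type = PACKET_MR_PROMISC };
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) { close(fd); return -1; }
    return fd;
}

/* Decode Ethernet + IPv4 headers; returns the IP protocol number or -1 if the
 * frame is too short or not IPv4 (length checks before every field access). */
int ipv4_protocol(const uint8_t *frame, size_t len) {
    if (len < sizeof(struct ether_header) + sizeof(struct iphdr)) return -1;
    const struct ether_header *eh = (const struct ether_header *)frame;
    if (ntohs(eh->ether_type) != ETHERTYPE_IP) return -1;
    const struct iphdr *ip = (const struct iphdr *)(frame + sizeof *eh);
    if (ip->version != 4 || ip->ihl < 5) return -1;
    return ip->protocol;
}

/* Steps 5-6: receive frames, dump each one, return how many were written. */
int capture_to_pcap(int fd, const char *path, int max_frames) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    if (pcap_write_global_header(f) != 0) { fclose(f); return -1; }
    uint8_t buf[SNAPLEN];
    int n = 0;
    while (n < max_frames) {
        ssize_t len = recv(fd, buf, sizeof buf, 0);
        if (len < 0) { if (errno == EINTR) continue; break; }
        struct timeval tv;
        gettimeofday(&tv, NULL);   /* user-space timestamp; SO_TIMESTAMP gives the kernel's */
        if (pcap_write_record(f, &tv, buf, (size_t)len) != 0) break;
        n++;
    }
    fclose(f);
    return n;
}

/* Constructed sample frame (not a capture): Ethernet, IPv4 192.0.2.1 -> 192.0.2.2, UDP 0x1234 -> 53. */
static const uint8_t kSampleFrame[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x12,0x34,0x00,0x35, 0x00,0x08,0x00,0x00 };

/* Writes a one-record pcap from the sample frame so the writer can be checked offline. */
int write_sample_pcap(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    struct timeval tv = { 1323777862, 0 };   /* 2011-12-13 12:04:22 UTC, the message's date */
    int rc = pcap_write_global_header(f);
    if (rc == 0) rc = pcap_write_record(f, &tv, kSampleFrame, sizeof kSampleFrame);
    fclose(f);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 4) { fprintf(stderr, "usage: %s <iface> <out.pcap> <frames>\n", argv[0]); return 2; }
    int fd = open_capture_socket(argv[1]);
    if (fd < 0) { perror("open_capture_socket (needs CAP_NET_RAW)"); return 1; }
    int n = capture_to_pcap(fd, argv[2], atoi(argv[3]));
    close(fd);
    printf("wrote %d frames to %s\n", n, argv[2]);
    return n < 0;
}
```

Run as root with an interface name, an output path and a frame count, then open the file with tcpdump -r. The decoder deliberately checks the buffer length before touching any header field; a capture tool that trusts the wire length it was handed is itself a target for malformed frames.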
