Network packet capture in Linux kernelspace
Beraldo Leal
25th October 2011
Introduction
Sniffers
- tcpdump, wireshark, snort, etc.
- They use the well-known library libpcap
- Not suitable for > 10 Gbps
- Packet loss
- Commodity hardware for packet capture: 3COM, Intel, Endace, ...
- Many interrupts: NEW API or NAPI (interrupt coalescing)
- Zero-copy: Direct Memory Access (DMA), mmap()
Linux kernel source, network-related share:
  Kernel SLOC:          9.723.525
  net/ files:           1.293     (3.5%)
  drivers/net/ files:   1.935     (5.27%)
  net/ SLOC:            480.928   (5%)
  drivers/net/ SLOC:    1.155.317 (12%)
Network stack
L5: Application
http, ftp, ssh, telnet, ... (message)
L4: Transport
tcp, udp, ... (segment)
L3: Network
ipv4, ipv6, ... (datagram/packet)
net_device (include/linux/netdevice.h)
    unsigned int  mtu
    unsigned int  flags
    unsigned char dev_addr[MAX_ADDR_LEN]
    int           promiscuity
Important sk_buff routines
- alloc_skb(); dev_alloc_skb();
- kfree_skb(); dev_kfree_skb();
- skb_clone();
- skb_network_header(skb); skb_transport_header(skb); skb_mac_header(skb);
Packet ingress flow
- When working in the interrupt-driven model, the NIC registers an interrupt handler;
- This interrupt handler will be called when a frame is received;
- Typically in the handler, we allocate an sk_buff by calling dev_alloc_skb();
- The driver copies data from the NIC's buffer to the struct just created;
- The NIC driver calls the generic reception routine netif_rx();
- netif_rx() puts the frame in a per-CPU queue; if the queue is full, drop!
- net_rx_action() makes its decision based on skb->protocol;
- This function basically dequeues the frame and delivers a copy to every protocol handler registered in the ptype_all and ptype_base queues.
25th October 2011 Network packet capture in Linux kernelspace 13 / 25
Packet ingress flow
- ip_rcv() will receive the IP datagram (if it is an IPv4 packet): IP checksum, check IP headers, ...
- ip_rcv_finish() makes the route decision (ip_forward() or ip_local_deliver())
- ip_local_deliver() defrags fragmented packets, and calls ...
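The two slides above name the steps without showing them. The following is an added example, my own userspace C and not code from the talk: rx_frame() models the ptype_all tap and the ptype_base dispatch on skb->protocol from the first slide, and ipv4_rcv() models the header checks ip_rcv() applies from the second. The type and function names (rx_frame, ipv4_rcv, rx_sample_patched, the verdict enum) and the 42-byte sample frame are constructed for this example; only the ethertype values and the kernel routine names quoted in comments are real.

```c
/* Added example (not from the slides): a userspace model of two ingress steps.
 * rx_frame() stands in for netif_receive_skb(): it runs the ptype_all tap and then
 * dispatches on the ethertype as ptype_base does; ipv4_rcv() applies the checks
 * ip_rcv() makes before ip_rcv_finish(). Names and the sample frame are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP  0x0800
#define ETH_P_ARP 0x0806
#define ETH_HLEN  14

enum verdict { RX_DELIVER, RX_DROP_BAD_HDR, RX_DROP_CSUM, RX_DROP_LEN, RX_NO_HANDLER };

/* RFC 1071 one's-complement sum over the IP header; a valid header sums to 0. */
static uint16_t ip_fast_csum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* What ip_rcv() verifies on an IPv4 datagram: version, ihl, checksum, tot_len. */
static enum verdict ipv4_rcv(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return RX_DROP_BAD_HDR;
    unsigned version = pkt[0] >> 4, ihl = (pkt[0] & 0x0f) * 4;
    if (version != 4 || ihl < 20 || len < ihl)
        return RX_DROP_BAD_HDR;
    if (ip_fast_csum(pkt, ihl) != 0)
        return RX_DROP_CSUM;
    unsigned tot_len = pkt[2] << 8 | pkt[3];
    if (tot_len < ihl || tot_len > len)   /* header claims more bytes than arrived */
        return RX_DROP_LEN;
    return RX_DELIVER;                    /* next: ip_rcv_finish(), route decision */
}

/* arp_rcv() stand-in: an Ethernet/IPv4 ARP message is 28 bytes long. */
static enum verdict arp_rcv(const uint8_t *pkt, size_t len)
{ (void)pkt; return len >= 28 ? RX_DELIVER : RX_DROP_BAD_HDR; }

struct ptype {
    uint16_t proto;
    enum verdict (*func)(const uint8_t *, size_t);
};

/* ptype_base: one handler per ethertype, the table dev_add_pack() populates. */
static const struct ptype ptype_base[] = {
    { ETH_P_IP,  ipv4_rcv },
    { ETH_P_ARP, arp_rcv  },
};

/* ptype_all: a tap that sees every frame, like an ETH_P_ALL packet socket (tcpdump). */
static unsigned tap_frames;
static void packet_rcv(const uint8_t *f, size_t n) { (void)f; (void)n; tap_frames++; }
unsigned tap_frame_count(void) { return tap_frames; }

enum verdict rx_frame(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN)
        return RX_DROP_BAD_HDR;
    packet_rcv(frame, len);               /* taps run before protocol dispatch */
    uint16_t proto = (uint16_t)(frame[12] << 8 | frame[13]);
    for (size_t i = 0; i < sizeof ptype_base / sizeof ptype_base[0]; i++)
        if (ptype_base[i].proto == proto)
            return ptype_base[i].func(frame + ETH_HLEN, len - ETH_HLEN);
    return RX_NO_HANDLER;                 /* no ptype_base entry: frame is dropped */
}

/* Constructed sample: Ethernet + IPv4 192.168.0.1 -> 192.168.0.2, UDP 12345 -> 53, empty payload. */
const uint8_t sample_ipv4_frame[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0xf9,0x7c,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x08,0x00,0x00,
};

/* Run rx_frame() on a copy of the sample with n bytes patched, to reach each drop path. */
enum verdict rx_sample_patched(const size_t *off, const uint8_t *val, size_t n)
{
    uint8_t copy[sizeof sample_ipv4_frame];
    memcpy(copy, sample_ipv4_frame, sizeof copy);
    for (size_t i = 0; i < n; i++)
        copy[off[i]] = val[i];
    return rx_frame(copy, sizeof copy);
}

int main(void)
{
    static const char *names[] = { "DELIVER", "DROP_BAD_HDR", "DROP_CSUM", "DROP_LEN", "NO_HANDLER" };
    size_t csum_off[] = { 14 + 11 };      /* low byte of the IP header checksum */
    uint8_t csum_val[] = { 0x00 };
    printf("intact frame:  %s\n", names[rx_frame(sample_ipv4_frame, sizeof sample_ipv4_frame)]);
    printf("bad checksum:  %s\n", names[rx_sample_patched(csum_off, csum_val, 1)]);
    printf("frames tapped: %u\n", tap_frame_count());
    return 0;
}
```

The tap is counted before any protocol handler runs, which is why a capture tool sees frames that the IP layer later drops for a bad checksum or an impossible total length: packet loss reported by a sniffer and packets dropped by ip_rcv() are different counters.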
[Figure: packet ingress path, from the driver to the application, with the netfilter hook points]
Network drivers (drivers/net/)
netif_rx() (net/core/dev.c) -> input_queue [cpu]
Layer 3: Network
    packet_rcv(): <tcpdump process>, <dhcpd process>
    arp_rcv(): handle ARP requests and replies
    ip_rcv() (net/ipv4/ip_input.c): verify skb, IP headers and IP checksum
    NF_IP_PRE_ROUTING
    ip_rcv_finish() (net/ipv4/ip_input.c): find route and handle IP options
    NF_IP_FORWARD
    ip_forward() (net/ipv4/ip_forward.c): handle router alert; send redirect if necessary; decrease TTL; verify if frag is possible (mtu)
    ip_error() (net/ipv4/route.c): routing error, send ICMP packet
    NF_IP_LOCAL_IN
    ip_local_deliver() (net/ipv4/ip_input.c): defrag fragmented packets
Layer 4: Transport
    __tcp_v4_lookup() (net/ipv4/tcp_ipv4.c): look up the socket by dst_port
    tcp_v4_do_rcv() (net/ipv4/tcp_ipv4.c): check for socket state
Socket layer (net/core/sock.c)
Application (userspace)
- A protocol handler registers a function to handle packets with dev_add_pack()
- Netfilter hooks
- Userspace tools: socket AF_PACKET, libpcap, ...
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/if_ether.h>

struct packet_type my_proto;

/* Called by the stack with its own reference to every received frame
 * (ETH_P_ALL); the handler owns that reference and must free it. */
int my_packet_rcv(struct sk_buff *skb, struct net_device *dev,
                  struct packet_type *pt, struct net_device *orig_dev)
{
    printk(KERN_ERR "+1!\n");
    kfree_skb(skb);
    return 0;
}

static int hello_init(void)
{
    printk("<1> Hello world!\n");
    my_proto.type = htons(ETH_P_ALL);   /* all ethertypes: lands in ptype_all */
    my_proto.dev  = NULL;               /* NULL: any interface */
    my_proto.func = my_packet_rcv;
    dev_add_pack(&my_proto);
    return 0;
}

static void hello_exit(void)
{
    dev_remove_pack(&my_proto);
    printk("<1> Bye, cruel world\n");
}

module_init(hello_init);
module_exit(hello_exit);
MODULE_LICENSE("GPL");
#include <linux/ip.h>   /* ip_hdr(); the other includes are as in the previous listing */

/* Variant of the handler: classify the frame by skb->pkt_type. */
int my_packet_rcv(struct sk_buff *skb, struct net_device *dev,
                  struct packet_type *pt, struct net_device *orig_dev)
{
    switch (skb->pkt_type) {
    case PACKET_HOST:      printk("PACKET_HOST ");      break;
    case PACKET_BROADCAST: printk("PACKET_BROADCAST "); break;
    case PACKET_MULTICAST: printk("PACKET_MULTICAST "); break;
    case PACKET_OTHERHOST: printk("PACKET_OTHERHOST "); break;
    case PACKET_OUTGOING:  printk("PACKET_OUTGOING ");  break;
    case PACKET_LOOPBACK:  printk("PACKET_LOOPBACK ");  break;
    case PACKET_FASTROUTE: printk("PACKET_FASTROUTE "); break;
    }
    /* ip_hdr() is only meaningful for IPv4 frames; with ETH_P_ALL the handler
     * also sees ARP and other ethertypes, so check skb->protocol first. */
    if (skb->protocol == htons(ETH_P_IP))
        printk("%s 0x%.4X 0x%.4X\n", skb->dev->name,
               ntohs(skb->protocol), ip_hdr(skb)->protocol);
    else
        printk("%s 0x%.4X\n", skb->dev->name, ntohs(skb->protocol));
    kfree_skb(skb);
    return 0;
}
Netfilter hooks
- iptables = userspace; netfilter = kernelspace;
- Netfilter is merely a series of hooks at various points in a protocol stack;
- Packet filtering, network address [and port] translation
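To make "a series of hooks" concrete, here is an added example, userspace C written for this page and not code from the talk or from netfilter: one hook list per hook point, kept sorted by priority, consulted at the points the diagram shows (PRE_ROUTING, LOCAL_IN, FORWARD), with the first NF_DROP ending traversal. The type and function names mimic the kernel's (nf_hook_ops, nf_register_hook, nf_hook) but are this example's own, as are the pkt struct, the sample policy and the addresses. It also shows why hook placement matters: a filter registered at LOCAL_IN never sees traffic the box forwards.

```c
/* Added example (not from the slides): a userspace model of netfilter's hook
 * points. Hooks register at a point with a priority, the stack runs them in
 * priority order at that point, and the first NF_DROP ends traversal. Struct
 * names, the sample policy and the sample packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum nf_hook_point { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD,
                     NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
enum nf_verdict { NF_DROP, NF_ACCEPT };

/* The already-parsed fields a hook would read from the sk_buff. */
struct pkt {
    uint32_t saddr, daddr;
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
    uint16_t dport;
    uint8_t  ttl;
};

struct nf_hook_ops {
    enum nf_verdict (*hook)(struct pkt *p);
    enum nf_hook_point hooknum;
    int priority;            /* lower runs first, as in the kernel */
    struct nf_hook_ops *next;
};

static struct nf_hook_ops *nf_hooks[NF_IP_NUMHOOKS];

/* nf_register_hook(): insert into the per-point list, kept sorted by priority. */
void nf_register_hook(struct nf_hook_ops *ops)
{
    struct nf_hook_ops **pp = &nf_hooks[ops->hooknum];
    while (*pp && (*pp)->priority <= ops->priority)
        pp = &(*pp)->next;
    ops->next = *pp;
    *pp = ops;
}

/* NF_HOOK(): the stack calls this at each point before carrying on. */
enum nf_verdict nf_hook(enum nf_hook_point hooknum, struct pkt *p)
{
    for (struct nf_hook_ops *h = nf_hooks[hooknum]; h; h = h->next)
        if (h->hook(p) == NF_DROP)
            return NF_DROP;
    return NF_ACCEPT;
}

/* Sample policy. Filter: drop TCP to port 23 (telnet) addressed to this host. */
static enum nf_verdict drop_telnet(struct pkt *p)
{ return (p->proto == 6 && p->dport == 23) ? NF_DROP : NF_ACCEPT; }
/* Port translation at PRE_ROUTING: send TCP port 80 to 8080 (what a REDIRECT rule does). */
static enum nf_verdict redirect_http(struct pkt *p)
{ if (p->proto == 6 && p->dport == 80) p->dport = 8080; return NF_ACCEPT; }
/* Accounting hook; runs before the filter at LOCAL_IN, so it also counts dropped packets. */
static unsigned local_in_seen;
static enum nf_verdict count_local_in(struct pkt *p) { (void)p; local_in_seen++; return NF_ACCEPT; }
unsigned local_in_count(void) { return local_in_seen; }

static struct nf_hook_ops ops_filter   = { drop_telnet,    NF_IP_LOCAL_IN,    0,    NULL };
static struct nf_hook_ops ops_redirect = { redirect_http,  NF_IP_PRE_ROUTING, -100, NULL };
static struct nf_hook_ops ops_count    = { count_local_in, NF_IP_LOCAL_IN,    -10,  NULL };

void nf_setup(void)
{
    static int done;
    if (done) return;
    done = 1;
    nf_register_hook(&ops_filter);     /* registered out of order: the list sorts by priority */
    nf_register_hook(&ops_redirect);
    nf_register_hook(&ops_count);
}

/* The L3 ingress path with its hook points. Returns 1 if the packet leaves the network
 * layer (to the socket layer, or on to ip_forward_finish()), 0 if it was dropped. */
int ingress(struct pkt *p, uint32_t local_addr)
{
    if (nf_hook(NF_IP_PRE_ROUTING, p) == NF_DROP)        /* ip_rcv() -> hook -> ip_rcv_finish() */
        return 0;
    if (p->daddr == local_addr)                           /* route decision: for us */
        return nf_hook(NF_IP_LOCAL_IN, p) == NF_ACCEPT;  /* ip_local_deliver(): defrag, hook, L4 */
    if (p->ttl <= 1)                                      /* ip_forward(): TTL exhausted, ICMP error */
        return 0;
    p->ttl--;
    return nf_hook(NF_IP_FORWARD, p) == NF_ACCEPT;       /* then ip_forward_finish() -> POST_ROUTING */
}

int main(void)
{
    uint32_t me = 0x0a000002;                             /* 10.0.0.2, constructed */
    struct pkt telnet = { 0x0a000001, me, 6, 23, 64 };
    struct pkt http   = { 0x0a000001, me, 6, 80, 64 };
    nf_setup();
    printf("telnet to us: %s\n", ingress(&telnet, me) ? "delivered" : "dropped");
    printf("http to us:   %s, dport now %u\n", ingress(&http, me) ? "delivered" : "dropped", http.dport);
    return 0;
}
```

The same telnet packet addressed to another host passes untouched, because only NF_IP_FORWARD hooks run for it and none is registered there; an iptables INPUT rule (LOCAL_IN) protects the box itself, a FORWARD rule protects what is behind it.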
Thank you! Questions?