[tcpdump-workers] capturing the netlink socket on Linux
Please correct my understanding. The libpcap/pcap-netfilter-linux.c file is about capturing NFLOG packets from the netlink socket, i.e. ones that came from netfilter's --log target. On the other hand, we have: /* * Link-layer header type for the netlink protocol (nlmon devices). */ #define LINKTYPE_NETLINK253 which suggests that I can capture all netlink messages (which is what I want to do) into a pcap file. I'm unclear if our tcpdump forces printer might know how to decode those netlink messages (not in an IP/TCP enclosure); I suspect not? Ultimately, I want to capture netlink traffic on a machine that has upwards of 7000 interfaces (with 1000s coming/going as PPP links go up/down under testing), and determine why another daemon is crashing. http://lwn.net/Articles/556183/ seems to agree. Maybe that code isn't upstream yet, certainly not in stock debian yet. The discussion at: http://www.spinics.net/lists/netdev/msg243327.html + modprobe nlmon + ip link add type nlmon + ip link set nlmon0 up + tcpdump -i nlmon0 + ip link set nlmon0 down + ip link del dev nlmon0 + rmmod nlmon suggests that it all just works... I will report when I know what kernel I need to make this work, and I guess we should have a web page on doing this, and what is going on. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.ca/| ruby on rails[ ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] capturing the netlink socket on Linux
On Oct 23, 2014, at 11:29 AM, Michael Richardson wrote: > On the other hand, we have: > /* > * Link-layer header type for the netlink protocol (nlmon devices). > */ > #define LINKTYPE_NETLINK 253 > > which suggests that I can capture all netlink messages (which is what I want > to do) into a pcap file. I'm unclear if our tcpdump forces printer might > know how to decode those netlink messages (not in an IP/TCP enclosure); I > suspect not? The Wireshark dissector for those messages indicates that they begin with a LINKTYPE_LINUX_SLL-type header of the form: 2 unused bytes; 2 bytes of big-endian "hardware address type"; 10 unused bytes; 2 bytes of big-endian netlink family values (NETLINK_ values from ; followed by a sequence of netlink messages, each of which has: a Netlink message header, as per section 2.3.2 "Netlink Message Header" of RFC 3549 (the Wireshark dissector assumes the fields are little-endian - but are they really *host*-endian?); Netlink message data (presumably as per RFC 3549 and, for types not described there, the Linux kernel). I'll leave it to someone more clueful than me to indicate whether Netlink messages resemble those of what print-forces.c prints or not. ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] Handling Corrupted Packets Inside Pcap Files?
Argh, nevermind. I think the corrupted packet caused my application to have some invalid read/write, corrupting something pcap_next() is going to use and so I thought it crashed inside pcap_next(). Sorry for the false alarm. On Thursday, October 23, 2014 2:14 AM, Guy Harris wrote: On Oct 18, 2014, at 4:12 AM, Hei Chan wrote: > Hi, > The first 3 packets are corrupted according to wireshark. What is the exact message Wireshark reports? Can you send us the pcap file or make it available for downloading? > As soon as I read the first packet with pcap_next(), my application gets a > coredump. Is it crashing in pcap_next(), or is it crashing in your application's code? Could we see your application's code? If it's crashing in pcap_next(), what is the stack trace from the crash? ___ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
