Have a look at Netmap [1]. It follows a slightly different approach. Also, the
video embedded right at the home page is a great resource to learn what it is
and how it differs from other frameworks, such as libpcap and netfilter.
[1] http://info.iet.unipi.it/~luigi/netmap/
Regards,
- AJ
On 02/05/2016 11:47 PM, Rahmadi Trimananda wrote:
Thank you! I am actually looking at the ingress hook of Nftables too right
now. Thanks for clarifying my understanding about tcpdump.
On Feb 5, 2016 12:21 PM, "Guy Harris" wrote:
On Feb 4, 2016, at 5:48 PM, Rahmadi Trimananda wrote:
I am a beginner user of tcpdump. What I want to do is to write my own
version of tcpdump (or just extend it) to drop/reject network packets.
AFAIK, tcpdump and libpcap can only sniff packets.
You are correct. The operating system mechanisms that tcpdump (and
everything else that uses libpcap/WinPcap) use for sniffing packets are
designed to passively sniff network traffic; they do not offer any
mechanism for inserting themselves into the networking stack so that all
packets must pass through the mechanism and can be dropped by the mechanism.
Is there any available tool to do this?
I am aware of netfilter's iptables and ebtables, but they only work if
the
packets reach INPUT, FORWARD, or OUTPUT stage in the routing process.
What
I need to do is sniff the packet directly (like what tcpdump does), and
drop it right away
Unfortunately, as per the above, the "sniff the packet directly" part of
tcpdump cannot be used, as the underlying mechanisms it uses passively tap
traffic, with no way to drop that traffic.
You *might* be able to...
if it matches my specified pattern, e.g. source, destination, port
number, etc.
...reuse the "print the packet's contents" part, albeit with the actual
printing removed, and code to do the pattern matching replacing it.
What you will have to do is to find, *for the particular operating
system on which you will be doing this* (from "netfilter", I'm guessing
it's Linux), a mechanism that allows user-mode code (or kernel-mode code,
if you plan on stuffing this into the kernel) to examine all incoming
packets just before they're handed to the networking stack as received
packets and, based on the packet contents, pass them on to the networking
stack or drop them.
If, as I suspect, this is going to be done on Linux, would the netfilter
ingress hook:
http://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
work for your purposes? It requires a 4.2 kernel or later, and may
require that a configuration option be turned on.
That page also refers to tc:
http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html
http://lartc.org/manpages/tc.txt
https://en.wikipedia.org/wiki/Tc_(Linux)
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Regards,
- AJ
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
