Ethereal-dev: Re: [ethereal-dev] Need some advice and help getting started with real time pac
Hi,
I suspect that NetFilter is too low level for what Nathan wants.
Interestingly, and not related to NetFilter, the NAT module for the
2.0.xx kernels seems to operate before the raw/packet sockets, because all
my captures show the NAT'd addresses, not the raw, on-the-wire addresses.
Good to see that NetFilter does things the right way :-)
Thanks for the pointer to the paper.
At 12:08 PM 4/1/00 -0500, Craig Rodrigues wrote:
>On Sat, Apr 01, 2000 at 01:08:11AM -0600, Nathan Good wrote:
>> Linux box (Caldera 2.3 Open Linux)
>>
>> What I want to do:
>> look at all UDP packets coming across wire in real time ( To be run all the
>> time)
>> If packet data contains such and such, capture this data to a C struct or
>> something, and pass it to my client program for processing.
>
>Caldera 2.3 is based on Linux kernel 2.2, so you have a few
>options available to you.
>
>- You could try to use pcap, (man 3 pcap). pcap is a good way to go
> if you want your code to remain portable across different platforms.
> In my opinion, the Linux support in libpcap (at http://www.tcpdump.org)
> is currently in a state of flux, so relying on pcap may not be the way
> to go.
>
>- Since you are using Linux 2.2, you could try to use raw sockets of type
> PF_PACKET. There is a program called iptraf
> (http://cebu.mozcom.com/riker/iptraf/) which uses PF_PACKET quite
> extensively,
> so you could grab the source for that and see what they are doing.
> You could also read the man page for PF_PACKET (man 4 packet, man 7
> packet).
> iptraf works fairly well, so I think this is a good way to go.
>
>- For your own personal knowledge, you may wish to read about Netfilter,
> which is the new grand architecture for doing packet capture in
> the Linux 2.3/2.4 series of kernels. I wrote a paper for it
> at: http://www.gis.net/~craigr/netfilter_paper.pdf, and you can see
> the Netfilter home page at: http://netfilter.kernelnotes.org
>
>Also, in your application, you did not mention if you want to block
>certain UDP packets from traversing the protocol stack, based on
>the contents of the packet. This can affect how you do things, since this
>is a firewall type of activity. Raw sockets allow you to look at
>things before they enter the protocol stack, but they don't let you
>block things from entering the protocol stack.
>--
>Craig Rodrigues
>http://www.gis.net/~craigr
>rodrigc@xxxxxxxxxxxx
>
Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course
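
Added example (not code from this thread, from Craig or from iptraf): the PF_PACKET approach Craig suggests, worked through for Nathan's case. A raw socket of type PF_PACKET hands back whole link-layer frames, so the program has to walk Ethernet, IPv4 and UDP headers itself, check every length against what was actually captured, and only then copy the interesting datagram into a C struct for a client program. Assumptions not in the original: Ethernet framing, and a hypothetical four-byte marker "TST1" standing in for "such and such". The sample frame is constructed, not a real capture; the live loop at the bottom is Linux-only and needs root.

```c
/* Added example, not from the original thread: PF_PACKET capture of
 * IPv4/UDP datagrams whose payload starts with a marker, copied into a
 * C struct. Assumptions: Ethernet framing; the marker "TST1" is made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MATCH_MAGIC "TST1"
#define MATCH_LEN   4
#define MAX_PAYLOAD 256

struct udp_event {
    uint32_t src_ip, dst_ip;       /* IPv4 addresses, host byte order */
    uint16_t src_port, dst_port;   /* host byte order */
    uint16_t payload_len;
    uint8_t  payload[MAX_PAYLOAD];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one Ethernet frame of 'len' bytes. Returns 1 and fills *ev when it
 * carries an unfragmented IPv4/UDP datagram whose payload begins with
 * MATCH_MAGIC, 0 otherwise. Each header length is checked against the
 * captured size first, so a truncated or lying frame cannot drive a read
 * past the end of the buffer. */
int parse_udp_frame(const uint8_t *buf, size_t len, struct udp_event *ev)
{
    if (len < 14 || rd16(buf + 12) != 0x0800) return 0;   /* not IPv4 */
    const uint8_t *ip = buf + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = rd16(ip + 2);                             /* total length */
    if (ihl < 20 || tot < ihl + 8 || tot > iplen) return 0;
    if (ip[9] != 17 || (rd16(ip + 6) & 0x1fff) != 0) return 0; /* UDP, offset 0 */
    const uint8_t *udp = ip + ihl;
    size_t ulen = rd16(udp + 4);
    if (ulen < 8 || ulen > tot - ihl) return 0;
    const uint8_t *payload = udp + 8;
    size_t plen = ulen - 8;
    if (plen < MATCH_LEN || memcmp(payload, MATCH_MAGIC, MATCH_LEN) != 0) return 0;
    memset(ev, 0, sizeof *ev);
    ev->src_ip   = rd32(ip + 12);
    ev->dst_ip   = rd32(ip + 16);
    ev->src_port = rd16(udp);
    ev->dst_port = rd16(udp + 2);
    if (plen > MAX_PAYLOAD) plen = MAX_PAYLOAD;
    ev->payload_len = (uint16_t)plen;
    memcpy(ev->payload, payload, plen);
    return 1;
}

/* Constructed sample frame (not a real capture): 10.0.0.1:1234 ->
 * 10.0.0.2:5000 carrying "TST1hello". Returns its length, 51 bytes. */
size_t build_sample_frame(uint8_t *buf)
{
    static const uint8_t frame[] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00,0x00,0x25, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,  /* IPv4 */
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
        0x04,0xd2, 0x13,0x88, 0x00,0x11, 0x00,0x00,                      /* UDP */
        'T','S','T','1','h','e','l','l','o'
    };
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

/* Self-checks: the sample matches; the same frame with the IP protocol
 * byte set to TCP (6) is rejected. */
int demo_sample_matches(void)
{
    uint8_t buf[64]; struct udp_event ev;
    size_t n = build_sample_frame(buf);
    if (!parse_udp_frame(buf, n, &ev)) return 0;
    return ev.src_ip == 0x0a000001u && ev.dst_ip == 0x0a000002u &&
           ev.src_port == 1234 && ev.dst_port == 5000 &&
           ev.payload_len == 9 && memcmp(ev.payload, "TST1hello", 9) == 0;
}
int demo_tcp_rejected(void)
{
    uint8_t buf[64]; struct udp_event ev;
    size_t n = build_sample_frame(buf);
    buf[14 + 9] = 6;
    return parse_udp_frame(buf, n, &ev) == 0;
}

#ifdef __linux__
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
/* Live loop: needs root. A PF_PACKET socket only receives a copy of each
 * frame; the stack still delivers it, so nothing here can block a packet. */
int main(void)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP));
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    static uint8_t buf[65536];
    struct udp_event ev;
    for (;;) {
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, NULL, NULL);
        if (n < 0) { perror("recvfrom"); break; }
        if (!parse_udp_frame(buf, (size_t)n, &ev)) continue;
        struct in_addr s = { htonl(ev.src_ip) }, d = { htonl(ev.dst_ip) };
        printf("match %s:%u -> ", inet_ntoa(s), ev.src_port);   /* static buffer */
        printf("%s:%u (%u bytes)\n", inet_ntoa(d), ev.dst_port, ev.payload_len);
    }
    close(fd);
    return 0;
}
#endif
```

The struct filled by parse_udp_frame is what would be handed to the client program; the rejected-fragment and length checks are the part that matters when the socket is fed by arbitrary hosts, since a raw socket delivers frames exactly as they arrived, including malformed ones.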