Date: Thu, 21 May 1998 11:06:13 -0700 (PDT)
From: "L.C." <lc001@yahoo.com>
To: hackers@FreeBSD.ORG
Subject: Re: Questions about Packet Filter
Message-ID: <19980521180613.19279.rocketmail@send1d.yahoomail.com>
Many thanks to all the knowledgeable people for the valuable information. I will read the book you mentioned, try the methods you suggested and do more research on these.

I developed drivers about two years ago to intercept the packages at the link layer (NDIS in Windows) and just finished a project to intercept the data stream at the socket level (LSP in WinSock2). I need to port all this Windows code to possible UNIX platforms. I've done some UNIX programming at both the kernel and application levels before but never played with BPF or DLPI. I do have further questions:

1. Are the ipfilter tools using the divert() function that Mike and Dan mentioned available somewhere? I may have two UNIX projects for two different groups in my company. One is just monitoring and the other one is to intercept the packages. I think BPF and DLPI may satisfy my first need but not the second one.

2. So, is there no way, tool, or utility that can intercept the data flowing at the socket level (like LSP in WinSock2)? Any plan about this?

Thanks,
Carl

---Bill Paul <wpaul@skynet.ctr.columbia.edu> wrote:
>
> Of all the gin joints in all the towns in all the world, C L had to walk
> into mine and say:
>
> > Very appreciated if anybody can answer the questions:
> >
> > 1. Does BPF support the monitoring of outgoing packages? How? I know
> > it can monitor the receiving packages and directly write a new package
> > into the specified network interface. How about the packages written
> > by other network or transport protocols?
>
> BPF monitors everything passing through the ethernet interface, regardless
> of the protocol. This is done by 'tapping' the receive and transmit
> routines. Packets received by the hardware are copied and sent to any
> processes that have established themselves as BPF listeners. Packets
> sent to the driver transmit routine are also copied before being sent
> out over the wire.
>
> It is also possible to use BPF to send raw frames as well as receive
> (this is how rarpd works).
>
> > 2. Solaris seems to have a similar soft-driver called "Network
> > Interface Tap". Anybody use that before? Can it monitor both
> > incoming and outgoing packages?
>
> You're confusing two things. SunOS 4.1.x has NIT (Network Interface Tap)
> which can only monitor inbound frames: you can't see the host's own
> transmissions. Solaris 2.x uses DLPI (Data Link Provider Interface)
> which is a System V approach to what BPF does. You can monitor both
> inbound and outbound frames with DLPI.
>
> > 3. Any similar programming interface at the socket level?
>
> Using raw sockets, you can intercept some traffic, but with limitations:
>
> - protocols that the kernel understands (like IP) are processed internally
>   by the kernel and not passed to user processes
> - protocols not directly handled by the kernel can be received in raw
>   sockets
> - you can use a raw socket to send a complete IP datagram, but not
>   receive them since the kernel handles IP itself
> - you can't receive a complete ethernet frame with a raw socket: by the
>   time the packet gets to the socket layer, the ethernet header has been
>   removed
>
> > 4. How about in HP-UX, Linux, and AIX?
>
> For HP-UX 9.x you have to purchase the DLPI support package from HP
> as it is not included with the OS. HP isn't supporting HP-UX 9 anymore,
> so this may be tough to do.
>
> HP-UX 10.x includes BPF support as part of the OS, so you don't need
> to buy anything extra. (I have tcpdump for my HP-UX 10.20 machines.)
> I think the same is true of HP-UX 11.
>
> Linux uses SOCK_SEQPACKET sockets to accomplish what BPF does, if I
> remember correctly.
>
> AIX actually supports both DLPI and BPF, however the BPF kernel module
> is not loaded by default. I recommend using BPF, but to get it to work
> you need to run the tcpdump command supplied with AIX (/usr/sbin/tcpdump)
> first; it will load the BPF module for you, and you can then use the
> BPF support afterwards. (You don't need to keep tcpdump running: just
> run it long enough for it to load the kernel module, then kill it.)
> (If you're really clever and know how to load the BPF module yourself,
> then you can do it manually.)
>
> You forgot IRIX. SGI IRIX uses something called 'snoop' sockets. Being
> based on System V it may also support DLPI.
>
> The libpcap library (ftp.ee.lbl.gov:/libpcap.tar.Z) works on all these
> platforms and provides a common interface that will make your life much
> easier than if you tried to use all these system-dependent interfaces
> yourself. Libpcap is also included with FreeBSD. _UNIX Network Programming
> 2nd Edition, Vol 1_ by Stevens also includes a section that describes
> libpcap and gives examples on how to use it.
>
> -Bill
>
> --
> =============================================================================
> -Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
> Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
> Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
> =============================================================================
> "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
> =============================================================================

== Have a nice day ==
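The filtering half of the BPF mechanism Bill describes above (the kernel tap copies every frame, a small filter program decides which copies reach a listener, and libpcap/tcpdump compile expressions like "ip and tcp" into that program) is shown here in miniature. This is an added example, not code from the thread or from FreeBSD, libpcap or tcpdump: a user-space interpreter for a subset of the classic BPF instruction set, run over constructed sample frames rather than live traffic. The instruction layout (code, jt, jf, k) and the opcode values follow the BSD encoding, and the filter program is the one `tcpdump -dd 'ip and tcp'` emits (accept value 0x40000 is the default snaplen). All function and array names (`bpf_run`, `accepts_ip_tcp`, `frame_tcp`, and so on) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF instruction: same layout as struct bpf_insn in <net/bpf.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The subset of opcodes this interpreter understands (BSD BPF encoding). */
#define OP_LDH_ABS 0x28 /* A = big-endian 16-bit load at pkt[k] */
#define OP_LDB_ABS 0x30 /* A = pkt[k] */
#define OP_JEQ_K   0x15 /* pc += (A == k) ? jt : jf */
#define OP_RET_K   0x06 /* return k (bytes to capture; 0 = drop) */
#define OP_RET_A   0x16 /* return A */

/* Run a filter program over one frame. Any load that would read past the end
 * of the frame drops the packet, mirroring the kernel's bounds checks. */
static uint32_t bpf_run(const struct insn *prog, size_t n,
                        const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case OP_LDB_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k];
            break;
        case OP_JEQ_K: /* jump offsets are relative to the next instruction */
            pc += (a == i->k) ? i->jt : i->jf;
            break;
        case OP_RET_K: return i->k;
        case OP_RET_A: return a;
        default:       return 0; /* unknown opcode: drop rather than guess */
        }
    }
    return 0; /* fell off the end without RET: drop */
}

/* Filter program produced by `tcpdump -dd 'ip and tcp'`:
 *   ldh [12]; jeq #0x800, L1, drop; L1: ldb [23]; jeq #6, accept, drop;
 *   accept: ret #0x40000; drop: ret #0 */
static const struct insn ip_and_tcp[] = {
    { 0x28, 0, 0, 0x0000000c },
    { 0x15, 0, 3, 0x00000800 },
    { 0x30, 0, 0, 0x00000017 },
    { 0x15, 0, 1, 0x00000006 },
    { 0x06, 0, 0, 0x00040000 },
    { 0x06, 0, 0, 0x00000000 },
};
#define IP_AND_TCP_LEN (sizeof ip_and_tcp / sizeof ip_and_tcp[0])

/* Constructed sample frames (not captured traffic). Each starts with a 14-byte
 * Ethernet header; the IPv4 protocol field sits at frame offset 14 + 9 = 23. */
static const uint8_t frame_tcp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* type IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,            /* proto 6 = TCP */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                 /* 10.0.0.1 -> 10.0.0.2 */
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0       /* TCP SYN, port 80 */
};
static const uint8_t frame_udp[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* type IPv4 */
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,            /* proto 17 = UDP */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x35,0x00,0x35, 0x00,0x08,0x00,0x00
};
static const uint8_t frame_arp[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06, /* type ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x0a,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00, 0x0a,0x00,0x00,0x02
};

/* 1 if the frame would be delivered to an "ip and tcp" listener, else 0. */
static int accepts_ip_tcp(const uint8_t *pkt, size_t len)
{
    return bpf_run(ip_and_tcp, IP_AND_TCP_LEN, pkt, len) != 0;
}

int main(void)
{
    printf("tcp frame: %d\n", accepts_ip_tcp(frame_tcp, sizeof frame_tcp));
    printf("udp frame: %d\n", accepts_ip_tcp(frame_udp, sizeof frame_udp));
    printf("arp frame: %d\n", accepts_ip_tcp(frame_arp, sizeof frame_arp));
    /* Truncated copies exercise the bounds checks: too short to hold the
     * EtherType, and too short to hold the IP protocol byte. */
    printf("12-byte fragment: %d\n", accepts_ip_tcp(frame_tcp, 12));
    printf("20-byte fragment: %d\n", accepts_ip_tcp(frame_tcp, 20));
    return 0;
}
```

The two fragment cases are the ones worth remembering when writing or reviewing filter code: a load past the end of the frame must fail closed, since an interpreter that reads out of bounds here would be doing so on every frame the interface sees.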