Date:      Wed, 30 Dec 2015 09:37:20 -0600
From:      Juan Herrera <mybsdmailing@gmail.com>
To:        Daniel Janzon <janzon@gmail.com>
Cc:        Julian Elischer <julian@freebsd.org>, freebsd-hackers@freebsd.org
Subject:   Re: BPF Berkeley Packet Filter Question
Message-ID:  <CAAN2wCCvES=PTVt8S9Yy0mJzbbJDm8L1zvqovGQNz1hU91pOig@mail.gmail.com>
In-Reply-To: <CAAGHsvCNUGn10xYwg-hu-H__5=AQceWQ-5-dsyunF1=2h633_Q@mail.gmail.com>
References:  <CAAN2wCD7vXDzShb35J6Ok20iU2Z4WpUYU%2BaLf9xOKuG1yDRA=Q@mail.gmail.com> <56839C88.3090708@freebsd.org> <CAAGHsvCNUGn10xYwg-hu-H__5=AQceWQ-5-dsyunF1=2h633_Q@mail.gmail.com>

Hello Julian, Daniel

I am using raw ethernet, and testing with ARP

Brief Explanation of what I want to do

I am sending ARP request packets (encapsulated with my metadata at the
end), so it is raw Ethernet like this: "ARP Req bytes + Metadata bytes". I
already did a test to filter jumbo Ethernet packets with BPF, and I can
filter against the last byte in the packet if I want, but to do this I need
to place in my program code the C filter code (generated with tcpdump) with
exactly the byte position I want to use for filtering. The issue with
this is that when I receive another Ethernet frame that is not an ARP
Req, the byte position to filter on will not be the right one (because it
moves): the packet is bigger or smaller, so my metadata has
shifted left or right depending on the case. So I want BPF to read the
total packet length and return it in a variable, and then I use this
variable to calculate the right byte to use for filtering, depending on the
packet length.

I need to match a specific metadata field based on length, but don't
know how to use BPF to read the packet's length.


Thanks!

2015-12-30 6:11 GMT-06:00 Daniel Janzon <janzon@gmail.com>:

> Hello Julian,
>
> I'm not sure I follow what you want to do but maybe I can help you get in
> the right direction.
>
> You can define a BPF program with macros, like
>
> struct bpf_insn instructions[] = {
>     ...
>     BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, proto, 0, 1),
>     BPF_STMT(BPF_RET + BPF_K, (uint16_t)-1),
>     BPF_STMT(BPF_RET + BPF_K, 0)
> };
>
> struct bpf_program bpf_program = { 4, (struct bpf_insn*)&instructions };
> ioctl(fd, BIOCSETF, (struct bpf_program*)&bpf_program);
>
> etc, google for a complete example.
>
> Then you can use the -d option of tcpdump to get some help to find the
> right instructions, for instance
>
> tcpdump -i em0 -d host 10.10.10.1 and greater 150  # capture packets greater than 150
>
> You will probably have to modify the output a bit to get what you want so
> you will have to learn a bit how it works. See the section Filter machine
> in the bpf manual (man 4 bpf).
>
> Hope that helps.
>
> All the best,
> Daniel Janzon
>
>
> On Wed, Dec 30, 2015 at 9:58 AM Julian Elischer <julian@freebsd.org>
> wrote:
>
>> On 30/12/2015 12:46 PM, Juan Herrera wrote:
>> > Hello BSD folks,
>> >
>> > I am developing a networking application in C and I have a question
>> > regarding BPF (Berkeley Packet Filter). I will give you an idea of the
>> > app first. I need to send a packet from machine A to machine B (any kind
>> > of packet), so for this I wrote a packet generator application which will
>> > send a packet to machine B, but before sending the packet I need to
>> > append some metadata values at the end of the packet (already done). On
>> > machine B I have a raw socket listener app ready to receive incoming
>> > packets from machine A. However, I want to implement filtering with BPF
>> > on machine B, but as my metadata was appended at the end of the packet
>> > (it has to be at the end), I need to read the packet length with Berkeley
>> > Packet Filter to match a specific field, to filter on one of the bytes at
>> > the end of my packet (metadata appended). In other words, I need to know
>> > the incoming packet length to filter against one of the metadata fields
>> > and be able to drop the packet before it reaches user space applications
>> > (drop it in kernel space).
>> >
>> > So my question is: can I use BPF to read the packet length?
>> to continue on my previous mail.
>>
>> you can also use netgraph to do this in several ways as well.
>> But I'd need more information to be able to explain what to do.
>>
>> >
>> > TIA!
>> > _______________________________________________
>> > freebsd-hackers@freebsd.org mailing list
>> > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>> >
>>
>>
>
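
The question in this thread has a direct answer in the classic BPF instruction set documented in bpf(4): `BPF_LD+BPF_W+BPF_LEN` loads the packet length into the accumulator. The following is an added example, not code from any poster in the thread, showing a filter that matches on the last byte regardless of packet length; `META_TAG`, the sample frames and the small `run_filter` interpreter (a stand-in for the kernel so the program can be checked anywhere) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Classic BPF opcode values as in <net/bpf.h>, repeated so this builds anywhere. */
enum { LD = 0x00, ALU = 0x04, JMP = 0x05, RET = 0x06, MISC = 0x07,
       W = 0x00, B = 0x10, IND = 0x40, LEN = 0x80,
       SUB = 0x10, JEQ = 0x10, K = 0x00, TAX = 0x00 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define META_TAG 0x42 /* assumed value of the trailing metadata byte */

/* Accept only packets whose last byte is META_TAG, whatever their length. */
static const struct insn tail_filter[] = {
    { LD | W | LEN,  0, 0, 0 },            /* A = packet length         */
    { ALU | SUB | K, 0, 0, 1 },            /* A = length - 1            */
    { MISC | TAX,    0, 0, 0 },            /* X = A                     */
    { LD | B | IND,  0, 0, 0 },            /* A = pkt[X + 0], last byte */
    { JMP | JEQ | K, 0, 1, META_TAG },     /* equal: next, else skip 1  */
    { RET | K,       0, 0, (uint32_t)-1 }, /* accept the whole packet   */
    { RET | K,       0, 0, 0 },            /* drop                      */
};

/* Constructed sample frames: arbitrary payload plus trailing metadata. */
static const uint8_t frame_ok[]  = { 0xde, 0xad, 0xbe, 0xef, META_TAG };
static const uint8_t frame_bad[] = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x01 };

/* Stand-in interpreter for the opcodes above; an out-of-range load drops the packet. */
static uint32_t run_filter(const struct insn *pc, const uint8_t *p,
                           uint32_t wirelen, uint32_t buflen)
{
    uint32_t A = 0, X = 0;
    for (;; pc++) {
        switch (pc->code) {
        case LD | W | LEN:  A = wirelen; break;
        case ALU | SUB | K: A -= pc->k; break;
        case MISC | TAX:    X = A; break;
        case LD | B | IND:
            if (pc->k >= buflen || X >= buflen - pc->k) return 0;
            A = p[X + pc->k]; break;
        case JMP | JEQ | K: pc += (A == pc->k) ? pc->jt : pc->jf; break;
        case RET | K:       return pc->k;
        default:            return 0;
        }
    }
}

int main(void)
{
    printf("ok=%u bad=%u\n", (unsigned)run_filter(tail_filter, frame_ok, 5, 5),
           (unsigned)run_filter(tail_filter, frame_bad, 6, 6));
    return 0;
}
```

On FreeBSD the same seven instructions would be written with the `BPF_STMT`/`BPF_JUMP` macros and installed with `BIOCSETF`, as in the quoted reply. `BPF_LEN` is the length on the wire, so the capture must cover the full frame or the indexed load fails and the packet is dropped.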


