Date:      Thu, 21 May 1998 09:45:50 -0400 (EDT)
From:      Bill Paul <wpaul@skynet.ctr.columbia.edu>
To:        lc001@yahoo.com (C L)
Cc:        hackers@FreeBSD.ORG
Subject:   Re: Questions about Packet Filter
Message-ID:  <199805211345.JAA19634@skynet.ctr.columbia.edu>
In-Reply-To: <19980520191129.18098.rocketmail@send1b.yahoomail.com> from "C L" at May 20, 98 12:11:29 pm

Of all the gin joints in all the towns in all the world, C L had to walk 
into mine and say:

> It would be very much appreciated if anybody could answer these questions:
> 
> 1. Does BPF support the monitoring of out going packages? how? I know
> it can monitor the receiving packages and directly write a new package
> into the specified network interface. How about the packages written
> by other network or transport protocols?

BPF monitors everything passing through the ethernet interface, regardless
of the protocol. This is done by 'tapping' the receive and transmit 
routines. Packets received by the hardware are copied and sent to any
processes that have established themselves as BPF listeners. Packets
sent to the driver transmit routine are also copied before being sent
out over the wire.

It is also possible to use BPF to send raw frames as well as receive
(this is how rarpd works).

> 2. Solaris seems to have a similar soft-driver called "Network
> Interface Tap". Has anybody used that before? Can it monitor both
> incoming and outgoing packages?

You're confusing two things. SunOS 4.1.x has NIT (Network Interface Tap)
which can only monitor inbound frames: you can't see the host's own
transmissions. Solaris 2.x uses DLPI (Data Link Provider Interface)
which is a System V approach to what BPF does. You can monitor both
inbound and outbound frames with DLPI.
 
> 3. Any similar programming interface in the socket level? 

Using raw sockets, you can intercept some traffic, but with limitations:

- protocols that the kernel understands (like IP) are processed internally
  by the kernel and not passed to user processes
- protocols not directly handled by the kernel can be received in raw
  sockets
- you can use a raw socket to send a complete IP datagram, but not
  receive them since the kernel handles IP itself
- you can't receive a complete ethernet frame with a raw socket: by the
  time the packet gets to the socket layer, the ethernet header has been
  removed

> 4. How about in HP-UX, Linux, and AIX?

For HP-UX 9.x you have to purchase the DLPI support package from HP
as it is not included with the OS. HP isn't supporting HP-UX 9 anymore,
so this may be tough to do.

HP-UX 10.x includes BPF support as part of the OS, so you don't need
to buy anything extra. (I have tcpdump for my HP-UX 10.20 machines.)
I think the same is true of HP-UX 11.

Linux uses SOCK_SEQPACKET sockets to accomplish what BPF does, if I
remember correctly.

AIX actually supports both DLPI and BPF, however the BPF kernel module
is not loaded by default. I recommend using BPF, but to get it to work
you need to run the tcpdump command supplied with AIX (/usr/sbin/tcpdump)
first; it will load the BPF module for you, and you can then use the
BPF support afterwards. (You don't need to keep tcpdump running: just
run it long enough for it to load the kernel module, then kill it.)
(If you're really clever and know how to load the BPF module yourself,
then you can do it manually.)

You forgot IRIX. SGI IRIX uses something called 'snoop' sockets. Being
based on System V it may also support DLPI.

The libpcap library (ftp.ee.lbl.gov:/libpcap.tar.Z) works on all these
platforms and provides a common interface that will make your life much
easier than if you tried to use all these system-dependent interfaces
yourself. Libpcap is also included with FreeBSD. _UNIX Network Programming
2nd Edition, Vol 1_ by Stevens also includes a section that describes
libpcap and gives examples on how to use it.

-Bill

-- 
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
=============================================================================
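The reply above describes BPF as a tap that hands every frame, received or transmitted, to a listener, with a filter program deciding which ones to copy. The following is an added example, not code from the e-mail or from FreeBSD's kernel: a minimal user-space interpreter for the classic BPF instruction set (the same opcode encoding as <net/bpf.h>), run over an Ethernet/IPv4/TCP frame constructed inline. The filter program is the one libpcap generates for the expression 'tcp dst port 80' (what `tcpdump -d` prints for it); the MAC addresses, IP addresses and ports in the frame are made up for the demonstration, and `verdict()` is a helper written for this example, not a BPF or libpcap API.

```c
/*
 * Added example: classic BPF interpreter over a constructed frame.
 * Not from the original message; frame contents are made up.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opcode encoding of classic BPF (same values as <net/bpf.h>). */
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_IND  0x40
#define BPF_MSH  0xa0
#define BPF_JEQ  0x10
#define BPF_JSET 0x40
#define BPF_K    0x00

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_STMT(c, k)       { (c), 0, 0, (k) }
#define BPF_JUMP(c, k, t, f) { (c), (t), (f), (k) }

/* Filter for 'tcp dst port 80' as libpcap compiles it (IPv6 branch included). */
static const struct bpf_insn tcp_dst_80[] = {
    BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 12),              /* A = ethertype             */
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x86dd, 0, 4),   /* IPv6? else -> insn 6      */
    BPF_STMT(BPF_LD|BPF_B|BPF_ABS, 20),              /* A = IPv6 next header      */
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 6, 0, 11),       /* TCP? else -> reject       */
    BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 56),              /* A = TCP dst port (v6)     */
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 80, 8, 9),
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0800, 0, 8),   /* IPv4? else -> reject      */
    BPF_STMT(BPF_LD|BPF_B|BPF_ABS, 23),              /* A = IPv4 protocol         */
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 6, 0, 6),        /* TCP? else -> reject       */
    BPF_STMT(BPF_LD|BPF_H|BPF_ABS, 20),              /* A = flags/fragment offset */
    BPF_JUMP(BPF_JMP|BPF_JSET|BPF_K, 0x1fff, 4, 0),  /* non-first fragment: drop  */
    BPF_STMT(BPF_LDX|BPF_B|BPF_MSH, 14),             /* X = IHL * 4               */
    BPF_STMT(BPF_LD|BPF_H|BPF_IND, 16),              /* A = TCP dst port          */
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 80, 0, 1),
    BPF_STMT(BPF_RET|BPF_K, 262144),                 /* accept: copy this many    */
    BPF_STMT(BPF_RET|BPF_K, 0),                      /* reject                    */
};

/* Big-endian load of `size` bytes at `off`; an out-of-bounds read rejects
 * the packet, which is what the kernel interpreter does too. */
static int load(const uint8_t *p, size_t len, uint32_t off, unsigned size, uint32_t *out)
{
    uint32_t v = 0;
    if (off > len || size > len - off)
        return 0;
    for (unsigned i = 0; i < size; i++)
        v = (v << 8) | p[off + i];
    *out = v;
    return 1;
}

/* Run a classic BPF program over a frame; returns the accept length (0 = drop). */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, v;
    size_t pc = 0;
    while (pc < n) {
        const struct bpf_insn *in = &prog[pc++];
        switch (in->code) {
        case BPF_LD|BPF_W|BPF_ABS:  if (!load(pkt, len, in->k, 4, &A)) return 0; break;
        case BPF_LD|BPF_H|BPF_ABS:  if (!load(pkt, len, in->k, 2, &A)) return 0; break;
        case BPF_LD|BPF_B|BPF_ABS:  if (!load(pkt, len, in->k, 1, &A)) return 0; break;
        case BPF_LD|BPF_W|BPF_IND:  if (!load(pkt, len, X + in->k, 4, &A)) return 0; break;
        case BPF_LD|BPF_H|BPF_IND:  if (!load(pkt, len, X + in->k, 2, &A)) return 0; break;
        case BPF_LD|BPF_B|BPF_IND:  if (!load(pkt, len, X + in->k, 1, &A)) return 0; break;
        case BPF_LDX|BPF_B|BPF_MSH: if (!load(pkt, len, in->k, 1, &v)) return 0; X = (v & 0xf) * 4; break;
        case BPF_JMP|BPF_JEQ|BPF_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case BPF_JMP|BPF_JSET|BPF_K: pc += (A & in->k) ? in->jt : in->jf; break;
        case BPF_RET|BPF_K: return in->k;
        default: return 0;          /* opcode outside this subset: reject */
        }
    }
    return 0;                       /* fell off the end: reject */
}

/* Constructed Ethernet II + IPv4 + TCP frame (54 bytes, no payload). */
#define FRAME_LEN 54
static size_t make_frame(uint8_t *f, uint8_t proto, uint16_t ipflags, uint16_t dport)
{
    static const uint8_t hdr[14] = {
        0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC (made up) */
        0x66,0x77,0x88,0x99,0xaa,0xbb,   /* src MAC (made up) */
        0x08,0x00 };                     /* ethertype IPv4    */
    memset(f, 0, FRAME_LEN);
    memcpy(f, hdr, sizeof hdr);
    f[14] = 0x45;                        /* version 4, IHL 5  */
    f[16] = 0; f[17] = 40;               /* total length 40   */
    f[20] = ipflags >> 8; f[21] = ipflags & 0xff;
    f[22] = 64;                          /* TTL               */
    f[23] = proto;
    memcpy(f + 26, "\x0a\x00\x00\x01", 4);   /* src 10.0.0.1 */
    memcpy(f + 30, "\x0a\x00\x00\x02", 4);   /* dst 10.0.0.2 */
    f[34] = 0xc0; f[35] = 0x01;          /* src port 49153    */
    f[36] = dport >> 8; f[37] = dport & 0xff;
    f[46] = 0x50;                        /* TCP data offset 5 */
    f[47] = 0x02;                        /* SYN               */
    return FRAME_LEN;
}

/* Helper for this example: build a frame, optionally truncate it to `len`
 * bytes (0 = whole frame), and return the filter's verdict. */
uint32_t verdict(uint8_t proto, uint16_t ipflags, uint16_t dport, size_t len)
{
    uint8_t f[FRAME_LEN];
    size_t n = make_frame(f, proto, ipflags, dport);
    if (len && len < n) n = len;
    return bpf_run(tcp_dst_80, sizeof tcp_dst_80 / sizeof tcp_dst_80[0], f, n);
}

int main(void)
{
    printf("TCP dst 80:            %u\n", verdict(6, 0x4000, 80, 0));
    printf("TCP dst 443:           %u\n", verdict(6, 0x4000, 443, 0));
    printf("UDP dst 80:            %u\n", verdict(17, 0x4000, 80, 0));
    printf("TCP dst 80, fragment:  %u\n", verdict(6, 0x0003, 80, 0));
    printf("TCP dst 80, truncated: %u\n", verdict(6, 0x4000, 80, 30));
    return 0;
}
```

Two things worth noticing. The filter operates on the complete frame starting at the Ethernet header, which is exactly what the raw-socket route in the message cannot give you; and nothing in the frame says whether it was received or transmitted, so a filter like this matches the host's own outgoing SYN to port 80 just as it matches an inbound one, which is the consequence of tapping both the receive and transmit routines. The fragment and truncation cases show why a filter checks the fragment offset and why out-of-range loads must fail closed: a filter that matched on the port field of a non-first fragment, or read past a short frame, would accept things it should not. In a real program the same instruction array would be handed to the kernel with pcap_setfilter() (or the BIOCSETF ioctl on a /dev/bpf device) rather than interpreted in user space.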
