Date: Thu, 21 May 1998 09:45:50 -0400 (EDT)
From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: lc001@yahoo.com (C L)
Cc: hackers@FreeBSD.ORG
Subject: Re: Questions about Packet Filter
Message-ID: <199805211345.JAA19634@skynet.ctr.columbia.edu>
In-Reply-To: <19980520191129.18098.rocketmail@send1b.yahoomail.com> from "C L" at May 20, 98 12:11:29 pm
Of all the gin joints in all the towns in all the world, C L had to walk into mine and say:

> Very appreciated if anybody can answer the questions:
>
> 1. Does BPF support the monitoring of outgoing packages? How? I know
> it can monitor the receiving packages and directly write a new package
> into the specified network interface. How about the packages written
> by other network or transport protocols?

BPF monitors everything passing through the ethernet interface, regardless of the protocol. This is done by 'tapping' the receive and transmit routines. Packets received by the hardware are copied and sent to any processes that have established themselves as BPF listeners. Packets sent to the driver transmit routine are also copied before being sent out over the wire. It is also possible to use BPF to send raw frames as well as receive (this is how rarpd works).

> 2. Solaris seems to have a similar soft-driver called "Network
> Interface Tap". Anybody use that before? Can it monitor both
> incoming and outgoing packages?

You're confusing two things. SunOS 4.1.x has NIT (Network Interface Tap) which can only monitor inbound frames: you can't see the host's own transmissions. Solaris 2.x uses DLPI (Data Link Provider Interface) which is a System V approach to what BPF does. You can monitor both inbound and outbound frames with DLPI.

> 3. Any similar programming interface in the socket level?

Using raw sockets, you can intercept some traffic, but with limitations:

- protocols that the kernel understands (like IP) are processed internally by the kernel and not passed to user processes
- protocols not directly handled by the kernel can be received in raw sockets
- you can use a raw socket to send a complete IP datagram, but not receive them since the kernel handles IP itself
- you can't receive a complete ethernet frame with a raw socket: by the time the packet gets to the socket layer, the ethernet header has been removed

> 4. How about in HP-UX, Linux, and AIX?
For HP-UX 9.x you have to purchase the DLPI support package from HP as it is not included with the OS. HP isn't supporting HP-UX 9 anymore, so this may be tough to do. HP-UX 10.x includes BPF support as part of the OS, so you don't need to buy anything extra. (I have tcpdump for my HP-UX 10.20 machines.) I think the same is true of HP-UX 11.

Linux uses SOCK_SEQPACKET sockets to accomplish what BPF does, if I remember correctly.

AIX actually supports both DLPI and BPF, however the BPF kernel module is not loaded by default. I recommend using BPF, but to get it to work you need to run the tcpdump command supplied with AIX (/usr/sbin/tcpdump) first; it will load the BPF module for you, and you can then use the BPF support afterwards. (You don't need to keep tcpdump running: just run it long enough for it to load the kernel module, then kill it.) (If you're really clever and know how to load the BPF module yourself, then you can do it manually.)

You forgot IRIX. SGI IRIX uses something called 'snoop' sockets. Being based on System V it may also support DLPI.

The libpcap library (ftp.ee.lbl.gov:/libpcap.tar.Z) works on all these platforms and provides a common interface that will make your life much easier than if you tried to use all these system-dependent interfaces yourself. Libpcap is also included with FreeBSD. _UNIX Network Programming 2nd Edition, Vol 1_ by Stevens also includes a section that describes libpcap and gives examples on how to use it.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
=============================================================================
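As an added example (not part of Bill's reply, nor code from libpcap or any of the platforms he lists), here is the per-frame logic a BPF or libpcap listener would run to act on the two points above: the tap copies both received and transmitted frames with the Ethernet header still attached, so a listener can tell the host's own transmissions from inbound traffic by comparing the source MAC with the interface's address (an assumed heuristic, not something the tap reports), and the IP datagram that a raw socket would have handed over starts at byte 14. The MAC addresses and the sample frame are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN 14  /* dst(6) + src(6) + ethertype(2) */
enum frame_dir { DIR_INBOUND, DIR_OUTBOUND, DIR_OTHER, DIR_TRUNCATED };
struct frame_info {
    enum frame_dir dir;
    uint16_t ethertype;      /* host byte order */
    const uint8_t *payload;  /* where a raw IP socket's data would begin */
    size_t payload_len;
};

/* Classify one frame as the BPF tap hands it over (Ethernet header intact).
 * Assumed heuristic: src MAC == ours means the host sent it; dst == ours or
 * broadcast means it arrived for us; anything else is third-party traffic
 * seen only because the interface is in promiscuous mode. */
struct frame_info classify_frame(const uint8_t *frame, size_t len,
                                 const uint8_t ifmac[6])
{
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    struct frame_info fi = { DIR_TRUNCATED, 0, NULL, 0 };
    if (len < ETH_HLEN)               /* runt capture: never index past it */
        return fi;
    fi.ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    fi.payload = frame + ETH_HLEN;
    fi.payload_len = len - ETH_HLEN;
    if (memcmp(frame + 6, ifmac, 6) == 0)
        fi.dir = DIR_OUTBOUND;
    else if (memcmp(frame, ifmac, 6) == 0 || memcmp(frame, bcast, 6) == 0)
        fi.dir = DIR_INBOUND;
    else
        fi.dir = DIR_OTHER;
    return fi;
}

/* Constructed sample MACs (locally administered, not real hosts). */
static const uint8_t OUR_MAC[6]  = {0x02,0,0,0,0,0x01};
static const uint8_t PEER_MAC[6] = {0x02,0,0,0,0,0x02};

/* Build a constructed IPv4 frame (zeroed 20-byte IP header); returns its length. */
size_t build_frame(uint8_t *buf, const uint8_t *dst, const uint8_t *src)
{
    memcpy(buf, dst, 6); memcpy(buf + 6, src, 6);
    buf[12] = 0x08; buf[13] = 0x00;   /* ethertype IPv4 */
    memset(buf + ETH_HLEN, 0, 20);
    buf[ETH_HLEN] = 0x45;             /* version 4, IHL 5 */
    return ETH_HLEN + 20;
}
```

In a real capture loop, `classify_frame` would be called from the pcap per-packet callback with the captured length from the pcap header as `len`, which is why the runt check comes before any header access.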