Date:      Thu, 21 May 1998 11:06:13 -0700 (PDT)
From:      "L.C." <lc001@yahoo.com>
To:        hackers@FreeBSD.ORG
Subject:   Re: Questions about Packet Filter
Message-ID:  <19980521180613.19279.rocketmail@send1d.yahoomail.com>

Many thanks to all the knowledgeable people for the valuable
information. I will read the book you mentioned, try the methods you
suggested and do more research on these.

I developed drivers about two years ago to intercept the packages at
the link layer (NDIS in Windows...) and just finished a project to
intercept the data stream at the socket level (LSP in WinSock2). I need
to port all this Windows code to possible UNIX platforms. I've done
some UNIX programming at both kernel and application level before but
never played with BPF or DLPI rationales. I do have further questions:

1. Are the ipfilter tools using the divert() function that Mike and Dan
mentioned available somewhere? I may have two UNIX projects for two
different groups in my company. One is just monitoring and the other
one is to intercept the packages. I think BPF and DLPI may satisfy my
first need but not the second one.

2. So, is there no way, tool, or utility that can intercept the data
flowing at the socket level (like LSP in WinSock2)? Any plans about this?

Thanks,
Carl




---Bill Paul <wpaul@skynet.ctr.columbia.edu> wrote:
>
> Of all the gin joints in all the towns in all the world, C L had to walk
> into mine and say:
> 
> > Very appreciated if anybody can answer the questions:
> > 
> > 1. Does BPF support the monitoring of outgoing packages? How? I know
> > it can monitor the receiving packages and directly write a new package
> > into the specified network interface. How about the packages written
> > by other network or transport protocols?
> 
> BPF monitors everything passing through the ethernet interface, regardless
> of the protocol. This is done by 'tapping' the receive and transmit
> routines. Packets received by the hardware are copied and sent to any
> processes that have established themselves as BPF listeners. Packets
> sent to the driver transmit routine are also copied before being sent
> out over the wire.
> 
> It is also possible to use BPF to send raw frames as well as receive
> (this is how rarpd works).
> 
> > 2. Solaris seems to have a similar soft-driver called "Network
> > Interface Tap". Anybody use that before? Can it monitor both
> > incoming and outgoing packages?
> 
> You're confusing two things. SunOS 4.1.x has NIT (Network Interface Tap)
> which can only monitor inbound frames: you can't see the host's own
> transmissions. Solaris 2.x uses DLPI (Data Link Provider Interface)
> which is a System V approach to what BPF does. You can monitor both
> inbound and outbound frames with DLPI.
> 
> > 3. Any similar programming interface in the socket level?
> 
> Using raw sockets, you can intercept some traffic, but with limitations:
> 
> - protocols that the kernel understands (like IP) are processed internally
>   by the kernel and not passed to user processes
> - protocols not directly handled by the kernel can be received in raw
>   sockets
> - you can use a raw socket to send a complete IP datagram, but not
>   receive them since the kernel handles IP itself
> - you can't receive a complete ethernet frame with a raw socket: by the
>   time the packet gets to the socket layer, the ethernet header has been
>   removed
> 
> > 4. How about in HP-UX, Linux, and AIX?
> 
> For HP-UX 9.x you have to purchase the DLPI support package from HP
> as it is not included with the OS. HP isn't supporting HP-UX 9 anymore,
> so this may be tough to do.
> 
> HP-UX 10.x includes BPF support as part of the OS, so you don't need
> to buy anything extra. (I have tcpdump for my HP-UX 10.20 machines.)
> I think the same is true of HP-UX 11.
> 
> Linux uses SOCK_SEQPACKET sockets to accomplish what BPF does, if I
> remember correctly.
> 
> AIX actually supports both DLPI and BPF, however the BPF kernel module
> is not loaded by default. I recommend using BPF, but to get it to work
> you need to run the tcpdump command supplied with AIX (/usr/sbin/tcpdump)
> first; it will load the BPF module for you, and you can then use the
> BPF support afterwards. (You don't need to keep tcpdump running: just
> run it long enough for it to load the kernel module, then kill it.)
> (If you're really clever and know how to load the BPF module yourself,
> then you can do it manually.)
> 
> You forgot IRIX. SGI IRIX uses something called 'snoop' sockets. Being
> based on System V it may also support DLPI.
> 
> The libpcap library (ftp.ee.lbl.gov:/libpcap.tar.Z) works on all these
> platforms and provides a common interface that will make your life much
> easier than if you tried to use all these system-dependent interfaces
> yourself. Libpcap is also included with FreeBSD. _UNIX Network Programming
> 2nd Edition, Vol 1_ by Stevens also includes a section that describes
> libpcap and gives examples on how to use it.
> 
> -Bill
> 
> -- 
> =============================================================================
> -Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
> Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
> Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
> =============================================================================
>  "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
> =============================================================================
> 
 
==

**_____________

Have a nice day
_______________**
_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
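An added example, not part of this thread and not code from FreeBSD or libpcap, of the mechanism Bill describes: the frame copy that the receive and transmit taps hand to BPF is run through a small filter program before it is copied to a listener. The interpreter below implements the handful of classic-BPF opcodes used by the filter `ip and tcp dst port 80`, with the program as `tcpdump -dd` prints it for an Ethernet interface, and drops any frame that a load would read past the end of, as the kernel's interpreter does. The frames it is run over are constructed inline, not captured; all offsets assume the 14-byte Ethernet header is still in front of the IP header, which is exactly the header a raw socket would already have stripped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One classic-BPF instruction, laid out like struct bpf_insn in <net/bpf.h>. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values (class|size|mode) for the subset this interpreter supports;
 * they are the same numbers "tcpdump -dd" prints. */
#define OP_LDH_ABS  0x28  /* A = 16-bit big-endian load at p[k] */
#define OP_LDB_ABS  0x30  /* A = p[k] */
#define OP_LDH_IND  0x48  /* A = 16-bit big-endian load at p[X + k] */
#define OP_LDXB_MSH 0xb1  /* X = 4 * (p[k] & 0xf): the IPv4 header length */
#define OP_JEQ_K    0x15  /* pc += (A == k) ? jt : jf */
#define OP_JSET_K   0x45  /* pc += (A & k) ? jt : jf */
#define OP_RET_K    0x06  /* return k: bytes of the frame to copy, 0 = drop */

/* Runs a filter program over one frame. Returns the number of bytes the
 * listener should receive, or 0 to drop the frame. Any load that would
 * read past the end of the frame drops it instead of reading garbage. */
uint32_t bpf_filter(const struct bpf_insn *prog, size_t ninsn,
                    const uint8_t *p, size_t len)
{
    uint32_t A = 0, X = 0;
    size_t pc = 0;

    while (pc < ninsn) {
        const struct bpf_insn *in = &prog[pc++];
        size_t k = in->k;
        switch (in->code) {
        case OP_LDH_ABS:
            if (k + 2 > len) return 0;
            A = (uint32_t)p[k] << 8 | p[k + 1];
            break;
        case OP_LDB_ABS:
            if (k >= len) return 0;
            A = p[k];
            break;
        case OP_LDH_IND:
            if (X + k + 2 > len) return 0;
            A = (uint32_t)p[X + k] << 8 | p[X + k + 1];
            break;
        case OP_LDXB_MSH:
            if (k >= len) return 0;
            X = 4u * (p[k] & 0x0f);
            break;
        case OP_JEQ_K:
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case OP_JSET_K:
            pc += (A & in->k) ? in->jt : in->jf;
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;  /* opcode outside the supported subset: drop */
        }
    }
    return 0;  /* ran off the end of the program: drop */
}

/* The program "tcpdump -dd 'ip and tcp dst port 80'" emits for an Ethernet
 * interface. Offsets assume the 14-byte Ethernet header is present. */
static const struct bpf_insn tcp_dport_80[] = {
    { 0x28, 0, 0, 0x0000000c },  /* ldh [12]           ethertype             */
    { 0x15, 0, 8, 0x00000800 },  /* jeq #0x800         jt 2  jf 10           */
    { 0x30, 0, 0, 0x00000017 },  /* ldb [23]           IP protocol           */
    { 0x15, 0, 6, 0x00000006 },  /* jeq #6 (TCP)       jt 4  jf 10           */
    { 0x28, 0, 0, 0x00000014 },  /* ldh [20]           flags + fragment offset */
    { 0x45, 4, 0, 0x00001fff },  /* jset #0x1fff       jt 10 jf 6: later fragment carries no TCP header */
    { 0xb1, 0, 0, 0x0000000e },  /* ldxb 4*([14]&0xf)  X = IP header length  */
    { 0x48, 0, 0, 0x00000010 },  /* ldh [x + 16]       TCP destination port  */
    { 0x15, 0, 1, 0x00000050 },  /* jeq #80            jt 9  jf 10           */
    { 0x06, 0, 0, 0x00040000 },  /* ret #262144        accept                */
    { 0x06, 0, 0, 0x00000000 },  /* ret #0             drop                  */
};
#define NINSN (sizeof tcp_dport_80 / sizeof tcp_dport_80[0])

/* Builds a constructed (not captured) Ethernet/IPv4/TCP frame in buf with
 * only the fields the filter inspects filled in. Returns the frame length. */
size_t build_frame(uint8_t buf[54], uint16_t ethertype, uint8_t proto,
                   uint16_t frag_field, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = ethertype >> 8;  buf[13] = ethertype & 0xff;
    buf[14] = 0x45;                                     /* IPv4, IHL = 5 words */
    buf[20] = frag_field >> 8; buf[21] = frag_field & 0xff;
    buf[23] = proto;
    buf[36] = dport >> 8;      buf[37] = dport & 0xff;  /* TCP dst port at 34+2 */
    return 54;
}

/* Builds a frame, optionally truncates it to trunc_len bytes (as a short
 * snaplen or a damaged frame would), and runs the filter over it. */
uint32_t filter_constructed(uint16_t ethertype, uint8_t proto,
                            uint16_t frag_field, uint16_t dport, size_t trunc_len)
{
    uint8_t buf[54];
    size_t len = build_frame(buf, ethertype, proto, frag_field, dport);
    if (trunc_len < len) len = trunc_len;
    return bpf_filter(tcp_dport_80, NINSN, buf, len);
}

int main(void)
{
    printf("tcp/80:               %u\n", (unsigned)filter_constructed(0x0800, 6, 0x4000, 80, 54));
    printf("tcp/443:              %u\n", (unsigned)filter_constructed(0x0800, 6, 0x4000, 443, 54));
    printf("udp/80:               %u\n", (unsigned)filter_constructed(0x0800, 17, 0x4000, 80, 54));
    printf("tcp/80, 2nd fragment: %u\n", (unsigned)filter_constructed(0x0800, 6, 0x0001, 80, 54));
    printf("tcp/80, 30 bytes:     %u\n", (unsigned)filter_constructed(0x0800, 6, 0x4000, 80, 30));
    return 0;
}
```

On a real system the same program is installed on a /dev/bpf descriptor with the BIOCSETF ioctl, or through libpcap's pcap_compile() and pcap_setfilter(), and the kernel evaluates it on both the receive and the transmit tap, which is why a listener sees the host's own outgoing frames as well. Two details worth noticing: the fragment test in instruction 5 rejects non-first fragments because their payload is not a TCP header, and the bounds checks mean a truncated frame is dropped rather than matched on bytes that do not exist.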


