Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   netsniff-ng    ( 8 )

зверь, обнюхивающий пакеты (the packet sniffing beast)

Ошибки (баги) (Bugs)

When replaying pcap files, the timing information from the pcap packet header is currently ignored.

Also, when replaying pcap files, demultiplexing traffic among multiple networking interfaces does not work. Currently, it is only sent via the interface that is given by the --out parameter.

When performing traffic capture on the Ethernet interface, the pcap file is created and packets are received but without a 802.1Q header. When one uses tshark, all headers are visible, but netsniff-ng removes 802.1Q headers. Is that normal behavior?

Yes and no. The way VLAN headers are handled in PF_PACKET sockets by the kernel is somewhat 'problematic' [1]. The problem in the Linux kernel is that some drivers already handle VLANs, others do not. Those who handle it can have different implementations, such as hardware acceleration and so on. So in some cases the VLAN tag is even stripped before entering the protocol stack, in some cases probably not. The bottom line is that a "hack" was introduced in PF_PACKET so that a VLAN ID is visible in some helper data structure that is accessible from the RX_RING.

Then it gets really messy in the user space to artificially put the VLAN header back into the right place. Not to mention the resulting performance implications on all of libpcap(3) tools since parts of the packet need to be copied for reassembly via memmove(3).

A user reported the following, just to demonstrate this mess: some tests were made with two machines, and it seems that results depend on the driver ...

AR8131: ethtool -k eth0 gives "rx-vlan-offload: on" - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header ethtool -K eth0 rxvlan off - wireshark gets a QinQ header even though no one sent QinQ - netsniff-ng gets the vlan header

RTL8111/8168B: ethtool -k eth0 gives "rx-vlan-offload: on" - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header ethtool -K eth0 rxvlan off - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header

Even if we agreed on doing the same workaround as libpcap, we still will not be able to see QinQ, for instance, due to the fact that only one VLAN tag is stored in the kernel helper data structure. We think that there should be a good consensus on the kernel space side about what gets transferred to userland first.

Update (28.11.2012): the Linux kernel and also bpfc(8) has built- in support for hardware accelerated VLAN filtering, even though tags might not be visible in the payload itself as reported here. However, the filtering for VLANs works reliable if your NIC supports it. See bpfc(8) for an example.

[1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html [2] http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html [3] http://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html