On Wed, 2003-06-04 at 23:25, Suvidh Mathur wrote: > > > >I wish to capture *all* packets flowing through a Linux system in order > >to act upon it (delay, drop, inject additional packets). > > > >For incoming packets, I need to simply record some > >accounting/control/state information from the packets and then send them > >on their way up the stack. > > Since you just need to record some info from each packet, using network tap > should suffice. If I remember correctly, ARP also uses tap, but for > ETH_P_ARP. I am not quite sure what you mean by this. Are you alluding to the the registration of the arp_packet_type with the arp_rcv() function? > > > >For outgoing packets, I need to queue them and then based on the control > >information that I have gathered, drop them, or release them or inject > >other packets into the outgoing queues. > > > >Currently, I see the following choices: > > > >1. Hack Netfilter to capture these packets and QUEUE them? Then process > >them in userspace and reinject them if necessary. > > Possible only for IPv4. QUEUEing not yet there for IPv6 Good point. But IPv6 is not a concern currently. > > > >Q. What are the latencies experienced in transferring packets to > >userspace? > > Huge. Transferring every packet to user space (even if you use mmmap) would > _slow_ the system down. Slightly better if you can filter the packets and > copy only the required ones to user space. Do you have any numbers for the latencies? Any links? I can't filter, I need'em all. > > > >2. Create a custom 'slice' to capture packets: > >- For incoming packets this might in net_bh() or maybe a new bottom half > >that is scheduled instead of net_bh from netif_rx(). This new BH will > >then call net_bh after it is done with its processing. > > Feasible, but I'd prefer the network tap way. > > >- For outgoing packets this could be one of the ip_*_output() routines > >in ip_output.c that would pass the packet to my code which would then > >pass them to ip_finish_output (or something similar) when the packet > >needs to be sent out. > > > >Does anybody have any comments on this? I am concerned about the > >latencies involved in moving all packets to userspace using netfilter. > > > >Q. Is it possible to queue packets inside the kernel some place using > >netfilter? > > Yes. If you use NF_STOLEN, instead of NF_QUEUE, the stack will give the > packet to your netfilter handler and forget about it. In your handler, you > can queue / process anything. For reinjecting, call the function passed > to your handler alongwith the packet. Then that should take care of the kernel-to-userspace latencies, right? I could have a module which deals with the processing of these STOLEN packets. > > > >Q. Whats the best way to capture ARP packets? > > For outgoing you cannot use netfilter coz arp directly calls > dev_queue_xmit. Again, dev_queue_xmit_nit can do it for you. Again, do you mean a user-space tap using libraries such as libpcap? > HTH, > Suvidh That helped a lot....Thanks. Regards, Amit -- ---------------------------------------------------------------------- Amit Kucheria akucheria@<NOSPAM>metricsystems.com Metric Systems Corp. 2320 Cousteau Court, Suite 201, Vista, CA 92083 ---------------------------------------------------------------------- - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
