Re: kernel level packet capturing

Hi,
    We have to implement a kernel module for capturing packets and
dumping them onto disk as part of our BE project.
We have decided to use PF_RING (a kernel module to capture packets) for
this because of its many advantages.

We now have to write a kernel module that will interact with the pf_ring
module to get data and dump it onto disk.
To do this we figured out two approaches:

1. pf_ring provides userland code to communicate with the kernel
module, which in turn uses the "socket" system call with the protocol
family specified as PF_RING (socket(PF_RING, SOCK_RAW, htons(ETH_P_ALL));) and
subsequently uses other functions like setsockopt to get packets.
So one approach could be to use the kernel counterparts of socket and
setsockopt and reuse the userland code in our kernel module (this would
save us from writing code to build some specific data structures and
handling exceptional conditions).

2. The second approach could be to identify the functions which capture
packets in the PF_RING kernel module and invoke them from our
kernel module.

Can anyone please comment on these approaches or tell us about other
options available? We essentially have to use the services provided by
the pf_ring module via a kernel module.

And what steps should we follow to accomplish these approaches?



PF_RING-specific questions (if anyone is aware of pf_ring, please answer this):
We went through the userland code of pf_ring and learned that
using pf_ring involves:
1. setting up the socket connection
2. binding the address
3. setting socket options
4. enabling the socket ring
5. using the packet_recv function to get packets
6. finally displaying the packets and closing the socket connection.
Is the procedure we figured out right?

We also found that the data we receive has two parts:
1. pfring_pkthdr
2. sk_buff struct

Is this correct?

We know this is not the right place to ask questions about pf_ring and
we are extremely sorry for this, but we posted the
same questions on the ntop mailing list and there was no response.

Thanking you,
Raviraj Joshi
PICT, Pune.

On Wed, Oct 19, 2011 at 6:07 PM, Benjamin Poirier
<benjamin.poirier@xxxxxxxxx> wrote:
> On 11/10/19 12:24, raviraj joshi wrote:
>> Hi,
>>
>> We are making a kernel level packet capture module as a part of our BE project.
>> We are finding it difficult to understand kernel networking code.
>> We studied structures and functions like sk_buff, netif_rx(),dev_alloc_skb.
>>
>> However we were not able to trace the actual path a simple packet follows.
>
> You might find
> http://vger.kernel.org/netconf2011_slides/jesse_brandeburg_netconf2011.pdf
> interesting. It contains call chains of UDP processing at all levels in
> the stack (driver, below ip stack, above ip stack) for tx and rx.
>
> -Ben
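The thread never gets to the "dump onto disk" half of the project. The following is an added example, not code from the thread, from PF_RING or from the kernel: it does that half in userland by writing the captured frame to a pcap file, which any analysis tool can read back. The capture header `cap_hdr` is constructed for the example and carries only the three per-packet fields a capture layer hands over (timestamp, captured length, wire length); `SNAPLEN` and the 42-byte Ethernet/IPv4/UDP sample frame are likewise constructed. The check a practitioner wants is in `pcap_record`: a record whose `caplen` exceeds `len` or the advertised snaplen is refused, because a record header that claims more bytes than the record carries misaligns every record after it in the file.

```c
/* Added example (not from the thread or from PF_RING): the disk-dump half
 * of the project done in userland as a pcap writer.  `cap_hdr`, `SNAPLEN`
 * and `sample_frame` are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define SNAPLEN 65535u          /* assumed snapshot length advertised in the file */
#define LINKTYPE_ETHERNET 1     /* pcap link-layer type for Ethernet frames */

struct cap_hdr {                /* minimal per-packet capture header (constructed) */
    struct timeval ts;
    uint32_t caplen;            /* bytes actually captured */
    uint32_t len;               /* bytes on the wire */
};

/* 24-byte pcap global header in host byte order; the magic 0xa1b2c3d4
 * tells readers the writer's endianness, so no byte swapping is needed. */
size_t pcap_global_header(uint8_t *out, uint32_t snaplen)
{
    uint32_t magic = 0xa1b2c3d4u, zero = 0, link = LINKTYPE_ETHERNET;
    uint16_t major = 2, minor = 4;
    uint8_t *p = out;
    memcpy(p, &magic, 4);   p += 4;
    memcpy(p, &major, 2);   p += 2;
    memcpy(p, &minor, 2);   p += 2;
    memcpy(p, &zero, 4);    p += 4;   /* thiszone: UTC */
    memcpy(p, &zero, 4);    p += 4;   /* sigfigs */
    memcpy(p, &snaplen, 4); p += 4;
    memcpy(p, &link, 4);    p += 4;
    return (size_t)(p - out);
}

/* One 16-byte record header followed by caplen bytes of packet data.
 * Returns 0 and writes nothing when the header is inconsistent (caplen
 * above len or above SNAPLEN) or the output buffer is too small. */
size_t pcap_record(uint8_t *out, size_t outlen,
                   const struct cap_hdr *h, const uint8_t *pkt)
{
    if (h->caplen > h->len || h->caplen > SNAPLEN || outlen < 16 + h->caplen)
        return 0;
    uint32_t sec = (uint32_t)h->ts.tv_sec, usec = (uint32_t)h->ts.tv_usec;
    uint8_t *p = out;
    memcpy(p, &sec, 4);        p += 4;
    memcpy(p, &usec, 4);       p += 4;
    memcpy(p, &h->caplen, 4);  p += 4;
    memcpy(p, &h->len, 4);     p += 4;
    memcpy(p, pkt, h->caplen); p += h->caplen;
    return (size_t)(p - out);
}

/* Constructed sample: a 42-byte Ethernet/IPv4/UDP header-only frame. */
static const uint8_t sample_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x1c,0x00,0x00,0x40,0x00,0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39,0x00,0x35,0x00,0x08,0x00,0x00
};

/* Assemble global header + one record for the sample frame into `buf`,
 * truncating the capture to 40 of its 42 bytes (caplen < len path).
 * Returns the total size, 24 + 16 + 40 = 80, or 0 on failure. */
size_t build_sample(uint8_t *buf, size_t buflen)
{
    struct cap_hdr h = { { 1319000000, 123456 }, 40, sizeof sample_frame };
    if (buflen < 24) return 0;
    size_t n = pcap_global_header(buf, SNAPLEN);
    size_t r = pcap_record(buf + n, buflen - n, &h, sample_frame);
    return r ? n + r : 0;
}

/* Returns 1 if a header claiming caplen > len is refused. */
int rejects_bad_caplen(void)
{
    uint8_t out[128];
    struct cap_hdr bad = { { 0, 0 }, 50, sizeof sample_frame };
    return pcap_record(out, sizeof out, &bad, sample_frame) == 0;
}

/* Write the sample capture to `path`; returns bytes written (80 on success). */
size_t dump_sample(const char *path)
{
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof buf);
    FILE *f = n ? fopen(path, "wb") : NULL;
    if (!f) return 0;
    size_t w = fwrite(buf, 1, n, f);
    fclose(f);
    return w;
}

int main(void)
{
    size_t n = dump_sample("/tmp/capture_example.pcap");
    printf("wrote %zu bytes\n", n);
    return n == 80 ? 0 : 1;
}
```

Opening /tmp/capture_example.pcap in tcpdump or Wireshark shows one truncated frame (captured 40 of 42 bytes); the same writer fed from a real capture loop would append one `pcap_record` per received packet after the single global header.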
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html