Nmap Development mailing list archives
Re: pcap_register
From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 26 Feb 2010 16:49:13 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/26/2010 05:59 AM, majek04 wrote:
> I haven't been following the whole discussion, so excuse me if I answer the wrong questions.

No worries. However, I guess I still don't fully grasp the NSE pcap API wrt filters :) Thanks for replying.

> - next thing is that pcap descriptors aren't selectable - so having a few hundred of them in the nsock loop will really be inefficient.

Hmm.. but you can get selectable pcap descriptors, as done in tcpip.cc. It doesn't work for every OS of course, but it's something to consider.

> Consider code in nmap core, for example SYN scan. We open one file descriptor to catch all the SYN packets. If we have less than 20 hosts, we hardcode their ip-addresses in the BPF; if more, then we catch every possible SYN packet and do the dispatching ourselves.

Sure.

> That's exactly how the Pcap infrastructure is done in NSE. We open one pcap descriptor for a script type, with one BPF. This BPF should be generic enough to catch everything for all the scripts of this kind.

This makes some sense from an implementation perspective, but not at all from a script writer's point of view. So unlike the SYN processing example, I guess NSE never keeps separate descriptors for individual scripts? The issue that brought about this subthread occurred with just two hosts. However, when I run with --script-trace, it says the pcap descriptor is successfully opened and it prints the filter the script uses. Even when I run with multiple hosts, it says multiple pcaps were created, with the individual filters printed. When does this change to the single descriptor with a generic filter?

> So I want one pcap descriptor for the .nse script file. Hopefully, I assume that we won't have a few hundred scripts that use pcap. Then, after the BPF is hooked into the machinery, we actually do the pcap_register() which tells: "oh, btw. this particular script is interested only in packets that match this signature".

So basically this is what I'm seeing, but contrary to my current understanding:
1) In a script, I open a pcap descriptor with a filter, supposedly to filter my script's results.
2) When running a script against multiple hosts, --script-trace tells me multiple pcap fds are opened with separate filters, just like the script tells it to use.
3) But really there are fewer descriptors with generic filters, and pcap_register() is primarily used for narrowing down received packets.
My whole thing is that if #3 overrides #1 and #2, then what's the point of a script passing a filter at all?

> Does that answer your questions?

It started to, but hopefully my new questions narrow down my concern. I know I can read the code for some answers, but I think explanations from you would be far more helpful.

> Cheers!
> Marek Majkowski

Thanks,
Kris Katterjohn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJLiE/oAAoJEEQxgFs5kUfuv5AP+wdu0ht+MkL2hy6XufG2j5fJ
T7p+/6O1mgx8rROXtq10aNtO06a9ylu1im1Yv1iuuGhuhpKLkecddBAE+Pd3xbAO
aobQe3fyfUvw6aXWUo8HmwB+/xsiN1y5hSWlRtXRsM0l61hge+WfnXyLd3eYHJ+V
PvBs1e/0U/GLc7FLU5DC7yuovxS/9VES8fWbb+Dgd9gulN576vnsukHdPhWCskKP
/NxBTUBTcsdE65Dx2u3gZfw9gURexv6+PehTn0IH2rDqqQ1Z0NrVW3sE4STLN7jQ
c1txOEk6VQ6WdZbwpADytM4Mn8hIBXIS6zsVoXlw8K7SCvkkZKneCD6dlGYjm4Pv
WSwmGtIRLQpXF8KD7gURtzps77U/Mdb20MJncfzfB/91o0wWlbT1zDxy+gkUJ3Ys
zmX7imWrS257tUi+zgmEGUMgetcf+c9cuHz8IG274JS4tJnizmpin1V9ORSmyj4e
xc1iK6vL3WCXWLl5iZRjeWDM8/dlqZSNYbeMA6Ia9MY5LtNDU7y+SdRF7fHJW0Oj
lZ4vNJ63Pqs6iEpcL8mrCorjJ5AtFfQCOvI0Z+UiG9HQNbinaGZ1ZysIj7x2lPul
x2YAbNGEKOgRAaeMLSWrXS0RmNKQupENpsNY63uBZKRHLt2Gkow2gytBPVU34fe2
nFurhY8C62Ji8TfEbbiU
=LWN6
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
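The two-layer design Marek describes (one capture descriptor per script type with a coarse BPF, target addresses folded into that BPF only below a host-count threshold, and pcap_register() narrowing delivery to the packets each script signed up for) can be sketched as a small simulation. This is an added illustration, not Nmap's NSE or nsock code: the threshold constant MAX_HOSTS_IN_BPF, the CaptureHub class and its method names, the dict packet representation and the kernel-side drop it models are all assumptions, and the traffic is constructed.

```python
"""Simulation of coarse BPF + per-script signature dispatch (added example,
modelled on the thread's description; not Nmap's implementation)."""
import ipaddress
from collections import defaultdict

# Threshold from the thread: below this many targets the addresses are
# compiled into the BPF, above it the filter stays generic. (Assumed name.)
MAX_HOSTS_IN_BPF = 20


def build_bpf(proto_expr, hosts):
    """Build the coarse capture filter for one script type.

    proto_expr: the generic per-type expression (e.g. a SYN/ACK match).
    hosts:      IPv4 target addresses; folded into the filter only when
                there are fewer than MAX_HOSTS_IN_BPF of them.
    """
    valid = sorted(set(hosts), key=ipaddress.ip_address)  # rejects junk early
    if len(valid) < MAX_HOSTS_IN_BPF:
        host_expr = " or ".join(f"src host {h}" for h in valid)
        return f"{proto_expr} and ({host_expr})"
    return proto_expr


class CaptureHub:
    """One capture descriptor shared by every instance of a script type.

    Scripts call register() with the exact signature they care about (the
    pcap_register() idea); feed() first applies the drop the kernel-side BPF
    would apply, then hands the packet only to scripts whose signature
    matches. Hypothetical class, not NSE's API.
    """

    def __init__(self, proto_expr, hosts, key_fn):
        self.hosts = set(hosts)
        self.bpf = build_bpf(proto_expr, hosts)
        self.hosts_in_bpf = len(self.hosts) < MAX_HOSTS_IN_BPF
        self.key_fn = key_fn                    # packet -> signature
        self.registry = defaultdict(list)       # signature -> [script names]
        self.delivered = defaultdict(list)      # script name -> [packets]
        self.stats = {"bpf_dropped": 0, "unclaimed": 0, "delivered": 0}

    def register(self, script, signature):
        """Record that `script` wants packets whose key equals `signature`."""
        self.registry[signature].append(script)

    def feed(self, packet):
        """Offer one captured packet; return how many scripts received it."""
        # Stage 1: what the in-kernel BPF would already have discarded.
        if self.hosts_in_bpf and packet["src"] not in self.hosts:
            self.stats["bpf_dropped"] += 1
            return 0
        # Stage 2: userspace dispatch on the registered signature.
        scripts = self.registry.get(self.key_fn(packet), [])
        if not scripts:
            self.stats["unclaimed"] += 1      # reached us, nobody wanted it
            return 0
        for name in scripts:
            self.delivered[name].append(packet)
        self.stats["delivered"] += 1
        return len(scripts)


SYNACK = "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)"


def src_dst_key(pkt):
    """Signature a script registers for: (source, destination) pair."""
    return (pkt["src"], pkt["dst"])


def demo():
    """Two targets (below threshold), so the hosts end up inside the BPF."""
    hub = CaptureHub(SYNACK, ["10.0.0.5", "10.0.0.6"], src_dst_key)
    hub.register("script-A vs 10.0.0.5", ("10.0.0.5", "10.0.0.1"))
    hub.register("script-A vs 10.0.0.6", ("10.0.0.6", "10.0.0.1"))
    packets = [  # constructed traffic
        {"src": "10.0.0.5", "dst": "10.0.0.1", "flags": "SA"},
        {"src": "10.0.0.6", "dst": "10.0.0.1", "flags": "SA"},
        {"src": "10.0.0.9", "dst": "10.0.0.1", "flags": "SA"},  # not a target
        {"src": "10.0.0.5", "dst": "10.0.0.2", "flags": "SA"},  # unregistered dst
    ]
    counts = [hub.feed(p) for p in packets]
    return hub, counts


if __name__ == "__main__":
    hub, counts = demo()
    print(hub.bpf)
    print(counts, hub.stats)
```

With 20 or more targets build_bpf() returns only the protocol expression, so the stray-host packet is no longer dropped by the filter and shows up as "unclaimed" in userspace, which is the "do the dispatching ourselves" case from the SYN-scan comparison.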