Nmap Development mailing list archives

Re: pcap_register


From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 26 Feb 2010 16:49:13 -0600


On 02/26/2010 05:59 AM, majek04 wrote:
> I haven't been following the whole discussion, so excuse me if
> I answer the wrong questions.


No worries.  However, I guess I still don't fully grasp the NSE pcap API wrt
filters :)

Thanks for replying.

>  - next thing is that pcap descriptors aren't selectable - so having
>    a few hundred of them in the nsock loop will really be inefficient.

Hmm.. but you can get selectable pcap descriptors, as done in tcpip.cc.  It
doesn't work for every OS of course, but it's something to consider.

> Consider code in nmap core, for example SYN scan. We open one
> file descriptor to catch all the SYN packets. If we have less than 20
> hosts, we hardcode their IP addresses in the BPF; if more, then
> we catch every possible SYN packet and do the dispatching ourselves.

Sure.

> That's exactly how the Pcap infrastructure is done in NSE.
> We open one pcap descriptor for a script type, with one BPF.
> This BPF should be generic enough to catch everything for
> all the scripts of this kind.

This makes some sense from an implementation perspective, but not at all from
a script writer's point of view.  So unlike the SYN processing example, I
guess NSE never keeps separate descriptors for individual scripts?  The issue
bringing this subthread about occurred with just two hosts.

However when I run with --script-trace, it says the pcap descriptor is
successfully opened and it prints the filter the script uses.  Even when I run
with multiple hosts, it says multiple pcaps were created with the individual
filters printed.  When does this change to the single descriptor with a
generic filter?

> So I want one pcap descriptor for the .nse script file.
> Hopefully, I assume that we won't have a few hundred scripts
> that use pcap.
>
> Then, after the BPF is hooked into the machinery, we actually
> do the pcap_register() which tells: "oh, btw. this particular
> script is interested only in packets that match this signature".

So basically this is what I'm seeing, but contrary to my current understanding:

1) In a script, I open a pcap descriptor with a filter, supposedly to filter
my script's results.
2) When running a script against multiple hosts, --script-trace tells me
multiple pcap fds are opened with separate filters, just like the script tells
it to use
3) But really there are fewer descriptors with generic filters, and
pcap_register() is primarily used for narrowing down received packets

My whole thing is that if #3 overrides #1 and #2, then what's the point of a
script passing a filter at all?

> Does that answer your questions?

It started to, but hopefully my new questions narrow down my concern.  I know
I can read the code for some answers, but I think explanations from you would
be far more helpful.

> Cheers!
>   Marek Majkowski

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
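The two-stage model Marek describes (one shared capture descriptor whose BPF lists the target addresses explicitly only below a host threshold, with per-script signatures applied afterwards in userland the way pcap_register() does) is sketched below as an added example. This is not Nmap or NSE code; the 20-host threshold is taken from the thread, while the filter syntax, the packet dictionaries and the Dispatcher class are assumptions constructed for illustration.

```python
import ipaddress

# Threshold quoted in the thread: fewer than 20 hosts get explicit addresses.
HARDCODE_LIMIT = 20


def build_bpf(targets, limit=HARDCODE_LIMIT):
    """Return the BPF expression for one shared capture descriptor.

    Below the limit every target address is written into the filter so the
    kernel drops everything else; at or above it a generic filter is used
    and the per-host dispatching happens in userland (see Dispatcher).
    """
    addrs = [str(ipaddress.ip_address(t)) for t in targets]  # validates input
    if 0 < len(addrs) < limit:
        hosts = " or ".join(f"src host {a}" for a in addrs)
        return f"tcp and ({hosts})"
    return "tcp"  # generic filter; caller must dispatch itself


class Dispatcher:
    """Userland stand-in for pcap_register(): each script registers the
    signature (a predicate over a packet) it cares about, and dispatch()
    fans one captured packet out to every interested script."""

    def __init__(self):
        self._subs = []  # list of (script_name, predicate)

    def register(self, script, predicate):
        self._subs.append((script, predicate))

    def dispatch(self, pkt):
        # Every script whose signature matches sees the packet; others do not.
        return [name for name, pred in self._subs if pred(pkt)]


def demo():
    """Constructed sample: two scripts share one descriptor and one BPF."""
    d = Dispatcher()
    d.register("probe-a", lambda p: p["src"] == "10.0.0.5" and p["flags"] == "SA")
    d.register("probe-b", lambda p: p["src"] == "10.0.0.6")
    # Constructed packet summaries standing in for captured frames.
    packets = [
        {"src": "10.0.0.5", "flags": "SA"},
        {"src": "10.0.0.6", "flags": "R"},
        {"src": "10.0.0.9", "flags": "SA"},  # no script registered for it
    ]
    return [d.dispatch(p) for p in packets]
```

Run `demo()` to see that the third packet, although accepted by the generic BPF, is delivered to no script, which is the narrowing role pcap_register() plays in the thread.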