tcpdump mailing list archives
capturing the netlink socket on Linux
From: Michael Richardson <mcr () sandelman ca>
Date: Thu, 23 Oct 2014 14:29:31 -0400
Please correct my understanding.

The libpcap/pcap-netfilter-linux.c file is about capturing NFLOG packets from the netlink socket, i.e. ones that came from netfilter's --log target.

On the other hand, we have:

    /*
     * Link-layer header type for the netlink protocol (nlmon devices).
     */
    #define LINKTYPE_NETLINK 253

which suggests that I can capture all netlink messages (which is what I want to do) into a pcap file. I'm unclear if our tcpdump forces printer might know how to decode those netlink messages (not in an IP/TCP enclosure); I suspect not?

Ultimately, I want to capture netlink traffic on a machine that has upwards of 7000 interfaces (with 1000s coming/going as PPP links go up/down under testing), and determine why another daemon is crashing.

http://lwn.net/Articles/556183/ seems to agree. Maybe that code isn't upstream yet, certainly not in stock Debian yet.

The discussion at: http://www.spinics.net/lists/netdev/msg243327.html

    + modprobe nlmon
    + ip link add type nlmon
    + ip link set nlmon0 up
    + tcpdump -i nlmon0 ....
    + ip link set nlmon0 down
    + ip link del dev nlmon0
    + rmmod nlmon

suggests that it all just works...

I will report when I know what kernel I need to make this work, and I guess we should have a web page on doing this, and what is going on.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr () sandelman ca http://www.sandelman.ca/ | ruby on rails [

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
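An added example, not part of the original post and not libpcap or tcpdump code: a small Python walker for the records an nlmon capture produces, counting RTM_NEWLINK/RTM_DELLINK messages to measure the interface churn described above. It assumes the 16-byte LINKTYPE_NETLINK pseudo-header (packet type, ARPHRD type, 10 unused bytes, netlink family, all big-endian), a little-endian capturing host, and a constructed sample packet instead of a real capture.

```python
import struct
from collections import Counter

ARPHRD_NETLINK = 824                                # linux/if_arp.h
NETLINK_ROUTE = 0                                   # rtnetlink family
RTM_NAMES = {16: "RTM_NEWLINK", 17: "RTM_DELLINK"}  # linux/rtnetlink.h
PSEUDO_HDRLEN = 16                                  # LINKTYPE_NETLINK pseudo-header
NLMSG_HDRLEN = 16                                   # sizeof(struct nlmsghdr)


def walk_netlink_packet(pkt, endian="<"):
    """Yield (family, type, flags, seq, pid, payload) for each netlink message."""
    if len(pkt) < PSEUDO_HDRLEN:
        raise ValueError("record shorter than the pseudo-header")
    _pkttype, arphrd = struct.unpack_from("!HH", pkt, 0)
    (family,) = struct.unpack_from("!H", pkt, 14)
    if arphrd != ARPHRD_NETLINK:
        raise ValueError("not a netlink capture record")
    off = PSEUDO_HDRLEN
    while off + NLMSG_HDRLEN <= len(pkt):
        # nlmsghdr fields are in the capturing host's byte order
        length, mtype, flags, seq, pid = struct.unpack_from(endian + "IHHII", pkt, off)
        if length < NLMSG_HDRLEN or off + length > len(pkt):
            break  # message cut off by the snaplen, or corrupt length
        yield family, mtype, flags, seq, pid, pkt[off + NLMSG_HDRLEN:off + length]
        off += (length + 3) & ~3  # NLMSG_ALIGN: next header is 4-byte aligned


def link_churn(packets):
    """Count rtnetlink link add/delete messages across capture records."""
    counts = Counter()
    for pkt in packets:
        for family, mtype, *_rest in walk_netlink_packet(pkt):
            if family == NETLINK_ROUTE and mtype in RTM_NAMES:
                counts[RTM_NAMES[mtype]] += 1
    return counts


def sample_packet(msg_types):
    """Constructed test record: one pseudo-header plus dummy messages."""
    pkt = struct.pack("!HH10xH", 4, ARPHRD_NETLINK, NETLINK_ROUTE)
    for seq, mtype in enumerate(msg_types, 1):
        payload = bytes(18)  # dummy body; 18 bytes forces alignment padding
        msg = struct.pack("<IHHII", NLMSG_HDRLEN + len(payload), mtype, 0, seq, 0) + payload
        pkt += msg + bytes(-len(msg) % 4)
    return pkt


if __name__ == "__main__":
    print(link_churn([sample_packet([16, 17, 16]), sample_packet([24, 17])]))
```

With a real capture, each record's bytes from a pcap file whose link type is 253 would be passed to `link_churn` in place of the constructed packets.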