tcpdump mailing list archives

capturing the netlink socket on Linux


From: Michael Richardson <mcr () sandelman ca>
Date: Thu, 23 Oct 2014 14:29:31 -0400


Please correct my understanding.

The libpcap/pcap-netfilter-linux.c file is about capturing NFLOG
packets from the netlink socket, i.e. ones that came from netfilter's
--log target.

On the other hand, we have:
/*
 * Link-layer header type for the netlink protocol (nlmon devices).
 */
#define LINKTYPE_NETLINK                253

which suggests that I can capture all netlink messages (which is what I want
to do) into a pcap file.  I'm unclear if our tcpdump forces printer might
know how to decode those netlink messages (not in an IP/TCP enclosure); I
suspect not?

Ultimately, I want to capture netlink traffic on a machine that has upwards
of 7000 interfaces (with 1000s coming/going as PPP links go up/down under
testing), and determine why another daemon is crashing.

http://lwn.net/Articles/556183/ seems to agree.
Maybe that code isn't upstream yet, certainly not in stock Debian yet.

The discussion at:
http://www.spinics.net/lists/netdev/msg243327.html

+           modprobe nlmon
+           ip link add type nlmon
+           ip link set nlmon0 up
+           tcpdump -i nlmon0 ....
+           ip link set nlmon0 down
+           ip link del dev nlmon0
+           rmmod nlmon
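Review bot: `ip link add type nlmon` leaves the device name to the kernel, while the following `ip link set nlmon0 up`, `tcpdump -i nlmon0` and `ip link del dev nlmon0` lines hardcode `nlmon0`; if any nlmon device already exists the new one gets a different name and the later lines act on the wrong interface or fail. Suggest naming it explicitly, e.g. `ip link add nlmon0 type nlmon`, so the create and delete steps refer to the same device.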

suggests that it all just works...  I will report when I know what kernel
I need to make this work, and I guess we should have a web page on doing
this, and what is going on.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [
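The post asks whether netlink messages pulled off an nlmon device can be decoded once they are in a pcap file. The following is an added example, not code from the post or from libpcap/tcpdump: it walks a buffer of back-to-back netlink messages (native byte order, as the kernel emits them), parses the fixed 16-byte nlmsghdr, pulls the interface index out of RTM_NEWLINK/RTM_DELLINK payloads, and stops cleanly on a truncated tail. The sample bytes are constructed inline; the RTM_*/NLMSG_* numbers and the ifinfomsg layout are the standard Linux values.

```python
import struct
from collections import Counter

NLMSG_HDRLEN = 16          # struct nlmsghdr: len(4) type(2) flags(2) seq(4) pid(4)
NLMSG_DONE, RTM_NEWLINK, RTM_DELLINK = 3, 16, 17
NLM_F_MULTI = 0x2


def nlmsg_align(n):
    """Netlink pads every message to a 4-byte boundary."""
    return (n + 3) & ~3


def parse_netlink_stream(data):
    """Return (type, flags, seq, pid, ifindex) per message; ifindex is set only
    for RTM_NEWLINK/RTM_DELLINK. A short or malformed trailing message ends the
    walk instead of raising, so a cut-off capture still yields what it holds."""
    msgs, off = [], 0
    while off + NLMSG_HDRLEN <= len(data):
        length, mtype, flags, seq, pid = struct.unpack_from("=IHHII", data, off)
        if length < NLMSG_HDRLEN or off + length > len(data):
            break
        ifindex = None
        if mtype in (RTM_NEWLINK, RTM_DELLINK) and length >= NLMSG_HDRLEN + 16:
            # struct ifinfomsg: family(1) pad(1) type(2) index(4) flags(4) change(4)
            ifindex = struct.unpack_from("=BBHiII", data, off + NLMSG_HDRLEN)[3]
        msgs.append((mtype, flags, seq, pid, ifindex))
        off += nlmsg_align(length)
    return msgs


def link_churn(msgs):
    """Count link add/delete events per ifindex (the 'interfaces coming and
    going' the post wants to correlate with the crashing daemon)."""
    churn = Counter()
    for mtype, _f, _s, _p, ifindex in msgs:
        if mtype == RTM_NEWLINK:
            churn[(ifindex, "new")] += 1
        elif mtype == RTM_DELLINK:
            churn[(ifindex, "del")] += 1
    return churn


def build_msg(mtype, flags, seq, pid, payload=b""):
    """Constructed test helper: one padded netlink message."""
    length = NLMSG_HDRLEN + len(payload)
    hdr = struct.pack("=IHHII", length, mtype, flags, seq, pid)
    return hdr + payload + b"\0" * (nlmsg_align(length) - length)


def ifinfomsg(ifindex, iflags=0):
    return struct.pack("=BBHiII", 0, 0, 512, ifindex, iflags, 0)  # 512 = ARPHRD_PPP

# Constructed capture: a PPP link appears, vanishes, another appears in a
# multipart dump closed by NLMSG_DONE, then 6 stray bytes of a cut-off header.
SAMPLE = (build_msg(RTM_NEWLINK, 0, 1, 0, ifinfomsg(4201, 0x1))
          + build_msg(RTM_DELLINK, 0, 2, 0, ifinfomsg(4201))
          + build_msg(RTM_NEWLINK, NLM_F_MULTI, 3, 0, ifinfomsg(4202, 0x1))
          + build_msg(NLMSG_DONE, NLM_F_MULTI, 3, 0, struct.pack("=i", 0))
          + b"\x20\x00\x00\x00\x10\x00")
```

Feeding it the packet payloads from a LINKTYPE_NETLINK pcap (for example via a pcap reader of your choice) gives a per-interface add/delete count that can be lined up against the daemon's crash time.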
