tcpdump mailing list archives
Re: capturing the netlink socket on Linux
From: Guy Harris <guy () alum mit edu>
Date: Thu, 23 Oct 2014 12:02:38 -0700
On Oct 23, 2014, at 11:29 AM, Michael Richardson <mcr () sandelman ca> wrote:
> On the other hand, we have:
>
>     /*
>      * Link-layer header type for the netlink protocol (nlmon devices).
>      */
>     #define LINKTYPE_NETLINK 253
>
> which suggests that I can capture all netlink messages (which is what I want to do) into a pcap file. I'm unclear if our tcpdump forces printer might know how to decode those netlink messages (not in an IP/TCP enclosure); I suspect not?
The Wireshark dissector for those messages indicates that they begin with a LINKTYPE_LINUX_SLL-type header of the form:

    2 unused bytes;
    2 bytes of big-endian "hardware address type";
    10 unused bytes;
    2 bytes of big-endian netlink family values (NETLINK_ values from <linux/netlink.h>);

followed by a sequence of netlink messages, each of which has:

    a Netlink message header, as per section 2.3.2 "Netlink Message Header" of RFC 3549 (the Wireshark dissector assumes the fields are little-endian - but are they really *host*-endian?);
    Netlink message data (presumably as per RFC 3549 and, for types not described there, the Linux kernel).

I'll leave it to someone more clueful than me to indicate whether Netlink messages resemble those of what print-forces.c prints or not.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
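The header layout described in the reply above, worked through as a small parser. This is an added example, not code from tcpdump or from the Wireshark dissector: it reads the 16-byte SLL-style pseudo-header with its two big-endian fields, then walks the sequence of 16-byte RFC 3549 message headers (nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid), honouring 4-byte alignment between messages. The byte order of the message header is exactly the open question in the thread, so it is a parameter: the default `"<"` follows the Wireshark dissector's little-endian assumption, and the sample packet is constructed here (not captured) from a few constants taken from the Linux uapi headers.

```python
"""Parse a LINKTYPE_NETLINK (253) packet: SLL-style pseudo-header followed by
netlink messages.  Added example; nlmsghdr byte order is an assumption that
the caller can override (see nl_byteorder)."""
import struct
from collections import namedtuple

LINKTYPE_NETLINK = 253   # pcap link-layer type quoted in the thread
PSEUDO_HDR_LEN = 16      # 2 unused + 2 hatype + 10 unused + 2 family
NLMSG_HDR_LEN = 16       # nlmsg_len(4) type(2) flags(2) seq(4) pid(4)
NLMSG_ALIGNTO = 4        # each message is padded to a 4-byte boundary

# Constants from <linux/if_arp.h>, <linux/netlink.h>, <linux/rtnetlink.h>
ARPHRD_NETLINK = 824
NETLINK_ROUTE = 0
NLMSG_DONE = 3
RTM_GETLINK = 18
NLM_F_REQUEST = 0x001
NLM_F_MULTI = 0x002
NLM_F_DUMP = 0x300

NetlinkMessage = namedtuple("NetlinkMessage", "length type flags seq pid data")
NetlinkPacket = namedtuple("NetlinkPacket", "hatype family messages")


def parse_pseudo_header(buf):
    """Return (hardware address type, netlink family) from the pseudo-header.
    Both fields are big-endian, as the thread describes."""
    if len(buf) < PSEUDO_HDR_LEN:
        raise ValueError("packet shorter than the 16-byte pseudo-header")
    hatype, = struct.unpack_from(">H", buf, 2)    # after 2 unused bytes
    family, = struct.unpack_from(">H", buf, 14)   # after 10 more unused bytes
    return hatype, family


def parse_netlink_messages(payload, nl_byteorder="<"):
    """Walk the RFC 3549 message headers that follow the pseudo-header.
    nl_byteorder is a struct prefix: "<" (Wireshark's assumption) or ">"."""
    fmt = nl_byteorder + "IHHII"
    messages = []
    off = 0
    while off + NLMSG_HDR_LEN <= len(payload):
        length, mtype, flags, seq, pid = struct.unpack_from(fmt, payload, off)
        # A wrong byte order shows up here as an absurd nlmsg_len.
        if length < NLMSG_HDR_LEN or off + length > len(payload):
            raise ValueError("bad nlmsg_len %d at offset %d" % (length, off))
        data = payload[off + NLMSG_HDR_LEN:off + length]
        messages.append(NetlinkMessage(length, mtype, flags, seq, pid, data))
        off += (length + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1)
    return messages


def parse_linktype_netlink_packet(pkt, nl_byteorder="<"):
    """Parse one packet of a LINKTYPE_NETLINK capture."""
    hatype, family = parse_pseudo_header(pkt)
    msgs = parse_netlink_messages(pkt[PSEUDO_HDR_LEN:], nl_byteorder)
    return NetlinkPacket(hatype, family, msgs)


def build_sample_packet(nl_byteorder="<"):
    """Constructed sample (not a real capture): an RTM_GETLINK dump request
    with a 1-byte payload (to exercise padding) followed by NLMSG_DONE."""
    pseudo = struct.pack(">2xH10xH", ARPHRD_NETLINK, NETLINK_ROUTE)
    fmt = nl_byteorder + "IHHII"
    msg1 = struct.pack(fmt, NLMSG_HDR_LEN + 1, RTM_GETLINK,
                       NLM_F_REQUEST | NLM_F_DUMP, 1, 0) + b"\x00" + b"\x00" * 3
    msg2 = struct.pack(fmt, NLMSG_HDR_LEN + 4, NLMSG_DONE,
                       NLM_F_MULTI, 1, 0) + struct.pack(nl_byteorder + "i", 0)
    return pseudo + msg1 + msg2


if __name__ == "__main__":
    packet = parse_linktype_netlink_packet(build_sample_packet())
    print("hatype=%d family=%d" % (packet.hatype, packet.family))
    for m in packet.messages:
        print("  type=%d flags=0x%x seq=%d pid=%d data=%r"
              % (m.type, m.flags, m.seq, m.pid, m.data))
```

Feeding a packet built with one byte order to the parser with the other does not silently misdecode: the first nlmsg_len comes out as a value far larger than the payload and the parser raises, which is a cheap sanity check to run on a real capture before trusting either endianness assumption.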
Current thread:
- capturing the netlink socket on Linux Michael Richardson (Oct 23)
- Re: capturing the netlink socket on Linux Guy Harris (Oct 23)