tcpdump mailing list archives

Re: capturing the netlink socket on Linux


From: Guy Harris <guy () alum mit edu>
Date: Thu, 23 Oct 2014 12:02:38 -0700


On Oct 23, 2014, at 11:29 AM, Michael Richardson <mcr () sandelman ca> wrote:

> On the other hand, we have:
> /*
> * Link-layer header type for the netlink protocol (nlmon devices).
> */
> #define LINKTYPE_NETLINK              253
>
> which suggests that I can capture all netlink messages (which is what I want
> to do) into a pcap file.  I'm unclear if our tcpdump forces printer might
> know how to decode those netlink messages (not in an IP/TCP enclosure); I
> suspect not?

The Wireshark dissector for those messages indicates that they begin with a LINKTYPE_LINUX_SLL-type header of the form:

        2 unused bytes;

        2 bytes of big-endian "hardware address type";

        10 unused bytes;

        2 bytes of big-endian netlink family values (NETLINK_ values from <linux/netlink.h>);

followed by a sequence of netlink messages, each of which has:

        a Netlink message header, as per section 2.3.2 "Netlink Message Header" of RFC 3549 (the Wireshark dissector assumes the fields are little-endian - but are they really *host*-endian?);

        Netlink message data (presumably as per RFC 3549 and, for types not described there, the Linux kernel).

I'll leave it to someone more clueful than me to indicate whether Netlink messages resemble those of what print-forces.c prints or not.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
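The frame layout Guy lays out above (16-byte SLL-style pseudo-header, then a chain of netlink messages each led by an nlmsghdr) is small enough to decode by hand. The following is an added example written for this page; it is not tcpdump's, Wireshark's or the kernel's code and was not part of the original thread. It takes the pseudo-header fields as big-endian per the description and the nlmsghdr byte order as a parameter, defaulting to little-endian (the Wireshark assumption Guy mentions). The `guess_nlmsg_byteorder` heuristic, the sample frame and its payload bytes are constructed for this example; the numeric constants are the values from <linux/netlink.h>, <linux/rtnetlink.h> and <linux/if_arp.h>.

```python
import struct
from dataclasses import dataclass
from typing import List

# Values from <linux/netlink.h>, <linux/rtnetlink.h> and <linux/if_arp.h>.
NETLINK_ROUTE = 0
NLMSG_DONE = 3
RTM_NEWLINK = 16
NLM_F_MULTI = 0x02
ARPHRD_NETLINK = 824
NLMSG_ALIGNTO = 4

# Pseudo-header as described in the thread:
# 2 unused bytes, u16 BE hardware address type, 10 unused bytes, u16 BE netlink family.
PSEUDO_HDR = struct.Struct(">2xH10xH")  # 16 bytes


def nlmsg_align(n: int) -> int:
    """Round a message length up to the 4-byte netlink alignment (NLMSG_ALIGN)."""
    return (n + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1)


@dataclass
class NetlinkMessage:
    msg_type: int
    flags: int
    seq: int
    pid: int
    payload: bytes  # bytes after the 16-byte nlmsghdr, up to nlmsg_len


@dataclass
class NetlinkFrame:
    hatype: int
    family: int
    messages: List[NetlinkMessage]


def parse_netlink_frame(data: bytes, nlmsg_byteorder: str = "<") -> NetlinkFrame:
    """Parse one LINKTYPE_NETLINK frame; raise ValueError on any length inconsistency."""
    if len(data) < PSEUDO_HDR.size:
        raise ValueError("frame shorter than the 16-byte pseudo-header")
    hatype, family = PSEUDO_HDR.unpack_from(data, 0)
    # nlmsghdr (RFC 3549 s2.3.2): u32 nlmsg_len, u16 type, u16 flags, u32 seq, u32 pid
    hdr = struct.Struct(nlmsg_byteorder + "IHHII")
    messages: List[NetlinkMessage] = []
    off = PSEUDO_HDR.size
    while off < len(data):
        if len(data) - off < hdr.size:
            raise ValueError(f"truncated nlmsghdr at offset {off}")
        nlmsg_len, msg_type, flags, seq, pid = hdr.unpack_from(data, off)
        # nlmsg_len includes the header and must fit inside the captured frame;
        # reading the header in the wrong byte order fails this check almost always.
        if nlmsg_len < hdr.size or off + nlmsg_len > len(data):
            raise ValueError(f"bad nlmsg_len {nlmsg_len} at offset {off}")
        payload = data[off + hdr.size:off + nlmsg_len]
        messages.append(NetlinkMessage(msg_type, flags, seq, pid, payload))
        off += nlmsg_align(nlmsg_len)  # next message starts on a 4-byte boundary
    return NetlinkFrame(hatype, family, messages)


def build_netlink_frame(hatype: int, family: int, messages: List[NetlinkMessage],
                        nlmsg_byteorder: str = "<") -> bytes:
    """Inverse of parse_netlink_frame; used here only to construct sample input."""
    hdr = struct.Struct(nlmsg_byteorder + "IHHII")
    out = bytearray(PSEUDO_HDR.pack(hatype, family))
    for m in messages:
        nlmsg_len = hdr.size + len(m.payload)
        out += hdr.pack(nlmsg_len, m.msg_type, m.flags, m.seq, m.pid)
        out += m.payload + b"\x00" * (nlmsg_align(nlmsg_len) - nlmsg_len)
    return bytes(out)


def guess_nlmsg_byteorder(data: bytes) -> str:
    """Heuristic (an assumption of this example, not a documented rule): try both
    byte orders and keep the one whose nlmsg_len values chain cleanly to the end."""
    for bo in ("<", ">"):
        try:
            parse_netlink_frame(data, bo)
            return bo
        except ValueError:
            continue
    raise ValueError("no byte order yields a consistent message chain")


# Constructed sample: a two-message rtnetlink dump reply, not a real capture.
# The 17-byte RTM_NEWLINK payload is arbitrary and exists to exercise the padding.
SAMPLE_MESSAGES = [
    NetlinkMessage(RTM_NEWLINK, NLM_F_MULTI, seq=1, pid=0, payload=b"\x00" * 16 + b"\x01"),
    NetlinkMessage(NLMSG_DONE, NLM_F_MULTI, seq=1, pid=0, payload=struct.pack("<i", 0)),
]
SAMPLE_FRAME = build_netlink_frame(ARPHRD_NETLINK, NETLINK_ROUTE, SAMPLE_MESSAGES)  # 72 bytes


if __name__ == "__main__":
    bo = guess_nlmsg_byteorder(SAMPLE_FRAME)
    frame = parse_netlink_frame(SAMPLE_FRAME, bo)
    print(f"hatype={frame.hatype} family={frame.family} byteorder={bo!r}")
    for m in frame.messages:
        print(f"  type={m.msg_type} flags=0x{m.flags:02x} seq={m.seq} pid={m.pid} "
              f"payload={len(m.payload)} bytes")
```

The length check is doing double duty: it rejects truncated captures, and because a 32-bit `nlmsg_len` read in the wrong byte order comes out enormous, it is also what lets `guess_nlmsg_byteorder` answer Guy's host-endian question per frame rather than by assumption. A capture taken on a big-endian host and read on a little-endian one is exactly the case where the Wireshark assumption would fail and the guess would not.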
