tcpdump mailing list archives

Re: Need to drop packets using tcpdump


From: Guy Harris <guy () alum mit edu>
Date: Fri, 5 Feb 2016 12:20:13 -0800

On Feb 4, 2016, at 5:48 PM, Rahmadi Trimananda <rtrimana () uci edu> wrote:

> I am a beginner user of tcpdump. What I want to do is to write my own
> version of tcpdump (or just extend it) to drop/reject network packets.
> AFAIK, tcpdump and libpcap can only sniff packets.

You are correct.  The operating system mechanisms that tcpdump (and everything else that uses libpcap/WinPcap) use for 
sniffing packets are designed to passively sniff network traffic; they do not offer any mechanism for inserting 
themselves into the networking stack so that all packets must pass through the mechanism and can be dropped by the 
mechanism.

> Is there any available tool to do this?
>
> I am aware of netfilter's iptables and ebtables, but they only work if the
> packets reach INPUT, FORWARD, or OUTPUT stage in the routing process. What
> I need to do is sniff the packet directly (like what tcpdump does), and
> drop it right away

Unfortunately, as per the above, the "sniff the packet directly" part of tcpdump cannot be used, as the underlying 
mechanisms it uses passively tap traffic, with no way to drop that traffic.

You *might* be able to...

> if it matches my specified pattern, e.g. source, destination, port number, etc.

...reuse the "print the packet's contents" part, albeit with the actual printing removed, and code to do the pattern 
matching replacing it.

What you will have to do is to find, *for the particular operating system on which you will be doing this* (from 
"netfilter", I'm guessing it's Linux), a mechanism that allows user-mode code (or kernel-mode code, if you plan on 
stuffing this into the kernel) to examine all incoming packets just before they're handed to the networking stack as 
received packets and, based on the packet contents, pass them on to the networking stack or drop them.

If, as I suspect, this is going to be done on Linux, would the netfilter ingress hook:

        http://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

work for your purposes? It requires a 4.2 kernel or later, and may require that a configuration option be turned on.

That page also refers to tc:

        http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html

        http://lartc.org/manpages/tc.txt

        https://en.wikipedia.org/wiki/Tc_(Linux)
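As an added illustration of the two mechanisms Guy points to (this is not code from the thread or from the tcpdump project): a small POSIX shell script that builds the same "drop on source, destination and port" rule for the nftables netdev ingress hook and, alternatively, for a tc ingress qdisc with a u32 classifier. The interface name, addresses and port are constructed placeholders taken from environment variables; the script only applies rules when asked to with --nft or --tc, and otherwise prints what it would install.

```shell
#!/bin/sh
# Added example, not from the thread: drop packets that match a source
# address, a destination address and a TCP destination port at the
# earliest point netfilter/tc offer, before routing sees them.
# IFACE, SRC, DST and DPORT are constructed placeholders (RFC 5737 ranges).
IFACE="${IFACE:-eth0}"
SRC="${SRC:-192.0.2.10}"
DST="${DST:-198.51.100.20}"
DPORT="${DPORT:-8080}"

# nftables ruleset on the netdev ingress hook (kernel 4.2 or later; the
# netdev family must be enabled in the kernel config). The counter lets a
# defender confirm the rule is matching before relying on it.
nft_ruleset() {
    cat <<EOF
table netdev ingressfilter {
    chain ingress {
        type filter hook ingress device $IFACE priority 0; policy accept;
        ip saddr $SRC ip daddr $DST tcp dport $DPORT counter drop
    }
}
EOF
}

# Equivalent tc ingress qdisc with a u32 classifier, for setups where the
# netdev family is not available. 0xffff is the full 16-bit port mask.
tc_commands() {
    cat <<EOF
tc qdisc add dev $IFACE ingress
tc filter add dev $IFACE parent ffff: protocol ip prio 1 u32 match ip src $SRC/32 match ip dst $DST/32 match ip dport $DPORT 0xffff action drop
EOF
}

# Number of "drop" verdicts in the generated nft ruleset; used as a sanity
# check that exactly one drop rule is being installed.
nft_drop_rules() {
    nft_ruleset | grep -c ' drop$'
}

case "${1:-}" in
    --nft)  nft_ruleset | nft -f - ;;                    # apply via nftables (root)
    --tc)   tc_commands | sh ;;                          # apply via tc (root)
    --show) nft list chain netdev ingressfilter ingress ;;  # view the counter
    *)      echo '# nft ruleset:'; nft_ruleset
            echo '# tc equivalent:'; tc_commands ;;      # dry run
esac
```

Run it with no arguments to review the generated rules, then with --nft (or --tc) as root to install them; --show prints the chain with its packet counter so you can verify matches. Remove the table with nft delete table netdev ingressfilter, or the qdisc with tc qdisc del dev eth0 ingress, when done.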