tcpdump mailing list archives

Passing the PCAP file descriptor to another process


From: Sebastien Raveau <sebastien.raveau () epita fr>
Date: Sun, 22 Oct 2006 20:17:40 +0200

Greetings everybody :)


I'm currently trying to pass the file descriptor of a live capture to another 
process, so that I can have a very small (as in "auditable") privileged 
process able to call pcap_open_live() on the one hand, and a big/fat/ugly/gui 
process on the other hand running all the packet-analysis logic unprivileged 
but able to start/stop captures by asking the privileged process...

The FD passing works very well, but once I have the FD on the other process' 
side, it's quite tricky to get Libpcap working:

*       first I have to include the pcap-int.h file in order to be able to mess
        with Libpcap's internals, starting with pcap_t::fd, and as you (may not)
        know this file never gets installed in /usr/include :)

*       then there's not much I can do with it: running unprivileged, my only
        options are to call pcap_open_dead() or pcap_open_offline(), but
        assuming I don't have a collection of savefiles corresponding to all
        the possible linktypes the user would want to capture on,
        pcap_open_offline() won't do. Now, since I can get the linktype
        from the privileged process (with the FD) for the device asked by
        the user, I can call pcap_open_dead() and then try to replace
        the .fd and .selectable_fd fields in the structure it returns, but still
        pcap_loop() won't work...

*       I managed to get pcap_loop() working eventually, but for that I
        basically had to reproduce all the pcap_open_live() code without
        the ioctl's, in order to get a second pcap_t structure (on the
        unprivileged process' side) coherent with a live capture...

*       I meant the pcap_open_live() code from the pcap-linux.c file,
        so what I achieved is totally architecture dependent...

*       and just when I/you thought things couldn't get any worse:
        the end of the pcap_t structure contains a bunch of function
        pointers that are initialized with addresses of static functions
        inside Libpcap... And since the mapping of Libpcap in memory
        is likely to vary from one process to the other, I can't just copy
        these values from the privileged process to the other one, and
        I can't reassign them myself properly either :(

So, in order for PCAP-file-descriptor-passing-between-processes to be usable 
(as in "deployed software") it appears that the only way would be to add 
support for it directly in Libpcap, and I was hoping we could discuss "how 
exactly" on this mailing list before I start implementing it :)


Thank you for your time.

-- 
Sébastien Raveau
computer and network security student
head of the hawKeye network monitor project
http://hawkeye.sourceforge.net/
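The descriptor-passing step the post relies on, as an added example that is not part of the original message and not hawKeye or libpcap code. It passes a descriptor over an AF_UNIX socket with SCM_RIGHTS and adds the two checks a reviewer would want: MSG_CTRUNC rejection (a peer sending more descriptors than expected would otherwise leak them into the receiver) and an fstat() comparison to confirm the received number really refers to the same open file. To stay runnable without privileges or a capture device it passes the read end of a pipe instead of a live-capture fd, and both ends live in one process over a socketpair(); the names send_fd, recv_fd and demo_pass_fd are the example's own.

```c
/* Added example (not from the post or libpcap): SCM_RIGHTS descriptor passing
 * between a "privileged opener" end and an "unprivileged consumer" end.
 * Assumption: a pipe stands in for the live-capture descriptor. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Send one descriptor over a connected AF_UNIX socket. One data byte is
 * required: ancillary data is not delivered on an empty message. */
static int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns its number in this process, or -1.
 * That number normally differs from the sender's: only the open file
 * description is shared, so any structure that cached the sender's fd
 * number (such as a pcap_t) is meaningless on this side. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    /* Truncated control data means descriptors were dropped into this
     * process without our knowledge: refuse rather than leak. */
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET ||
        cm->cmsg_type != SCM_RIGHTS || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Round trip over a socketpair: sp[0] plays the small privileged opener,
 * sp[1] the unprivileged consumer. Returns 0 when the received fd refers to
 * the same open file and yields the data written through the original. */
int demo_pass_fd(void)
{
    int sp[2], pipefd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(pipefd) < 0)
        return 1;
    if (send_fd(sp[0], pipefd[0]) < 0)      /* privileged side hands it over */
        return 2;
    int got = recv_fd(sp[1]);               /* unprivileged side takes it */
    if (got < 0)
        return 3;
    /* Check: same underlying object, not merely some open fd number. */
    struct stat a, b;
    if (fstat(pipefd[0], &a) < 0 || fstat(got, &b) < 0 ||
        a.st_ino != b.st_ino || a.st_dev != b.st_dev)
        return 4;
    /* Data written to the pipe is readable through the passed descriptor. */
    char out[8] = {0};
    if (write(pipefd[1], "pkt", 3) != 3 || read(got, out, sizeof out) != 3 ||
        memcmp(out, "pkt", 3) != 0)
        return 5;
    close(got); close(pipefd[0]); close(pipefd[1]); close(sp[0]); close(sp[1]);
    return 0;
}

int main(void)
{
    int rc = demo_pass_fd();
    printf("fd passing round trip: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

In a deployed split the two ends are separate processes connected by a named AF_UNIX socket, and the consumer should drop the received descriptor if anything in the control message is unexpected. Note what the passed fd does and does not carry: the open file description travels, but nothing else from the sender's address space does, which is exactly why the pcap_t (its cached fd number, its per-platform state, its function pointers into the sender's libpcap mapping) cannot simply be copied across as the post describes.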
