tcpdump mailing list archives
Passing the PCAP file descriptor to another process
From: Sebastien Raveau <sebastien.raveau () epita fr>
Date: Sun, 22 Oct 2006 20:17:40 +0200
Greetings everybody :)

I'm currently trying to pass the file descriptor of a live capture to another process, so that I can have a very small (as in "auditable") privileged process able to call pcap_open_live() on the one hand, and a big/fat/ugly/gui process on the other hand running all the packet-analysis logic unprivileged but able to start/stop captures by asking the privileged process...

The FD passing works very well, but once I have the FD on the other process' side, it's quite tricky to get Libpcap working:

* first I have to include the pcap-int.h file in order to be able to mess with Libpcap's internals, starting with pcap_t::fd, and as you (may not) know this file never gets installed in /usr/include :)

* then there's not much I can do with it: running unprivileged, my only options are to call pcap_open_dead() or pcap_open_offline(), but assuming I don't have a collection of savefiles corresponding to all the possible linktypes the user would want to capture on, pcap_open_offline() won't do. Now, since I can get the linktype from the privileged process (with the FD) for the device asked by the user, I can call pcap_open_dead() and then try to replace the .fd and .selectable_fd fields in the structure it returns, but still pcap_loop() won't work...

* I managed to get pcap_loop() working eventually, but for that I basically had to reproduce all the pcap_open_live() code without the ioctl's, in order to get a second pcap_t structure (on the unprivileged process' side) coherent with a live capture...

* I meant the pcap_open_live() code from the pcap-linux.c file, so what I achieved is totally architecture dependent...

* and just when I/you thought things couldn't get any worse: the end of the pcap_t structure contains a bunch of function pointers that are initialized with addresses of static functions inside Libpcap... And since the mapping of Libpcap in memory is likely to vary from one process to the other, I can't just copy these values from the privileged process to the other one, and I can't reassign them myself properly either :(

So, in order for PCAP-file-descriptor-passing-between-processes to be usable (as in "deployed software") it appears that the only way would be to add support for it directly in Libpcap, and I was hoping we could discuss "how exactly" on this mailing list before I start implementing it :)

Thank you for your time.

--
Sébastien Raveau
computer and network security student
head of the hawKeye network monitor project
http://hawkeye.sourceforge.net/