tcpdump mailing list archives

Re: build a raw packet


From: Aaron Turner <synfinatic () gmail com>
Date: Wed, 15 Dec 2010 14:06:58 -0800

On Wed, Dec 15, 2010 at 10:23 AM, Gabe Black <Gabe.Black () jdsu com> wrote:
> Hi,
>
> I've been working on getting line-rate performance for an application
> that custom routes potentially small ethernet packets.  Almost all
> methods that I have tried start dropping packets at smaller ethernet
> frames.  The method that seems to be most promising is using
> PACKET_MMAP (for both transmit and receive) which I believe libpcap
> can use as well.
>
> However, PACKET_MMAP gives you the raw packet.  I've looked at
> libpcap's inject function which seems to also deal with raw packets,
> but I am unable to find an api that will help build the raw packet (in
> my case a udp packet).  What is the best way to build a raw packet to
> make use of pcap's inject (or in my case PACKET_MMAP)?
>
> I do know the destination IP address (and port) that I want to send
> the packets.  What I do not know is the next hop mac address to fill
> in the ethernet header; that seems to be the challenging part.  From
> what I understand, I would need to send an arp to find the next-hop
> address, but there doesn't seem to be a good way to do that
> programmatically.
>
> Is there an easier way to construct a valid raw packet?  I mean the
> socket layer seems to do that for you (not sure if it does it in the
> kernel or in user land).  Is there a way to make use of those
> facilities operating on your buffer?
>
> Another alternative to get this info that I thought of would be to use
> normal sockets to send a dummy udp packet to the destination and
> "capture" the packet to find out what it all used in the packet
> headers... however, I'm not sure if this is the best option as I would
> like to capture the packet before it is sent (but after the packet is
> built and all the address resolution has occurred) to retrieve the
> header info without actually sending the packet.
>
> Anyone have any suggestions?  I've done lots of googling on building a
> raw packet, but I can't find anything that deals with the ethernet
> frame part (i.e. next hop mac address).
>
> Again, I don't use the higher level socket api as it can't keep up
> with line-rate small ethernet packets.

Look at libdnet and libnet.  I'll state right here and now that libnet
doesn't seem to be properly maintained anymore and I've had issues
compiling against the library headers in the past.  It's easy to fix,
but annoying.  If you're distributing source code and expecting people
to link against libnet, it's probably just easier to ship libnet too,
especially since there are two common versions out in the wild with
different and incompatible APIs.

Many people, myself included, just allocate a buffer and fill out the
packet headers manually.  Depending on how complicated the packet is,
it's anywhere from pretty easy to a pain in the arse.  If you don't
have a copy of TCP/IP Illustrated Volume 1 yet, go get it.


-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
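
Filling out the headers by hand, as the reply above describes, shown as an added example (not code from the thread, libpcap, libnet or libdnet). It assumes the next-hop MAC has already been resolved and is passed in by the caller; `build_udp_frame`, `csum` and `put16` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, inverted. */
static uint16_t csum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Writes Ethernet II + IPv4 + UDP + payload into buf.
 * Returns the frame length (without FCS), or 0 if it does not fit.
 * dmac is the next-hop MAC (assumed already known); sip/dip are in network byte order. */
size_t build_udp_frame(uint8_t *buf, size_t cap,
                       const uint8_t dmac[6], const uint8_t smac[6],
                       const uint8_t sip[4], const uint8_t dip[4],
                       uint16_t sport, uint16_t dport,
                       const uint8_t *data, size_t dlen)
{
    size_t udp_len = 8 + dlen, ip_len = 20 + udp_len, total = 14 + ip_len;
    size_t frame = total < 60 ? 60 : total;       /* minimum Ethernet frame minus FCS */
    if (ip_len > 0xffff || frame > cap) return 0;
    uint8_t *ip = buf + 14, *udp = ip + 20;

    memcpy(buf, dmac, 6);                         /* Ethernet: dst, src, EtherType */
    memcpy(buf + 6, smac, 6);
    put16(buf + 12, 0x0800);                      /* IPv4 */

    memset(ip, 0, 20);
    ip[0] = 0x45;                                 /* version 4, header length 5 words */
    put16(ip + 2, (uint16_t)ip_len);
    ip[6] = 0x40;                                 /* don't fragment */
    ip[8] = 64;                                   /* TTL */
    ip[9] = 17;                                   /* protocol: UDP */
    memcpy(ip + 12, sip, 4);
    memcpy(ip + 16, dip, 4);
    put16(ip + 10, csum(ip, 20, 0));              /* header checksum, field zeroed above */

    put16(udp, sport); put16(udp + 2, dport);
    put16(udp + 4, (uint16_t)udp_len); put16(udp + 6, 0);
    memcpy(udp + 8, data, dlen);
    uint32_t ph = 17 + (uint32_t)udp_len;         /* pseudo-header: proto + UDP length */
    for (int i = 0; i < 8; i += 2) ph += (uint32_t)ip[12 + i] << 8 | ip[13 + i];
    uint16_t c = csum(udp, udp_len, ph);
    put16(udp + 6, c ? c : 0xffff);               /* 0 on the wire means "no checksum" */

    memset(buf + total, 0, frame - total);        /* pad short frames with zeros */
    return frame;
}
```

The returned buffer is what `pcap_inject()` or a PACKET_MMAP TX ring slot expects: a complete link-layer frame without the FCS.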