tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Need to drop packets using tcpdump

From: Ander Juaristi <ajuaristi () gmx es>
Date: Sun, 7 Feb 2016 19:01:53 +0100
Have a look at Netmap [1]. It follows a slightly different approach. Also, the video embedded right at the home page is 
a great resource to learn what it is and how it differs from other frameworks, such as libpcap and netfilter.

[1] http://info.iet.unipi.it/~luigi/netmap/

Regards,
- AJ

On 02/05/2016 11:47 PM, Rahmadi Trimananda wrote:

Thank you! I am actually looking at the ingress hook of Nftables too right
now. Thanks for clarifying my understanding about tcpdump.


On Feb 5, 2016 12:21 PM, "Guy Harris" <guy () alum mit edu> wrote:


On Feb 4, 2016, at 5:48 PM, Rahmadi Trimananda <rtrimana () uci edu> wrote:


I am a beginner user of tcpdump. What I want to do is to write my own
version of tcpdump (or just extend it) to drop/reject network packets.
AFAIK, tcpdump and libpcap can only sniff packets.


You are correct.  The operating system mechanisms that tcpdump (and

everything else that uses libpcap/WinPcap) use for sniffing packets are
designed to passively sniff network traffic; they do not offer any
mechanism for inserting themselves into the networking stack so that all
packets must pass through the mechanism and can be dropped by the mechanism.



Is there any available tool to do this?

I am aware of netfilter's iptables and ebtables, but they only work if

the

packets reach INPUT, FORWARD, or OUTPUT stage in the routing process.

What

I need to do is sniff the packet directly (like what tcpdump does), and
drop it right away


Unfortunately, as per the above, the "sniff the packet directly" part of

tcpdump cannot be used, as the underlying mechanisms it uses passively tap
traffic, with no way to drop that traffic.


You *might* be able to...


if it matches my specified pattern, e.g. source, destination, port

number, etc.


...reuse the "print the packet's contents" part, albeit with the actual

printing removed, and code to do the pattern matching replacing it.


What you will have to do is to find, *for the particular operating

system on which you will be doing this* (from "netfilter", I'm guessing
it's Linux), a mechanism that allows user-mode code (or kernel-mode code,
if you plan on stuffing this into the kernel) to examine all incoming
packets just before they're handed to the networking stack as received
packets and, based on the packet contents, pass them on to the networking
stack or drop them.


If, as I suspect, this is going to be done on Linux, would the netfilter

ingress hook:


         http://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

work for your purposes? It requires a 4.2 kernel or later, and may

require that a configuration option be turned on.


That page also refers to tc:

         http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html

         http://lartc.org/manpages/tc.txt

         https://en.wikipedia.org/wiki/Tc_(Linux)

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers



Regards,
- AJ
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Previous By Date Next
Previous By Thread Next

Current thread: