tcpdump mailing list archives
Re: Need to drop packets using tcpdump
From: Ander Juaristi <ajuaristi () gmx es>
Date: Sun, 7 Feb 2016 19:01:53 +0100
Have a look at Netmap [1]. It follows a slightly different approach. Also, the video embedded right at the home page is a great resource to learn what it is and how it differs from other frameworks, such as libpcap and netfilter.

[1] http://info.iet.unipi.it/~luigi/netmap/

Regards,
- AJ

On 02/05/2016 11:47 PM, Rahmadi Trimananda wrote:
> Thank you! I am actually looking at the ingress hook of Nftables too right now. Thanks for clarifying my understanding about tcpdump.
>
> On Feb 5, 2016 12:21 PM, "Guy Harris" <guy () alum mit edu> wrote:
>
>> On Feb 4, 2016, at 5:48 PM, Rahmadi Trimananda <rtrimana () uci edu> wrote:
>>
>>> I am a beginner user of tcpdump. What I want to do is to write my own version of tcpdump (or just extend it) to drop/reject network packets. AFAIK, tcpdump and libpcap can only sniff packets.
>>
>> You are correct. The operating system mechanisms that tcpdump (and everything else that uses libpcap/WinPcap) use for sniffing packets are designed to passively sniff network traffic; they do not offer any mechanism for inserting themselves into the networking stack so that all packets must pass through the mechanism and can be dropped by the mechanism.
>>
>>> Is there any available tool to do this? I am aware of netfilter's iptables and ebtables, but they only work if the packets reach INPUT, FORWARD, or OUTPUT stage in the routing process. What I need to do is sniff the packet directly (like what tcpdump does), and drop it right away
>>
>> Unfortunately, as per the above, the "sniff the packet directly" part of tcpdump cannot be used, as the underlying mechanisms it uses passively tap traffic, with no way to drop that traffic.
>>
>> You *might* be able to...
>>
>>> if it matches my specified pattern, e.g. source, destination, port number, etc.
>>
>> ...reuse the "print the packet's contents" part, albeit with the actual printing removed, and code to do the pattern matching replacing it.
>>
>> What you will have to do is to find, *for the particular operating system on which you will be doing this* (from "netfilter", I'm guessing it's Linux), a mechanism that allows user-mode code (or kernel-mode code, if you plan on stuffing this into the kernel) to examine all incoming packets just before they're handed to the networking stack as received packets and, based on the packet contents, pass them on to the networking stack or drop them.
>>
>> If, as I suspect, this is going to be done on Linux, would the netfilter ingress hook:
>>
>> http://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
>>
>> work for your purposes? It requires a 4.2 kernel or later, and may require that a configuration option be turned on.
>>
>> That page also refers to tc:
>>
>> http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html
>> http://lartc.org/manpages/tc.txt
>> https://en.wikipedia.org/wiki/Tc_(Linux)
>>
>> _______________________________________________
>> tcpdump-workers mailing list
>> tcpdump-workers () lists tcpdump org
>> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
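The netfilter ingress hook that Guy points to is exposed through the nftables netdev family. The ruleset below is an added example, not code from the thread or from the nftables project; it drops packets matching the source, destination and port pattern the original question describes, before they reach the INPUT/FORWARD/OUTPUT stages. The interface eth0, the addresses, the MAC address and the port are assumed placeholders (documentation ranges), and the kernel option it names is CONFIG_NETFILTER_INGRESS.

```nft
#!/usr/sbin/nft -f
# Added example: drop matching packets at the netfilter ingress hook.
# Requires Linux 4.2 or later with CONFIG_NETFILTER_INGRESS and an nft
# with netdev-family support. Interface, addresses, MAC and port are
# assumed placeholders; adjust them before loading with: nft -f <file>

table netdev ingress_filter {
    chain in_eth0 {
        # A netdev-family chain binds to one interface. The ingress hook
        # runs as soon as the driver hands the frame to the stack, ahead
        # of routing and of the ip/ip6/inet-family INPUT and FORWARD hooks.
        type filter hook ingress device eth0 priority 0; policy accept;

        # The pattern from the question: source, destination and port.
        # "counter" keeps per-rule packet/byte counts for verification.
        ip saddr 192.0.2.10 ip daddr 198.51.100.5 tcp dport 8080 counter drop

        # Layer-2 matching is available here too (what ebtables covers).
        ether saddr 00:00:5e:00:53:01 counter drop
    }
}
```

Confirm drops with `nft list table netdev ingress_filter` and watch the counters, not with tcpdump on the same interface: the packet-socket tap libpcap uses runs before the ingress hook, so tcpdump still shows the frames this chain discards, which is the passive-tap behaviour Guy describes.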
Current thread:
- Need to drop packets using tcpdump Rahmadi Trimananda (Feb 04)
- Re: Need to drop packets using tcpdump Guy Harris (Feb 05)
- Re: Need to drop packets using tcpdump Rahmadi Trimananda (Feb 05)
- Re: Need to drop packets using tcpdump Ander Juaristi (Feb 07)
- Re: Need to drop packets using tcpdump Guy Harris (Feb 05)