detailed description of linux socket filter and sniffing problem

Post by Mal hacke » Sat, 07 Jul 2001 15:10:07



Well, a detailed description of the thing which I wanted to ask you is:

1) When I start sniffing I attach a bpf code to the socket by means of the
setsockopt system call (as given in the filter.txt file in the docs of
lsf).

2) Then I do some reads on the socket and now I want to change the
filtering criteria, and so the bpfcode which was attached to the socket
also needs to be changed.

3) For that I need to again call setsockopt to attach the new
bpfcode.

4) But the necessity is that as soon as I find the need to change the
criteria, I need to grab all the packets after that until the time I
have attached the new code (although this will be a few
milliseconds).

5) So I remove the filter expression by means of setsockopt
SO_DETACH_FILTER and then regenerate the bpfcode for the new expression.

6) Now I do an attach operation on the socket by means of setsockopt and
so attach the new filter.

7) Now here comes my real question. All the packets which were buffered
by the kernel after the detach operation and before the attach operation
(as in point 6), will they be filtered on the basis of the new filter
expression and then passed to the user process, or will they be passed
as they are (i.e. without filtering) and only those packets which were
received after the second attach operation be filtered on the
basis of the new expression?

(Sorry if I am unclear this time also. I will mail you the program next
if I am unclear this time too.)
Thanks,
mal

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Post by Alan Cox » Sat, 07 Jul 2001 20:30:10


> 5) So I remove the filter expression by means of setsockopt
> SO_DETACH_FILTER and then regenerate the bpfcode for the new expression.

> 6) Now I do an attach operation on the socket by means of setsockopt and
> so attach the new filter.

You can just issue a new SO_ATTACH_FILTER and it will swap them over rather
than having an 'all packets' time. You will have some buffered frames matching
the old filter.
Post by Mal hacke » Sat, 07 Jul 2001 21:00:11



> > 5) So I remove the filter expression by means of setsockopt
> > SO_DETACH_FILTER and then regenerate the bpfcode for the new expression.

> > 6) Now I do an attach operation on the socket by means of setsockopt and
> > so attach the new filter.

> You can just issue a new SO_ATTACH_FILTER and it will swap them over
> rather than having an 'all packets' time. You will have some buffered
> frames matching the old filter.

Hello Alan,

But the reason why I am not doing this right now is that as soon as I
determine that I need to change the bpfcode, I would possibly require
that at that very instant I don't miss the next 2-3 packets
corresponding to the new criteria, which are of prime importance. Then
if I take my time in compiling and then attaching the new code in the
manner you have suggested, the kernel might drop those important packets,
as during this time the bpfcode is still the old one. So, at that very
instant I detach the bpfcode. This helps me in the way that this is the
fastest way in which I can grab the next 2-3 packets. But this would
possibly provide an inlet for the invalid or not required packets also
to be buffered in the kernel. So, if I have a way that the buffered
packets should now be filtered on the basis of the new bpfcode which I
have attached to the socket, then things will be fine.

Thus this is the reason why I am trying to find the solution for the
case as I have explained it in the previous mail.

If there is some way out for this problem, then please suggest the
same, as I am in urgent need of a solution for this problem of mine.

PS: Alan, it's a great pleasure to have your mail in my inbox. I have
read your name so much in the kernel code that seeing your mail seems
like a dream come true.


regarding linux socket filter and sniffing

Hello friends,
I am right now writing a small sniffer using lsf (linux socket filter).
My question is this: if a bpfcode is attached to the
filter and then detached and reattached, will the packets which were received by the kernel on
this socket between these two
attach operations be filtered by the newly attached expression or not? Here
the packets I am referring to are the ones which will be buffered on
the socket between the two attach operations.
TIA
mal
