From: jamal <hadi@cyberus.ca>
To: Adam Katz <adamkatz0@gmail.com>
Cc: netdev@vger.kernel.org
Subject: Re: libpcap and tc filters
Date: Tue, 05 Jul 2011 10:41:08 -0400 [thread overview]
Message-ID: <1309876868.1765.53.camel@mojatatu> (raw)
In-Reply-To: <CAA0qwj74cvZmkkmA8zBFuXeHdidMco2=de7Li9rDN5Wcp=-G7w@mail.gmail.com>
On Tue, 2011-07-05 at 17:21 +0300, Adam Katz wrote:
> Yes. I understand the difference between ETH_P_ALL and ETH_P_IP...
>
> Jamal, I've now tested both solutions - changing the rule to "protocol
> all" and patching tcpreplay to use ETH_P_IP and both produced the
> exact same problem as before...
Sorry - dont have much time to chase further, but it works for me.
---
hadi@mojatatu10:~$ sudo tc qdisc del dev eth0 root handle 1:
RTNETLINK answers: Invalid argument
hadi@mojatatu10:~$ sudo tc qdisc add dev eth0 root handle 1: prio
priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
hadi@mojatatu10:~$ sudo tc qdisc add dev eth0 parent 1:1 handle 10:
pfifo
hadi@mojatatu10:~$ sudo tc qdisc add dev eth0 parent 1:2 handle 20:
pfifo
hadi@mojatatu10:~$ sudo tc qdisc add dev eth0 parent 1:3 handle 30:
pfifo
hadi@mojatatu10:~$ sudo tc filter add dev eth0 protocol all parent 1:
prio 1 u32 match ip dport 22 0xffff flowid 1:1 action ok
hadi@mojatatu10:~$ sudo tc -s filter ls dev eth0
filter parent 1: protocol all pref 1 u32
filter parent 1: protocol all pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol all pref 1 u32 fh 800::800 order 2048 key ht
800 bkt 0 flowid 1:1
match 00000016/0000ffff at 20
action order 1: gact action pass
random type none pass val 0
index 1 ref 1 bind 1 installed 15 sec used 15 sec
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Note - the "OK" action is just a place holder to count packets.
Now replay Adam's pcap file:
hadi@mojatatu10:~/Downloads$ sudo tcpreplay
--intf1=eth0 ./port22example.pcap
sending out eth0
processing file: ./port22example.pcap
Actual: 50 packets (11594 bytes) sent in 3.66 seconds
Rated: 3167.8 bps, 0.02 Mbps, 13.66 pps
Statistics for network device: eth0
Attempted packets: 50
Successful packets: 50
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
I dont have any ssh running on this maching. So
lets check to see if anything was captured by the filter.
-----
hadi@mojatatu10:~$ sudo tc -s filter ls dev eth0
filter parent 1: protocol all pref 1 u32
filter parent 1: protocol all pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol all pref 1 u32 fh 800::800 order 2048 key ht
800 bkt 0 flowid 1:1
match 00000016/0000ffff at 20
action order 1: gact action pass
random type none pass val 0
index 1 ref 1 bind 1 installed 76 sec used 1 sec
Action statistics:
Sent 7763 bytes 26 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
------
cheers,
jamal
>
> On Tue, Jul 5, 2011 at 4:56 PM, jamal <hadi@cyberus.ca> wrote:
> > On Tue, 2011-07-05 at 16:07 +0300, Adam Katz wrote:
> >
> >> second, I just took at the libpcap source code and it seems it's using
> >> the same ETH_P_ALL option when binding to an interface. So based on
> >> what you're saying, the same solution of patching libpcap and
> >> replacing ETH_P_ALL with ETH_P_IP should also make these rules work
> >> with traffic sent using pure libpcap or any libpcap - based
> >> application.
> >
> > ETH_P_ALL makes sense if you are unsure it is going to be IP. So i would
> > change/optimize apps only for IP if they are intended to deal with IP
> > only (same for ARP etc).
> > In your case, it seems it is tcp only - which runs on top of IP. So
> > it makes sense to do it for that specific use case etc.
> >
> > cheers,
> > jamal
> >
> >
> >
next prev parent reply other threads:[~2011-07-05 14:41 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-04 7:38 libpcap and tc filters Adam Katz
2011-07-04 10:20 ` Eric Dumazet
2011-07-04 11:11 ` jamal
2011-07-04 12:01 ` Adam Katz
2011-07-04 12:37 ` Adam Katz
2011-07-04 13:05 ` jamal
2011-07-04 13:24 ` Adam Katz
2011-07-04 14:06 ` jamal
2011-07-04 14:16 ` Adam Katz
2011-07-05 10:56 ` jamal
2011-07-05 12:47 ` jamal
2011-07-05 13:07 ` Adam Katz
2011-07-05 13:56 ` jamal
2011-07-05 14:21 ` Adam Katz
2011-07-05 14:41 ` jamal [this message]
2011-07-05 15:16 ` Adam Katz
2011-07-05 16:14 ` Eric Dumazet
2011-07-05 16:54 ` Adam Katz
2011-07-05 19:19 ` jamal
2011-07-05 20:07 ` Adam Katz
[not found] <CAA0qwj5Ktxi=v3XDAdTpKS_pWa+HjFL5XcN2qsK5m57JJ5G2Bg@mail.gmail.com>
2011-07-03 12:49 ` Adam Katz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1309876868.1765.53.camel@mojatatu \
--to=hadi@cyberus.ca \
--cc=adamkatz0@gmail.com \
--cc=jhs@mojatatu.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.