Parsing ULOG message received on netlink socket

Parsing ULOG message received on netlink socket

[Retesh Chadha]

Hi All
I am trying to ULOG certain packets based on a iptable rule.

When the ulog daemon receives data on the netlink socket, it is raw
data, which I dont know how to parse, apart from structure nlmsghdr,
that is its header.

My requirement is to parse the received buffer on netlink socket so as
to get the source IP address of the IP packet. Are there any routines
or macros to do so? I think struct sk_buff is the buffer received on
netlink socket, but not sure.

Please let me know if someone is aware of the same, or some pointers
where I can get this info.

Thanks in advance
With Regards
Retesh Chadha

Re: Parsing ULOG message received on netlink socket

[Patrick McHardy]

Retesh Chadha wrote:
> Hi All
> I am trying to ULOG certain packets based on a iptable rule.
> 
> When the ulog daemon receives data on the netlink socket, it is raw
> data, which I dont know how to parse, apart from structure nlmsghdr,
> that is its header.
> 
> My requirement is to parse the received buffer on netlink socket so as
> to get the source IP address of the IP packet. Are there any routines
> or macros to do so? I think struct sk_buff is the buffer received on
> netlink socket, but not sure.
> 
> Please let me know if someone is aware of the same, or some pointers
> where I can get this info.

Check out ulogd or nfnetlink_log and libnfnetlink.

Re: Parsing ULOG message received on netlink socket

[Maik Hentsche]

Zitat von Patrick McHardy <kaber@trash.net>:

> Check out ulogd or nfnetlink_log and libnfnetlink.

ulogd seems to be abandoned, so specter
(http://joker.linuxstuff.pl/specter/) might be the better advice. Both
specter and ulogd already have plugins for parsing the raw data. Having
written an output plugin (to log into prelude) for both I feel this is
easier for specter because of the better defined structure of the
passed values. If Retesh ever feels, his (or her? can't tell from the
name, sorry) work should become open source, the chance to get a new
plugin into specter seems to be far better then getting one into ulogd
since the author of the former does answer mails and the author of the
later does not.

Just my 2 ¢.

so long
Maik

Re: Parsing ULOG message received on netlink socket

[Retesh Chadha]

Hi
I am able to parse the ULOG message (raw buffer) by skipping the
netlink header and a few more bytes(fixed size around - 160 bytes) to
get the IP header. This works for me for UDP, ICMP and TCP.

Rgds
Retesh

On 9/29/06, Maik Hentsche <netfilter@mm-double.de> wrote:
> Zitat von Patrick McHardy <kaber@trash.net>:
>
> > Check out ulogd or nfnetlink_log and libnfnetlink.
>
> ulogd seems to be abandoned, so specter
> (http://joker.linuxstuff.pl/specter/) might be the better advice. Both
> specter and ulogd already have plugins for parsing the raw data. Having
> written an output plugin (to log into prelude) for both I feel this is
> easier for specter because of the better defined structure of the
> passed values. If Retesh ever feels, his (or her? can't tell from the
> name, sorry) work should become open source, the chance to get a new
> plugin into specter seems to be far better then getting one into ulogd
> since the author of the former does answer mails and the author of the
> later does not.
>
> Just my 2 ¢.
>
> so long
> Maik
>
>