Magic Lantern

Magic Lantern

[Richard B. Johnson]

Are there currently any kernel hooks to support Magic Lantern?
Basically, a "tee" to capture all network packets and pass them
on to a filtering task without affecting normal network activity.
It's like `tcpdump`, but allows packets to be inserted into the
output queue as well without affecting normal network activity.

Yes, I know a module could be written, but I wonder if the
capability already exists.


Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.

Re: Magic Lantern

[David S. Miller]

   From: "Richard B. Johnson" <root@chaos.analogic.com>
   Date: Wed, 28 Nov 2001 08:36:33 -0500 (EST)
   
   Yes, I know a module could be written, but I wonder if the
   capability already exists.

I'm pretty sure netfilter (at least at one point) allows
exactly what you describe.  Packet filters can be written
in userspace.

Re: Magic Lantern

[Lars Brinkhoff]

"Richard B. Johnson" <root@chaos.analogic.com> writes:
> Are there currently any kernel hooks to support Magic Lantern?
> Basically, a "tee" to capture all network packets and pass them
> on to a filtering task without affecting normal network activity.
> It's like `tcpdump`, but allows packets to be inserted into the
> output queue as well without affecting normal network activity.

The af_packet module can read and write raw ethernet frames.

-- 
Lars Brinkhoff          http://lars.nocrew.org/     Linux, GCC, PDP-10
Brinkhoff Consulting    http://www.brinkhoff.se/    programming

Re: Magic Lantern

[Richard B. Johnson]

On 28 Nov 2001, Lars Brinkhoff wrote:

> "Richard B. Johnson" <root@chaos.analogic.com> writes:
> > Are there currently any kernel hooks to support Magic Lantern?
> > Basically, a "tee" to capture all network packets and pass them
> > on to a filtering task without affecting normal network activity.
> > It's like `tcpdump`, but allows packets to be inserted into the
> > output queue as well without affecting normal network activity.
> 
> The af_packet module can read and write raw ethernet frames.

Okay, thanks.


Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.

Re: Magic Lantern

[Eric Weigle]

> > "Richard B. Johnson" <root@chaos.analogic.com> writes:
> > > Are there currently any kernel hooks to support Magic Lantern?
> > > Basically, a "tee" to capture all network packets and pass them
> > > on to a filtering task without affecting normal network activity.
> > > It's like `tcpdump`, but allows packets to be inserted into the
> > > output queue as well without affecting normal network activity.
> > 
> > The af_packet module can read and write raw ethernet frames.
The af_packet module may also be fairly inefficient. If you need performance
over, say, a gigabit link, you may have trouble. I last used it one of the
earlier 2.4 series (2.4.8 I think) with the Acenic Tigon II gigE copper
cards to implement a network flooder; At that time a simple unoptimized loop
sending raw ethernet packets maxed out at at around 80Mbps, while the same loop
sending UDP packets maxed out at around 400. This may have been fixed by now,
I don't know... Just a warning.

-Eric

-- 
--------------------------------------------
 Eric H. Weigle   CCS-1, RADIANT team
 ehw@lanl.gov     Los Alamos National Lab
 (505) 665-4937   http://home.lanl.gov/ehw/
--------------------------------------------

Re: Magic Lantern

[Richard B. Johnson]

On Wed, 28 Nov 2001, Eric Weigle wrote:

> > > "Richard B. Johnson" <root@chaos.analogic.com> writes:
> > > > Are there currently any kernel hooks to support Magic Lantern?
> > > > Basically, a "tee" to capture all network packets and pass them
> > > > on to a filtering task without affecting normal network activity.
> > > > It's like `tcpdump`, but allows packets to be inserted into the
> > > > output queue as well without affecting normal network activity.
> > > 
> > > The af_packet module can read and write raw ethernet frames.
> The af_packet module may also be fairly inefficient. If you need performance
> over, say, a gigabit link, you may have trouble. I last used it one of the
> earlier 2.4 series (2.4.8 I think) with the Acenic Tigon II gigE copper
> cards to implement a network flooder; At that time a simple unoptimized loop
> sending raw ethernet packets maxed out at at around 80Mbps, while the same loop
> sending UDP packets maxed out at around 400. This may have been fixed by now,
> I don't know... Just a warning.
> 
> -Eric

Okay. I don't think that performance will be a problem in the near
future. As you no doubt know, the DOJ is "requiring" that these
taps be inserted into Operating Systems so that they can access
computers, of course always in direct correspondence with a
wiretap order (if you believe that, I've got a bridge to sell).

Information is that part of M$ agreement with DOJ was to insert
these taps into their OS. In due course, we will have to counter
this by emulation, i.e., always return a nice new, never touched
distribution disk when queried for a directory <grin>, but
presently, if there are "hooks" for "future enhancements", the
DOJ can't refuse to allow the sale or distribution of an OS
as is now proposed.

Once the DOJ actually reads the Constitution, this problem may
go away altogether, but presently the knee-jerk reaction from 9/11
is to violate everybody's computers!

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.

Re: Magic Lantern

[Lars Brinkhoff]

Eric Weigle <ehw@lanl.gov> writes:
> > > "Richard B. Johnson" <root@chaos.analogic.com> writes:
> > > > Basically, a "tee" to capture all network packets and pass them
> > > > on to a filtering task without affecting normal network activity.
> > > The af_packet module can read and write raw ethernet frames.
> The af_packet module may also be fairly inefficient. If you need
> performance over, say, a gigabit link, you may have trouble.

Are you (or anyone else) aware of any alternative?

-- 
Lars Brinkhoff          http://lars.nocrew.org/     Linux, GCC, PDP-10
Brinkhoff Consulting    http://www.brinkhoff.se/    programming

Re: Magic Lantern

[Eric Weigle]

On Wed, Nov 28, 2001 at 07:54:39PM +0100, Lars Brinkhoff wrote:
> Eric Weigle <ehw@lanl.gov> writes:
> > > > "Richard B. Johnson" <root@chaos.analogic.com> writes:
> > > > > Basically, a "tee" to capture all network packets and pass them
> > > > > on to a filtering task without affecting normal network activity.
> > > > The af_packet module can read and write raw ethernet frames.
> > The af_packet module may also be fairly inefficient. If you need
> > performance over, say, a gigabit link, you may have trouble.
> 
> Are you (or anyone else) aware of any alternative?
I'm sure it's just something silly that's hurt the performance of the
af_packet module (perhaps already fixed, perhaps in my methodology :|)

For the purposes of the work I was doing here (totally unrelated to this
Magic Lantern BS, which I didn't even know what it was until after I posted
the first response in this thread), I just needed to saturate a gigE link for
testing. To do this I just used three boxes flooding UDP packets and that
worked. As far as traffic collection goes (which is what I was testing),
we went with another approach-- an optical tap to snarf off a copy of all
the data on a link, and then a custom kernel I hacked up to do the work
in the kernel itself (avoiding the kernel--user space copy and the stack
entirely). This is not for the faint of heart.


-Eric

-- 
--------------------------------------------
 Eric H. Weigle   CCS-1, RADIANT team
 ehw@lanl.gov     Los Alamos National Lab
 (505) 665-4937   http://home.lanl.gov/ehw/
--------------------------------------------