raw PF_PACKET protocol selection

raw PF_PACKET protocol selection

[Joakim Tjernlund]

Hi List

I trying to open my own raw PF_PACKET socket to receive 
pkgs sent to this socket. I can only make ETH_P_ALL protocol
work, but then I receive all pkgs and I want pkgs with a specific
protocol type. I have tried lots of ETH_P types and none of them work.
Naturally I make sure the sender is using the same protocol as my test
program below. I guess I must be doing something wrong???


Here is the test program:

#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/in.h>
#include <linux/if_ether.h>

int main(int argc, char **argv) {
  int sock, n;
  char buffer[2048];
  unsigned char *iphead, *ethhead;

  if ( (sock=socket(PF_PACKET, SOCK_RAW,
                    htons(ETH_P_IP)))<0) { // ETH_P_IP is just an example
    perror("socket");
    exit(1);
  }

  while (1) {
    printf("----------\n");
    n = recvfrom(sock,buffer,2048,0,NULL,NULL);
    printf("%d bytes read\n",n);

    /* Check to see if the packet contains at least
     * complete Ethernet (14), IP (20) and TCP/UDP
     * (8) headers.
     */
    if (n<42) {
      perror("recvfrom():");
      printf("Incomplete packet (errno is %d)\n",
             errno);
      close(sock);
      exit(0);
    }

    ethhead = buffer;
    printf("Source MAC address: "
           "%02x:%02x:%02x:%02x:%02x:%02x\n",
           ethhead[0],ethhead[1],ethhead[2],
           ethhead[3],ethhead[4],ethhead[5]);
    printf("Destination MAC address: "
           "%02x:%02x:%02x:%02x:%02x:%02x\n",
           ethhead[6],ethhead[7],ethhead[8],
           ethhead[9],ethhead[10],ethhead[11]);

    iphead = buffer+14; /* Skip Ethernet header */
    if (*iphead==0x45) { /* Double check for IPv4
                          * and no options present */
      printf("Source host %d.%d.%d.%d\n",
             iphead[12],iphead[13],
             iphead[14],iphead[15]);
      printf("Dest host %d.%d.%d.%d\n",
             iphead[16],iphead[17],
             iphead[18],iphead[19]);
      printf("Source,Dest ports %d,%d\n",
             (iphead[20]<<8)+iphead[21],
             (iphead[22]<<8)+iphead[23]);
      printf("Layer-4 protocol %d\n",iphead[9]);
    } else {
       int i;
       iphead = buffer+12;
       for(i=0; i<n-12; i++)
	  printf(" pkt:%x, %c\n",
	      iphead[i],iphead[i]);
    }
  }

}

Re: raw PF_PACKET protocol selection

[Herbert Xu]

Joakim Tjernlund <joakim.tjernlund@transmode.se> wrote:
> 
> I trying to open my own raw PF_PACKET socket to receive 
> pkgs sent to this socket. I can only make ETH_P_ALL protocol
> work, but then I receive all pkgs and I want pkgs with a specific
> protocol type. I have tried lots of ETH_P types and none of them work.
> Naturally I make sure the sender is using the same protocol as my test
> program below. I guess I must be doing something wrong???

Your program works fine here.  You did run it as root, right?
Did you try stracing it?

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

RE: raw PF_PACKET protocol selection

[Joakim Tjernlund]

 

> -----Original Message-----
> From: Herbert Xu [mailto:herbert@gondor.apana.org.au] 
> Sent: den 9 oktober 2007 05:17
> To: joakim.tjernlund@transmode.se
> Cc: netdev@vger.kernel.org
> Subject: Re: raw PF_PACKET protocol selection
> 
> Joakim Tjernlund <joakim.tjernlund@transmode.se> wrote:
> > 
> > I trying to open my own raw PF_PACKET socket to receive 
> > pkgs sent to this socket. I can only make ETH_P_ALL protocol
> > work, but then I receive all pkgs and I want pkgs with a specific
> > protocol type. I have tried lots of ETH_P types and none of 
> them work.
> > Naturally I make sure the sender is using the same protocol 
> as my test
> > program below. I guess I must be doing something wrong???
> 
> Your program works fine here.  You did run it as root, right?

Yes and ETH_P_ALL is the only protocol that prints anything
I am on 2.6.22

> Did you try stracing it?

Just did and now it works, it didn't yesterday :(
But if I change protocol to ETH_P_MOBITEX, I don't get any
pkgs(I did change protocol on sending side too)

> 
> Cheers,
> -- 
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> 
> 
> 

Re: raw PF_PACKET protocol selection

[Evgeniy Polyakov]

On Tue, Oct 09, 2007 at 08:08:22AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > Your program works fine here.  You did run it as root, right?
> 
> Yes and ETH_P_ALL is the only protocol that prints anything
> I am on 2.6.22

ETH_P_ARP works too.

> > Did you try stracing it?
> 
> Just did and now it works, it didn't yesterday :(
> But if I change protocol to ETH_P_MOBITEX, I don't get any
> pkgs(I did change protocol on sending side too)

Did you change eth_type_trans() to catch your proto?


-- 
	Evgeniy Polyakov

Re: raw PF_PACKET protocol selection

[Joakim Tjernlund]

On Tue, 2007-10-09 at 11:13 +0400, Evgeniy Polyakov wrote:
> On Tue, Oct 09, 2007 at 08:08:22AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > > Your program works fine here.  You did run it as root, right?
> > 
> > Yes and ETH_P_ALL is the only protocol that prints anything
> > I am on 2.6.22
> 
> ETH_P_ARP works too.
> 
> > > Did you try stracing it?
> > 
> > Just did and now it works, it didn't yesterday :(
> > But if I change protocol to ETH_P_MOBITEX, I don't get any
> > pkgs(I did change protocol on sending side too)
> 
> Did you change eth_type_trans() to catch your proto?
> 

Just fond out something:
if I redirect my prog like so:
./sniff > log
and press Ctrl-C after a packet has been sent to it, 
it does NOT work. I don't get ANY output in my "log" file, not
even the printf("---------\n") appears.
But if I run whithout redirect it works(at least with ETH_P_BPQ)
Anyone else see this too?

  Jocke

Re: raw PF_PACKET protocol selection

[Evgeniy Polyakov]

On Tue, Oct 09, 2007 at 09:27:38AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > Did you change eth_type_trans() to catch your proto?
> > 
> 
> Just fond out something:
> if I redirect my prog like so:
> ./sniff > log
> and press Ctrl-C after a packet has been sent to it, 
> it does NOT work. I don't get ANY output in my "log" file, not
> even the printf("---------\n") appears.
> But if I run whithout redirect it works(at least with ETH_P_BPQ)
> Anyone else see this too?

I only tested with IP and ARP packets - I can not say when packet was
actually received and written to log, but it does start filling up, but
maybe not immediately - it can be output buffering in shell though.

-- 
	Evgeniy Polyakov

Re: raw PF_PACKET protocol selection

[Joakim Tjernlund]

On Tue, 2007-10-09 at 11:34 +0400, Evgeniy Polyakov wrote:
> On Tue, Oct 09, 2007 at 09:27:38AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > > Did you change eth_type_trans() to catch your proto?
> > > 
> > 
> > Just fond out something:
> > if I redirect my prog like so:
> > ./sniff > log
> > and press Ctrl-C after a packet has been sent to it, 
> > it does NOT work. I don't get ANY output in my "log" file, not
> > even the printf("---------\n") appears.
> > But if I run whithout redirect it works(at least with ETH_P_BPQ)
> > Anyone else see this too?
> 
> I only tested with IP and ARP packets - I can not say when packet was
> actually received and written to log, but it does start filling up, but
> maybe not immediately - it can be output buffering in shell though.

Did you receive many packets? Seems like when I receive just 1 or 2 pkgs
I get the empty log. If I strace ./sniff > log I see that recvfrom gets
pkgs, but there are no trace of writes. I guess this
is a bash(3.2_p17) or glibc(2.5.-r4) bug?

Re: raw PF_PACKET protocol selection

[Evgeniy Polyakov]

On Tue, Oct 09, 2007 at 09:51:25AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> On Tue, 2007-10-09 at 11:34 +0400, Evgeniy Polyakov wrote:
> > On Tue, Oct 09, 2007 at 09:27:38AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > > > Did you change eth_type_trans() to catch your proto?
> > > > 
> > > 
> > > Just fond out something:
> > > if I redirect my prog like so:
> > > ./sniff > log
> > > and press Ctrl-C after a packet has been sent to it, 
> > > it does NOT work. I don't get ANY output in my "log" file, not
> > > even the printf("---------\n") appears.
> > > But if I run whithout redirect it works(at least with ETH_P_BPQ)
> > > Anyone else see this too?
> > 
> > I only tested with IP and ARP packets - I can not say when packet was
> > actually received and written to log, but it does start filling up, but
> > maybe not immediately - it can be output buffering in shell though.
> 
> Did you receive many packets? Seems like when I receive just 1 or 2 pkgs
> I get the empty log. If I strace ./sniff > log I see that recvfrom gets
> pkgs, but there are no trace of writes. I guess this
> is a bash(3.2_p17) or glibc(2.5.-r4) bug?

I received 1396 bytes of logs before terminated, which is 27 ARP packets, 
so there is quite big number of packet there. 
Your application works correctly (although you swapped source and
destination ethernet fields) - buffered writing is not a bug,
if you do not like it, use write(2), mmap(2) or turn buffering off as
Herbert suggested. To get packets with your own ethernet protocol number
you have to change eth_type_trans() function in kernel, which parses
ethernet header and returns protocol number, under some conditions it
will just return your number automatically, but you should check it.

-- 
	Evgeniy Polyakov

Re: raw PF_PACKET protocol selection

[Joakim Tjernlund]

On Tue, 2007-10-09 at 12:17 +0400, Evgeniy Polyakov wrote:
> On Tue, Oct 09, 2007 at 09:51:25AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > On Tue, 2007-10-09 at 11:34 +0400, Evgeniy Polyakov wrote:
> > > On Tue, Oct 09, 2007 at 09:27:38AM +0200, Joakim Tjernlund (joakim.tjernlund@transmode.se) wrote:
> > > > > Did you change eth_type_trans() to catch your proto?
> > > > > 
> > > > 
> > > > Just fond out something:
> > > > if I redirect my prog like so:
> > > > ./sniff > log
> > > > and press Ctrl-C after a packet has been sent to it, 
> > > > it does NOT work. I don't get ANY output in my "log" file, not
> > > > even the printf("---------\n") appears.
> > > > But if I run whithout redirect it works(at least with ETH_P_BPQ)
> > > > Anyone else see this too?
> > > 
> > > I only tested with IP and ARP packets - I can not say when packet was
> > > actually received and written to log, but it does start filling up, but
> > > maybe not immediately - it can be output buffering in shell though.
> > 
> > Did you receive many packets? Seems like when I receive just 1 or 2 pkgs
> > I get the empty log. If I strace ./sniff > log I see that recvfrom gets
> > pkgs, but there are no trace of writes. I guess this
> > is a bash(3.2_p17) or glibc(2.5.-r4) bug?
> 
> I received 1396 bytes of logs before terminated, which is 27 ARP packets, 
> so there is quite big number of packet there. 
> Your application works correctly (although you swapped source and
> destination ethernet fields) - buffered writing is not a bug,
> if you do not like it, use write(2), mmap(2) or turn buffering off as
> Herbert suggested. To get packets with your own ethernet protocol number
> you have to change eth_type_trans() function in kernel, which parses
> ethernet header and returns protocol number, under some conditions it
> will just return your number automatically, but you should check it.

I thought that flushing was done automatically when SIGINT happened
but I was apperently wrong. Sorry for the noise and thanks for your
help. I have added setvbuf calls to make it unbuffered.

 Jocke

Re: raw PF_PACKET protocol selection

[Herbert Xu]

On Tue, Oct 09, 2007 at 09:27:38AM +0200, Joakim Tjernlund wrote:
>
> Just fond out something:
> if I redirect my prog like so:
> ./sniff > log
> and press Ctrl-C after a packet has been sent to it, 
> it does NOT work. I don't get ANY output in my "log" file, not
> even the printf("---------\n") appears.
> But if I run whithout redirect it works(at least with ETH_P_BPQ)
> Anyone else see this too?

Um, this is what we call buffering.

You either need to turn buffering off with setbuf(3) or you
should install a SIGINT handler to flush the output before
exiting.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt