* Questions about Linux kernel network programming
[not found] <3fedcc3b0808280733w1d7b24dgf95540d2078856f8@mail.gmail.com>
@ 2008-08-28 14:48 ` Thiago Lacerda
2008-08-28 15:03 ` Tobias Koeck
0 siblings, 1 reply; 6+ messages in thread
From: Thiago Lacerda @ 2008-08-28 14:48 UTC (permalink / raw)
To: netdev
Hi everyone, I'm a Computer Science student from Brazil.
I hope that you can help me with my undergraduate conclusion project.
I have to capture packets at kernel level. More specifically, I have
to write a kernel module (for kernel 2.6) that accesses all the packets
that are coming through my network interface, then performs some
operations on those packets and then decides if they can go to user land
or not.
Please note that I can't do it as a firewall, because I can't
interfere with the applications that work with the network. My kernel
module will communicate with a traffic classifier, which will be
executing in user land and will inspect the packets that the module
passed to it.
Can you help me with how I can develop it?
Thanks in advance
Best regards
--
Thiago de Barros Lacerda
Computer Science Undergraduate Student - CIn/UFPE - 2004.2
Researcher/Software Developer - GPRT - Networking and
Telecommunications Research Group
* Re: Questions about Linux kernel network programming
2008-08-28 14:48 ` Questions about Linux kernel network programming Thiago Lacerda
@ 2008-08-28 15:03 ` Tobias Koeck
2008-08-28 16:19 ` Thiago Lacerda
0 siblings, 1 reply; 6+ messages in thread
From: Tobias Koeck @ 2008-08-28 15:03 UTC (permalink / raw)
To: Thiago Lacerda; +Cc: netdev
Of course you can code a netfilter target extension module. Changing
the main kernel network code directly is not necessary.
Check out the pdf for writing such modules under
http://jengelh.medozas.de/
Check out the
Greetings
t.
On Thu, Aug 28, 2008 at 4:48 PM, Thiago Lacerda <thiagotbl@gmail.com> wrote:
> Hi everyone, I'm a Computer Science student from Brazil.
>
> Hope that you can help me with my undergraduate conclusion project.
>
> I have to capture packets at kernel level. More specifically, I have
> to write a kernel module (for kernel 2.6) that access all the packets
> that are coming through my network interface, then perform some
> operations on that packets and then decide if they can go to user land
> or not.
>
> Please note that I can't do it as a firewall, because I can't
> interfere on the applications that work with network. My kernel
> module will get communicated with traffic classifier, that will be
> executing at user land and will inspect the packets that the module
> passed to it.
>
> Can you help me on how can I develop it?
>
> Thanks in advance
>
> Best regards
>
>
> --
> Thiago de Barros Lacerda
> Computer Science Undergraduate Student - CIn/UFPE - 2004.2
> Researcher/Software Developer - GPRT - Networking and
> Telecommunications Research Group
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
* Re: Questions about Linux kernel network programming
2008-08-28 15:03 ` Tobias Koeck
@ 2008-08-28 16:19 ` Thiago Lacerda
2008-08-28 17:02 ` Ben Hutchings
0 siblings, 1 reply; 6+ messages in thread
From: Thiago Lacerda @ 2008-08-28 16:19 UTC (permalink / raw)
To: Tobias Koeck; +Cc: netdev
Thanks for your reply, Tobias.
But doing it as a netfilter module, I'm going to interfere with all the
traffic of my PC.
I don't want to do it that way. I want to capture the packets in the
kernel and then decide if they will be analyzed by my DPI tool in user
land. My module would act like a filter for my classifier, because I
don't want to spend time on unnecessary copies of packets to user
space memory (like libpcap does; it copies every packet).
I'm doing it like this:
* registered a protocol handler with dev_add_pack
* in the function in the packet_type struct I'm doing some operations with
the packet, but I'm not passing it to user land yet
Is that a good way of doing such a task?
Does any copy of packets occur during this operation (the copy I know of
is the one from the NIC to kernel memory; does any other occur)?
BTW, does anyone know the right way to get a TCP port number in human-readable form?
I'm doing it like this:
    struct tcphdr *tcp = tcp_hdr(my_sk_buff);
    unsigned short src_port = ntohs(tcp->source);
And it isn't working; the numbers that I get are not right.
Regards
On Thu, Aug 28, 2008 at 12:03 PM, Tobias Koeck <tobias.koeck@gmail.com> wrote:
> Of course you can code a netfilter target extension module. Changing
> the main kernel network code directly is not necessary.
>
> Check out the pdf for writing such modules under
>
> http://jengelh.medozas.de/
>
> Check out the
> Greetings
> t.
>
> On Thu, Aug 28, 2008 at 4:48 PM, Thiago Lacerda <thiagotbl@gmail.com> wrote:
>> Hi everyone, I'm a Computer Science student from Brazil.
>>
>> Hope that you can help me with my undergraduate conclusion project.
>>
>> I have to capture packets at kernel level. More specifically, I have
>> to write a kernel module (for kernel 2.6) that access all the packets
>> that are coming through my network interface, then perform some
>> operations on that packets and then decide if they can go to user land
>> or not.
>>
>> Please note that I can't do it as a firewall, because I can't
>> interfere on the applications that work with network. My kernel
>> module will get communicated with traffic classifier, that will be
>> executing at user land and will inspect the packets that the module
>> passed to it.
>>
>> Can you help me on how can I develop it?
>>
>> Thanks in advance
>>
>> Best regards
>>
>>
>> --
>> Thiago de Barros Lacerda
>> Computer Science Undergraduate Student - CIn/UFPE - 2004.2
>> Researcher/Software Developer - GPRT - Networking and
>> Telecommunications Research Group
>
--
Thiago de Barros Lacerda
Computer Science Undergraduate Student - CIn/UFPE - 2004.2
Researcher/Software Developer - GPRT - Networking and
Telecommunications Research Group
* Re: Questions about Linux kernel network programming
2008-08-28 16:19 ` Thiago Lacerda
@ 2008-08-28 17:02 ` Ben Hutchings
2008-08-28 18:12 ` James King
0 siblings, 1 reply; 6+ messages in thread
From: Ben Hutchings @ 2008-08-28 17:02 UTC (permalink / raw)
To: Thiago Lacerda; +Cc: Tobias Koeck, netdev
Thiago Lacerda wrote:
> Thanks for your reply, Tobias.
>
> But, doing it as a netfilter module I'm going to interfere in all the
> traffic of my PC.
> I don't want to do it that way. I want to capture the packets at
> kernel and then decide if they will be analyzed by my DPI tool at user
> land. My module would act like a filter for my classifier, cause I
> want to don't spend time with unnecessary copies of packets to user
> space memory (like libpcap does, it copies every packets).
netfilter modules don't just accept or deny packets. For example there is
a LOG module which logs some brief information about any packets it
receives.
> I'm doing like this:
>
> * registered a protocol handler with dev_add_pack
> * in the function in packet_type struct I'm doing some operations with
> the packet, but I'm not passing it to user land yet
>
> Is that a good way of doing such task?
> Does occur any copy of packets during this operation (the copy I know
> is that one from the NIC to kernel memory, does any other occur?)?
Depends on the driver.
> BTW, anyone knows the right way of get a tcp port number in human readable form?
> I'm doing like this:
>
> struct tcphdr* tcp = tcp_hdr(my_sk_buff)
>
> unsigned short src_port = ntohs(tcp->source)
>
> And it isn't working, the numbers that I get are not right.
Until the packet has gone through the network protocol handler (IP), the
transport header pointer will not be set correctly and tcp_hdr() will return
a pointer to the start of the packet.
Ben.
--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
* Re: Questions about Linux kernel network programming
2008-08-28 17:02 ` Ben Hutchings
@ 2008-08-28 18:12 ` James King
2008-08-29 10:28 ` Ben Hutchings
0 siblings, 1 reply; 6+ messages in thread
From: James King @ 2008-08-28 18:12 UTC (permalink / raw)
To: Ben Hutchings; +Cc: Thiago Lacerda, Tobias Koeck, netdev
On Thu, Aug 28, 2008 at 10:02 AM, Ben Hutchings
<bhutchings@solarflare.com> wrote:
> Thiago Lacerda wrote:
>> BTW, anyone knows the right way of get a tcp port number in human readable form?
>> I'm doing like this:
>>
>> struct tcphdr* tcp = tcp_hdr(my_sk_buff)
>>
>> unsigned short src_port = ntohs(tcp->source)
>>
>> And it isn't working, the numbers that I get are not right.
>
> Until the packet has gone through the network protocol handler (IP), the
> transport header pointer will not be set correctly and tcp_hdr() will return
> a pointer to the start of the packet.
Thanks for the explanation Ben, I was having the same problem with a
toy netfilter module hooked in prerouting a while ago and never
bothered to find out why. Thiago, here's how I got it working:
    struct tcphdr *th = NULL, _tcph;
    struct iphdr *iph = ip_hdr(skb);
    if (iph && iph->protocol == IPPROTO_TCP)
        th = (struct tcphdr *)(skb->data + (iph->ihl * 4));
Alternatively, I think this will work too:
    th = skb_header_pointer(skb, (iph->ihl * 4), sizeof(_tcph), &_tcph);
HTH
* Re: Questions about Linux kernel network programming
2008-08-28 18:12 ` James King
@ 2008-08-29 10:28 ` Ben Hutchings
0 siblings, 0 replies; 6+ messages in thread
From: Ben Hutchings @ 2008-08-29 10:28 UTC (permalink / raw)
To: James King; +Cc: Thiago Lacerda, Tobias Koeck, netdev
James King wrote:
> On Thu, Aug 28, 2008 at 10:02 AM, Ben Hutchings
> <bhutchings@solarflare.com> wrote:
> > Thiago Lacerda wrote:
> >> BTW, anyone knows the right way of get a tcp port number in human readable form?
> >> I'm doing like this:
> >>
> >> struct tcphdr* tcp = tcp_hdr(my_sk_buff)
> >>
> >> unsigned short src_port = ntohs(tcp->source)
> >>
> >> And it isn't working, the numbers that I get are not right.
> >
> > Until the packet has gone through the network protocol handler (IP), the
> > transport header pointer will not be set correctly and tcp_hdr() will return
> > a pointer to the start of the packet.
>
> Thanks for the explanation Ben, I was having the same problem with a
> toy netfilter module hooked in prerouting a while ago and never
> bothered to find out why. Thiago, here's how I got it working:
>
> struct tcphdr *th = NULL, _tcph;
> struct iphdr *iph = ip_hdr(skb);
> if (iph && iph->protocol == IPPROTO_TCP)
> th = (struct tcphdr *)(skb->data + (iph->ihl * 4));
>
> Alternatively, I think this will work too:
> th = skb_header_pointer(skb, (iph->ihl * 4), sizeof(_tcph), &_tcph);
What makes you think ihl is valid?
Please read <http://www.cpni.gov.uk/Docs/InternetProtocol.pdf> before
trying to parse untrusted packets.
Ben.
--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
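
Added example (not part of any message in this thread, and user-space C rather than module code): the ihl question above comes down to checking every length field read from the packet against the bytes actually received before using it as an offset. The function below does that for a buffer that starts at the IPv4 header; tcp_ports_checked, the error codes and sample_ok are names and data constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes; names are hypothetical, chosen for this example. */
enum { PORTS_OK = 0, ERR_SHORT = -1, ERR_VERSION = -2, ERR_IHL = -3,
       ERR_TOTLEN = -4, ERR_NOT_TCP = -5, ERR_FRAGMENT = -6 };

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header, 443 -> 51000. */
const uint8_t sample_ok[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0x01,0xbb,0xc7,0x38, 0,0,0,0, 0,0,0,0, 0x50,0x10,0x20,0x00, 0,0,0,0
};

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Extract the TCP ports from an untrusted IPv4 packet of len bytes. */
int tcp_ports_checked(const uint8_t *pkt, size_t len,
                      uint16_t *sport, uint16_t *dport)
{
    size_t ihl, tot_len;

    if (len < 20)                   /* minimum IPv4 header must be present */
        return ERR_SHORT;
    if ((pkt[0] >> 4) != 4)
        return ERR_VERSION;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)      /* ihl is sender-controlled: 0..60 bytes */
        return ERR_IHL;
    tot_len = be16(pkt + 2);
    if (tot_len < ihl || tot_len > len)
        return ERR_TOTLEN;          /* claimed length exceeds what arrived */
    if (pkt[9] != 6)                /* IPPROTO_TCP */
        return ERR_NOT_TCP;
    if (be16(pkt + 6) & 0x1fff)     /* later fragment: no TCP header here */
        return ERR_FRAGMENT;
    if (tot_len - ihl < 20)         /* minimum TCP header must fit */
        return ERR_SHORT;
    *sport = be16(pkt + ihl);
    *dport = be16(pkt + ihl + 2);
    return PORTS_OK;
}
```

With the first byte of the sample changed to 0x4f (ihl = 15), an unchecked skb->data + ihl * 4 style computation would point 60 bytes into a 40-byte packet; here that input is rejected with ERR_IHL.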