Any suggestions for getting a pcap of traffic over netlink?

Any suggestions for getting a pcap of traffic over netlink?

[Sam Roberts]

Obviously, there is no net device to pcap - I'm wondering if anybody
knows of ways to watch netlink traffic? I don't know netlink well, I'm
wondering if its possible to do a PF_NETLINK socket that promiscuously
receives all netlink traffic on all sockets?

I can build wireshark dissectors once I've got pcaps, but I'm not too
sure how to get the captures, other than hacking libnfnetlink to dump
all sendmsg/recvmsg payload into a pcap file with a custom link type,
but I'm hoping I'm not the first person to want to do this.

I want to troubleshoot interactions, like when my userspace code
blocks indefinitely waiting for a response from the kernel, but the
sample code I'm looking at doesn't, and I want to understand what I'm
doing differently.

Cheers,
Sam

Re: Any suggestions for getting a pcap of traffic over netlink?

[Pablo Neira Ayuso]

On 22/03/11 00:15, Sam Roberts wrote:
> Obviously, there is no net device to pcap - I'm wondering if anybody
> knows of ways to watch netlink traffic? I don't know netlink well, I'm
> wondering if its possible to do a PF_NETLINK socket that promiscuously
> receives all netlink traffic on all sockets?

This, or any similar feature, does not exist yet.

We can add some NETLINK_CONTROL family that would allows us to sniff all
netlink traffic.