captura de pacotes no kernelspace

IntroductionNetwork stack

Packet ingress flowMethods to capture packets

University of Sao Paulo - USP

Network packet capture in Linux kernelspaceAn overview of the network stack in the Linux kernel

Beraldo Leal

[email protected]

http://www.ime.usp.br/~beraldo/

Institute of Mathematics and Statistics - IMEUniversity of Sao Paulo - USP

25th October 2011

Beraldo Leal 25th October 2011 Network packet capture in Linux kernelspace 1 / 25

[email protected]





Outline

Introduction

Network stack

Packet ingress flow

Methods to capture packets





Introduction

• Sniffers;

• Improvements in packet reception;

• Linux kernel network subsystem;





Sniffers

• tcpdump, wireshark, snort, etc;

• Using the well-known library libpcap;

• Not suitable for > 10 Gbps;

• Packet loss;





Improvements in packet reception

• Commodity hardware for packet capture;• 3COM• Intel• endace, ...

• Many Interruptions

• NEW API or NAPI (interruption coalescence)

• zero-copy• Direct Memory Access - DMA• mmap()





Linux kernel network subsystem

• Kernel number of files: 36.680 1 2

• net/ number of files: 1.293 ( 3.5% )

• drivers/net/ number of files: 1.935 ( 5.27% )

• Kernel SLOC: 9.723.525

• net/ SLOC: 480.928 ( 5% )

• drivers/net/ SLOC: 1.155.317 ( 12% )

1kernel 3.0.0

2source: wc, find, cat, etc..





Network stack

L5: Application

http, ftp, ssh, telnet, ... (message)

L4: Transport

tcp, udp, ... (segment)

L3: Network

ipv4, ipv6, ... (datagram/packet)

L1/2: Link / host-to-network

ethernet, token ring, ... (frame)





Important data structs:

• net device

• include/linux/netdevice.h

• sk buff

• include/linux/skbuff.h






• net device (include/linux/netdevice.h)• unsigned int mtu• unsigned int flags• unsigned char dev addr[MAX ADDR LEN]• int promiscuity






• sk buff (include/linux/skbuff.h)• struct sk buff *next;• struct sk buff *prev;• ktime t tstamp;• struct net device *dev;• unsigned int len;• unsigned int data len;• u16 mac len;• u8 pkt type;• be16 protocol;• sk buff data t transport header; (old h)• sk buff data t network header; (old nh)• sk buff data t mac header; (old mac)





Important sk buff routines

• alloc skb();

• dev alloc skb();

• kfree skb();

• dev kfree skb();

• skb clone();

• skb network header(skb);

• skb transport header(skb);

• skb mac header(skb);





Packet ingress flow

• When working in interrupt driven model, the nic registers aninterrupt handler;

• This interrupt handler will be called when a frame is received;

• Typically in the handler, we allocate sk buff by callingdev alloc skb();

• Copies data from nic’s buffer to this struct just created;

• nic call generic reception routine netif rx();

• netif rx() put frame in per cpu queue;

• if queue is full, drop!

• net rx action() decision based on skb->protocol;

• This function basically dequeues the frame and delivery a copyfor every protocol handler;

• ptype all and ptype base queues





Packet ingress flow

• ip v4 rcv() will receive the ip datagram (if is a ipv4 packet);

• ip checksum, check ip headers, ....

• ip rcv finish() makes route decision (ip forward() orip local delivery())

• ip local delivery() defrag fragmented packets, and callip local deliver finish()

• ip local deliver finish() find protocol handler again;

• tcp v4 rcv(), udp rcv(), or other L4 protocol handler

• ...


ip_rcv()

(net/ipv4/ip_input.c)

verify skb, IP headers

and IP checksum

<...>

netif_rx()

(net/core/dev.c)

net_rx_action()

(net/core/dev.c)

decision based on

skb->protocol field

input_queue

[cpu]

NF_IP_FORWARDip_local_deliver_finish()


find protocol handler or

send icmp_dst_unreach

ip_local_deliver()


defrag fragmented

packets

NF_IP_PRE_ROUTING

NF_IP_LOCAL_IN

ip_forward()

(net/ipv4/ip_forward.c)

handle route alert;

send redirect if

necessary;

decrease TTL;

verify if frag is

possible (mtu)

ip_error()

(net/ipv4/route.c)

routing error, send

icmp pkt

Network Drivers

(drivers/net/*)

<continue>

Layer 3

Network

Layer 1/2

Physical/Link

arp_rcv()

(handle arp requests

and replies)

packet_rcv()

<tcpdump_process>

<dhcpd process>

<...>

ip_rcv_finish()


find route and handle

IP options

NF_IP_FORWARDip_local_deliver_finish()


find protocol handler or

send icmp_dst_unreach

ip_local_deliver()


defrag fragmented

packets

NF_IP_PRE_ROUTING

NF_IP_LOCAL_IN

ip_forward()

(net/ipv4/ip_forward.c)

handle route alert;

send redirect if

necessary;

decrease TTL;

verify if frag is

possible (mtu)

ip_error()

(net/ipv4/route.c)

routing error, send

icmp pkt

<continue>

Layer 3

Network

<...>

tcp_v4_do_rcv()

(net/ipv4/tcp_ipv4.c)

check for socket state

generate ICMP

error

Socket Layer

(net/core/sock.c)

Layer 4

Transport

Application

userspace

kernelspace

ip_rcv_finish()


find route and handle

IP options

tcp_v4_rcv()


check for tcp headers

udp_rcv()

(net/ipv4/udp.c)

check for udp headers

__tcp_v4_lookup()


check for socket in

LISTEN, with dst_port




Methods to capture packets

• protocol handler• register a function to handler packets with dev add pack()

• netfilter hooks

• userspace tools;• socket AF PACKET, libpcap, ...





1 struct packet type my proto;23 int my packet rcv(struct sk buff ∗skb, struct net device ∗dev,4 struct packet type ∗pt, struct net device ∗orig dev) {56 printk(KERN ERR ”+ 1!\n”);78 kfree skb(skb);9 return 0;

10 }1112 static int hello init(void) {13 printk(”<1> Hello world!\n”);1415 my proto.type = htons(ETH P ALL);16 my proto.dev = NULL;17 my proto.func = my packet rcv;1819 dev add pack(&my proto);20 return 0;21 }2223 static void hello exit(void) {24 dev remove pack(&my proto);25 printk(”<1> Bye, cruel world\n”);26 }27 module init(hello init);28 module exit(hello exit);





1 int my packet rcv(struct sk buff ∗skb, struct net device ∗dev, struct packet type ∗pt, struct net device∗orig dev)

2 {3 switch (skb−>pkt type) {4 case PACKET HOST:5 printk(”PACKET HOST − ”);6 break;7 case PACKET BROADCAST:8 printk(”PACKET BROADCAST − ”);9 break;

10 case PACKET MULTICAST:11 printk(”PACKET MULTICAST − ”);12 break;13 case PACKET OTHERHOST:14 printk(”PACKET OTHERHOST − ”);15 break;16 case PACKET OUTGOING:17 printk(”PACKET OUTGOING − ”);18 break;19 case PACKET LOOPBACK:20 printk(”PACKET LOOPBACK − ”);21 break;22 case PACKET FASTROUTE:23 printk(”PACKET FASTROUTE − ”);24 break;25 }26 printk(”%s 0x%.4X 0x%.4X \n”, skb−>dev−>name, ntohs(skb−>protocol), ip hdr(skb)−>protocol)2728 kfree skb(skb);29 return 0;30 }





Netfilter hooks

• iptables = userspace;

• netfilter = kernelspace;

• Netfilter is merely a series of hooks in various points in aprotocol stack;

• packet filtering, network address [and port] translation(NA[P]T) and other packet mangling;

• www.netfilter.org


www.netfilter.org




References

• br.kernelnewbies.org/node/150 has many links


br.kernelnewbies.org/node/150




Thankyou! Question?





Network packet capture in Linux kernelspaceAn overview of the network stack in the Linux kernel

Beraldo Leal

[email protected]


Institute of Mathematics and Statistics - IMEUniversity of Sao Paulo - USP

25th October 2011


[email protected]


captura de pacotes no kernelspace

Technology