Mailing List Archive: NTop: Misc

Reading pf_ring plugin sk_buff value

robert.yamamoto at nsn

Jul 18, 2011, 5:39 PM

Post #1 of 2 (320 views)
Reading pf_ring plugin sk_buff value

Hi,

I am modifying the dummy plugin to look for ICMP TTL expiry messages. I
am taking the sk_buff *skb pointer, getting the icmphdr from that, and
then testing the type field. I don't see the type field ever set to 11,
though I do see it with tcpdump.

static int dummy_plugin_filter(struct pf_ring_socket *the_ring,
                               sw_filtering_rule_element *rule,
                               struct pfring_pkthdr *hdr,
                               struct sk_buff *skb, int displ,
                               struct parse_buffer **parse_memory)
{
    .
    .

    if (hdr->extended_hdr.parsed_pkt.l3_proto == 1) /* ICMP */
    {
        /* named icmph so it does not shadow the pfring_pkthdr *hdr parameter */
        struct icmphdr *icmph = icmp_hdr(skb);
        if (icmph->type == ICMP_TIME_EXCEEDED)
        {
            /* handle TTL */
        }
    }
    .
    .
    .

I can run tcpdump and see the TTL messages on the interface. The plugin
sees that it is an ICMP message, but the type value is not the same as
seen with tcpdump. tcpdump shows the type field as 11 while the plugin
shows it as 0.

Here is the userland code:

filtering_rule rule;
struct dummy_filter *filter;
memset(&rule, 0, sizeof(rule));

// The dummy plugin will drop all but ICMP packets
rule.rule_id = ruleId;
rule.core_fields.proto = 0;
rule.rule_action = forward_packet_and_stop_rule_evaluation;
rule.plugin_action.plugin_id = DUMMY_PLUGIN_ID;            // DUMMY plugin
rule.extended_fields.filter_plugin_id = DUMMY_PLUGIN_ID;   // Enable packet parsing/filtering
filter = (struct dummy_filter *)rule.extended_fields.filter_plugin_data;
filter->protocol = 1;                                      // ICMP


tcpdump output (type field = 11):

19:23:54.642144 IP 10.204.67.254 > 10.204.7.254: [|icmp]
    0x0000:  4510 001c 0619 0000 4001 1325 0acc 43fe  E.......@..%..C.
    0x0010:  0acc 07fe 0b00 f4ff 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
19:23:54.653577 IP 10.204.67.254 > 10.204.7.254: [|icmp]
    0x0000:  4510 001c 061a 0000 4001 1324 0acc 43fe  E.......@..$..C.
    0x0010:  0acc 07fe 0b00 f4ff 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............


Thanks, Robert
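An added example (not the poster's or PF_RING's code) for checking the packet above: in the kernel, icmp_hdr(skb) simply dereferences skb_transport_header(skb), so it only points at the ICMP header if that offset was set before the plugin saw the skb. Locating the ICMP header from the IPv4 IHL field, and validating the IP and ICMP checksums before trusting the type byte, does not depend on that; the sample bytes are the first packet from the tcpdump dump, and the code assumes the buffer starts at the IP header (no Ethernet header), as in the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP_TIME_EXCEEDED_TYPE 11   /* RFC 792 "Time Exceeded" */

/* Constructed from the first packet of the tcpdump hex dump in the post (IP header first, no L2). */
static const uint8_t kSample[] = {
    0x45,0x10,0x00,0x1c,0x06,0x19,0x00,0x00,0x40,0x01,0x13,0x25,0x0a,0xcc,0x43,0xfe,
    0x0a,0xcc,0x07,0xfe,0x0b,0x00,0xf4,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

/* RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum. */
static uint16_t inet_csum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Find the ICMP header from the IPv4 IHL field instead of a kernel-maintained transport pointer.
   Returns the ICMP type (0..255), or -1 if the bytes are not a well-formed ICMP datagram. */
static int icmp_type_from_ipv4(const uint8_t *pkt, size_t caplen) {
    if (caplen < 20 || (pkt[0] >> 4) != 4) return -1;          /* not IPv4 / too short */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = (size_t)pkt[2] << 8 | pkt[3];                 /* IP total length */
    if (ihl < 20 || tot < ihl + 8 || tot > caplen) return -1;  /* bogus or truncated lengths */
    if (pkt[9] != 1) return -1;                                /* protocol field: 1 = ICMP */
    if (inet_csum(pkt, ihl) != 0) return -1;                   /* IP header checksum */
    const uint8_t *icmp = pkt + ihl;
    if (inet_csum(icmp, tot - ihl) != 0) return -1;            /* ICMP checksum over the datagram */
    return icmp[0];                                            /* type byte; code is icmp[1] */
}

int main(void) {
    int t = icmp_type_from_ipv4(kSample, sizeof kSample);
    printf("ICMP type %d (%s)\n", t, t == ICMP_TIME_EXCEEDED_TYPE ? "time exceeded" : "other");
    return 0;
}
```

Inside a PF_RING plugin the same offset arithmetic applies to skb->data plus the displ argument; the checksum checks are what keep a truncated or corrupted frame from being classified by a stale type byte.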


deri at ntop

Jul 19, 2011, 12:23 AM

Post #2 of 2 (303 views)
Re: Reading pf_ring plugin sk_buff value [In reply to]

Robert
Please file a bug on bugzilla.ntop.org so we can track this issue. Please attach a pcap file we can use to reproduce the bug.

Thanks Luca

