fugate at unm
Dec 29, 2011, 4:25 PM
Post #1 of 1
PF_RING packet forwarding with tun/tap devices
How can I get data through PF_RING using hash filtering to a virtual interface (tun/tap devices) without having to open this interface and read these packets in a userspace app? Using a normal interface I can sniff to my heart's content in promisc mode without doing anything with these packets in userspace. Since the packets weren't even destined for my machine, upon reading, I would just ignore the data, but would have incurred the cost of copying each packet for no reason.
Basically I am using PF_RING to forward hash-filtered raw packet data to multiple virtual devices. I am managing the filter state dynamically for each output device, each of which is being listened to by multiple independent IDS (each configured differently).
The problem that I am running into is that the current tun/tap kernel module requires that a userspace application have the interface open for the interface to be "RUNNING" (otherwise any packets that would be seen on the interface are ignored by the kernel). This seems to differ from normal interfaces which are "RUNNING" as long as a cable is plugged in (irrespective of whether other userspace applications have the device open). This was a relatively recent kernel change in 2.6.36. (see: http://kerneltrap.com/mailarchive/linux-netdev/2010/7/27/6281958/thread).
I've tried this in three different ways:
1. If I create a virtual interface and attempt to sniff packets using PF_RING-enabled tcpdump or Snort using the PF_RING DAQ, I don't ever see packets on the virtual device with a sniffer.
2. If I create the interface and then open it with a userspace application I see data using a sniffing program, but if I don't read the data, then eventually I stop receiving packet data as nothing is getting dequeued (I think).
3. If I create the interface and then open it and read packet data (in the userspace application) I can see the packets with a sniffer and things continue. But I am reading data in the userspace app that I just drop on the floor. I'd like a PF_RING-aware sniffer app to be able to receive these packets directly without additional reads and copies by a secondary and entirely superfluous userspace application.
#tap0 -- tap virtual device
ifconfig tap0 up
#eth1 -- sniffing in promisc mode, using preflect to test simple packet reflection
./preflect -i eth1 -o tap0
tcpdump -i tap0
I get data in cases 2 or 3, but not 1.
Any help/direction would be greatly appreciated.
Ntop-misc mailing list
Ntop-misc [at] listgateway
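The following is an added example, not code from the original post or from the ntop/PF_RING project. It shows what case 3 above amounts to in practice: a tiny "drain" process that holds the tap device open (so the kernel, after the 2.6.36 change, reports it as RUNNING) and discards every frame it dequeues, plus a SIOCGIFFLAGS check you can call before and after the open to confirm that it is the open file descriptor, not `ifconfig tap0 up`, that flips IFF_RUNNING. The device name `tap0`, the Linux-only headers, and the need for CAP_NET_ADMIN (or an existing persistent tap owned by the caller) are assumptions; `preflect` and the PF_RING side are not involved.

```c
/* tapdrain.c: keep a tap device open so it stays RUNNING and throw away
 * whatever arrives. Added example, not from the original post or from
 * PF_RING. Assumes Linux, a tap named "tap0" by default, and
 * CAP_NET_ADMIN.  Build/run:  cc -O2 -o tapdrain tapdrain.c && sudo ./tapdrain tap0
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/if_tun.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an ifreq for TUNSETIFF. Kept free of side effects so it can be
 * checked without privileges. Returns 0, or -1 if the name is unusable. */
int tap_prepare_ifreq(const char *name, struct ifreq *ifr)
{
    if (name == NULL || ifr == NULL || name[0] == '\0' || strlen(name) >= IFNAMSIZ)
        return -1;
    memset(ifr, 0, sizeof *ifr);
    /* IFF_TAP: layer-2 frames; IFF_NO_PI: no 4-byte packet-info prefix. */
    ifr->ifr_flags = IFF_TAP | IFF_NO_PI;
    strncpy(ifr->ifr_name, name, IFNAMSIZ - 1);
    return 0;
}

/* Open /dev/net/tun and attach the descriptor to `name`.
 * Returns the fd (keep it open: closing it is what drops RUNNING), or -1. */
int tap_open(const char *name)
{
    struct ifreq ifr;
    if (tap_prepare_ifreq(name, &ifr) < 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Read IFF_RUNNING via SIOCGIFFLAGS on an ordinary socket.
 * Returns 1 if RUNNING, 0 if not, -1 on error (no such interface etc.). */
int iface_is_running(const char *name)
{
    struct ifreq ifr;
    if (name == NULL || strlen(name) >= IFNAMSIZ)
        return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    int rc = ioctl(s, SIOCGIFFLAGS, &ifr);
    close(s);
    if (rc < 0)
        return -1;
    return (ifr.ifr_flags & IFF_RUNNING) ? 1 : 0;
}

/* Dequeue and discard frames. Each read() removes exactly one frame from
 * the tap queue; nothing is done with the bytes. max_frames == 0 means
 * run forever. Returns the number of frames dropped, or -1 on a read error. */
long tap_drain(int fd, long max_frames)
{
    unsigned char buf[65536];            /* larger than any frame the tap will hand us */
    long dropped = 0;
    while (max_frames == 0 || dropped < max_frames) {
        ssize_t r = read(fd, buf, sizeof buf);
        if (r < 0) {
            if (errno == EINTR || errno == EAGAIN)
                continue;
            return -1;
        }
        dropped++;
    }
    return dropped;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "tap0";   /* "tap0" is an assumption */
    printf("%s RUNNING before open: %d\n", name, iface_is_running(name));
    int fd = tap_open(name);
    if (fd < 0) {
        perror("tap_open");
        return 1;
    }
    printf("%s RUNNING after open:  %d\n", name, iface_is_running(name));
    long dropped = tap_drain(fd, 0);     /* block here for as long as the IDS sniffers run */
    close(fd);
    return dropped < 0 ? 1 : 0;
}
```

Run it with `sudo ./tapdrain tap0` in one terminal and `tcpdump -i tap0` in another; the two printed RUNNING values are the observable form of the kernel behaviour the post describes. The drain loop is deliberately the cheapest thing that keeps the queue moving, but every frame still crosses into userspace once, which is exactly the copy the post wants to avoid.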