Author : Thamer Al-Harbash
Page : << Previous 3 Next >>
exceeds a certain limit (resources are finite), the packets
are dropped and are not placed in the buffer.
Packet filters allow a process to dictate which packets it's
interested in. The usual way is to have a set of opcodes for
routines to perform on the packet, reading values off it, and
deciding whether or not it's wanted. These opcodes usually
perform very simple operations, allowing powerful filters to
be constructed.
BPF filters first and then buffers; this is optimal since the
buffer only contains packets that are of interest to the
process. The intent is that the filter cuts down the number of
packets buffered so the buffer does not overflow, since an
overflow leads to packet loss.
NIT, unfortunately, does not do this; it applies the filter
after buffering, when the user process starts to read from
the buffered data.
According to route <route@infonexus.com>, Linux' SOCK_PACKET
does not do any buffering and has no kernel filtering.
Your mileage may vary with other packet capturing facilities.
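As an added illustration of the opcode-driven filtering described above (this is example code written for this page, not code from the FAQ or from any kernel), the following is a small interpreter for a reduced, classic-BPF-style instruction set (assumed semantics: load byte/halfword, jump-if-equal with offsets relative to the next instruction, return) together with a filter that keeps only IPv4/TCP frames to destination port 80. It runs over constructed frames, and shows the two behaviours a capture filter must have to be safe: a load beyond the end of the packet drops it, and falling off the end of the program drops it.

```c
#include <stdint.h>
#include <stddef.h>

/* Reduced instruction set modelled on classic BPF (assumption: same
 * semantics, not the kernel's binary encoding). Jump offsets are
 * relative to the next instruction, as in BPF. */
enum { OP_LDB, OP_LDH, OP_JEQ, OP_RET };
struct insn { uint8_t op, jt, jf; uint32_t k; };

/* Run a filter over one packet. Returns the number of bytes to keep,
 * 0 meaning "drop"; a load past the end of the packet also drops it. */
uint32_t run_filter(const struct insn *prog, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                      /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case OP_LDB: if (i->k + 1 > len) return 0; a = pkt[i->k]; break;
        case OP_LDH: if (i->k + 2 > len) return 0; a = pkt[i->k] << 8 | pkt[i->k + 1]; break;
        case OP_JEQ: pc += (a == i->k) ? i->jt : i->jf; break;
        case OP_RET: return i->k;
        }
    }
    return 0;                            /* fell off the end: drop */
}

/* "IPv4 and TCP and dst port 80", assuming a 20-byte IPv4 header (no
 * options), so the TCP header starts at frame offset 34. */
static const struct insn http_filter[] = {
    { OP_LDH, 0, 0, 12 },     /* A = ethertype            */
    { OP_JEQ, 0, 5, 0x0800 }, /* not IPv4 -> drop         */
    { OP_LDB, 0, 0, 23 },     /* A = IP protocol          */
    { OP_JEQ, 0, 3, 6 },      /* not TCP -> drop          */
    { OP_LDH, 0, 0, 36 },     /* A = TCP destination port */
    { OP_JEQ, 0, 1, 80 },     /* not port 80 -> drop      */
    { OP_RET, 0, 0, 65535 },  /* accept the whole packet  */
    { OP_RET, 0, 0, 0 },      /* drop                     */
};

/* Constructed 54-byte Ethernet/IPv4/TCP frame with only the fields the
 * filter reads filled in, optionally truncated to mimic a short capture;
 * returns 1 if http_filter keeps it, 0 if it drops it. */
int accepts(uint8_t proto, uint16_t dport, size_t truncate_to)
{
    uint8_t buf[54] = { 0 };
    buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45;   /* IPv4, IHL=5 */
    buf[23] = proto; buf[36] = dport >> 8; buf[37] = dport & 0xff;
    size_t len = (truncate_to && truncate_to < 54) ? truncate_to : 54;
    size_t n = sizeof http_filter / sizeof *http_filter;
    return run_filter(http_filter, n, buf, len) > 0;
}
```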
1.5) How do I limit packet loss when sniffing a network?
If you're experiencing a lot of packet loss, you may want to
limit the scope of the packets read by using filters. This
will only work if the filtering is done before any buffering.
If this still doesn't work because your packet capturing
facility is broken like NIT, you'll have to read the packets
faster in a user process and send them to another process --
basically attempt to do additional buffering in user space.
Another way of improving performance is by using a larger
buffer. On Irix using SNOOP, the man page recommends using
SO_RCVBUF. On BSD with BPF one can use the BIOCSBLEN ioctl
call to increase the buffer size. On Solaris bufmod and pfmod
can be used for altering buffer size and filters
respectively.
Remember, the longer your process is busy and not attending the incoming packets, the quicker they'll be dropped by the kernel.
1.6) What is packet capturing usually used for?
(Question suggested by Michael T. Stolarchuk <mts@rare.net>
along with some suggestions for the answer.)
- Network diagnostics, such as verifying a network's setup;
  examples are tools like arp, which report the ARP messages
  sent from hosts.
- Reconstruction of end-to-end sessions. tcpshow attempts to
  do this, but more sophisticated examples are the array of
  security tools which try to keep tabs on network
  connections.
- Monitoring network load. Probably one of the most practical
  uses; many commercial products use specialized hardware to
  accomplish this.
1.7) Will I have to replace any packets captured off the
network?
No, the packet capturing facilities mentioned make copies of
the packets, and do not remove them from the system's TCP/IP
stack. If you wish to prevent packets from reaching the
TCP/IP stack you need to use a firewall (which should be
able to do packet filtering). Don't confuse the packet
filtering done by packet capturing facilities with those done
by firewalls. They serve different purposes.
1.8) Is there a portable API to send raw packets into a
network?
Yes, route <route@infonexus.com> maintains Libnet, a library
that provides an API for low level packet writing and
handling. It serves as a good complement to libpcap, if you
wish to read and write packets. The project's webpage can be
found at:
http://www.packetfactory.net/libnet/
1.9) Are there any high level language APIs (Not C) for raw
IP access?
A Perl module that gives access to raw sockets is available
at:
http://quake.skif.net/RawIP/
A Python library "py-libpap" can be found at:
ftp://ftp.python.org/pub/python/contrib/Network/
2) RAW socket questions:
2.1) What is a RAW socket?
The BSD socket API allows one to open a raw socket and bypass
layers in the TCP/IP stack. Be warned that if an OS doesn't
support correct BSD semantics (correct is used loosely here),
you're going to have a hard time making it work. Below, an
attempt is made to address some of the bugs or surprises
you're in store for. On almost all sane systems only root
(superuser) can open a raw socket.
2.2) How do I use a raw socket?
2.2.1) How do I send a TCP/IP packet through a raw
socket?