Research Unit VIII: Network Architectures, Computer Science Department, Technische Universität München
SEP: Packet Capturing Using the Linux Netfilter Framework
Ivan Pronchev, pronchev@in.tum.de
Today's Agenda
- Goals of the Project
- Motivation
- Revision
- Design
- Enhancements
- tcpdump vs kernel sniffer
- Interesting and Future Questions
Goals of the Project
- Getting to know the Linux netfilter framework
- Developing a kernel sniffer
- Comparing it with an existing packet capturing tool
Motivation
- Finding ways to improve capturing rates
- Userspace vs kernelspace
Revision
- Linux Netfilter Framework
- Main Data Structures
- Receive Livelock
- Processing Multiple Frames During an Interrupt (NAPI)
- NAPI/non-NAPI Frame Reception
- Packet Path through the IP Kernel Stack
- Netfilter Hooks in Detail
- Kernel Sniffer
NAPI/non-NAPI Frame Reception (diagram)
- Non-NAPI device driver: interrupt handler -> netif_rx -> netif_rx_schedule; later net_rx_action -> dev->poll (process_backlog) -> netif_receive_skb.
- NAPI device driver: interrupt handler -> netif_rx_schedule / __netif_rx_schedule; later net_rx_action -> dev->poll (e.g. eth0) -> netif_receive_skb.
- netif_receive_skb dispatches via packet_type->func to the protocol receive routines: ip_rcv (TCP/IP), arp_rcv (ARP), ipv6_rcv (IPv6), ..., and packet_rcv.
IPv4 Kernel Stack (diagram)
- Receive path: Device Driver -> ip_rcv -> NF_IP_PRE_ROUTING -> ip_rcv_finish -> (routing decision) -> either ip_local_deliver -> NF_IP_LOCAL_IN -> ip_local_deliver_finish -> Transport/L4 protocol receive routine, or ip_forward -> NF_IP_FORWARDING -> ip_forward_finish -> ip_output.
- Transmit path: L4 protocols -> ip_queue_xmit / ip_push_pending_frames / raw_send_hdrinc -> NF_IP_LOCAL_OUT -> ip_output.
- Output: ip_output -> NF_IP_POST_ROUTING -> ip_finish_output -> ip_finish_output2 -> hard_start_xmit -> Device Driver.
Design
- How to capture packets?
- How do file operations work in kernelspace?
- How to capture packets and write them into a file?
Design: How to capture packets? (diagram of the five netfilter hooks)
- NF_IP_PRE_ROUTING -> ROUTE -> NF_IP_FORWARD -> NF_IP_POST_ROUTING
- ROUTE -> NF_IP_LOCAL_IN (packets for the local host)
- NF_IP_LOCAL_OUT -> ROUTE -> NF_IP_POST_ROUTING (locally generated packets)
Design: How do file operations work in kernelspace? (diagram)
- Userspace applications -> system call interface (open, close, read, write, ...) -> VFS -> concrete file systems (Ext2, Ext3, DOS, ...)
Design: How do file operations work in kernelspace? (diagram of the VFS objects)
- Process A and Process B each hold a File object; File -> Dentry (include/linux/dcache.h) -> Inode -> Superblock (include/linux/fs.h) -> storage device.
Design: How to capture packets and write them into a file? (diagram)
- Hook traversal: NF_HOOK -> nf_hook_slow -> nf_iterate over nf_hooks[pf][pre_routing] -> nf_hook_ops.hook (the same mechanism at NF_IP_PRE_ROUTING, NF_IP_FORWARD, NF_IP_POST_ROUTING, NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT).
- Writing packets into a file directly from the hook is not possible: context switches are disabled in nf_hook_slow, while writing invokes scheduling if necessary!
Design: How to capture packets and write them into a file? (diagram)
- hook_func is attached at NF_IP_PRE_ROUTING and NF_IP_POST_ROUTING (with ROUTE, NF_IP_FORWARD, NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT in between as before).
- How to store the packets until further processing? In a queue (skbuff_queue).
- A kernel thread drains the queue into log.pcap, whose layout is: pcap header, then (pcap packet header, packet), (pcap packet header, packet), ...
Design (overall diagram)
- Setup: dev_set_promiscuity on dev0, dev1, ..., devn; net_enable_timestamp; nf_register_hook for hook_func at NF_IP_PRE_ROUTING and NF_IP_POST_ROUTING of the IPv4 stack.
- Capture: hook_func appends each sk_buff to an sk_buff_head queue.
- Writing: kernel_thread (threaded_write) opens log.pcap through the VFS with filp_open and writes the pcap header, then for every queued packet a pcap packet header and the packet, via file->f_op->write.
ip_rcv (abridged)

    int ip_rcv(struct sk_buff *skb, struct net_device *dev,
               struct packet_type *pt, struct net_device *orig_dev)
    {
        /* 1. When the interface is in promiscuous mode, drop all the crap
         *    that it receives, do not try to analyze it. */
        if (skb->pkt_type == PACKET_OTHERHOST)
            goto drop;
        ...
        /* 2. Call the prerouting netfilter hook. */
        return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
                       ip_rcv_finish);

        /* 3. On error, discard the sk_buff structure. */
    inhdr_error:
        ...
    drop:
        kfree_skb(skb);
    out:
        ...
    }

Consequence for the sniffer: even with the device in promiscuous mode, frames addressed to other hosts (PACKET_OTHERHOST) are freed in step 1 before the NF_IP_PRE_ROUTING hook of step 2 runs, so a capture based only on netfilter hooks never sees them.
Design (extended diagram)
- Setup as before: dev_set_promiscuity on dev0 ... devn; net_enable_timestamp; nf_register_hook for hook_func at NF_IP_PRE_ROUTING and NF_IP_POST_ROUTING of the IPv4 stack.
- Additionally: dev_add_pack registers ksniff_rcv on ptype_all, so every frame delivered by netif_receive_skb reaches the sniffer.
- Capture: hook_func / ksniff_rcv append each sk_buff to an sk_buff_head queue.
- Writing: kernel_thread (threaded_write) opens log.pcap through the VFS with filp_open, writes the pcap header, then for each packet the pcap packet header and the packet, via file->f_op->write or file->f_op->writev.
Enhancements
- Communication through the procfs
  - start, stop, restart
- Interaction with the sniffer
  - queue_size
  - device_name
  - logfile
  - snaplen
- Statistics
  - Errors
  - Received packets
  - Captured packets
- Logging packets from a certain network device
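Added example (not code from these slides nor from the kernel sniffer they describe): a userspace C model of the design on the preceding slides and of the queue_size and statistics counters on this one. A producer stands in for hook_func and pushes packet records into a bounded FIFO, counting a drop when the queue is full; a consumer stands in for the kernel thread and drains the queue into a pcap file laid out as on the slides, one global header followed by a record header before every packet. The constants SNAPLEN and QUEUE_SIZE, the struct and function names (pkt_queue, hook_enqueue, thread_drain, run_demo) and the sample frames are constructed for this example; the header layout is the libpcap 2.4 on-disk format.

```c
/* Added example, not the kernel sniffer's code: userspace model of
 * hook -> bounded queue -> writer thread -> pcap file, with the
 * received/captured/dropped counters a procfs statistics entry would show. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNAPLEN     96   /* constructed: bytes kept per packet (slide: snaplen) */
#define QUEUE_SIZE  4    /* constructed: queue capacity (slide: queue_size) */

/* pcap global header (libpcap 2.4 layout, host byte order, microsecond ts). */
struct pcap_file_header {
    uint32_t magic;          /* 0xa1b2c3d4 */
    uint16_t version_major;  /* 2 */
    uint16_t version_minor;  /* 4 */
    int32_t  thiszone;
    uint32_t sigfigs;
    uint32_t snaplen;
    uint32_t linktype;       /* 1 = Ethernet */
};

/* pcap per-packet record header, written before every packet. */
struct pcap_pkthdr_disk {
    uint32_t ts_sec;
    uint32_t ts_usec;
    uint32_t caplen;         /* bytes saved in the file */
    uint32_t len;            /* bytes on the wire */
};

struct pkt {                 /* stand-in for one queued sk_buff */
    struct pcap_pkthdr_disk hdr;
    uint8_t data[SNAPLEN];
};

struct pkt_queue {           /* stand-in for the sk_buff_head queue */
    struct pkt slots[QUEUE_SIZE];
    unsigned head, tail, count;
    unsigned long received, captured, dropped;
};

static void queue_init(struct pkt_queue *q) { memset(q, 0, sizeof *q); }

/* Producer (hook side): never blocks or sleeps, exactly because the hook runs
 * where scheduling is not allowed. A full queue costs a drop, which is where
 * "received" and "captured" diverge. Returns 1 if queued, 0 if dropped. */
int hook_enqueue(struct pkt_queue *q, uint32_t ts_sec, uint32_t ts_usec,
                 const uint8_t *data, uint32_t wire_len)
{
    q->received++;
    if (q->count == QUEUE_SIZE) { q->dropped++; return 0; }
    struct pkt *p = &q->slots[q->tail];
    uint32_t caplen = wire_len < SNAPLEN ? wire_len : SNAPLEN;
    p->hdr.ts_sec = ts_sec;  p->hdr.ts_usec = ts_usec;
    p->hdr.caplen = caplen;  p->hdr.len = wire_len;
    memcpy(p->data, data, caplen);
    q->tail = (q->tail + 1) % QUEUE_SIZE;
    q->count++;
    q->captured++;
    return 1;
}

/* Consumer (kernel-thread side): drain all queued records into the file.
 * Returns the number of records written, or -1 on a write error. */
int thread_drain(struct pkt_queue *q, FILE *out)
{
    int written = 0;
    while (q->count > 0) {
        struct pkt *p = &q->slots[q->head];
        if (fwrite(&p->hdr, sizeof p->hdr, 1, out) != 1) return -1;
        if (p->hdr.caplen && fwrite(p->data, p->hdr.caplen, 1, out) != 1) return -1;
        q->head = (q->head + 1) % QUEUE_SIZE;
        q->count--;
        written++;
    }
    return written;
}

int write_pcap_header(FILE *out)
{
    struct pcap_file_header h = { 0xa1b2c3d4, 2, 4, 0, 0, SNAPLEN, 1 };
    return fwrite(&h, sizeof h, 1, out) == 1 ? 0 : -1;
}

/* Demo: a burst of 6 constructed 1496-byte frames arrives before the writer
 * runs, the queue holds 4. Returns the size of the pcap file in bytes
 * (24-byte global header + 4 * (16-byte record header + 96 bytes) = 472)
 * and copies the counters into *stats. path == NULL writes to a tmpfile. */
long run_demo(const char *path, struct pkt_queue *stats)
{
    struct pkt_queue q;
    queue_init(&q);
    FILE *out = path ? fopen(path, "wb") : tmpfile();
    if (!out || write_pcap_header(out) < 0) return -1;
    uint8_t frame[1496];             /* constructed: same size as in the tests */
    memset(frame, 0xab, sizeof frame);
    for (int i = 0; i < 6; i++)
        hook_enqueue(&q, 1000 + i, 0, frame, sizeof frame);
    if (thread_drain(&q, out) < 0) { fclose(out); return -1; }
    fflush(out);
    long size = ftell(out);
    fclose(out);
    if (stats) *stats = q;
    return size;
}

int main(void)
{
    struct pkt_queue st;
    queue_init(&st);
    long size = run_demo("ksniff_demo.pcap", &st);
    printf("wrote %ld bytes: received=%lu captured=%lu dropped=%lu\n",
           size, st.received, st.captured, st.dropped);
    return size < 0;
}
```

The three counters are the ones the procfs statistics entry exposes; in this model the only place Received and Captured diverge is a full queue, which is why queue_size is a tuning knob and why the gap between the two numbers in the test results is worth watching.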
tcpdump vs kernel sniffer

Test machine: Athlon XP 1800, 256 MB RAM; maximal disk write speed ~34 MB/s.

TEST 1 (snaplen=1500)
  kernel sniffer: Packets: 2000000 (1496 byte, 0 frags), 70808 pps, 847 Mb/sec (847432454 bps), errors: 0
                  Captured packets: 603874; Received packets: 655560
  tcpdump:        Packets: 2000000 (1496 byte, 0 frags), 70800 pps, 847 Mb/sec (847344015 bps), errors: 0
                  589831 packets captured; 661719 packets received by filter

TEST 2 (snaplen=96)
  kernel sniffer: Packets: 2000000 (1496 byte, 0 frags), 70808 pps, 847 Mb/sec (847431164 bps), errors: 0
                  Captured packets: 647783; Received packets: 647783
  tcpdump:        Packets: 2000000 (1496 byte, 0 frags), 70799 pps, 847 Mb/sec (847331807 bps), errors: 0
                  642799 packets captured; 645014 packets received by filter

TEST 3 (snaplen=1500)
  kernel sniffer: Packets: 10000000 (1496 byte, 0 frags), 47088 pps, 563 Mb/sec (563557308 bps), errors: 0
                  Captured packets: 3791329; Received packets: 9844006
  tcpdump:        Packets: 10000000 (1496 byte, 0 frags), 47274 pps, 565 Mb/sec (565784851 bps), errors: 0
                  3643704 packets captured; 9930613 packets received by filter
Interesting and Future Questions
- Queue vs ring buffer
- Direct I/O vs non-direct I/O file operations
- Finding ways to improve capturing rates
Thank you for your attention.