On Thu, Dec 21, 2000, guy keren wrote about "Re: Linux Socket Filter":
> 
> On Wed, 20 Dec 2000, Nadav Har'El wrote:
> 
> question - what types of packets exactly do you need to capture? is
> this using a complex filter, or a simple one?

I'm trying to do something along the lines of "faking" a TCP session on
one port: i.e., sending out faked packets (that's the straightforward part)
and then receiving all the TCP segments destined for my port and handling
them myself (without the kernel touching these packets and doing its normal
processing on them).
So it should be a very simple filter, something like giving "dst port 1234"
to pcap_compile() and letting it generate BPF virtual-machine code for me.

This is not going to be some sort of industrial-strength my-own-TCP-stack,
so I don't really need _all_ the program to run in-kernel: just the filtering
part which will hopefully pass to the user-level software only a small
fraction of the total traffic on the machine.

> also, you want the original packets to keep on traveling to their
> destination, or be captured by your software only, and not reach their
> original destination directly?

I want only my program to get these packets (otherwise the kernel will ruin
the TCP session I'm trying to make by sending back RST packets). I was
thinking of doing this using Linux's firewalling code.

By the way, I already started experimenting with these ideas, using LSF
and ipchains, and it seems it is beginning to work quite nicely. Unfortunately,
I couldn't get Redhat's LSF-patched libpcap (it's the standard libpcap they
put in their system) to work (I don't know why - I even checked a libpcap
program somebody else wrote, and it doesn't work!), so I had to use LSF
ioctls directly, which was actually not that terrible ;)

-- 
Nadav Har'El                        |    Thursday, Dec 21 2000, 24 Kislev 5761
[EMAIL PROTECTED]             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |A man is incomplete until he is married.
http://nadav.harel.org.il           |After that, he is finished.
