On 8/7/19 4:30 AM, Ido Schimmel wrote:
> Example usage with patched dropwatch [1] can be found here [2]. Example
> dissection of drop monitor netlink events with patched wireshark [3] can
> be found here [4]. I will submit both changes upstream after the kernel
> changes are accepted. Another change worth making is adding a dropmon
> pseudo interface to libpcap, similar to the nflog interface [5]. This
> will allow users to specifically listen on dropmon traffic instead of
> capturing all netlink packets via the nlmon netdev.
Nice work, Ido. On top of your dropwatch changes I added the ability to
print the payload as hex. e.g.,

Issue Ctrl-C to stop monitoring
drop at: nf_hook_slow+0x59/0x98 (0xffffffff814ec532)
input port ifindex: 1
timestamp: Thu Aug 8 15:04:02 2019 360015026 nsec
length: 64
00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ........ ......E.
00 3c e7 50 40 00 40 06 55 69 7f 00 00 01 7f 00  .<.P@.@. Ui......
00 01 80 2c 30 39 74 b9 c7 4d 00 00 00 00 a0 02  ...,09t. .M......
ff d7 fe 30 00 00 02 04 ff d7 04 02 08 0a 53 79  ...0.... ......Sy
original length: 74

Seems like the skb protocol is also needed to properly parse the payload
- i.e., to know it is an ethernet header, followed by ip and tcp.