bpf packet capture and SOCK_STREAM socket redirects...
Alireza Torabi
alireza.torabi at gmail.com
Fri Mar 21 18:25:04 PDT 2008
On Fri, Mar 21, 2008 at 6:16 PM, Julian Elischer <julian at elischer.org> wrote:
>
> Alireza Torabi wrote:
> > On Fri, Mar 21, 2008 at 6:35 AM, Peter Jeremy
> > <peterjeremy at optushome.com.au> wrote:
> >> On Thu, Mar 20, 2008 at 11:27:53AM +0000, Alireza Torabi wrote:
> >> >Imagine this:
> >> >
> >> >                   | (1)
> >> >                packets
> >> >                   |                     | (4)
> >> >                [nic1]                [nic2]
> >> >                 bpf               SOCK_STREAM
> >> >                   | (2)                 |
> >> > ---------------------------------------
> >> >              [FreeBSD] (3)
> >> >
> >> >1) all user traffic are being monitored
> >> >2) bpf on [nic] is capturing these packets
> >> >3) after processing we know a connection is about to be established from A to B
> >> >
> >> >NOW:
> >> >4) I want to deliver this packet to the socket on [nic2]
> >> >and as this is a tcp socket it'll take care of it from there
> >> >(my code here for this socket sends arbitrary data to A, making it
> >> >think it came from B)
> >>
> >> Have a look at divert(4). I suspect it comes closest to what you want.
> >>
> >> --
> >> Peter Jeremy
> >> Please excuse any delays as the result of my ISP's inability to implement
> >> an MTA that is either RFC2821-compliant or matches their claimed behaviour.
> >>
> >
> > Yes. It sounds promising. I was reading natd and planning to read ipfw
> > source interestingly!
>
> also I think you may want the 'fwd' call in ipfw...
>
I won't be using ipfw(8) at all, as this box is monitoring a copy of all
the packets flowing through a core switch, delivered on a SPAN/RMON'ed
switch port.
> I don't quite understand your question..
> (despite the picture)
> where ia A and where is B?
>
As I say, I can only see a copy of these hosts' traffic over an
RMON/SPAN'ed (Cisco terms) switch port.
> and why 2 nics?
[nic1] is connected to the above switch port and is bpf'ing all the
packets (promisc); [nic2] has its own IP address and is connected
to a normal switch port, hence can send and receive data, i.e. talk to A
or B.
>
> User traffic where?
> on a switch?
> coming in and out of this machine?
bpf is reading all the incoming packets coming in on [nic1].
>
> you need to define a little more of the picture..
>
> Julian
btw, are you the netgraph(8) Julian?
>
>
> > Thanks
> >
> > Alireza
>
>
> > _______________________________________________
> > freebsd-net at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
>
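The step the thread is circling around is (4): once the tap on [nic1] has shown a SYN from A to B, something on [nic2] has to answer A in B's name. The TCP stack behind an ordinary SOCK_STREAM socket on [nic2] holds no state for a connection between two other hosts, so the reply either goes through divert(4) as Peter suggests or is assembled by hand with the ports, addresses and sequence numbers learned from the capture. The C below is an added example written for this page, not code from the thread or from FreeBSD: it parses a constructed IPv4/TCP SYN as bpf would hand it over (link-layer header already stripped, which is an assumption here), forges the SYN/ACK that B would send, with correct IPv4 and TCP checksums, and verifies both checksums. The bpf/libpcap read loop and the raw-socket send (IP_HDRINCL on [nic2], requires root) are left out; IP id and window values are arbitrary choices, and the sample packet's own IP checksum is deliberately left zero since a tap does not need to validate it.

```c
/* Added example: parse a tapped TCP SYN from A->B and forge the SYN/ACK
 * that B would send to A. Header layouts follow RFC 791/793. The sample
 * SYN bytes at the bottom are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_HLEN  20
#define TCP_HLEN 20
#define TH_SYN   0x02
#define TH_ACK   0x10

struct tcp_flow {             /* what the capture side learned */
    uint32_t src_ip, dst_ip;  /* host byte order */
    uint16_t sport, dport;
    uint32_t seq;             /* peer's initial sequence number */
    uint8_t  flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement sum; 'sum' carries in the TCP pseudo-header. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) { sum += rd16(p); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Pseudo-header (src, dst, zero, proto, TCP length) folded into 'sum'. */
static uint32_t tcp_pseudo(const uint8_t *ip, size_t tcp_len) {
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8); ph[8] = 0; ph[9] = 6; wr16(ph + 10, (uint16_t)tcp_len);
    return csum_add(0, ph, sizeof ph);
}

/* Extract the 4-tuple, ISN and flags from an IPv4/TCP packet. 0 on success. */
int parse_tcp(const uint8_t *pkt, size_t len, struct tcp_flow *f) {
    if (len < IP_HLEN + TCP_HLEN || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_HLEN || len < ihl + TCP_HLEN) return -1;
    const uint8_t *th = pkt + ihl;
    f->src_ip = rd32(pkt + 12); f->dst_ip = rd32(pkt + 16);
    f->sport = rd16(th);        f->dport = rd16(th + 2);
    f->seq = rd32(th + 4);      f->flags = th[13];
    return 0;
}

/* Forge B->A: addresses and ports swapped, ack = A's ISN + 1 because the SYN
 * consumes one sequence number. 'out' must hold 40 + plen bytes. Returns length. */
size_t build_reply(const struct tcp_flow *syn, uint32_t our_isn, uint8_t flags,
                   const uint8_t *payload, size_t plen, uint8_t *out) {
    uint8_t *ip = out, *th = out + IP_HLEN;
    size_t total = IP_HLEN + TCP_HLEN + plen;
    memset(out, 0, IP_HLEN + TCP_HLEN);
    ip[0] = 0x45; wr16(ip + 2, (uint16_t)total); wr16(ip + 4, 0x1234); /* id: arbitrary */
    ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, syn->dst_ip); wr32(ip + 16, syn->src_ip);
    wr16(ip + 10, csum_fold(csum_add(0, ip, IP_HLEN)));
    wr16(th, syn->dport); wr16(th + 2, syn->sport);
    wr32(th + 4, our_isn); wr32(th + 8, syn->seq + 1);
    th[12] = (TCP_HLEN / 4) << 4; th[13] = flags; wr16(th + 14, 65535); /* window: arbitrary */
    if (plen) memcpy(th + TCP_HLEN, payload, plen);
    wr16(th + 16, csum_fold(csum_add(tcp_pseudo(ip, TCP_HLEN + plen), th, TCP_HLEN + plen)));
    return total;
}

/* 1 when both the IPv4 and TCP checksums of a header-only-IP packet validate. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    if (len < IP_HLEN + TCP_HLEN || csum_fold(csum_add(0, pkt, IP_HLEN)) != 0) return 0;
    size_t tcp_len = len - IP_HLEN;
    return csum_fold(csum_add(tcp_pseudo(pkt, tcp_len), pkt + IP_HLEN, tcp_len)) == 0;
}

/* Constructed sample: SYN from A=10.0.0.1:40000 to B=10.0.0.2:80, ISN 0x11223344. */
const uint8_t sample_syn[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x9c,0x40, 0x00,0x50, 0x11,0x22,0x33,0x44, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

int main(void) {
    struct tcp_flow f; uint8_t out[128];
    if (parse_tcp(sample_syn, sizeof sample_syn, &f) != 0) return 1;
    size_t n = build_reply(&f, 0xdeadbeefu, TH_SYN | TH_ACK, NULL, 0, out);
    printf("forged %zu-byte SYN/ACK, checksums %s:", n, checksums_ok(out, n) ? "ok" : "BAD");
    for (size_t i = 0; i < n; i++) printf(" %02x", out[i]);
    putchar('\n');
    return 0;
}
```

The forged segment only wins if it reaches A before the genuine SYN/ACK from B, which is why a tap-based injector is a race against the real server; if A accepts it, B's later SYN/ACK falls outside A's expected sequence space and is dropped.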