I have written a application, which uses libpcap to capture packets. But the application can only capture a few packets, the traffic is about several kbps. But the captured traffic will be over 10Mbps if tcpdump is opened. When tcpdump is closed, the captured traffic dropped to several kbps again.
Anyone know why? Thank you very much.
If you're calling pcap_open_live(), you're probably passing 0 as the ''promisc'' argument. If you're calling pcap_create() and pcap_activate(), you're probably not calling pcap_set_promisc() between those calls (or are passing pcap_set_promisc() a ''promisc'' argument of 0).
I.e., you're probably not turning promiscuous mode on, so your machine is only capturing traffic to and from your machine, not other traffic on the network. Tcpdump, by default, turns promiscuous mode on, so, while it's running, the adapter on which you're capturing, which is probably the same adapter as the one on which tcpdump is capturing, is in promiscuous mode, and you'll see other traffic on your network.
Related
My passive network monitoring application needs packets to be captured from network interface (at higher packet rates). The packet capture module should be able to call a monitoring function upon capture of each packet (and also write the packet in to pcap file).
I thought of using DPDK as the packet capture module in my monitoring application (as we use pcap_loop and pfring_loop in libpcap and pfring respectively), but I am not sure whether this is one of the use cases of DPDK, or, is DPDK meant to be used like this?.
So my questions are..
Can I use DPDK to fulfill my requirements?, If yes how to start?.
OS: Linux.
Karnal version: 4.
DPDK version: Latest stable.
Capture on physical device.
The capturing application has root privileges and will be used by the network administrator (as part of passive asset discovery).
I want to use DPDK because it supports capture at line rate upto 10 Gbps
Thank you.
Based on the updates and clarification in comment the request is Can one replace an existing application which PF_RING API calls with DPDK API which is written in C?. Simple answer to it is yes it can be done.
Here is how one should start
identify the Platform (preferably Linux/BSD, windows 21.02 is still work in progress)
identify the processor list of supported CPU
Identify a NIC to use from LIST of DPDK NIC
Set up the Linux environment with Linux Enviroment
Explore basic example/skeleton for basicfwd usage
get the start of ethernet header for packet using DPDK API rte_pktmbuf_mtod. There are many samples in DPDK/examples folder which does the same.
Invoke the packet processing function logic between rx_burst and tx_burst of example/skeleton.
Newer versions of libpcap can themselves use DPDK, at least on Linux. The libpcap on your system might, or might not, be configured to use it. (There are also versions of libpcap modified to use PF_RING.)
Can TCPDump and TCPReplay be used to record(tcpdump) network traffic coming in to a application server/webserver/queue application etc., and then replayed using the dump on TCPReplay?
Let's say I setup a apache server and use TCPDump to capture the entire network traffic and dump it to a file. Now I run apache in a different machine and want to replay the traffic to this new apache server using the file. How can I achieve this?
I especially want to understand how TCPReplay would work in such a scenario. i.e. how would syn/ack responses work for TCP. How would a new a connection etc. be initiated?
Fred is right. Also, this question is answered in the Tcpreplay FAQ: http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver
No, you cannot use Tcpreplay to replay traffic to a server. TCP sessions have random sequence numbers, and are fully stateful. Replaying previously recorded TCP traffic will be ignored by a server.
How does a Server know to close a Web Socket connection in HTML5 on below scenarios and other cases.
Browser closed abruptly
Browser Refresh(A new Socket connection creation or still it will use existing Connection)
System abrupt power off
In case the client quits without being able to notify the server, the basic characteristics of the TCP implementation define the behavior.
As long as your application (and host system itself) do not attempt to send any data over this broken connection, the host will not realize that something is wrong. Hence, the connection could stay 'open' for a long while and allocate resources, from the server's point of view.
However, in the moment data is attempted to be sent to the remote end, the remote end will not acknowledge the retrieval and TCP retransmission comes into play. It involves a certain number of repetitions and used timeouts. The exact parameters depend on the implementation (operating system in use). When the retransmission finally fails, the TCP connection is closed and resources are freed on the server side. So you can
rely on the fact that at some point your application might want to write to the missing remote end and while doing so trigger the detection of the dead connection or
detect missing remote ends yourself by using something like pings on the application level or
use something like pings on the operating system level, via TCP keepalive techniques.
The easiest part of your question is the browser refresh part. IE,FF and Chrome will close the opened connection and open a new one. I guess, that any other browser will do the same.
Point 1 and 3 i can only guess: If the client can still close the tcp connection cleanly, the server will immediately recognize that the connection has been closed. If you are using tomcat, the onClose method of the MessageInbound instance will be called.
If the client could not close the tcp connection cleanly, the server will wait for some kind of timeout. The server will definitely timeout fast when it tries to write something to the socket. You could implement a heartbeat mechanism to do this. Websockets seem to have the option of an automatic heartbeat but not all browsers and servers seem to support it.
If a user closes a browser tab with an opened web socket, the server will not know this one has been closed right away. However, as Jan-Philip says, if you attempt to write the operation will fail and using the error given you know the current state for the connection.
For example, when using the ws lib for nodejs, if you try to send data to a closed websocket an exception will be thrown, saying something like [Error: not opened]. Their you know the connection no longer exists and you can do any cleanup needed.
My app is using a TUN say tun0. In the design, my app will receive an UDP which includes an full IP layer, then I will take the IP layer out and then use 'file write' to put them into my own tun0 device, supposedly in design, I should can read the packet out again from tun0.
Now the situation is I can see through tcpdump the package is wrote into the tunnel, but I couldn't read them back.
Something wrong with tunnel setting or route setting?
Thanks in advance
Yang
Your second tun0 is not a FIFO queue. You may have a problem in your design of how and why your are using the second tun0 device. Clarify why you are using it and which process should be reading. The proper approach should flow from that clarification.
If you want to read the data you send into you have some options.
Connect tun0 to an TCP or UDP echo service when you open it. This will then send you back the packets you stuff into it.
Open a listener for the second tun0 to connect to. Then connect to it and send the packets out that connection. Read your data from the listener side.
Open a pipe with two file descriptors. Write to one descriptor and read from the other. Pipes are often used for IPC (Inter-Process Communication) when forking children.
Create a socket and read data from it. Open the other end of the socket for writing. Sockets are often used to allow other processes to communicate with a process. This works well when the calling processes may have a different lifetime than the listening process.
Create a buffer or queue in memory to store the data.
A process is connecting to a certain ip or domain, but I do not know what it is. The process can't connect to the server. How do I find and change it?
TCPView and netstat work best for connections already established, which isn't the original poster's position.
A better tool for this task is a packet sniffer, which can observe the connection attempt. I recommend Wireshark, which is available for all major platforms.
Details:
Install, then start Wireshark
Press Ctrl-K to start capturing
Select the network interface that you expect the program to use
Type "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" in the Capture Filter box (no quotes)
Start the capture, go make your program try to connect, and then stop the capture.
If you do the last step fast enough on a machine without a lot of other network activity, you will have only one captured packet. Otherwise, you'll have to dig through a list to find the one you want. This packet will show the TCP port the program is trying to use.
Type netstat at the cmd prompt to see what ports are being used by active processes. Aside from that, you can't change the port being used by the proc to connect (unless you built the app obviously)
TCPView is a nice little utility that will show you all the open connections and endpoints on the local machine.
If the program is connecting using a DNS name (e.g., example.com), you can use the hosts file (c:\windows\system32\drivers\etc\hosts) to make that name map to a different IP address.
If you mean redirect the connection programmatically, that is a lot more complicated. You're not writing malware, are you?