mersenneforum.org (https://www.mersenneforum.org/index.php)
-   Linux (https://www.mersenneforum.org/forumdisplay.php?f=39)
-   -   New ethernet sniffer program (https://www.mersenneforum.org/showthread.php?t=23651)

SELROC 2018-09-13 14:26

New ethernet sniffer program
 
I wrote a prototype packet sniffer for ethernet. It runs on Debian 9 as-is.
The program has a packet counter. Warning! It displays packet data in clear ASCII.


[URL]https://github.com/valeriob01/etherframe[/URL]


To compile the program just issue [CODE]make[/CODE]. There is an included program called [B]listeth[/B] that lists all network interfaces in the system. Compile it with [CODE]make listeth[/CODE] and run [CODE]./listeth[/CODE]. You will get a list of network interface names. You can then pass the interface name to etherframe with [CODE]./etherframe <interface name>[/CODE]. Without arguments the program defaults to eth0.

chalsall 2018-09-13 17:13

[QUOTE=SELROC;496004]I wrote a prototype packet sniffer for ethernet.[/QUOTE]

How is this any better than tcpdump?

Can the output be fed into Wireshark?

SELROC 2018-09-13 17:26

[QUOTE=chalsall;496011]How is this any better than tcpdump?

Can the output be fed into Wireshark?[/QUOTE]




I am not going to compete with tcpdump. I wrote this for exercise.


The output is a simple printf() so it should go to the standard output.

chalsall 2018-09-13 19:04

[QUOTE=SELROC;496014]I am not going to compete with tcpdump. I wrote this for exercise.[/QUOTE]

That's fair. And drilling down on your code, I find it quite clean.

SELROC 2018-09-14 06:29

[QUOTE=chalsall;496022]That's fair. And drilling down on your code, I find it quite clean.[/QUOTE]


Thanks. Today I added the possibility to select the promiscuous mode enable/disable.


[CODE]./etherframe <interface name> <promiscuous mode>[/CODE]


where promiscuous mode is 0 = disabled, 1 = enabled.


The arguments are both optional.
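As an added illustration of the interface/promiscuous-mode shape described in this post (this is example code, not the etherframe project's own source), the following C program opens an AF_PACKET raw socket bound to one interface, optionally enables promiscuous mode through a PACKET_MR_PROMISC membership, and decodes each frame's Ethernet II header (including an 802.1Q tag) before counting how much of the payload is printable ASCII. The program name, the `--sample` switch and the sample frame are assumptions; the sample frame is constructed, not captured traffic, and lets the decoder run without root.

```c
/* Added example, not the etherframe project's code: a minimal AF_PACKET
 * sniffer in the same shape (./ethparse [interface] [promisc 0|1], defaults
 * eth0 and 0) plus a header decoder that runs without root on a
 * constructed sample frame (./ethparse --sample). */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct eth_hdr_info {
    uint8_t  dst[ETH_ALEN], src[ETH_ALEN];
    uint16_t ethertype;   /* host order, e.g. 0x0800 = IPv4 */
    uint16_t vlan_id;     /* 0 when the frame carries no 802.1Q tag */
    size_t   payload_off; /* 14, or 18 for a tagged frame */
};

/* Constructed sample: broadcast dst, locally administered src, 802.1Q tag
 * (VLAN 100), IPv4 ethertype, 13-byte ASCII payload. Not captured traffic. */
const uint8_t SAMPLE_FRAME[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x81, 0x00, 0x00, 0x64,  0x08, 0x00,
    'h', 'e', 'l', 'l', 'o', ',', ' ', 'w', 'o', 'r', 'l', 'd', '\n'
};

/* Decode an Ethernet II header; -1 means the buffer is shorter than the
 * header it claims to have (a truncated frame) and *out is left untouched. */
int parse_ethernet_header(const uint8_t *buf, size_t len, struct eth_hdr_info *out)
{
    if (len < ETH_HLEN) return -1;
    uint16_t type = (uint16_t)((buf[12] << 8) | buf[13]);
    uint16_t vlan = 0;
    size_t off = ETH_HLEN;
    if (type == ETH_P_8021Q) {            /* tagged frame: 4 extra bytes */
        if (len < ETH_HLEN + 4) return -1;
        vlan = (uint16_t)(((buf[14] & 0x0f) << 8) | buf[15]);
        type = (uint16_t)((buf[16] << 8) | buf[17]);
        off = ETH_HLEN + 4;
    }
    memcpy(out->dst, buf, ETH_ALEN);
    memcpy(out->src, buf + ETH_ALEN, ETH_ALEN);
    out->ethertype = type; out->vlan_id = vlan; out->payload_off = off;
    return 0;
}

/* Number of printable ASCII bytes in a payload; the original prints payloads
 * as text, this only measures how much of it would be readable. */
size_t count_printable(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) if (buf[i] >= 0x20 && buf[i] < 0x7f) n++;
    return n;
}

static void print_mac(const uint8_t *m)
{
    printf("%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
}

static void report_frame(const uint8_t *buf, size_t n, unsigned long count)
{
    struct eth_hdr_info h;
    if (parse_ethernet_header(buf, n, &h) < 0) { printf("#%lu truncated (%zu bytes)\n", count, n); return; }
    printf("#%lu ", count); print_mac(h.src); printf(" -> "); print_mac(h.dst);
    printf(" type 0x%04x vlan %u len %zu printable %zu/%zu\n", h.ethertype, h.vlan_id, n,
           count_printable(buf + h.payload_off, n - h.payload_off), n - h.payload_off);
}

/* Raw socket bound to one interface, optionally promiscuous (needs CAP_NET_RAW). */
int open_sniffer(const char *ifname, int promisc)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }
    int ifindex = (int)if_nametoindex(ifname);
    if (ifindex == 0) { perror("if_nametoindex"); close(fd); return -1; }
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL), .sll_ifindex = ifindex };
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("bind"); close(fd); return -1; }
    if (promisc) {   /* the membership is released automatically when fd is closed */
        struct packet_mreq mr = { .mr_ifindex = ifindex, .mr_type = PACKET_MR_PROMISC };
        if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
            perror("PACKET_ADD_MEMBERSHIP"); close(fd); return -1;
        }
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--sample") == 0) { report_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, 1); return 0; }
    const char *ifname = argc > 1 ? argv[1] : "eth0";
    int fd = open_sniffer(ifname, argc > 2 ? atoi(argv[2]) : 0);
    if (fd < 0) return 1;
    uint8_t buf[65536];
    for (unsigned long count = 1;; count++) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        report_frame(buf, (size_t)n, count);
    }
    close(fd);
    return 0;
}
```

Using a PACKET_ADD_MEMBERSHIP membership rather than flipping IFF_PROMISC with an ioctl means the kernel reference-counts the promiscuous state and clears it when the socket closes, so a crashed sniffer does not leave the interface promiscuous.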

chalsall 2018-09-14 19:33

[QUOTE=SELROC;496050]the arguments are both optional.[/QUOTE]

If I may, just drilling down on the premise of your code (being able to detect noise on a link), I'm not sure that your code can accomplish this.

When I try to do this kind of thing from one end, I do flood pinging (ICMP). If I have control of both ends of the connection I use UDP packets. But this only tells me packet loss, it doesn't give me any data with regards to noise nor attenuation, etc. Usually I get this kind of thing via SNMP messages from the devices (but, obviously, only if I have control of them).

Not trying to discourage you, but I'd be very interested if you have figured out a way to collect such data using only "sniffing the wire" at Layer 2.

SELROC 2018-09-15 02:48

[QUOTE=chalsall;496090]If I may, just drilling down on the premise of your code (being able to detect noise on a link), I'm not sure that your code can accomplish this.

When I try to do this kind of thing from one end, I do flood pinging (ICMP). If I have control of both ends of the connection I use UDP packets. But this only tells me packet loss, it doesn't give me any data with regards to noise nor attenuation, etc. Usually I get this kind of thing via SNMP messages from the devices (but, obviously, only if I have control of them).

Not trying to discourage you, but I'd be very interested if you have figured out a way to collect such data using only "sniffing the wire" at Layer 2.[/QUOTE]


A true test would need a specific lab setup which I don't have. The current program reads packets and if there are incomplete packets, it increments some counter (COP and ROP).


I am aware of the thing.

chalsall 2018-09-15 22:06

[QUOTE=SELROC;496113]I am aware of the thing.[/QUOTE]

Please define "thing", in this context.

Edit: Not trying to be an *, but the word "thing" can mean many different things in and out of context. Some use it to cover the fact they can't communicate well. I believe you can, so please clarify.

SELROC 2018-09-16 04:19

[QUOTE=chalsall;496153]Please define "thing", in this context.

Edit: Not trying to be an *, but the word "thing" can mean many different things in and out of context. Some use it to cover the fact they can't communicate well. I believe you can, so please clarify.[/QUOTE]


The thing comes from outer space :-)


More seriously, the thing is "what you said".

SELROC 2018-09-17 08:09

[QUOTE=SELROC;496113]A true test would need a specific lab setup which I don't have. The current program reads packets and if there are incomplete packets, it increments some counter (COP and ROP).[/QUOTE]


I studied the problem a bit more. The specific problem is that bad frames are dropped in the driver and do not make it to layer 2. This method would require modifying the network driver to make it ignore bad frames and pass them to upper layers.


So I will have to adopt another method, probably based on some data acquisition device.

SELROC 2018-09-17 17:08

[QUOTE=SELROC;496227]I studied the problem a bit more. The specific problem is that bad frames are dropped in driver and do not make it to layer 2. This method would require modifying the network driver to make it ignore bad frames and pass them to upper layers.[/QUOTE]


Even worse, the CRC checking is sometimes off-loaded to hardware (the NIC); in this case the only possible thing to do is modify the NIC BIOS.
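Since frames that fail the FCS/CRC check never reach an AF_PACKET socket, the observable trace of link noise from user space is the driver's per-interface error counters, which the Linux kernel exposes as plain text files under /sys/class/net/<interface>/statistics/ (the same numbers `ip -s link` reports). The following added example (not the etherframe project's code) samples rx_packets, rx_errors, rx_crc_errors, rx_frame_errors and rx_length_errors at an interval and prints the deltas; the program name and argument layout are assumptions, and the interface name from the command line is validated before it is spliced into a sysfs path. Which of these counters a given driver actually populates varies, so a counter that stays at zero may mean "not implemented" rather than "clean link".

```c
/* Added example, not the etherframe project's code: sample the driver's
 * receive-error counters from sysfs instead of trying to see bad frames on
 * an AF_PACKET socket, which never receives frames that failed the FCS/CRC.
 * Assumed usage: ./rxerrors [interface] [interval-seconds]; defaults eth0 / 5.
 * Counter files are the standard /sys/class/net/<if>/statistics/* entries. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse one sysfs counter line ("1234\n") into an integer. Returns 0 on
 * success, -1 if the text is empty or contains anything but digits. */
int parse_counter_text(const char *text, unsigned long long *out)
{
    char *end;
    if (text == NULL || *text < '0' || *text > '9') return -1;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno != 0) return -1;                      /* ERANGE on overflow */
    while (*end == '\n' || *end == ' ') end++;      /* trailing newline is normal */
    if (*end != '\0') return -1;
    *out = v;
    return 0;
}

/* Build the sysfs path for a counter. Interface and counter names come from
 * the command line, so refuse anything that could escape the directory. */
int build_stats_path(char *buf, size_t n, const char *ifname, const char *counter)
{
    if (ifname[0] == '\0' || strchr(ifname, '/') || strstr(ifname, "..")) return -1;
    if (counter[0] == '\0' || strchr(counter, '/') || strstr(counter, "..")) return -1;
    int w = snprintf(buf, n, "/sys/class/net/%s/statistics/%s", ifname, counter);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Read a named counter for an interface; -1 if the file cannot be read. */
int read_sysfs_counter(const char *ifname, const char *counter, unsigned long long *out)
{
    char path[256], line[64];
    if (build_stats_path(path, sizeof path, ifname, counter) < 0) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char *got = fgets(line, sizeof line, f);
    fclose(f);
    return got ? parse_counter_text(line, out) : -1;
}

/* Difference of two unsigned counter samples (unsigned wrap-around is safe). */
unsigned long long counter_delta(unsigned long long before, unsigned long long after)
{
    return after - before;
}

static const char *COUNTERS[] = {
    "rx_packets", "rx_errors", "rx_crc_errors", "rx_frame_errors", "rx_length_errors"
};
#define NCOUNTERS (sizeof COUNTERS / sizeof COUNTERS[0])

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";
    unsigned interval = argc > 2 ? (unsigned)atoi(argv[2]) : 5;
    unsigned long long prev[NCOUNTERS] = {0}, cur[NCOUNTERS];
    for (size_t i = 0; i < NCOUNTERS; i++)
        if (read_sysfs_counter(ifname, COUNTERS[i], &prev[i]) < 0) {
            fprintf(stderr, "cannot read %s for %s\n", COUNTERS[i], ifname);
            return 1;
        }
    for (;;) {
        sleep(interval);
        for (size_t i = 0; i < NCOUNTERS; i++) {
            if (read_sysfs_counter(ifname, COUNTERS[i], &cur[i]) < 0) cur[i] = prev[i];
            printf("%-18s total %12llu  +%llu\n", COUNTERS[i], cur[i], counter_delta(prev[i], cur[i]));
            prev[i] = cur[i];
        }
        printf("\n");
    }
    return 0;
}
```

A steadily rising rx_crc_errors or rx_frame_errors on an otherwise quiet link is the signal the thread is after; pairing the deltas with rx_packets gives an error ratio rather than a raw count, which is what makes the number comparable across busy and idle periods.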

