2

I would like to retrieve the Ethernet frame bits for all the Ethernet frames on the wire, no matter whether they are destined (at the MAC level) for my machine or not.

The logic for that has to be at the kernel level.

So in order to achieve this, do I need to build a separate kernel module, an Ethernet driver, or an Ethernet network interface?

Note: I have just started learning Linux kernel module development for my project. I'm sorry if this is not the appropriate place to post this question.

pnuts
Utkal Sinha
  • The logic for that is *already* implemented at the kernel level. To put it to use, have a look at libpcap, and at interface promiscuous mode for the "no matter if they are destined (MAC level) for my machine or not" part. libpcap with promiscuous mode does everything you need, from userland. – jbm Nov 03 '15 at 17:54
  • libpcap captures the frame by copying the packet, not by intercepting the packets. I want to be able to receive all the frames on the wire as well as send or re-inject the modified frame into the NIC card. – Utkal Sinha Nov 08 '15 at 11:14

3 Answers

3

For receiving frames destined for any host, you must set your network interface to promiscuous mode.

For getting the frames you can use several alternatives:

  1. pcap API (library libpcap)
  2. packet sockets: http://man7.org/linux/man-pages/man7/packet.7.html
  3. Look at ebtables (I've never used it, so I'm not sure on this point): http://linux.die.net/man/8/ebtables
  4. Here netfilter is proposed: How to capture network frames in a kernel module

If you still want to hack the kernel, you don't need to create a new Ethernet device driver; just write a kernel module that registers to receive the frames received from the Ethernet device driver. Look at the kernel file http://lxr.free-electrons.com/source/net/core/dev.c ; you can begin with the function:

int netif_rx(struct sk_buff *skb)

This is the function that receives frames from the device driver.

Community
rodolk
  • 2
    libpcap copies the packets but does not intercept them. On the other hand, I want to directly receive the raw frame, and I should also be able to re-insert the modified frame into the NIC card. I think it is not possible with the pcap APIs. – Utkal Sinha Nov 08 '15 at 11:04
  • 2
    @UtkalSinha, you are right. If you want to intercept it, libpcap is not what you need. The kernel, at the level I mentioned, will send the frame to every function registered to receive it. If you want nobody else but your piece of software to receive it you will need: 1-Modify the device driver 2-Modify netif_rx, 3-Check if it is possible for a registered function to return a value that means DO NOT CONTINUE or "ALREADY CONSUMED" 4-Check netfilter or ebtables. But why do you want to re-insert it into the NIC card (in this case you need the device driver)? To modify it and send it back? – rodolk Nov 09 '15 at 00:10
  • 1
    Yes. I mean, if there is any ongoing transmission, then I should be able to retrieve the Ethernet frame -> modify the Ethernet headers -> forward the frame if I want, else discard it. So do I need to build an Ethernet device driver for it, or would a simple kernel module suffice? – Utkal Sinha Nov 09 '15 at 08:32
  • 1
    There is a problem there. If there is a transmission between 2 different nodes, and your node is just listening to the same frame, you cannot interfere: the same frame was already received by the destination node at the Ethernet level (is this what you are trying to do?). Also, if there is a switch, you will not receive that frame, unless you are developing the software for the switch or the medium is 802.11. – rodolk Nov 09 '15 at 12:11
  • 2
    Before sending the Ethernet frame, the sender will broadcast an ARP request, and if I am in that broadcast domain then I can get the frames by replying to the ARP requests. – Utkal Sinha Nov 09 '15 at 12:18
  • OK, that's good. That doesn't always work. You need to consider that your node will respond but the other one will also respond. You also have to send gratuitous ARP. – rodolk Nov 09 '15 at 13:23
  • Yes, I'm aware of that. But another component of the project will take care of that, and that situation would never arise. Now I am into development, but I am new to Linux, so I'm facing difficulties. If you can help, that would be great. – Utkal Sinha Nov 09 '15 at 13:31
  • @UtkalSinha, for what you have to do, packet sockets (point 2 in my answer) are a good solution. With packet sockets you will read those messages; you don't care whether they are passed somewhere else. Usually, if they are not destined for your node, the IP layer (are you using IP?) will discard the frame, or the kernel will do it if no other function has registered to read it. Then, to write the frame again and send it through the NIC, you can still use packet sockets, and you can write the Ethernet fields (including source and destination MAC address). – rodolk Nov 09 '15 at 14:50
2

There are very good tools available for capturing and retrieving Ethernet frames. These tools are tcpdump and Wireshark. Tcpdump is a command-line utility, whereas Wireshark is a GUI-based utility. You can use whichever is comfortable for you. For more information on these tools please see the following links:

http://www.tcpdump.org/tcpdump_man.html

https://www.wireshark.org/docs/wsug_html_chunked/

0

It depends on the version of the Linux kernel and also on the processor that is being used.

In general, you may need to make some changes at the level of your network driver's interrupt handler. Normally, as soon as a packet is received, the driver is interrupted with the corresponding receive interrupt. Once the receive interrupt is identified, the packet should not be completely processed in the interrupt handler itself. Instead, the handler triggers a bottom half that does the further processing of the packet, and this is where you might need to determine the packet type and handle it according to your requirement. Also, note that some NICs will have DMA'd the data directly into an sk_buff, from where it is sent to the stack. In that case, the sk_buff can be fetched for your use once it has arrived via DMA (the sk_buff holds packet info such as data and headers).

Netfilter is one of the good options to try. It is a packet-filtering framework (a set of hooks) with callback functions that get invoked when the respective hook is traversed by a packet. This in turn can enable you to classify/process packets as per your requirement.

Also, note that some processors have hardware-based packet processing/accelerator modules that can be configured to filter the packet type/protocol of interest just by configuring the respective input ports. Some hardware modules can also extract the payload's metadata and place it in a buffer according to certain configured extraction/parsing rules without any kind of user intervention.

These are a few high-level views on the retrieval and processing of Ethernet frames; note that it is closely knitted with your system architecture/design/driver.

Karthik Balaguru