0

I would like to write a piece of code capable of monitoring network events on a computer. I would like to be able to know the number of packets contained in the TX buffer at any time. Since my computer will play the role of a router (a WiFi access point, to be precise) it won't generate packets by itself. So I can get the information I need just by counting the number of packets received and sent by my computer.

So, I'm looking for an API capable of tracing this kind of network event. I'm aware of kernel tracepoints but I would like to find something easier; tracepoints do not look easy to work with and I would have to know the exact kernel function called when a packet is sent or received... Isn't there some kind of signal-like API capable of this?

Thanks for your help :)

EDIT: I found the libpcap library; with it I'm easily able to count packets arriving on an interface. But is there a way to count outgoing packets on another interface?

  • How about this, read the output of "ifconfig " using system() and then parse the required data? – Ravi Feb 26 '16 at 08:24
  • Thanks for the idea but I don't think ifconfig is fast enough. I've just tested dumping the output of ifconfig with a simple script, and it's not able to keep up: the returned value doesn't change with each packet sent or received – Thierry Arrabal Feb 26 '16 at 09:07
  • How about "netstat -s" then? – Ravi Feb 26 '16 at 09:08
  • It looks more reactive, but still not enough. I think I will try something with the pcap library. I saw it can now put packets on a link. I'll try to intercept incoming packets, and then put them on the other interface – Thierry Arrabal Feb 26 '16 at 09:23
  •
    ```python
    import subprocess

    flag = 0  # 0 until the first "packets" token (the RX line) has been printed

    def main():
        global flag
        command = ['ifconfig', 'wlan0']
        # universal_newlines=True makes stdout a text stream instead of bytes
        p = subprocess.Popen(command, stdout=subprocess.PIPE, universal_newlines=True)
        text = p.stdout.read()
        temp = text.split(' ')
        for x in temp:
            if "packets" in x:
                if flag == 0:
                    print("RX", x)
                    flag = 1
                else:
                    print("TX", x)

    main()
    ```
    I know you want it in C but just as a proof of concept I tried it in Python and it worked. – Ravi Feb 26 '16 at 09:23
  • Hum, I'll keep it in mind, I just wanted it in C because it's my favourite language ^^ If my piece of code doesn't work, I'll use yours and learn a bit of Python ^^ – Thierry Arrabal Feb 26 '16 at 09:40
  • Alright, sorry about the formatting. – Ravi Feb 26 '16 at 09:48
  • I just read your code and it counts the packets received and sent on wlan0 using ifconfig? Does it really count each packet? When I tried a bash script using ifconfig the updates were not made packet by packet – Thierry Arrabal Feb 26 '16 at 10:16
  • If you need the difference then all we need to do is store the previous values, wait for a second (or whatever time you wish to wait), call the ifconfig/netstat -s command again, compute the difference between the two and print the result. Let me know if you face any issue doing that. – Ravi Feb 26 '16 at 16:42
  • But I'd like to be aware of all changes. I've started using the lib pcap and I think it's really the tool that I need :) – Thierry Arrabal Feb 29 '16 at 07:04

2 Answers

0

I answered a question (What do I need to build to directly access the Ethernet frame bits in the kernel level?) some time ago and the response is relevant to your question: in the kernel you have to look at the file http://lxr.free-electrons.com/source/net/core/dev.c, where you will find netif_rx for receiving frames from the device driver. There you can also find the transmit functions (ending with the suffix 'xmit').

You have the following alternatives in addition to going into the kernel: pcap, packet sockets, netfilter, ebtables.

rodolk
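The "packet sockets" alternative named in this answer can tell sent frames from received ones on a single interface, which is what the question's EDIT asks for. The following is an added example, not code from the original posts; the names `pkt_counts`, `account` and `open_packet_socket` are hypothetical, and `wlan0` is taken from the thread as an assumed interface name.

```c
/* Added example: count frames per direction with a Linux packet socket. */
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

struct pkt_counts { unsigned long long rx, tx; };

/* The kernel tags each frame handed to a packet socket with its direction. */
void account(struct pkt_counts *c, const struct sockaddr_ll *from)
{
    if (from->sll_pkttype == PACKET_OUTGOING) c->tx++;  /* leaving via this interface */
    else c->rx++;               /* PACKET_HOST, _BROADCAST, _MULTICAST, _OTHERHOST */
}

/* Open a raw packet socket bound to ifname (needs CAP_NET_RAW). Returns fd or -1. */
int open_packet_socket(const char *ifname)
{
    struct sockaddr_ll sll = {0};
    unsigned int idx = if_nametoindex(ifname);
    if (idx == 0) return -1;                             /* no such interface */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);                 /* every protocol, both directions */
    sll.sll_ifindex = (int)idx;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }
    return fd;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "wlan0";   /* assumed interface name */
    struct pkt_counts c = {0, 0};
    unsigned char buf[65536];
    int fd = open_packet_socket(ifname);
    if (fd < 0) { perror("open_packet_socket"); return 1; }
    for (;;) {
        struct sockaddr_ll from; socklen_t len = sizeof from;
        if (recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &len) < 0) break;
        account(&c, &from);                              /* one call per frame seen */
        printf("%s rx=%llu tx=%llu\n", ifname, c.rx, c.tx);
    }
    close(fd);
    return 0;
}
```

Because the socket is not in monitor mode, it sees the frames the network stack sees on that interface, not 802.11 management frames.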
0

Quick answer:

If your AP runs Linux, you may want to have a look at the various files in:

/sys/class/net/<some interface>/statistics/

BUT: your question is unclear.

> Since my computer will play the role of a router (a WiFi access point, to be precise) it won't generate packets by itself.

Wrong: your computer and its interface will generate a lot of packets by itself - though not only TCP/IP. To begin with, "beacon frames" (typically one every 100ms) to signal the presence of your AP. These will be sent whether or not a STA(tion) is connected.

Then there will also be "management" packets sent by your AP in response to STA demands:

  • The "probe responses" you'll send as a reply to "probe requests" sent by potential STAs interested in your AP.
  • Then connection and authentication frames (e.g. WPA2) exchanged between your AP (hostapd maybe?) and STAs.

Then and only then do we enter the world of TCP/IP packets. But we're not done yet with the plumbing: after that, since you're a router, I guess it also runs a DHCP server, so there will be the DHCP offers in response to DHCP requests.

And then after that, yes, there will be the actual, say, "application" packets carried between STAs (all passing through your router AP).

If these are the packets that you're actually interested in counting, your first problem would be to distinguish them from all the other "infrastructure" packets (not only in the 802.11 infrastructure mode meaning of the term) that I mentioned above carried by the interface. So there is an inherent contradiction in your requirement between a low-level piece of information ("number of packets contained in the TX buffer at any time") and a wrong high-level presupposition ("since my computer will play the role of a router (a WiFi access point, to be precise) it won't generate packets by itself").

It's a whole different problem than just packet accounting per interface, and you'll need some kind of DPI (Deep Packet Inspection), for which pcap can be used, or sorting and counting at the TCP/IP level per interface or IP (sub)network, where netfilter/iptables can help. But I hope I made it clear that the deeper you go (down to the kernel/interface/interface driver level), the more "noise" from packets you do not seem to be interested in you'll get.

jbm
  • Thank you for your answer! Indeed I was speaking about TCP/IP packets when I said that my computer runs as an AP. I have started to code something with pcap indeed, I think it's the tool I need. But I also need to think again about my problem to handle control frames. Thanks a lot :) – Thierry Arrabal Feb 29 '16 at 07:03
  • @ThierryArrabal: as long as you're not running pcap in monitor mode, you won't see the 802.11 management frames, so that's a non-problem. See explanation about normal vs promiscuous vs monitor mode [here](http://stackoverflow.com/a/35535377/5257515). On the AP (not STAs) even normal mode may be OK, minus the (very low) DHCP traffic. – jbm Feb 29 '16 at 07:22
  • But I can't run pcap in monitor mode if I want my interface to continue to send packets, can I? – Thierry Arrabal Feb 29 '16 at 08:02
  • @ThierryArrabal No, in monitor mode you cannot be part of a network, neither as a STA nor as an AP. That's why it's a non-problem in your case for what you intend to do. – jbm Feb 29 '16 at 08:09
  • Ok thank you. I will test my program without thinking of control frames, just to see. And then I'll think about the problem of those frames :) – Thierry Arrabal Feb 29 '16 at 08:14
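The files under `/sys/class/net/<some interface>/statistics/` mentioned in the answer above can be read directly instead of parsing ifconfig or netstat output. The following is an added example, not code from the original posts; the function names `parse_counter` and `read_counter` are hypothetical, and `wlan0` is an assumed interface name taken from the thread.

```c
/* Added example: poll the kernel's per-interface packet counters from sysfs. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse the body of one counter file, e.g. "12345\n". Returns 0 on success. */
int parse_counter(const char *text, unsigned long long *out)
{
    char *end;
    if (text[0] < '0' || text[0] > '9') return -1;   /* strtoull would accept "-1" */
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno != 0 || (*end != '\n' && *end != '\0')) return -1;
    *out = v;
    return 0;
}

/* Read <root>/<iface>/statistics/<name>; root is normally /sys/class/net. */
int read_counter(const char *root, const char *iface, const char *name,
                 unsigned long long *out)
{
    char path[256], buf[32];
    int n = snprintf(path, sizeof path, "%s/%s/statistics/%s", root, iface, name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;   /* path was truncated */
    FILE *f = fopen(path, "r");
    if (!f) return -1;                                  /* interface or file missing */
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_counter(buf, out) : -1;
}

int main(int argc, char **argv)
{
    const char *root = "/sys/class/net";
    const char *iface = argc > 1 ? argv[1] : "wlan0";   /* assumed interface name */
    unsigned long long rx0, tx0, rx1, tx1;
    if (read_counter(root, iface, "rx_packets", &rx0) ||
        read_counter(root, iface, "tx_packets", &tx0)) return 1;
    for (;;) {
        sleep(1);
        if (read_counter(root, iface, "rx_packets", &rx1) ||
            read_counter(root, iface, "tx_packets", &tx1)) return 1;
        /* unsigned subtraction stays correct even if a counter wraps */
        printf("%s rx +%llu tx +%llu per second\n", iface, rx1 - rx0, tx1 - tx0);
        rx0 = rx1; tx0 = tx1;
    }
}
```

These counters give totals per polling interval rather than one event per packet, and they include every frame the interface accounts for, not only forwarded traffic.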