2001-11-28 13:37:00

by Richard B. Johnson

Subject: Magic Lantern


Are there currently any kernel hooks to support Magic Lantern?
Basically, a "tee" to capture all network packets and pass them
on to a filtering task without affecting normal network activity.
It's like `tcpdump`, but allows packets to be inserted into the
output queue as well without affecting normal network activity.

Yes, I know a module could be written, but I wonder if the
capability already exists.


Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

I was going to compile a list of innovations that could be
attributed to Microsoft. Once I realized that Ctrl-Alt-Del
was handled in the BIOS, I found that there aren't any.



2001-11-28 13:41:30

by David Miller

Subject: Re: Magic Lantern

From: "Richard B. Johnson" <[email protected]>
Date: Wed, 28 Nov 2001 08:36:33 -0500 (EST)

Yes, I know a module could be written, but I wonder if the
capability already exists.

I'm pretty sure netfilter (at least at one point) allows
exactly what you describe. Packet filters can be written
in userspace.

2001-11-28 13:57:13

by Lars Brinkhoff

Subject: Re: Magic Lantern

"Richard B. Johnson" <[email protected]> writes:
> Are there currently any kernel hooks to support Magic Lantern?
> Basically, a "tee" to capture all network packets and pass them
> on to a filtering task without affecting normal network activity.
> It's like `tcpdump`, but allows packets to be inserted into the
> output queue as well without affecting normal network activity.

The af_packet module can read and write raw ethernet frames.

--
Lars Brinkhoff http://lars.nocrew.org/ Linux, GCC, PDP-10
Brinkhoff Consulting http://www.brinkhoff.se/ programming
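An added example (not code from the thread or from any of its posters) of what the af_packet module exposes: a packet socket bound to one interface that receives every Ethernet frame, plus a header parser that handles 802.1Q-tagged frames and truncated input. The names open_capture and parse_eth are chosen here, and it assumes Linux with CAP_NET_RAW; the sample frame is constructed for illustration.

```c
/* Added example, not from the thread: a minimal AF_PACKET frame reader.
 * open_capture() needs CAP_NET_RAW; parse_eth() runs on a constructed frame. */
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <arpa/inet.h>
struct eth_hdr_view {
    uint8_t dst[6], src[6];
    uint16_t ethertype;    /* host order, after any 802.1Q tag */
    size_t payload_off;    /* 14 untagged, 18 VLAN-tagged */
};
/* Parse an Ethernet II header; 0 on success, -1 if the frame is truncated. */
int parse_eth(const uint8_t *f, size_t len, struct eth_hdr_view *out)
{
    if (len < 14) return -1;
    memcpy(out->dst, f, 6);
    memcpy(out->src, f + 6, 6);
    out->ethertype = (uint16_t)(f[12] << 8 | f[13]);
    out->payload_off = 14;
    if (out->ethertype == 0x8100) {     /* VLAN tag: real type sits 4 bytes on */
        if (len < 18) return -1;
        out->ethertype = (uint16_t)(f[16] << 8 | f[17]);
        out->payload_off = 18;
    }
    return 0;
}
/* Open an AF_PACKET socket bound to ifname that receives every ethertype;
 * returns the fd or -1 (typically EPERM without CAP_NET_RAW). */
int open_capture(const char *ifname)
{
    struct sockaddr_ll sll = { .sll_family = AF_PACKET,
                               .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(ifname) };
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Constructed sample: 802.1Q-tagged (VID 100) IPv4 frame, 20 bytes long. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };
```

Each recv() on the returned fd yields one full frame into a caller-supplied buffer, which is exactly the kernel-to-userspace copy that the later performance discussion in this thread is about.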

2001-11-28 14:07:50

by Richard B. Johnson

Subject: Re: Magic Lantern

On 28 Nov 2001, Lars Brinkhoff wrote:

> "Richard B. Johnson" <[email protected]> writes:
> > Are there currently any kernel hooks to support Magic Lantern?
> > Basically, a "tee" to capture all network packets and pass them
> > on to a filtering task without affecting normal network activity.
> > It's like `tcpdump`, but allows packets to be inserted into the
> > output queue as well without affecting normal network activity.
>
> The af_packet module can read and write raw ethernet frames.

Okay, thanks.


Cheers,
Dick Johnson



2001-11-28 15:13:27

by Eric Weigle

Subject: Re: Magic Lantern

> > "Richard B. Johnson" <[email protected]> writes:
> > > Are there currently any kernel hooks to support Magic Lantern?
> > > Basically, a "tee" to capture all network packets and pass them
> > > on to a filtering task without affecting normal network activity.
> > > It's like `tcpdump`, but allows packets to be inserted into the
> > > output queue as well without affecting normal network activity.
> >
> > The af_packet module can read and write raw ethernet frames.
The af_packet module may also be fairly inefficient. If you need performance
over, say, a gigabit link, you may have trouble. I last used it on one of the
earlier 2.4 series (2.4.8 I think) with the Acenic Tigon II gigE copper
cards to implement a network flooder; at that time a simple unoptimized loop
sending raw ethernet packets maxed out at around 80Mbps, while the same loop
sending UDP packets maxed out at around 400. This may have been fixed by now,
I don't know... Just a warning.

-Eric

--
--------------------------------------------
Eric H. Weigle CCS-1, RADIANT team
[email protected] Los Alamos National Lab
(505) 665-4937 http://home.lanl.gov/ehw/
--------------------------------------------

2001-11-28 15:49:26

by Richard B. Johnson

Subject: Re: Magic Lantern

On Wed, 28 Nov 2001, Eric Weigle wrote:

> > > "Richard B. Johnson" <[email protected]> writes:
> > > > Are there currently any kernel hooks to support Magic Lantern?
> > > > Basically, a "tee" to capture all network packets and pass them
> > > > on to a filtering task without affecting normal network activity.
> > > > It's like `tcpdump`, but allows packets to be inserted into the
> > > > output queue as well without affecting normal network activity.
> > >
> > > The af_packet module can read and write raw ethernet frames.
> The af_packet module may also be fairly inefficient. If you need performance
> over, say, a gigabit link, you may have trouble. I last used it on one of the
> earlier 2.4 series (2.4.8 I think) with the Acenic Tigon II gigE copper
> cards to implement a network flooder; at that time a simple unoptimized loop
> sending raw ethernet packets maxed out at around 80Mbps, while the same loop
> sending UDP packets maxed out at around 400. This may have been fixed by now,
> I don't know... Just a warning.
>
> -Eric

Okay. I don't think that performance will be a problem in the near
future. As you no doubt know, the DOJ is "requiring" that these
taps be inserted into Operating Systems so that they can access
computers, of course always in direct correspondence with a
wiretap order (if you believe that, I've got a bridge to sell).

Information is that part of M$ agreement with DOJ was to insert
these taps into their OS. In due course, we will have to counter
this by emulation, i.e., always return a nice new, never touched
distribution disk when queried for a directory <grin>, but
presently, if there are "hooks" for "future enhancements", the
DOJ can't refuse to allow the sale or distribution of an OS
as is now proposed.

Once the DOJ actually reads the Constitution, this problem may
go away altogether, but presently the knee-jerk reaction from 9/11
is to violate everybody's computers!

Cheers,
Dick Johnson



2001-11-28 18:55:17

by Lars Brinkhoff

Subject: Re: Magic Lantern

Eric Weigle <[email protected]> writes:
> > > "Richard B. Johnson" <[email protected]> writes:
> > > > Basically, a "tee" to capture all network packets and pass them
> > > > on to a filtering task without affecting normal network activity.
> > > The af_packet module can read and write raw ethernet frames.
> The af_packet module may also be fairly inefficient. If you need
> performance over, say, a gigabit link, you may have trouble.

Are you (or anyone else) aware of any alternative?


2001-11-28 19:34:12

by Eric Weigle

Subject: Re: Magic Lantern

On Wed, Nov 28, 2001 at 07:54:39PM +0100, Lars Brinkhoff wrote:
> Eric Weigle <[email protected]> writes:
> > > > "Richard B. Johnson" <[email protected]> writes:
> > > > > Basically, a "tee" to capture all network packets and pass them
> > > > > on to a filtering task without affecting normal network activity.
> > > > The af_packet module can read and write raw ethernet frames.
> > The af_packet module may also be fairly inefficient. If you need
> > performance over, say, a gigabit link, you may have trouble.
>
> Are you (or anyone else) aware of any alternative?
I'm sure it's just something silly that's hurt the performance of the
af_packet module (perhaps already fixed, perhaps in my methodology :|)

For the purposes of the work I was doing here (totally unrelated to this
Magic Lantern BS, which I didn't even know what it was until after I posted
the first response in this thread), I just needed to saturate a gigE link for
testing. To do this I just used three boxes flooding UDP packets and that
worked. As far as traffic collection goes (which is what I was testing),
we went with another approach-- an optical tap to snarf off a copy of all
the data on a link, and then a custom kernel I hacked up to do the work
in the kernel itself (avoiding the kernel--user space copy and the stack
entirely). This is not for the faint of heart.


-Eric
