nfqueue ethernet packet frame capture

nfqueue ethernet packet frame capture

[ilker]

Hi All,

I am working on nfqueue to capture packets from networks.
I am not able to capture destination MAC addresses using NFQUEUE.
Is there a way to capture a full ethernet frame (especially
destination MAC address) using NFQUEUE library?

Thanks for your help
Regards,

Re: nfqueue ethernet packet frame capture

[Pablo Neira Ayuso]

On Wed, Mar 17, 2021 at 03:35:56PM +0300, ilker wrote:
> Hi All,
> 
> I am working on nfqueue to capture packets from networks.
> I am not able to capture destination MAC addresses using NFQUEUE.
> Is there a way to capture a full ethernet frame (especially
> destination MAC address) using NFQUEUE library?

nfq_get_packet_hw() might help?

Re: nfqueue ethernet packet frame capture

[Pablo Neira Ayuso]

On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> it only gives the source MAC address:(
> I need the destination MAC address.. I will use
> src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> I tried
> nfq_get_physindev_name
> nfq_get_physoutdev_name
> nfq_get_indev_name
> nfq_get_outdev_name
> 
> but neither of them gave me a MAC.
> A libpcap fanboy said that netfilter can not and libpcap can give.. I
> don't want to convert my code to pcap that is why I am looking for a
> solution.

nfq_get_indev_name provides the input device. From userspace, you can
retrieve the destination MAC from the indev. The ethernet protocol is
coming in the ->hw_protocol field.

Re: nfqueue ethernet packet frame capture

[Pablo Neira Ayuso]

On Wed, Mar 17, 2021 at 04:53:09PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> > it only gives the source MAC address:(
> > I need the destination MAC address.. I will use
> > src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> > I tried
> > nfq_get_physindev_name
> > nfq_get_physoutdev_name
> > nfq_get_indev_name
> > nfq_get_outdev_name
> > 
> > but neither of them gave me a MAC.
> > A libpcap fanboy said that netfilter can not and libpcap can give.. I
> > don't want to convert my code to pcap that is why I am looking for a
> > solution.
> 
> nfq_get_indev_name provides the input device. From userspace, you can
> retrieve the destination MAC from the indev. The ethernet protocol is
> coming in the ->hw_protocol field.

I'm assuming your setup is a router, then destination MAC can be
infered.

Re: nfqueue ethernet packet frame capture

[ilker]

What i get from indev from a sample capture are as follows;
indev_name = *
outdev_name = wlan0
physindev_name = *
physoutdev_name = *

nfq_get_physindev_name returns device name on my host. I can retrieve
wlan0 mac but this would be the MAC address on my host. (I am testing
my application on PC for now but the target is a router as you said)

What I am looking for is a destination MAC address. e.g. when I
capture the network on the same host via libpcap, I get following dump
17:29:34.575912 AA:AA:AA:AA:AA:AA > BB:BB:BB:BB:BB:BB, ethertype IPv4
(0x0800), length 1197: (tos 0x0, ttl 57, id 37046, offset 0, flags
[DF], proto TCP (6), length 1183)

where AA:AA:AA:AA:AA:AA is the gateway_MAC_address that my PC
connected and BB:BB:BB:BB:BB:BB is the wlan_interface_mac of my PC.
My aim is to capture my gateway mac address (AA:AA:AA:AA:AA:AA) as a
destination MAC from my PC via NFQUEUE. (like tcpdump example)

Is that possible?

Thanks for your help
regards,

On Wed, Mar 17, 2021 at 6:54 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Wed, Mar 17, 2021 at 04:53:09PM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> > > it only gives the source MAC address:(
> > > I need the destination MAC address.. I will use
> > > src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> > > I tried
> > > nfq_get_physindev_name
> > > nfq_get_physoutdev_name
> > > nfq_get_indev_name
> > > nfq_get_outdev_name
> > >
> > > but neither of them gave me a MAC.
> > > A libpcap fanboy said that netfilter can not and libpcap can give.. I
> > > don't want to convert my code to pcap that is why I am looking for a
> > > solution.
> >
> > nfq_get_indev_name provides the input device. From userspace, you can
> > retrieve the destination MAC from the indev. The ethernet protocol is
> > coming in the ->hw_protocol field.
>
> I'm assuming your setup is a router, then destination MAC can be
> infered.

Re: nfqueue ethernet packet frame capture

[Pablo Neira Ayuso]

On Wed, Mar 17, 2021 at 08:49:18PM +0300, ilker wrote:
> What i get from indev from a sample capture are as follows;
> indev_name = *
> outdev_name = wlan0
> physindev_name = *
> physoutdev_name = *

I see, so you'd like to catch the packet from the output path.

> nfq_get_physindev_name returns device name on my host. I can retrieve
> wlan0 mac but this would be the MAC address on my host. (I am testing
> my application on PC for now but the target is a router as you said)
> 
> What I am looking for is a destination MAC address. e.g. when I
> capture the network on the same host via libpcap, I get following dump
> 17:29:34.575912 AA:AA:AA:AA:AA:AA > BB:BB:BB:BB:BB:BB, ethertype IPv4
> (0x0800), length 1197: (tos 0x0, ttl 57, id 37046, offset 0, flags
> [DF], proto TCP (6), length 1183)
> 
> where AA:AA:AA:AA:AA:AA is the gateway_MAC_address that my PC
> connected and BB:BB:BB:BB:BB:BB is the wlan_interface_mac of my PC.
> My aim is to capture my gateway mac address (AA:AA:AA:AA:AA:AA) as a
> destination MAC from my PC via NFQUEUE. (like tcpdump example)
> 
> Is that possible?

The problem is that the MAC address is not yet know from the output
path (postrouting hook) since it comes before the neighbour layer.
So the MAC address is not yet know.

You could catch the packet via nfqueue and then send a query to obtain
the destination MAC address by the IP destination through rtnetlink
(neighbour cache lookup from userspace).

An alternative would be to have netfilter egress hook (layer 2 MAC
information is already available from there) and add nfqueue support
too, but that's not available upstream.