* nfqueue ethernet packet frame capture
From: ilker @ 2021-03-17 12:35 UTC
To: netfilter

Hi All,

I am working on nfqueue to capture packets from networks.
I am not able to capture destination MAC addresses using NFQUEUE.
Is there a way to capture a full ethernet frame (especially
destination MAC address) using NFQUEUE library?

Thanks for your help

Regards,

* Re: nfqueue ethernet packet frame capture
From: Pablo Neira Ayuso @ 2021-03-17 14:37 UTC
To: ilker; +Cc: netfilter

On Wed, Mar 17, 2021 at 03:35:56PM +0300, ilker wrote:
> Hi All,
>
> I am working on nfqueue to capture packets from networks.
> I am not able to capture destination MAC addresses using NFQUEUE.
> Is there a way to capture a full ethernet frame (especially
> destination MAC address) using NFQUEUE library?

nfq_get_packet_hw() might help?

* Re: nfqueue ethernet packet frame capture
From: Pablo Neira Ayuso @ 2021-03-17 15:53 UTC
To: ilker; +Cc: netfilter

On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> it only gives the source MAC address:(
> I need the destination MAC address.. I will use
> src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> I tried
> nfq_get_physindev_name
> nfq_get_physoutdev_name
> nfq_get_indev_name
> nfq_get_outdev_name
>
> but neither of them gave me a MAC.
> A libpcap fanboy said that netfilter can not and libpcap can give.. I
> don't want to convert my code to pcap that is why I am looking for a
> solution.

nfq_get_indev_name provides the input device. From userspace, you can
retrieve the destination MAC from the indev. The ethernet protocol is
coming in the ->hw_protocol field.

* Re: nfqueue ethernet packet frame capture
From: Pablo Neira Ayuso @ 2021-03-17 15:54 UTC
To: ilker; +Cc: netfilter

On Wed, Mar 17, 2021 at 04:53:09PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> > it only gives the source MAC address:(
> > I need the destination MAC address.. I will use
> > src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> > I tried
> > nfq_get_physindev_name
> > nfq_get_physoutdev_name
> > nfq_get_indev_name
> > nfq_get_outdev_name
> >
> > but neither of them gave me a MAC.
> > A libpcap fanboy said that netfilter can not and libpcap can give.. I
> > don't want to convert my code to pcap that is why I am looking for a
> > solution.
>
> nfq_get_indev_name provides the input device. From userspace, you can
> retrieve the destination MAC from the indev. The ethernet protocol is
> coming in the ->hw_protocol field.

I'm assuming your setup is a router, then destination MAC can be
inferred.

* Re: nfqueue ethernet packet frame capture
From: ilker @ 2021-03-17 17:49 UTC
To: Pablo Neira Ayuso; +Cc: netfilter

What I get from indev from a sample capture are as follows;
indev_name = *
outdev_name = wlan0
physindev_name = *
physoutdev_name = *

nfq_get_physindev_name returns device name on my host. I can retrieve
wlan0 mac but this would be the MAC address on my host. (I am testing
my application on PC for now but the target is a router as you said)

What I am looking for is a destination MAC address. e.g. when I
capture the network on the same host via libpcap, I get the following dump
17:29:34.575912 AA:AA:AA:AA:AA:AA > BB:BB:BB:BB:BB:BB, ethertype IPv4
(0x0800), length 1197: (tos 0x0, ttl 57, id 37046, offset 0, flags
[DF], proto TCP (6), length 1183)

where AA:AA:AA:AA:AA:AA is the gateway_MAC_address that my PC
connected and BB:BB:BB:BB:BB:BB is the wlan_interface_mac of my PC.
My aim is to capture my gateway mac address (AA:AA:AA:AA:AA:AA) as a
destination MAC from my PC via NFQUEUE. (like tcpdump example)

Is that possible?

Thanks for your help
regards,

On Wed, Mar 17, 2021 at 6:54 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Wed, Mar 17, 2021 at 04:53:09PM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Mar 17, 2021 at 05:41:53PM +0300, ilker wrote:
> > > it only gives the source MAC address:(
> > > I need the destination MAC address.. I will use
> > > src_mac+dst_mac+ethertype and reconstruct the full ETH header.
> > > I tried
> > > nfq_get_physindev_name
> > > nfq_get_physoutdev_name
> > > nfq_get_indev_name
> > > nfq_get_outdev_name
> > >
> > > but neither of them gave me a MAC.
> > > A libpcap fanboy said that netfilter can not and libpcap can give.. I
> > > don't want to convert my code to pcap that is why I am looking for a
> > > solution.
> >
> > nfq_get_indev_name provides the input device. From userspace, you can
> > retrieve the destination MAC from the indev. The ethernet protocol is
> > coming in the ->hw_protocol field.
>
> I'm assuming your setup is a router, then destination MAC can be
> inferred.

* Re: nfqueue ethernet packet frame capture
From: Pablo Neira Ayuso @ 2021-03-18 0:39 UTC
To: ilker; +Cc: netfilter

On Wed, Mar 17, 2021 at 08:49:18PM +0300, ilker wrote:
> What I get from indev from a sample capture are as follows;
> indev_name = *
> outdev_name = wlan0
> physindev_name = *
> physoutdev_name = *

I see, so you'd like to catch the packet from the output path.

> nfq_get_physindev_name returns device name on my host. I can retrieve
> wlan0 mac but this would be the MAC address on my host. (I am testing
> my application on PC for now but the target is a router as you said)
>
> What I am looking for is a destination MAC address. e.g. when I
> capture the network on the same host via libpcap, I get the following dump
> 17:29:34.575912 AA:AA:AA:AA:AA:AA > BB:BB:BB:BB:BB:BB, ethertype IPv4
> (0x0800), length 1197: (tos 0x0, ttl 57, id 37046, offset 0, flags
> [DF], proto TCP (6), length 1183)
>
> where AA:AA:AA:AA:AA:AA is the gateway_MAC_address that my PC
> connected and BB:BB:BB:BB:BB:BB is the wlan_interface_mac of my PC.
> My aim is to capture my gateway mac address (AA:AA:AA:AA:AA:AA) as a
> destination MAC from my PC via NFQUEUE. (like tcpdump example)
>
> Is that possible?

The problem is that the MAC address is not yet known from the output
path (postrouting hook) since it comes before the neighbour layer. So
the MAC address is not yet known.

You could catch the packet via nfqueue and then send a query to obtain
the destination MAC address by the IP destination through rtnetlink
(neighbour cache lookup from userspace).

An alternative would be to have netfilter egress hook (layer 2 MAC
information is already available from there) and add nfqueue support
too, but that's not available upstream.

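
The neighbour cache lookup suggested in the last reply, sketched in C as an added example that is not part of the thread or of libnetfilter_queue. It assumes IPv4 and Ethernet-sized (6-byte) link-layer addresses; the function names neigh_scan() and neigh_lookup() are illustrative, and the caller is expected to pass the address taken from the queued packet in network byte order.

```c
/* Added example; neigh_scan() and neigh_lookup() are illustrative names. */
#include <sys/socket.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Scan one chunk of an RTM_GETNEIGH dump for IPv4 neighbour ip_be (network
 * order). Returns 1 and fills mac if resolved, -1 at end of dump, else 0. */
int neigh_scan(void *buf, int len, uint32_t ip_be, uint8_t mac[6])
{
    for (struct nlmsghdr *nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_DONE || nh->nlmsg_type == NLMSG_ERROR)
            return -1;
        if (nh->nlmsg_type != RTM_NEWNEIGH)
            continue;
        struct ndmsg *nd = NLMSG_DATA(nh);
        struct rtattr *a = (struct rtattr *)((char *)nd + NLMSG_ALIGN(sizeof(*nd)));
        int alen = nh->nlmsg_len - NLMSG_LENGTH(sizeof(*nd));
        const void *dst = NULL, *ll = NULL;
        for (; RTA_OK(a, alen); a = RTA_NEXT(a, alen)) {
            if (a->rta_type == NDA_DST && RTA_PAYLOAD(a) == 4) dst = RTA_DATA(a);
            if (a->rta_type == NDA_LLADDR && RTA_PAYLOAD(a) == 6) ll = RTA_DATA(a);
        }
        /* Unresolved (INCOMPLETE/FAILED) entries carry no NDA_LLADDR. */
        if (nd->ndm_family == AF_INET && dst && ll && !memcmp(dst, &ip_be, 4)) {
            memcpy(mac, ll, 6);
            return 1;
        }
    }
    return 0;
}

/* Dump the kernel's IPv4 neighbour cache over rtnetlink; 1 if found, else 0. */
int neigh_lookup(uint32_t ip_be, uint8_t mac[6])
{
    struct { struct nlmsghdr nh; struct ndmsg nd; } req = {
        .nh = { .nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)),
                .nlmsg_type = RTM_GETNEIGH, .nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP },
        .nd = { .ndm_family = AF_INET } };
    struct nlmsghdr buf[1024];  /* 16 KiB receive buffer, nlmsghdr-aligned */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), n, r = 0;
    if (fd < 0)
        return 0;
    if (send(fd, &req, req.nh.nlmsg_len, 0) > 0)
        while (r == 0 && (n = recv(fd, buf, sizeof(buf), 0)) > 0)
            r = neigh_scan(buf, n, ip_be, mac);
    close(fd);
    return r == 1;
}
```

For a destination that is not on-link, the cache entry belongs to the next hop, so the gateway address is the one to look up. A return of 0 is normal for the first packet to a new neighbour, because the queue sees the packet before the neighbour layer has resolved it.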