dumpcap, interfaces, and promiscuous mode

dumpcap, interfaces, and promiscuous mode

[Ben Magistro]

[-- Attachment #1: Type: text/plain, Size: 2298 bytes --]

I'd like to start out by saying what I believed to be a simple change
(a8dde09 ("app/dumpcap: allow help/version without primary process")) seems
to have had more ripples than I anticipated.  I'd like to just get a
conversation going here before developing/submitting a patch.  I think this
will likely need to be at least two patches just to keep scope in check.

With regard to interface selection, the most recent patch (7f3623a
("app/dumpcap: fix select interface")) breaks capturing on
multiple interfaces.  You can still specify the `-i` option as many times
as you would like but only the last entry is used in the capture selection
as each entry just overwrites the previous entry.  I believe this needs to
be flipped to an array or similar structure that can have entries
appended to it as the arguments are processed.  Selecting all interfaces
with the asterisk seems to be unaffected but could also result in capturing
traffic on unnecessary interfaces.

With regard to promiscuous mode, there are two areas of concern here.  The
first is this flag is global and not per interface.  I can envision a
scenario where you might want to capture on one interface in promiscuous
mode and on a second not in promiscuous mode.  My first thought is to make
this option follow the interface parameter then when parsing arguments so
that it can be associated with a specific interface.  The second is that if
I run a capture in promiscuous mode and then stop the capture, it will also
disable promiscuous mode.  Generally I think I would agree with this
behavior as it follows how a typical call to tcpdump should behave.  The
concern here though is that that the main process may have been
started/running with promiscuous mode and stopping a capture would change
that mode for the main process.  My first thought here is to query the
initial state and check that when quitting to know if it should disable
promiscuous mode or not.  This brings me to another aspect here and I don't
think changing the behaviour of the `-p` flag is appropriate, but can see
maybe adding an option to inherit the main process's promiscuous state(s)
when starting.

Happy to try and work on some of these changes but want to talk through the
issues first so we can try to address all of them.

Cheers,

Ben Magistro

[-- Attachment #2: Type: text/html, Size: 2492 bytes --]

Re: dumpcap, interfaces, and promiscuous mode

[Stephen Hemminger]

On Tue, 27 Dec 2022 09:26:14 -0500
Ben Magistro <koncept1@gmail.com> wrote:

> I'd like to start out by saying what I believed to be a simple change
> (a8dde09 ("app/dumpcap: allow help/version without primary process")) seems
> to have had more ripples than I anticipated.  I'd like to just get a
> conversation going here before developing/submitting a patch.  I think this
> will likely need to be at least two patches just to keep scope in check.
> 
> With regard to interface selection, the most recent patch (7f3623a
> ("app/dumpcap: fix select interface")) breaks capturing on
> multiple interfaces.  You can still specify the `-i` option as many times
> as you would like but only the last entry is used in the capture selection
> as each entry just overwrites the previous entry.  I believe this needs to
> be flipped to an array or similar structure that can have entries
> appended to it as the arguments are processed.  Selecting all interfaces
> with the asterisk seems to be unaffected but could also result in capturing
> traffic on unnecessary interfaces.
> 
> With regard to promiscuous mode, there are two areas of concern here.  The
> first is this flag is global and not per interface.  I can envision a
> scenario where you might want to capture on one interface in promiscuous
> mode and on a second not in promiscuous mode.  My first thought is to make
> this option follow the interface parameter then when parsing arguments so
> that it can be associated with a specific interface.  The second is that if
> I run a capture in promiscuous mode and then stop the capture, it will also
> disable promiscuous mode.  Generally I think I would agree with this
> behavior as it follows how a typical call to tcpdump should behave.  The
> concern here though is that that the main process may have been
> started/running with promiscuous mode and stopping a capture would change
> that mode for the main process.  My first thought here is to query the
> initial state and check that when quitting to know if it should disable
> promiscuous mode or not.  This brings me to another aspect here and I don't
> think changing the behaviour of the `-p` flag is appropriate, but can see
> maybe adding an option to inherit the main process's promiscuous state(s)
> when starting.
> 
> Happy to try and work on some of these changes but want to talk through the
> issues first so we can try to address all of them.
> 
> Cheers,
> 
> Ben Magistro

I believe all this got fixed by the 22.11 version.
Since dumpcap has interface parameter, it should only enable the ones it
is using.

The user interface for the DPDK version of dumpcap is modeled after
the wireshark version. In general would not like to invent lots of new
DPDK specific options here.

Re: dumpcap, interfaces, and promiscuous mode

[Ben Magistro]

[-- Attachment #1: Type: text/plain, Size: 5835 bytes --]

I would like to respectfully ask that you please re-read my initial email.

Unfortunately the interface selection issue I describe is not resolved in
22.11 (currently running).  It is also easily observed by reviewing the
current code (once one knows to look for it).  I'll be the first to admit I
did not catch it when looking at the patch.  To try and summarize it again
here, it is trying to store an array of interfaces (multiple -i options)
into a single char variable.  The only interface that is persisted to
selection is the last one specified because it overwrites the
previously saved interface(s).  If the intent is to only support capturing
on a single interface then the asterisk option should be removed, it should
become an error to specify the interface multiple times, and the associated
documentation should be updated to reflect this.  However, I do not believe
the intent is to limit capture to a single interface and would not support
such a change.

I can understand modeling dumpcap off the wireshark version but DPDK brings
its own unique capabilities and I believe those need to be accounted for
too.

Looking at the man page of wireshark's dumpcap, it indicates that the "-p"
option can be specified multiple times and it needs to be relative to the
interface [1], if it is not it may be ignored.  Implementing this change
seems like it would bring DPDK dumpcap closer to the behavior of
wireshark's dumpcap when specifying the interface's promiscuous mode.

The above promiscuous mode change does not address the potential issue of
stopping a capture and it changing an interface's promiscuous mode for the
main application that continues to run.  The only path forward here that I
can see is storing the initial promiscuous mode state on each interface
that a capture is occurring on and checking that to determine what should
be done when stopping dumpcap.

This leaves the last question of being able to just inherit the main
process's promiscuous state so that a user doesn't necessarily need to know
which interfaces are in which state when starting dumpcap to troubleshoot
something.  Tying in to the previous about storing the state, it would
potentially avoid a user starting all interfaces in promiscuous mode which
might result in different traffic in the capture than the application
normally sees.

Finally after looking at the wireshark dumpcap man page, I believe there is
a new issue here as well.  The man page states that if a capture will occur
on multiple interfaces, the file will be saved in pcapng format.  Quickly
at the code it does not look like this is the current behavior of DPDK
dumpcap.

As mentioned before I am happy to try and work on some of these changes,
but would like to have something of a plan before starting that work.

Cheers,

Ben Magistro

[1] https://www.wireshark.org/docs/man-pages/dumpcap.html

On Tue, Dec 27, 2022 at 11:43 AM Stephen Hemminger <
stephen@networkplumber.org> wrote:

> On Tue, 27 Dec 2022 09:26:14 -0500
> Ben Magistro <koncept1@gmail.com> wrote:
>
> > I'd like to start out by saying what I believed to be a simple change
> > (a8dde09 ("app/dumpcap: allow help/version without primary process"))
> seems
> > to have had more ripples than I anticipated.  I'd like to just get a
> > conversation going here before developing/submitting a patch.  I think
> this
> > will likely need to be at least two patches just to keep scope in check.
> >
> > With regard to interface selection, the most recent patch (7f3623a
> > ("app/dumpcap: fix select interface")) breaks capturing on
> > multiple interfaces.  You can still specify the `-i` option as many times
> > as you would like but only the last entry is used in the capture
> selection
> > as each entry just overwrites the previous entry.  I believe this needs
> to
> > be flipped to an array or similar structure that can have entries
> > appended to it as the arguments are processed.  Selecting all interfaces
> > with the asterisk seems to be unaffected but could also result in
> capturing
> > traffic on unnecessary interfaces.
> >
> > With regard to promiscuous mode, there are two areas of concern here.
> The
> > first is this flag is global and not per interface.  I can envision a
> > scenario where you might want to capture on one interface in promiscuous
> > mode and on a second not in promiscuous mode.  My first thought is to
> make
> > this option follow the interface parameter then when parsing arguments so
> > that it can be associated with a specific interface.  The second is that
> if
> > I run a capture in promiscuous mode and then stop the capture, it will
> also
> > disable promiscuous mode.  Generally I think I would agree with this
> > behavior as it follows how a typical call to tcpdump should behave.  The
> > concern here though is that that the main process may have been
> > started/running with promiscuous mode and stopping a capture would change
> > that mode for the main process.  My first thought here is to query the
> > initial state and check that when quitting to know if it should disable
> > promiscuous mode or not.  This brings me to another aspect here and I
> don't
> > think changing the behaviour of the `-p` flag is appropriate, but can see
> > maybe adding an option to inherit the main process's promiscuous state(s)
> > when starting.
> >
> > Happy to try and work on some of these changes but want to talk through
> the
> > issues first so we can try to address all of them.
> >
> > Cheers,
> >
> > Ben Magistro
>
> I believe all this got fixed by the 22.11 version.
> Since dumpcap has interface parameter, it should only enable the ones it
> is using.
>
> The user interface for the DPDK version of dumpcap is modeled after
> the wireshark version. In general would not like to invent lots of new
> DPDK specific options here.
>

[-- Attachment #2: Type: text/html, Size: 6877 bytes --]

Re: dumpcap, interfaces, and promiscuous mode

[Stephen Hemminger]

On Wed, 28 Dec 2022 09:12:12 -0500
Ben Magistro <koncept1@gmail.com> wrote:

> I would like to respectfully ask that you please re-read my initial email.
> 
> Unfortunately the interface selection issue I describe is not resolved in
> 22.11 (currently running).  It is also easily observed by reviewing the
> current code (once one knows to look for it).  I'll be the first to admit I
> did not catch it when looking at the patch.  To try and summarize it again
> here, it is trying to store an array of interfaces (multiple -i options)
> into a single char variable.  The only interface that is persisted to
> selection is the last one specified because it overwrites the
> previously saved interface(s).  If the intent is to only support capturing
> on a single interface then the asterisk option should be removed, it should
> become an error to specify the interface multiple times, and the associated
> documentation should be updated to reflect this.  However, I do not believe
> the intent is to limit capture to a single interface and would not support
> such a change.
> 
> I can understand modeling dumpcap off the wireshark version but DPDK brings
> its own unique capabilities and I believe those need to be accounted for
> too.
> 
> Looking at the man page of wireshark's dumpcap, it indicates that the "-p"
> option can be specified multiple times and it needs to be relative to the
> interface [1], if it is not it may be ignored.  Implementing this change
> seems like it would bring DPDK dumpcap closer to the behavior of
> wireshark's dumpcap when specifying the interface's promiscuous mode.
> 
> The above promiscuous mode change does not address the potential issue of
> stopping a capture and it changing an interface's promiscuous mode for the
> main application that continues to run.  The only path forward here that I
> can see is storing the initial promiscuous mode state on each interface
> that a capture is occurring on and checking that to determine what should
> be done when stopping dumpcap.
> 
> This leaves the last question of being able to just inherit the main
> process's promiscuous state so that a user doesn't necessarily need to know
> which interfaces are in which state when starting dumpcap to troubleshoot
> something.  Tying in to the previous about storing the state, it would
> potentially avoid a user starting all interfaces in promiscuous mode which
> might result in different traffic in the capture than the application
> normally sees.
> 
> Finally after looking at the wireshark dumpcap man page, I believe there is
> a new issue here as well.  The man page states that if a capture will occur
> on multiple interfaces, the file will be saved in pcapng format.  Quickly
> at the code it does not look like this is the current behavior of DPDK
> dumpcap.
> 
> As mentioned before I am happy to try and work on some of these changes,
> but would like to have something of a plan before starting that work.
> 
> Cheers,
> 
> Ben Magistro
> 
> [1] https://www.wireshark.org/docs/man-pages/dumpcap.html
> 
> On Tue, Dec 27, 2022 at 11:43 AM Stephen Hemminger <
> stephen@networkplumber.org> wrote:  
> 
> > On Tue, 27 Dec 2022 09:26:14 -0500
> > Ben Magistro <koncept1@gmail.com> wrote:
> >  
> > > I'd like to start out by saying what I believed to be a simple change
> > > (a8dde09 ("app/dumpcap: allow help/version without primary process"))  
> > seems  
> > > to have had more ripples than I anticipated.  I'd like to just get a
> > > conversation going here before developing/submitting a patch.  I think  
> > this  
> > > will likely need to be at least two patches just to keep scope in check.
> > >
> > > With regard to interface selection, the most recent patch (7f3623a
> > > ("app/dumpcap: fix select interface")) breaks capturing on
> > > multiple interfaces.  You can still specify the `-i` option as many times
> > > as you would like but only the last entry is used in the capture  
> > selection  
> > > as each entry just overwrites the previous entry.  I believe this needs  
> > to  
> > > be flipped to an array or similar structure that can have entries
> > > appended to it as the arguments are processed.  Selecting all interfaces
> > > with the asterisk seems to be unaffected but could also result in  
> > capturing  
> > > traffic on unnecessary interfaces.
> > >
> > > With regard to promiscuous mode, there are two areas of concern here.  
> > The  
> > > first is this flag is global and not per interface.  I can envision a
> > > scenario where you might want to capture on one interface in promiscuous
> > > mode and on a second not in promiscuous mode.  My first thought is to  
> > make  
> > > this option follow the interface parameter then when parsing arguments so
> > > that it can be associated with a specific interface.  The second is that  
> > if  
> > > I run a capture in promiscuous mode and then stop the capture, it will  
> > also  
> > > disable promiscuous mode.  Generally I think I would agree with this
> > > behavior as it follows how a typical call to tcpdump should behave.  The
> > > concern here though is that that the main process may have been
> > > started/running with promiscuous mode and stopping a capture would change
> > > that mode for the main process.  My first thought here is to query the
> > > initial state and check that when quitting to know if it should disable
> > > promiscuous mode or not.  This brings me to another aspect here and I  
> > don't  
> > > think changing the behaviour of the `-p` flag is appropriate, but can see
> > > maybe adding an option to inherit the main process's promiscuous state(s)
> > > when starting.
> > >
> > > Happy to try and work on some of these changes but want to talk through  
> > the  
> > > issues first so we can try to address all of them.
> > >
> > > Cheers,
> > >
> > > Ben Magistro  
> >
> > I believe all this got fixed by the 22.11 version.
> > Since dumpcap has interface parameter, it should only enable the ones it
> > is using.
> >
> > The user interface for the DPDK version of dumpcap is modeled after
> > the wireshark version. In general would not like to invent lots of new
> > DPDK specific options here.
> >  

Your right, there are three different bugs here.

To summarize:
1. Even DPDK 22.11 is not keeping track of interfaces correctly; appears
to be related to command line parsing changes.

2. Promiscuous mode is not restored on exit. The non DPDK (kernel version)
gets this as part of the API (promiscuous is a counter). This should be
fixable for normal exit. If dumpcap crashes, not easy to handle.

3. Promiscuous option parsing is not the same as dumpcap.

If you have any relevant patches, please post. Will look at these
bugs in coming year.