Capturing Layer 3 Traffic

Peter John · 01-05-2007, 03:16 AM

How can we capture Layer 3 traffic on to our application / driver

Thanks
Peter

macemoneta · 01-05-2007, 08:40 PM

I assume you are refering to network traffic. The tcpdump command will let you capture any portion of each packet that pass filtering, including all the data.

Peter John · 01-06-2007, 02:05 AM

I want to be in b/n layer3 and layer2 and capture it when kernel sends packets to layer 2.

Peter John

Peter John · 01-07-2007, 04:22 AM

Between IP and Ethernet Layer in the kernel.

Can this be done ???

Peter

chort · 01-07-2007, 05:17 AM

Quote:

Originally Posted by Peter John

Between IP and Ethernet Layer in the kernel.

Can this be done ???

Peter

Sure. Checkout the kernel source and edit the TCP/IP stack to include your capturing code, then recompile...

The BPF (which is what all the other "sniffers" are built on top of) will let you observe packets on the wire, but it's not actually tracing the different operations happening in the kernel and giving you a blow-by-blow report. If you want to be in the kernel, you're going to have to write a "shim" that sits in the stack itself.

Peter John · 01-07-2007, 11:10 PM

Our Company has its own BT Stack. We want to integrate it with Linux and check "TCP/IP Over BT" functionality. i.e Layer 2 and Layer1 as our BT stack, which is functional on linux. Is there any way we can do it without kernel recompile ?

Peter John · 01-07-2007, 11:12 PM

We have our own BT Stack. We want to integrate it with Linux and check "TCP/IP Over BT" functionality. i.e Layer 2 and Layer1 as our BT stack, which is functional on linux. Is there any way we can do it without kernel recompile ?

chort · 01-07-2007, 11:27 PM

So you have a working implementation of Bluetooth for Linux and want to transport TCP/IP over it? Do you just need to watch the packets on the wire to make sure there are no anomalies, or do you need something more intrusive than that? If it's more than just observing wire traffic (well, a virtual "wire" in this case) then you're probably better off posting in either the Programming or Linux Software -> Kernel forums.

Although it's out of my realm of expertise, I doubt it's possible to achive without recompiling the kernel... Maybe it's possible to insert as a kernel module...

macemoneta · 01-07-2007, 11:33 PM

If you want to integrate into existing kernel space, you can either:

- create you own kernel module. This requires compiling the module itself against the current kernel, a process that must be repeated on each kernel upgrade. This is how many proprietary drivers are implemented. The downside is that you must "taint" the kernel (unless the code is open source under a GPL compatible license), so you become the first line of debugging for all kernel bugs for your customers.

- You can use a facility like SystemTap, if it provides the functionality you need.

- You can simply place the Ethernet interface into permissive mode (as tcpdump does), if that provides the functionality you need.

Failing all of the above, directly modifying the kernel would be need as chort indicated. However, if you are distributing the code outside your company, you are required to return the modifications to the kernel developers under the GPL.

Peter John · 01-07-2007, 11:50 PM

We need to implement transporting of TCP/IP over BT Stack.

Peter

macemoneta · 01-07-2007, 11:54 PM

TCP/IP over BT is already part of Linux, via BNEP (Bluetooth Network Encapsulation Protocol). Take a looks at this article for an overview.

Peter John · 01-08-2007, 01:26 AM

Corrections : Over OUR BT Stack, so how can we make the Kernel to route TCP/IP traffic to our BT Stack

Peter

nx5000 · 01-08-2007, 04:21 AM

Make your "BT stack" act as a network driver in terms of interface?
open,stop,start_hard_xmit,..
The current is BNEP, see this:
http://grouper.ieee.org/groups/802/1...tooth/BNEP.pdf

And then... look at the source of bnep?