[SOLVED] Problem with filtering network packets

[Alex_Justes]

i've registered hook-function with netfilter(NF_IP_PRE_ROUTING), so i have an ability to watch every packet, that comes from the network. I want to know, is there are any methods to look into the data part of the packet(i.e. http headers)?

here is the problem:
skb->len returns right size of the whole packet, but when i read skb->len bytes from skb->data i get only ip and tcp headers and then some strange bytes(no correct data(i.e. http headers))) (skb have type struct sk_buff *)

P.S.
Kernel - 2.6.31

[Lazydog]

Have you looked at tcpdump or wireshark for capturing the packets? They both will caputer the complete packet data and all.

[Alex_Justes]

>>tcpdump or wireshark

It appears, that they are using pcap library, so they can only capture. However i need tools to modify packet on the fly(depending on it's contents). As i know, pcap doesn't provides such capabilities.

[Alex_Justes]

Seems to be i solve one part of that puzzle:

if (skb->data_len > 0) then the packet is fragmented(i.e. protocol headers stays in the skb->data, other contents of the packet are situated in some fragments)

skb_shinfo(skb)->frags - it is pointer to an array of fragments of our packet
skb_shinfo(skb)->nr_frags - it is amount of such fragments

Each entry in this array is struct skb_frag_struct(see comment), so, it seems to be possible to get data from different pages. =)

/*
struct skb_frag_struct{
struct page *page;
__u32 page_offset;
__u32 size;
};
*/

[Alex_Justes]

I've found lazy but simple solution =)

skb_linearize(skb); - makes fragmented sk_buff to linear one. So you can read skb->len bytes from skb->data without any problems with pages and packet's fragments.