- 07-21-2010 #1 Just Joined!
- Join Date
- Jul 2010
- Posts
- 7
How can I capture packets from the DMA ring buffer?
Hi everybody, does anybody work with the Linux DMA ring buffer? I wanna capture network packets from the DMA ring buffer, just like netfilter. I wanna capture them from DMA because I wanna get the MAC address of I/O packets; netfilter does not include the MAC address of outgoing packets because it's at the IP level, and Ebtables is like that too. I'll be glad if somebody can help me with how I can capture network packets from the DMA ring buffer.
- 07-21-2010 #2 Linux Newbie
- Join Date
- Mar 2010
- Posts
- 121
- 07-21-2010 #3 Just Joined!
- Join Date
- Jul 2010
- Posts
- 7
No, I didn't try, but that's a good idea; I'll try it. But I don't think I'm gonna find my answer, because netfilter is at the IP level: if I capture packets like netfilter I will capture them at the IP level and I'm not gonna get the MAC address in output packets. Actually I asked through their mails, but they didn't answer my question clearly; they just said "search, you'll find it". But I know that if I capture packets after the network driver level, at level 2, I can get the MAC address in I/O, but I can't drop or accept that packet like netfilter. I just wanna write a driver with which I can get the MAC address and the full packet in I/O, with the ability to drop and accept packets.
- 07-22-2010 #4 Linux Newbie
- Join Date
- Mar 2010
- Posts
- 121
- 07-23-2010 #5 Just Joined!
- Join Date
- Jul 2010
- Posts
- 7
I wrote lots of programs with Libpcap, such as a logger and so on. The Libpcap source is all user space. I wanna write a driver in kernel space like the network drivers, which capture packets from the DMA buffer or the socket ring buffer with PF_RING and send them to the user layer with netif_rx(). I just wanna capture packets in kernel space for more speed. I know that there is a way of capturing after the network driver. After the network driver gets the packet, I wanna be the first program, ahead of all others, to capture that packet. I just wanna do this; I'm searching for this. There is another way, in which I have to write a virtual network driver for capturing the packets, but it's not a good idea because I have to cancel the main network driver's transportation. I just wanna capture packets after the network driver: after the network driver gets the packet, I wanna be the first program, ahead of all others, to capture the packets.
- 08-05-2010 #6 Just Joined!
- Join Date
- Aug 2010
- Posts
- 2
Hi,
I have a question about implementing a DMA module (using ring buffer/circular buffer technology). Normally it will run in kernel space instead of user space, but I don't have that much knowledge about it. Is it more useful to code in kernel space? Please help. Thanks.
- 08-05-2010 #7 Just Joined!
- Join Date
- Jul 2010
- Posts
- 7
Hi,
Well, it depends on the program that you wanna write. For example, in my situation I have to capture all packets with the possibility to drop or accept each packet, and for more speed I have to write it in kernel space. I can capture them with the Libpcap API in user space, but I can't drop and accept them; for that reason I wanna write a module in kernel space.
So, when do we have to write a module in kernel space?
First, when we wanna write a driver for handling the hardware. Second, when we wanna get something from a driver AND we wanna do that with higher speed, because kernel space is much faster than user space. Third, when you wanna write a program that you can't write in user space; for example, you wanna write USB port filtering that filters the whole USB driver, e.g. this file shouldn't go or this file should go, and so on. These are the kinds of programs that you have to write in kernel space. In fact you have the possibility to write every program in kernel space, but it's really dangerous because kernel space is (warning as an error): it means that each warning would cause kernel crashes and freezes. E.g. if you wanna write a download manager, you don't need to write it in kernel space because you can write it in user space; you don't need a module for that program. And you can write it only with C; you can't write it with C++.
It depends on your program, but it's good to learn it. Below is a link that can help you.
- 08-05-2010 #8 Just Joined!
- Join Date
- Jul 2010
- Posts
- 7
I can't send you the link because Linux Forums is saying you can't, so look up this book on the internet:
The Linux Kernel Module Programming Guide
Peter Jay Salzman
Michael Burian
Ori Pomerantz
- 08-06-2010 #9 Just Joined!
- Join Date
- Aug 2010
- Posts
- 2
Thanks for the info. I am actually trying to solve packet loss in real-time network traffic. Existing solutions mostly did the coding in the kernel while implementing a lib in user space. This is why I get confused, because some of them implemented the DMA module in both spaces.
- 08-06-2010 #10 Just Joined!
- Join Date
- Jul 2010
- Posts
- 7
Actually I'm writing a firewall, and I found out how to control the packets after the network driver, because once they get the packets from the DMA ring buffer, the driver sends them to the IP level through the netif_rx() API, and there is no way to capture the full packet in input and output, because netfilter is at the IP level and it does not have the MAC header in the output packet. Now I'm trying to change the Linux source and I'm adding new things in the first and last APIs: the first API is after the network driver and it sends the packet to the IP level, and the last API, for output, is just before the packet gets sent on the wire. I'm writing my things there for capturing all packets that are captured by the network driver, with the possibility to accept and drop the packets there, or I can send all those packets to user space for other solutions such as antiviruses, IDS/IPS and so on, or other firewall rules, by Netlink or syscall. If you don't need the MAC header in output you could use netfilter; it works well, it does not have any packet loss, and you could handle all packets there. If you need the full packet like me for handling them, you have to write something like mine, because you can't handle the packet after the network driver; you can only get a copy of the packets from the DMA ring buffer because the driver has sent them to the IP level. If you wanna capture packets from the DMA ring buffer, check out PF_RING on the ntop website; it's the best network usage monitoring software.
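
An added example, not code from any post in this thread: the layer-2 check the thread is after, written as user-space C so it runs without a kernel hook. It parses the Ethernet header of a full frame, including one optional 802.1Q VLAN tag, reads both MAC addresses, and returns an accept/drop verdict from a source-MAC blocklist. The names `l2_parse` and `l2_verdict`, the frames and the blocklist are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETHERTYPE_VLAN 0x8100  /* an 802.1Q tag follows the MAC addresses */
enum verdict { L2_DROP = 0, L2_ACCEPT = 1 };

struct l2_info {
    uint8_t  dst[6], src[6];
    uint16_t ethertype;        /* EtherType after an optional 802.1Q tag */
    size_t   l3_off;           /* offset where the layer-3 header starts */
};

/* Constructed sample data, not captured traffic. */
static const uint8_t BLOCKED[][6] = { {0x02,0x00,0x00,0x00,0x00,0xbb} };
static const uint8_t FRAME_OK[] = {        /* plain IPv4 frame */
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0xaa,  0x08,0x00,  0x45,0x00 };
static const uint8_t FRAME_VLAN_BAD[] = {  /* VLAN 100, blocked source MAC */
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0xbb,  0x81,0x00, 0x00,0x64,  0x08,0x00,  0x45,0x00 };

/* Parse the link-layer header; returns 0, or -1 if the frame is truncated. */
int l2_parse(const uint8_t *f, size_t len, struct l2_info *out)
{
    size_t off = ETH_HDR_LEN;
    if (len < ETH_HDR_LEN) return -1;
    memcpy(out->dst, f, 6);
    memcpy(out->src, f + 6, 6);
    out->ethertype = (uint16_t)((f[12] << 8) | f[13]);
    if (out->ethertype == ETHERTYPE_VLAN) {     /* step over one 802.1Q tag */
        if (len < off + 4) return -1;
        out->ethertype = (uint16_t)((f[16] << 8) | f[17]);
        off += 4;
    }
    out->l3_off = off;
    return 0;
}

/* Verdict in the style of a packet-filter hook: drop truncated frames and
 * frames whose source MAC is on the blocklist, accept everything else. */
enum verdict l2_verdict(const uint8_t *f, size_t len)
{
    struct l2_info i;
    if (l2_parse(f, len, &i) != 0) return L2_DROP;
    for (size_t k = 0; k < sizeof BLOCKED / sizeof BLOCKED[0]; k++)
        if (memcmp(i.src, BLOCKED[k], 6) == 0) return L2_DROP;
    return L2_ACCEPT;
}
```

Truncated frames are dropped rather than passed on, so a short read can never reach the MAC comparison with uninitialised fields.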



