tcpdump mailing list archives
Re: wireshark extension for a Kernel Module (like Usbmon)
From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 7 Mar 2022 10:37:13 -0800
--- Begin Message ---
From: Guy Harris <gharris () sonic net>
Date: Mon, 7 Mar 2022 10:37:13 -0800
On Mar 7, 2022, at 5:55 AM, Christian via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

> hello out there,
>
> I created a kernel probe module and I want to watch the outputs of that module with pcap/Wireshark or tcpdump... Just like usbmon. My preferred tool is dumpcap.
>
> So I defined a char device in the dev-directory /dev/kpnode from which the pcap interface can read the output of that module. In order to enable reading, I started to place a handler function into libpcap:
>
> In pcap.c I put in
>
>   #ifdef PCAP_SUPPORT_KPNODE
>   #include "pcap-kpnode.h"
>   #endif
>
> and later:
>
>   #ifdef PCAP_SUPPORT_KPNODE
>   { kpnode_findalldevs, kpnode_create },
>   #endif

That's the correct way to add it to the table of libpcap modules.

> further down:
>
>   #ifdef PCAP_SUPPORT_KPNODE
>   || strstr(device, "kpnode") != NULL
>   #endif

That's presumably in pcap_lookupnet(); if so, that's the correct way to add kpnode there. (I need to change that to use a better mechanism, so that it's the responsibility of the module to handle that, rather than hardcoding module information in a function.)

> The functions kpnode_findalldevs and kpnode_create are in my files pcap-kpnode.c and pcap-kpnode.h. They are not finished yet, but the subject of this mail is, for now, how to connect these functions into libpcap and Wireshark so that they are invoked if a device /dev/kpnode emerges.
>
> Further I added an entry to configure.ac:
>
>   AC_DEFINE(PCAP_SUPPORT_KPNODE, 1, [target host supports Linux kpmode])
>
> I'm not sure if editing the autoconf input file is too much, because I don't want to commit my changes to other platforms; it's just a small project of my own.

If you're just doing it on your own, and you will be using this modified libpcap only on systems where kpnode is available, the easiest way to do it would be to leave out the #ifdefs for PCAP_SUPPORT_KPNODE.

If your entry in configure.ac unconditionally sets PCAP_SUPPORT_KPNODE, it's not useful, as it's equivalent to just removing the #ifdefs and hardwiring kpnode support into your version of libpcap. If it *doesn't* unconditionally set PCAP_SUPPORT_KPNODE, then you might as well leave the #ifdefs in.

> But there are also some entries for USBMON in e.g. CMakeList.txt and more.

If you're not planning on committing your changes, and you don't plan to use CMake in the build process, there's no need to modify CMakeList.txt or anything else CMake-related, such as cmakeconfig.h.in.

> After execution of the configure script I manually put my files into the EXTRA_DIST list.

EXTRA_DIST is useful only if you plan to do "make releasetar" to make a source tarball - and if you want to do *that*, add it to Makefile.in, not to Makefile, so you won't have to fix Makefile manually.

> But so far, when I build the pcap library, not even the symbol kpnode appears in the binary

Do you mean that a symbol named "kpnode" doesn't appear in the (shared) library binary? Or do you mean that symbols with "kpnode" in their names, such as kpnode_findalldevs and kpnode_create, don't appear in the library binary? If so, are you looking for *exported* symbols or *all* symbols? On most platforms - and Linux is one such platform - we compile libpcap so that *only* routines we've designated as being libpcap APIs are exported by the library; others are internal-only symbols.

For example, if I do

    $ nm libpcap.so.1.11.0-PRE-GIT | egrep usb_
    000000000002f480 t swap_linux_usb_header.isra.0
    000000000000ee60 t usb_activate
    000000000000eb00 t usb_cleanup_linux_mmap
    000000000000f300 t usb_create
    000000000000f150 t usb_findalldevs
    000000000000e670 t usb_inject_linux
    000000000000e6b0 t usb_read_linux_bin
    000000000000e860 t usb_read_linux_mmap
    000000000000e660 t usb_setdirection_linux
    000000000000edc0 t usb_set_ring_size
    000000000000ed20 t usb_stats_linux_bin

on my Ubuntu 20.04 VM, it shows symbols for the Linux usbmon module, *but* they aren't exported symbols - they're shown with 't', not 'T'.

By contrast, if I do

    $ nm libpcap.so.1.11.0-PRE-GIT | egrep pcap_open
    0000000000012ea0 T pcap_open
    000000000001bdc0 T pcap_open_dead
    000000000001bce0 T pcap_open_dead_with_tstamp_precision
    000000000001b9a0 T pcap_open_live
    000000000002cf20 T pcap_open_offline
    000000000001ab10 t pcap_open_offline_common
    000000000002cde0 T pcap_open_offline_with_tstamp_precision
    0000000000015b70 t pcap_open_rpcap

symbols such as pcap_open(), pcap_open_live(), pcap_open_offline(), etc. *are* exported symbols - they're shown with 'T'.

So, to check for symbols, you should do "nm" and pipe the result to "egrep kpnode_". Those symbols should show up with 't', not 'T', as they aren't part of the API - kpnode_findalldevs() should automatically get called if a program calls pcap_findalldevs() (e.g., if tcpdump is compiled with this library, "tcpdump -D" should cause kpnode_findalldevs() to be called, and should show the kpnode device(s)), and kpnode_create() should automatically get called if a program calls pcap_create() (or pcap_open_live()) on a kpnode device (e.g., if tcpdump is compiled with this library, "tcpdump -i kpnode", or whatever the name of a kpnode device is, should cause kpnode_create() to be called, and should capture on that kpnode device if run with sufficient privileges to do so).

> but there is an object file of my handler file pcap-kpnode.c. So my changes are not in the library.

You *also* need to modify configure.ac so that, if it sets PCAP_SUPPORT_KPNODE, it also does

    MODULE_C_SRC="$MODULE_C_SRC pcap-kpnode.c"

to add pcap-kpnode.c to the list of libpcap module source files. Not only will that cause it to be compiled into an object file, it will also cause that object file to be included in the library.

Given that you got a pcap-kpnode.o file, then either you compiled it manually yourself, or you made a change of that sort, or you manually added pcap-kpnode.c to the list of module source files in the Makefile after configuring, or you manually added it to the list of module source files in Makefile.in *before* configuring, or you added it to another source file list, or you did something else. Which of those did you do?
--- End Message ---
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- wireshark extension for a Kernel Module (like Usbmon) Christian via tcpdump-workers (Mar 07)
- Re: wireshark extension for a Kernel Module (like Usbmon) Guy Harris via tcpdump-workers (Mar 07)
- Message not available
- Re: wireshark extension for a Kernel Module (like Usbmon) Christian via tcpdump-workers (Mar 08)
- Re: wireshark extension for a Kernel Module (like Usbmon) Christian via tcpdump-workers (Mar 08)
- Re: wireshark extension for a Kernel Module (like Usbmon) Christian via tcpdump-workers (Mar 08)