What do I need to build to directly access the Ethernet frame bits in the kernel level?

Submitted by 狂风中的少年 on 2019-12-03 20:54:37
rodolk

For receiving frames destined to all hosts you must set your network interface in promiscuous mode.

For getting frames you can use different alternatives:

  1. pcap API (library libpcap)
  2. packet sockets: http://man7.org/linux/man-pages/man7/packet.7.html
  3. Look at ebtables (I've never used it so I'm not sure on this point): http://linux.die.net/man/8/ebtables
  4. Here netfilter is proposed: How to capture network frames in a kernel module

If you still want to hack the kernel you don't need to create a new Ethernet device driver, just write a kernel module that registers to receive frames received from the Ethernet device driver. Look at kernel file http://lxr.free-electrons.com/source/net/core/dev.c , you can begin with function:

int netif_rx(struct sk_buff *skb)

This is the one receiving frames from the device driver.
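
The packet-socket option from the list above (item 2), combined with promiscuous mode, as an added user-space example that is not part of the original answers. The helper names `parse_eth` and `open_capture` and the default interface name `eth0` are assumptions; opening the socket requires root or CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Decode an Ethernet II header. Returns the payload offset, or -1 if truncated. */
int parse_eth(const uint8_t *frame, size_t len, struct ether_header *out, uint16_t *type)
{
    if (len < sizeof(*out)) return -1;
    memcpy(out, frame, sizeof(*out));
    *type = ntohs(out->ether_type);
    if (*type != ETHERTYPE_VLAN) return (int)sizeof(*out);
    if (len < sizeof(*out) + 4) return -1;      /* in-line 802.1Q tag is cut short */
    *type = (uint16_t)(frame[16] << 8 | frame[17]);
    return (int)sizeof(*out) + 4;
}
/* Open a packet(7) socket bound to ifname with per-socket promiscuous mode. */
int open_capture(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));   /* needs CAP_NET_RAW */
    if (fd < 0) return -1;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(ifname) };
    struct packet_mreq mr = { .mr_ifindex = sll.sll_ifindex, .mr_type = PACKET_MR_PROMISC };
    if (sll.sll_ifindex != 0 && bind(fd, (struct sockaddr *)&sll, sizeof(sll)) == 0 &&
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == 0)
        return fd;
    close(fd);
    return -1;
}
int main(int argc, char **argv)
{
    uint8_t buf[2048]; struct ether_header eh; uint16_t type;
    int fd = open_capture(argc > 1 ? argv[1] : "eth0");   /* "eth0" is an assumed name */
    if (fd < 0) { perror("open_capture"); return 1; }
    for (int i = 0; i < 10; i++) {                          /* ten frames, then stop */
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        if (n < 0 || parse_eth(buf, (size_t)n, &eh, &type) < 0) continue;
        const uint8_t *s = eh.ether_shost;
        printf("src %02x:%02x:%02x:%02x:%02x:%02x type 0x%04x len %zd\n",
               s[0], s[1], s[2], s[3], s[4], s[5], type, n);
    }
    close(fd);
    return 0;
}
```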

There are very good tools available for capturing and retrieving Ethernet frames. These tools are tcpdump and Wireshark. Tcpdump is a command-line utility, whereas Wireshark is a GUI-based utility. You can use whichever is comfortable for you. For more information on these tools, please see the following links:

http://www.tcpdump.org/tcpdump_man.html

https://www.wireshark.org/docs/wsug_html_chunked/

It depends on the version of linux kernel and also on the processor that is being used.

In general, you may need to do some changes at the level of your network driver's interrupt handler. Normally, as soon as the packet is received, the driver will be interrupted with the corresponding receive interrupt. Once the receive interrupt is determined, the packet shall not be completely processed in the interrupt handler itself. Instead, the handler will trigger a bottom half that shall do the further processing of the packet and this is where you might need to determine the packet type and handle it according to your requirement. Also, note that some NICs would have directly DMA'd the data into sk_buff from where it will be sent to the stack. In such case, sk_buff can be fetched for your use once it is got from DMA (sk_buff holds info of packet like data, header).

Netfilter is one of the good options to try. It is a packet filtering framework (set of hooks) with callback functions getting invoked when the respective hook is traversed by the packet. This in turn can enable you to classify / process packets as per your requirement.

Also, note that some processors have hardware-based packet processing / accelerator modules that can be configured to filter packet type / protocol of interest by just configuring the respective input ports. Some hardware modules can also extract the payload's metadata and place it in a buffer as per certain configured extraction/parsing rules without any kind of intervention from the user.

These are a few high-level views on retrieval & processing of Ethernet frames, and note that it is closely knit with your system architecture/design/driver.
