Category: LINUX
2009-09-03 21:54:10
So is there a technique to filter this kind of ARP traffic?

17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17

Can anyone help?

Michael Davidson wrote:

> Hi,
> Forgive me if I point out the obvious. Remember that ARP isn't an
> IP protocol; it's a peer protocol to IP. In the tc filters shown below
> the protocol is IP and the negative offset works on an IP packet, but I
> suspect that an ARP packet isn't accessible with this technique. If I
> substitute IP for ARP in the filter statement it isn't accepted.
>
> Regards Mike D.
>
> Kristiadi Himawan wrote:
>
>> Should it be 0x0806 0xffff?
>> Or do you have an example of how to catch that kind of traffic?
>>
>> gypsy wrote:
>>
>>> Kristiadi Himawan wrote:
>>>
>>>> Does it also match this kind of traffic?
>>>>
>>>> 17:16:53.740978 arp who-has 192.43.165.29 tell 192.43.165.30
>>>> 17:16:53.752482 arp reply 192.43.165.29 is-at 00:04:c1:b5:bd:f1
>>>> 17:16:53.812889 arp who-has 192.43.162.194 tell 192.43.162.193
>>>> 17:16:53.812922 arp reply 192.43.162.194 is-at 00:08:c7:c9:a3:17
>>>
>>> No. The 'match u16 0x0800 0xffff' says to ignore ARP.
>>>
>>>> Lee Sanders wrote:
>>>>
>>>>> You haven't done a search on past posts...
>>>>>
>>>>> The u32 can be used to match any bit in the IP header. Before the
>>>>> IP header, there is a frame header. In that frame header you can
>>>>> find the src and dst MAC address. You can trick the u32 filter into
>>>>> using the frame header if you use negative offsets.
>>>>>
>>>>> Decimal Offset  Description
>>>>> -14:            DST MAC, 6 bytes
>>>>> -8:             SRC MAC, 6 bytes
>>>>> -2:             Eth PROTO, 2 bytes, e.g. ETH_P_IP
>>>>> 0:              Protocol header (IP Header)
>>>>>
>>>>> Where PPPP is the Eth Proto Code (from
>>>>> linux/include/linux/if_ether.h):
>>>>> ETH_P_IP = IP = match u16 0x0800
>>>>> Where your MAC = M0M1M2M3M4M5
>>>>>
>>>>> Egress (match Dst MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u32 0xM2M3M4M5 0xFFFFFFFF at -12 match u16 0xM0M1 0xFFFF at -14
>>>>>
>>>>> Ingress (match Src MAC):
>>>>> ... match u16 0xPPPP 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8
>>>>>
>>>>> The below is simplistic but it works to demonstrate the above.
>>>>>
>>>>> tc qdisc add dev ppp0 root handle 1:0 htb default 20
>>>>> tc class add dev ppp0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
>>>>>
>>>>> tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
>>>>> tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
>>>>>
>>>>> tc qdisc add dev ppp0 parent 1:10 handle 100: sfq perturb 10
>>>>> tc qdisc add dev ppp0 parent 1:20 handle 200: sfq perturb 10
>>>>>
>>>>> # My Laptop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8 flowid 1:10
>>>>> # My Desktop
>>>>> tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match u16 0x0800 0xFFFF at -2 match u16 0xM4M5 0xFFFF at -4 match u32 0xM0M1M2M3 0xFFFFFFFF at -8 flowid 1:20
>>>>> # change the MACs of course.
>>>>>
>>>>> tc -s -d class show dev ppp0
>>>>> tc -s -d qdisc show dev ppp0
>>>>> tc -s -d filter show dev ppp0
>>>>>
>>>>> There you have it.
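
The selector arithmetic discussed in the thread, as an added Python model that is not part of the original posts and is not tc's own code: it evaluates the ingress (source MAC) selectors against constructed Ethernet frames to show why an EtherType of 0x0800 at offset -2 skips ARP while 0x0806 hits it. The function names and sample frames are assumptions made for illustration, and the model covers only the offset and mask comparison, not how tc dispatches frames to a filter by its `protocol` keyword.

```python
import struct

ETH_HLEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def eth_frame(dst, src, ethertype, payload):
    """Build a constructed Ethernet II frame."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def selector_hits(frame, width, value, mask, at):
    """Model one 'match u16|u32 VALUE MASK at OFFSET' selector.

    OFFSET counts from the start of the network header, so a negative
    offset reaches back into the Ethernet header in front of it.
    """
    pos = ETH_HLEN + at
    if pos < 0 or pos + width > len(frame):
        return False
    field = int.from_bytes(frame[pos:pos + width], "big")
    return (field & mask) == (value & mask)

def src_mac_selectors(mac, ethertype):
    """Selectors of the thread's ingress form: PPPP at -2, M4M5 at -4, M0..M3 at -8."""
    m = mac_bytes(mac)
    return [
        (2, ethertype, 0xFFFF, -2),
        (2, int.from_bytes(m[4:6], "big"), 0xFFFF, -4),
        (4, int.from_bytes(m[0:4], "big"), 0xFFFFFFFF, -8),
    ]

def matches(frame, selectors):
    """A filter hits only if every selector hits."""
    return all(selector_hits(frame, *s) for s in selectors)

# Constructed sample frames; the MACs are the ones in the tcpdump lines above.
SRC = "00:04:c1:b5:bd:f1"
DST = "00:08:c7:c9:a3:17"
ARP_REPLY = eth_frame(DST, SRC, 0x0806, bytes(28))  # zero-filled ARP body
IP_PACKET = eth_frame(DST, SRC, 0x0800, bytes(20))  # zero-filled IP header

if __name__ == "__main__":
    for name, frame in (("arp", ARP_REPLY), ("ip", IP_PACKET)):
        for proto in (0x0800, 0x0806):
            hit = matches(frame, src_mac_selectors(SRC, proto))
            print(f"{name} frame vs EtherType 0x{proto:04x}: {hit}")
```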