Below is an abstract framework diagram of snort3; the DAQ (Data AcQuisition layer) introduced here is the sniffer part.
The default DAQ is pcap, but there are other implementations as well. To support all kinds of sniffers behind one uniform interface, the libdaq library was created:
After reading the code, the following software framework diagram was abstracted:
There are two classes of API: the first is used by the binary on top of libdaq, which does not need to care which kind of sniffer is in use; the second is the middleware (plugin-facing) API, whose important functions every plugin must implement.
The modules implemented so far are:
./modules/
├── afpacket
├── bpf
├── divert
├── dump
├── fst
├── netmap
├── nfq
├── pcap
└── trace
A rough summary of each:
- Pcap: the default DAQ.
- AFPACKET: similar to the memory-mapped pcap DAQ, but no external library is required.
- NFQ: built on top of the Linux netfilter packet filtering framework; the module operates on packets queued by the kernel packet filter for userspace consumption via the NFQUEUE mechanism, usually controlled by iptables rules.
- Dump: a wrapper DAQ module that presents the configuration stack as inline-interface- and injection-capable.
- Netmap: built on top of the netmap project; netmap is a framework for very high speed packet I/O.
- FST: the Flow State Table (FST) DAQ module is a wrapper module that mimics operating on top of a flow-tracking dataplane.
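As an added example (not libdaq's own code, and not its real API, which has more entry points and different names), the following C program models the two-layer design described above together with the idea of a wrapper module such as dump or FST: a plugin-facing table of function pointers that every module fills in, a registry, and an application-facing open/run/close API that selects the module stack by name so the caller never touches a plugin table directly. All `mock_*` names, the in-memory "replay" source, its constructed packets and the "count" wrapper are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const unsigned char *data; size_t len; } mock_msg_t;

/* Middleware (plugin-facing) API: every module implements this table.
 * Hypothetical; the real libdaq module table is larger. */
typedef struct mock_module {
    const char *name;
    void *(*instantiate)(const char *input, const struct mock_module *inner);
    int   (*receive)(void *ctx, mock_msg_t *out);   /* 1 = message, 0 = end of input, -1 = error */
    void  (*destroy)(void *ctx);
} mock_module_t;

/* Plugin 1: replays a constructed in-memory capture (two fake IPv4 header fragments). */
static const unsigned char kPkt1[] = { 0x45, 0x00, 0x00, 0x1c, 0x00, 0x01 };
static const unsigned char kPkt2[] = { 0x45, 0x00, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00 };
typedef struct { size_t next; } replay_ctx_t;

static void *replay_instantiate(const char *input, const mock_module_t *inner) {
    (void)inner;                                  /* a source module has nothing beneath it */
    if (strcmp(input, "mem") != 0) return NULL;   /* the only "interface" this mock knows */
    return calloc(1, sizeof(replay_ctx_t));
}
static int replay_receive(void *ctx, mock_msg_t *out) {
    static const mock_msg_t pkts[] = { { kPkt1, sizeof kPkt1 }, { kPkt2, sizeof kPkt2 } };
    replay_ctx_t *c = ctx;
    if (c->next >= sizeof pkts / sizeof pkts[0]) return 0;
    *out = pkts[c->next++];
    return 1;
}
static void replay_destroy(void *ctx) { free(ctx); }
static const mock_module_t replay_module = { "replay", replay_instantiate, replay_receive, replay_destroy };

/* Plugin 2: a wrapper in the spirit of dump/FST: it does no I/O of its own,
 * instantiates the module below it and observes every message passing through. */
typedef struct { const mock_module_t *inner; void *inner_ctx; size_t bytes; } count_ctx_t;

static void *count_instantiate(const char *input, const mock_module_t *inner) {
    if (!inner) return NULL;                      /* a wrapper needs something to wrap */
    count_ctx_t *c = calloc(1, sizeof *c);
    c->inner = inner;
    c->inner_ctx = inner->instantiate(input, NULL);
    if (!c->inner_ctx) { free(c); return NULL; }  /* propagate the inner module's failure */
    return c;
}
static int count_receive(void *ctx, mock_msg_t *out) {
    count_ctx_t *c = ctx;
    int rc = c->inner->receive(c->inner_ctx, out);
    if (rc == 1) c->bytes += out->len;            /* a dump-style module would write the packet here */
    return rc;
}
static void count_destroy(void *ctx) {
    count_ctx_t *c = ctx;
    c->inner->destroy(c->inner_ctx);
    free(c);
}
static const mock_module_t count_module = { "count", count_instantiate, count_receive, count_destroy };

/* Registry that the application-facing layer searches by name. */
static const mock_module_t *const registry[] = { &replay_module, &count_module };

static const mock_module_t *mock_daq_find(const char *name) {
    for (size_t i = 0; name && i < sizeof registry / sizeof registry[0]; i++)
        if (strcmp(registry[i]->name, name) == 0) return registry[i];
    return NULL;
}

/* Application-facing API: name a top module, an optional inner module and an input. */
typedef struct { const mock_module_t *mod; void *ctx; } mock_instance_t;

mock_instance_t *mock_daq_open(const char *top, const char *inner, const char *input) {
    const mock_module_t *t = mock_daq_find(top);
    const mock_module_t *i = inner ? mock_daq_find(inner) : NULL;
    if (!t || (inner && !i)) return NULL;         /* unknown module name anywhere in the stack */
    void *ctx = t->instantiate(input, i);
    if (!ctx) return NULL;
    mock_instance_t *inst = malloc(sizeof *inst);
    inst->mod = t;
    inst->ctx = ctx;
    return inst;
}

/* Drain the instance: returns the number of messages delivered, or -1 on a receive error. */
long mock_daq_run(mock_instance_t *inst, size_t *bytes_out) {
    mock_msg_t m; long n = 0; size_t bytes = 0; int rc;
    while ((rc = inst->mod->receive(inst->ctx, &m)) == 1) { n++; bytes += m.len; }
    if (bytes_out) *bytes_out = bytes;
    return rc < 0 ? -1 : n;
}

void mock_daq_close(mock_instance_t *inst) { inst->mod->destroy(inst->ctx); free(inst); }

int main(void) {
    size_t bytes = 0;
    mock_instance_t *inst = mock_daq_open("count", "replay", "mem");  /* wrapper on top of a source */
    if (!inst) return 1;
    long n = mock_daq_run(inst, &bytes);
    printf("%ld packets, %zu bytes\n", n, bytes);
    mock_daq_close(inst);
    return 0;
}
```

The point to take from the mock is the division of labour: the application names a stack ("count" over "replay") and an input, the top module is the only one the application-facing layer talks to, and a wrapper module reaches the real packet source only through the same function table that the application-facing layer uses, which is what lets dump or FST sit on top of pcap, afpacket or any other source without either side knowing the other's internals.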