我在运行 Ubuntu 14.04 的 x86_64 机器上安装了 PFRING-6.6.0(加载了“pf_ring.ko”),以捕获“eth0”上源端口或目标端口为“2404”的所有传入数据包(参见下面的代码),代码工作正常。以下代码使用给定的 BPF 过滤器创建一个 pfring 套接字,该套接字应该只捕获传入的“2404”数据包(注意:代码中的过滤器除了端口 2404 外,还要求数据包同时涉及 10.180.6.105 和 10.180.5.179 这两个主机)。
但我的问题是:我在运行 Ubuntu-mate 16.04 的 Raspberry Pi 3 B 上安装了相同版本的 PFRING,相同的代码却无法捕获任何传入的数据包(设备名称同样为“eth0”)。这是与架构相关的问题吗?应该如何排查和解决?
/* The single PF_RING handle main() opens, and the interface it is opened on. */
pfring *pd;
char *device = "eth0";
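/* Prototype for the pfring_loop() callback defined further down in this file.
 * The original listing used it before its definition (implicit declaration). */
void RTUProcesssPacket(const struct pfring_pkthdr *h,
                       const u_char *packet, const u_char *user_bytes);

/*
 * Open a PF_RING socket on `device`, restrict it to inbound traffic matching
 * `bpfFilter`, and hand every captured packet to RTUProcesssPacket().
 *
 * Returns EXIT_FAILURE when the ring cannot be opened or enabled.  Otherwise
 * it never returns: the capture loop runs until the process is killed.
 */
int main(int argc, char *argv[]) {
    /* hard-coded filter: both hosts must appear in the packet, and the TCP
     * port (either side) must be 2404 */
    char *bpfFilter = "(ip host 10.180.6.105 && ip host 10.180.5.179) && tcp port 2404";
    u_int32_t flags = 0;
    int ret = 0;
    int RTUnum = 0;   /* handed to the callback through user_bytes (was undeclared) */

    (void)argc;
    (void)argv;

    flags |= PF_RING_REENTRANT;
    flags |= PF_RING_PROMISC;
    /* NOTE(review): the four flags below request hardware/IXIA timestamping
     * and chunk mode, which PF_RING describes as adapter-specific features.
     * The Raspberry Pi's USB Ethernet is unlikely to provide them, so when the
     * ring opens but never sees a packet, re-test with flags = PF_RING_PROMISC
     * only — confirm against the PF_RING 6.6.0 documentation. */
    flags |= PF_RING_HW_TIMESTAMP;
    flags |= PF_RING_STRIP_HW_TIMESTAMP;
    flags |= PF_RING_CHUNK_MODE;
    flags |= PF_RING_IXIA_TIMESTAMP;

    pd = pfring_open(device, 256, flags);
    if (pd == NULL) {
        fprintf(stderr, "pfring_open error [%s] (pf_ring not loaded or interface %s is down ?)\n",
                strerror(errno), device);
        /* was exit(0): a failed open must not report success to the caller */
        return EXIT_FAILURE;
    }

    /* 0=RX+TX, 1=RX only, 2=TX only */
    if (pfring_set_direction(pd, 1) != 0)
        fprintf(stderr, "capture direction not set\n");
    if (pfring_set_socket_mode(pd, recv_only_mode) != 0)
        fprintf(stderr, "pfring_set_socket_mode unsuccessfull\n");

    /* A rejected filter is only logged: the ring then captures unfiltered
     * traffic, so watch for this message when the output looks wrong. */
    if (pfring_set_bpf_filter(pd, bpfFilter) < 0)
        fprintf(stderr, "pfring_set_bpf_filter unsuccessfull\n");
    else
        fprintf(stderr, "set_bpf_filter successfull\n");

    pfring_set_poll_duration(pd, 500);

    if (pfring_enable_ring(pd) != 0) {
        printf("Failed to enable ring :-(\n");
        pfring_close(pd);
        /* the original fell through into the loop and used the closed ring */
        return EXIT_FAILURE;
    }

    for (;;) {
        ret = pfring_is_pkt_available(pd);
        if (ret == 0) {
            /* the original printed "%d" with no argument (undefined behaviour) */
            printf("No incomming packet\n");
            continue;
        }
        /* pd is one ring, not an array: the original indexed pd[RTUnum] */
        ret = pfring_loop(pd, RTUProcesssPacket, (u_char *)&RTUnum, 0);
        if (ret != 0) {
            fprintf(stderr, "Failed to capture packet\n");
            sleep(1);
        }
    }
}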
/*
 * Per-packet callback handed to pfring_loop() by main().
 *
 * h          PF_RING packet header for the captured packet.
 * packet     pointer to the captured frame bytes.
 * user_bytes the opaque pointer main() passes to pfring_loop() (there, the
 *            address of RTUnum).
 *
 * The three statements in the body are placeholders from the original post,
 * not compilable C; the real implementation is not shown here.
 *
 * NOTE(review): everything reached through `packet` is attacker-controlled
 * network data.  The parser must bound every read by the captured length
 * reported in `h`, never by length fields inside the packet — confirm which
 * pfring_pkthdr field carries the captured length in this PF_RING version.
 */
void RTUProcesssPacket(const struct pfring_pkthdr *h,
const u_char *packet, const u_char *user_bytes) {
/* placeholder: write h/packet to a pcap file */
log packets into pcap file;
/* placeholder: decode the frame */
parse the packet;
/* placeholder: run the detection rules over the decoded packet */
apply IDS rules();
}
OUTPUT:
(ip host 10.180.6.105 && ip host 10.180.5.179) && tcp port 2404
set_bpf_filter successfull
No incomming packet
No incomming packet
No incomming packet
No incomming packet
No incomming packet