etene/nldecap

nldecap

Pretty-printing for netlink monitoring device captures.

nldecap allows you to see what's happening over the netlink interface, in a human-readable way.

Requirements

Basic Usage

./nldecap.py <pcap file or - for stdin>

See ./nldecap.py -h for all options and their help.

The pcap file

nldecap takes a pcap file as its first argument, or - for standard input.

This file is typically obtained by capturing on an nlmon interface with tcpdump(8), although the - syntax allows reading tcpdump's piped output directly, like this:

# tcpdump -i nlmon0 -U -w - | ./nldecap.py -

The -U argument to tcpdump makes its packet output unbuffered, which means packets will be displayed immediately upon reception and not after a buffer-induced delay.

nlmon interfaces

Netlink Monitoring interfaces allow capturing traffic over netlink sockets with traditional packet capture tools.

This makes them very useful for netlink-related troubleshooting, and they're also easy to set up:

# ip link add nlmon0 type nlmon
# ip link set nlmon0 up

or with pyroute2:

from pyroute2 import IPRoute
# Create the nlmon0 monitoring interface and bring it up
ipr = IPRoute()
ipr.link("add", ifname="nlmon0", kind="nlmon", state="up")

TODO

  • Determine minimal pyroute2 version
  • More tests

In action

$ # Using the builtin tree-like display
$ ./nldecap.py ipr.cap
[packet 1] message 1 (rtmsg)
├─family : 2
├─dst_len : 0
├─proto : 0
├─tos : 0
├─event : 'RTM_GETROUTE'
├─header
│ ├─pid : 0
│ ├─length : 40
│ ├─flags : 769
│ ├─error : None
│ ├─type : 26
│ └─sequence_number : 1497801523
├─flags : 0
├─attrs
│ ├[0] RTA_UNSPEC : None
│ └[1] UNKNOWN
│   └─header
│     ├─length : 8
│     └─type : 29
├─table : 0
├─src_len : 0
├─type : 0
└─scope : 0

$ # Using the pprint display
$ ./nldecap.py ipr.cap -p
[packet 1] message 1 (rtmsg)
{'attrs': [('RTA_UNSPEC', None),
           ('UNKNOWN', {'header': {'length': 8, 'type': 29}})],
 'dst_len': 0,
 'event': 'RTM_GETROUTE',
 'family': 2,
 'flags': 0,
 'header': {'error': None,
            'flags': 769,
            'length': 40,
            'pid': 0,
            'sequence_number': 1497801523,
            'type': 26},
 'proto': 0,
 'scope': 0,
 'src_len': 0,
 'table': 0,
 'tos': 0,
 'type': 0}
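
How the header, flags and attrs fields shown above come out of the raw bytes, as an added example that is not nldecap's or pyroute2's own code. The sample bytes are constructed to match the fields in the output above (the payload of attribute 29 is made up), and the buffer is assumed to be the netlink payload of one packet with the capture's link-layer header already stripped.

```python
import struct

NLMSG_HDR = struct.Struct("=IHHII")  # nlmsghdr: len, type, flags, seq, pid
RTMSG = struct.Struct("=BBBBBBBBI")  # rtmsg: family, dst_len, src_len, tos,
                                     #        table, proto, scope, type, flags
RTATTR = struct.Struct("=HH")        # rtattr: len, type
# Flag bits from linux/netlink.h; the 0x100+ meanings apply to GET requests.
NLM_FLAGS = {0x1: "NLM_F_REQUEST", 0x2: "NLM_F_MULTI", 0x4: "NLM_F_ACK",
             0x8: "NLM_F_ECHO", 0x100: "NLM_F_ROOT", 0x200: "NLM_F_MATCH",
             0x400: "NLM_F_ATOMIC"}

def align4(n):
    """Netlink messages and attributes are padded to 4-byte boundaries."""
    return (n + 3) & ~3

def flag_names(flags):
    return [name for bit, name in sorted(NLM_FLAGS.items()) if flags & bit]

def parse_attrs(buf):
    """Walk rtattr TLVs; reject a length that is too short or overruns buf."""
    attrs, off = [], 0
    while off + RTATTR.size <= len(buf):
        alen, atype = RTATTR.unpack_from(buf, off)
        if alen < RTATTR.size or off + alen > len(buf):
            raise ValueError(f"bad rtattr length {alen} at offset {off}")
        attrs.append((atype, buf[off + RTATTR.size:off + alen]))
        off += align4(alen)
    return attrs

def parse_messages(data):
    """Yield (header, rtmsg fields, attrs) per message; assumes rtmsg bodies."""
    off = 0
    while off + NLMSG_HDR.size <= len(data):
        length, mtype, flags, seq, pid = NLMSG_HDR.unpack_from(data, off)
        if length < NLMSG_HDR.size or off + length > len(data):
            raise ValueError(f"bad nlmsg length {length} at offset {off}")
        body = data[off + NLMSG_HDR.size:off + length]
        if len(body) < RTMSG.size:
            raise ValueError("body too short for rtmsg")
        hdr = {"length": length, "type": mtype, "flags": flag_names(flags),
               "sequence_number": seq, "pid": pid}
        yield hdr, RTMSG.unpack_from(body), parse_attrs(body[RTMSG.size:])
        off += align4(length)

# Constructed sample: length 40, type 26 (RTM_GETROUTE), flags 769, family 2.
SAMPLE = (NLMSG_HDR.pack(40, 26, 769, 1497801523, 0)
          + RTMSG.pack(2, 0, 0, 0, 0, 0, 0, 0, 0)
          + RTATTR.pack(4, 0) + RTATTR.pack(8, 29) + b"\x00" * 4)
```

Calling list(parse_messages(SAMPLE)) decodes flags 769 as NLM_F_REQUEST, NLM_F_ROOT and NLM_F_MATCH, that is, a dump request.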