Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

packetbeat: Enable setting promiscuous mode automatically #11366

Merged
merged 36 commits into from
Feb 5, 2020
Merged

packetbeat: Enable setting promiscuous mode automatically #11366

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
ffd96e6
Enable setting of promiscuous mode
michalpristas Mar 20, 2019
46db28a
seccomp disabled
michalpristas Mar 20, 2019
1c2146a
Merge branch 'master' of https://github.com/elastic/beats into fix-700
michalpristas Mar 21, 2019
637eaab
update faq
michalpristas Mar 21, 2019
1ff4818
changelog
michalpristas Mar 21, 2019
7fc011e
fix
michalpristas Mar 21, 2019
4e140f3
mage update
michalpristas Mar 21, 2019
9ef3f56
Merge branch 'master' into fix-700
michalpristas Mar 21, 2019
70dc0cd
syscall
michalpristas Mar 21, 2019
fbe7398
syscall
michalpristas Mar 21, 2019
8c87687
whitespaces
michalpristas Mar 21, 2019
c00eb6f
typo
michalpristas Mar 21, 2019
24db049
review round
michalpristas Mar 21, 2019
1d2f681
not breaking
michalpristas Mar 22, 2019
185fbff
Merge branch 'master' into fix-700
michalpristas Mar 22, 2019
8e83262
first attemp for system test
michalpristas Mar 22, 2019
22048ec
it's autopep8 style :notes:
michalpristas Mar 22, 2019
49cd7a6
more strict for devices count
michalpristas Mar 22, 2019
fa877f5
import unit test
michalpristas Mar 22, 2019
2065731
fixed tests :party:
michalpristas Mar 22, 2019
cdd6069
Merge branch 'master' into fix-700
michalpristas Mar 26, 2019
24109ff
use test environment
michalpristas Mar 26, 2019
4bafbee
Merge branch 'master' into fix-700
michalpristas Mar 26, 2019
ae6bf1c
Merge branch 'master' into fix-700
michalpristas Mar 29, 2019
498c230
Merge branch 'master' into fix-700
michalpristas Mar 29, 2019
8a99e60
Merge branch 'master' into fix-700
michalpristas Apr 1, 2019
93e48ac
Merge branch 'master' into fix-700
michalpristas Apr 8, 2019
23d5948
configurable promisc mode
michalpristas Apr 8, 2019
9111121
meta reference
michalpristas Apr 8, 2019
52ce33e
invalid condition, shame on me
michalpristas Apr 8, 2019
70d02b0
Merge branch 'master' into fix-700
michalpristas Apr 12, 2019
ef0ae7d
Merge branch 'master' into fix-700
michalpristas Feb 5, 2020
7bb2402
changelog merge fix
michalpristas Feb 5, 2020
a00e370
updated dockerfile for packetbeat
michalpristas Feb 5, 2020
941f534
added comment
michalpristas Feb 5, 2020
bbcc013
updated config file
michalpristas Feb 5, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- `http.response.body` moves to `http.response.body.content`
- Changed Packetbeat fields to align with ECS. {issue}7968[7968]
- Removed trailing dot from domain names reported by the DNS protocol. {pull}9941[9941]
- Enable setting promiscuous mode automatically. {pull}11366[11366]

*Winlogbeat*

Expand Down
62 changes: 59 additions & 3 deletions packetbeat/sniffer/afpacket_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,22 +20,40 @@
package sniffer

import (
"fmt"
"syscall"
"time"
"unsafe"

"github.com/elastic/beats/libbeat/logp"

"github.com/tsg/gopacket"
"github.com/tsg/gopacket/afpacket"
"github.com/tsg/gopacket/layers"
)

type afpacketHandle struct {
TPacket *afpacket.TPacket
TPacket *afpacket.TPacket
promicsPreviousState bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo in promics.

device string
}

func newAfpacketHandle(device string, snaplen int, block_size int, num_blocks int,
timeout time.Duration) (*afpacketHandle, error) {

h := &afpacketHandle{}
var err error
promiscEnabled, err := isPromiscEnabled(device)
if err != nil {
logp.Err("Failed to get promiscuous mode for device '%s': %v", device, err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it fails here then when closing we don't really know what the previous state was so we should not try to restore it based on this value.

}

h := &afpacketHandle{
promicsPreviousState: promiscEnabled,
device: device,
}

if err := setPromiscMode(device, true); err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why change mode if it's already enabled?

logp.Err("Failed to set promiscuous mode for device '%s': %v", device, err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be good to inform users what the impact is and what a possible workaround is.

If Packetbeat is going to continue operating then I'd probably go for the Warn level.

}

if device == "any" {
h.TPacket, err = afpacket.NewTPacket(
Expand Down Expand Up @@ -69,4 +87,42 @@ func (h *afpacketHandle) LinkType() layers.LinkType {

func (h *afpacketHandle) Close() {
h.TPacket.Close()
if err := setPromiscMode(h.device, h.promicsPreviousState); err != nil {
logp.Err("Failed to set promiscuous mode for device '%s': %v", h.device, err)
}
}

func isPromiscEnabled(device string) (bool, error) {
if device == "any" {
return false, nil
}

s, e := syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM, 0)
if e != nil {
return false, e
}

defer syscall.Close(s)

var ifl struct {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's ifl stand for? I'm thinking using ifreq might make this more recognizable to some familiar with ioctl and network device programming. Or perhaps some comments here explaining that this is the ifreq structure from linux/if.h.

name [syscall.IFNAMSIZ]byte
flags uint16
}

copy(ifl.name[:], []byte(device))
_, _, ep := syscall.Syscall(syscall.SYS_IOCTL, uintptr(s), syscall.SIOCGIFFLAGS, uintptr(unsafe.Pointer(&ifl)))
if ep != 0 {
return false, fmt.Errorf("Syscall SIOCGIFFLAGS exited with %v", ep)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about

fmt.Errorf("ioctl command SIOCGIFFLAGS failed to get device flags for %v: return code %d", device, ep)

}

return ifl.flags&uint16(syscall.IFF_PROMISC) != 0, nil
}

func setPromiscMode(device string, enabled bool) error {
if device == "any" {
logp.Warn("Cannot set promiscuous mode to device 'any'")
return nil
}

return syscall.SetLsfPromisc(device, enabled)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function says its deprecated. Have you checked out what it recommends to use?

Copy link
Contributor Author

@michalpristas michalpristas Mar 21, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it says x/net where I did not find anything useful. so, for now, I went with this with a possible rewrite to direct syscalls

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's at least add a code comment here explaining the issue + follow up issue in repo.

}