Saturday, June 6, 2009

Linux network stack: A brief intro to packet handling


I was always fascinated by the hidden world of the Linux network stack. To me it is the most beautiful part of this enchanting operating system. After doing the textbook-based study of the OSI and TCP/IP models I became a little bit confused, and to be honest somewhat terrified as well. I wanted to come out of the network block diagrams given in those "famous" books and really wanted to try my hands on the real stuff. A hell of a lot of things were making me mad ... ranging from how these packets are really dealt with by the operating system and by networking hardware like switches, routers etc., to how the layered architecture is implemented.
After spending a hard time and doing much prolonged research on the net I was able to get a glimpse of the great world of networks.
The first topic that helped me to build a basic understanding was NETFILTER HOOKS, then came the scintillating RAW sockets, the pcap library and much more.

Before going into details I would like to first discuss the two basic data structures used in the Linux network stack.

1. sk_buff : Here is the protagonist, the sailor who sails alone in the great world of networks, from one hop to another in the never-ending vicious cycle, Mr. Postman ..... yes, you guessed right .... it is the data structure representing the one and only PACKET. Basically it is a C structure representing the packet headers and data.
-->It is defined in #include
-->When a packet arrives in the Linux kernel, either from user space or from the network card, this structure is created.
-->It contains all the necessary fields and headers, like the device from which the packet arrived, the time stamp, etc.
-->As the packet is moved from one layer to another, headers are added to it.
odyssey...............
Once there was a packet ..... it jumped from one hop to another .... switches and routers peeping inside its clothes to get the address he is hiding inside ... and at last the voyage ends .. it reaches the last hop (computer) it was destined to .. now what?? He rings the bell ... and the Ethernet card picks it up. The Ethernet card asks for identification proof ... so what .. here it is .. the MAC address ... Our gatekeeper (the Ethernet card) matches the MAC address of the computer against the one in the packet's link layer header, or checks whether it is a link layer broadcast.
If either of the above conditions is true .. our packet is welcomed to traverse the Linux network stack. The Ethernet card raises an interrupt ... "hello ... there is a packet at the door ..." .... now who will handle this interrupt? Obviously ... the driver of the network card. At this stage the Ethernet card's driver makes a call to the function alloc_skb (which is a wrapper, i.e. it calls kmalloc()). Now appropriate memory space is allocated to the packet. The data (headers and data part) is added to the sk_buff structure. Now what?? The network driver dumps it in the CPU queue by calling netif_rx() .... whenever the CPU gets time it will handle the packet. The CPU will invoke the appropriate upper layer protocol handler, i.e. if the packet has an IP or ICMP etc. network layer header then the respective protocol handler will be invoked.

-->The kernel maintains sk_buff structures in a doubly linked list to facilitate searching.
-->When the packet is made in user space, headers are added to it as it traverses down the network stack. Each time, the protocol handler calls the skb_reserve() function to reserve space in the buffer to add its header.

-->One of the elements of the sk_buff structure is sk (a pointer of type struct sock *), which stores the address of the socket that owns the packet.
-->The sk_buff structure also contains net_device *dev (a pointer dev of type net_device), which describes the network device from which the packet was received or for which it is destined.

-->The field h in the structure is a pointer to the layer 4 header,
-->nh is a pointer to the layer 3 header,
-->mac is a pointer to the layer 2 header.
-->skb_push is used to insert a header in front of the data; likewise skb_pull (to strip a header off the front) and skb_reserve (to reserve headroom) are used.
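To make the skb_reserve/skb_push/skb_pull mechanics concrete, here is a small user-space model of the sk_buff head/data/tail/end pointers. It is an added example, not kernel code and not from the original post: the send path reserves headroom, copies the payload, then each layer pushes its header in front; the receive path pulls them off again. The struct name skb, the roundtrip() helper and the 20-byte L3 / 8-byte L4 header sizes are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
/* User-space model of the sk_buff pointer layout; constructed for illustration, not kernel code. */
struct skb { unsigned char *head, *data, *tail, *end; unsigned int len; };
struct skb *skb_alloc(unsigned int size) {
    struct skb *s = calloc(1, sizeof *s);           /* len starts at 0 */
    s->head = s->data = s->tail = calloc(size, 1);
    s->end = s->head + size;
    return s;
}
void skb_free(struct skb *s) { free(s->head); free(s); }
/* Reserve headroom on an empty buffer; as in the kernel, the caller must ensure n fits. */
void skb_reserve(struct skb *s, unsigned int n) { s->data += n; s->tail += n; }
/* Append n bytes at the tail; NULL if the buffer is full (the kernel panics here). */
unsigned char *skb_put(struct skb *s, unsigned int n) {
    unsigned char *p = s->tail;
    if (n > (unsigned int)(s->end - s->tail)) return NULL;
    s->tail += n; s->len += n;
    return p;
}
/* Prepend n bytes in the headroom: each send-path layer adds its header this way. */
unsigned char *skb_push(struct skb *s, unsigned int n) {
    if (n > (unsigned int)(s->data - s->head)) return NULL;  /* headroom exhausted */
    s->data -= n; s->len += n;
    return s->data;
}
/* Drop n bytes from the front: each receive-path handler strips its header this way. */
unsigned char *skb_pull(struct skb *s, unsigned int n) {
    if (n > s->len) return NULL;
    s->data += n; s->len -= n;
    return s->data;
}
/* Send-side build then receive-side stripping; returns payload bytes left after both pulls, or -1 on failure. */
int roundtrip(const char *payload, unsigned int bufsize) {
    unsigned int plen = (unsigned int)strlen(payload);
    struct skb *s = skb_alloc(bufsize);
    unsigned char *p; int left = -1;
    skb_reserve(s, 28);                    /* headroom for 20-byte L3 + 8-byte L4 */
    if (!(p = skb_put(s, plen))) goto out;
    memcpy(p, payload, plen);
    if (!(p = skb_push(s, 8))) goto out;   /* transport layer adds its header */
    memset(p, 0x11, 8);
    if (!(p = skb_push(s, 20))) goto out;  /* network layer adds its header */
    memset(p, 0x45, 20);
    skb_pull(s, 20); skb_pull(s, 8);       /* receive path: IP handler, then L4 handler */
    if (memcmp(s->data, payload, plen) == 0) left = (int)s->len;
out:
    skb_free(s);
    return left;
}
```

A buffer too small for headroom plus payload makes skb_put fail and roundtrip() return -1, which is the case the real kernel treats as a fatal bug.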
2. sock : It is a structure associated with a socket. When a socket is created in user space this structure is created. It has various fields, such as its state, protocol, etc.

For more information read:

1. The Journey of the Packet Through the Network Stack by Harald Welte

2. Linux Kernel Internals

3. Understanding the Linux Kernel

4. Kossak and Lifeline -- article in PHRACK

5. http://www.tcpdump.org/

6. http://www.packetfactory.net/

7. http://tdlp.org/HowTo/KernelAnalysis-HowTO-1.html

8. Visit the home page of Linux network stack developer David S. Miller at http://www.vger.kernel.org/~davem/

9. http://www.invisiblethings.org/