New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Add testing for capture (pf_ring/afpacket/pcap/pcapgo/...) #561
Comments
For another project, I wrote https://github.com/google/stenographer/blob/master/integration_test/test.sh. It creates dummy interfaces and sends/receives traffic on them. It works fine, just requires sudo:required (https://github.com/google/stenographer/blob/master/.travis.yml#L4) In short, it:
|
The above should work fine for afpacket and pcap, for pf_ring we'd have to figure out what the various PF_RING licenses allow us to do, as well as how to correctly modprobe them. I do wonder, though, if just adding sudo:required to the test you're discussing might allow you to add it in as is. |
Hmm well when I looked around I found travis-ci/travis-ci#2291 which states that loading kernel modules is not supported. I have to admit I actually didn't try out loading kernel modules... As for license - vanilla pf_ring is gplv2 for kernel and lgplv2 for userspace libraries. Only components we do not need, need a special license (pf_ring_zc, nprobe, n2disk). Additionally, pf_ring points to here for a golang userspace lib (https://github.com/ntop/PF_RING/blob/dev/userland/go/README) - so it should be possible to work something out |
ok installing pf_ring via dkms worked and modprobe didn't throw an error - tomorrow I'll try out if it actually worked |
Tried everything out and looks like loading kernel modules works perfectly - even self compiled ones. |
I had a look at your solution for stenographer and think this is not the best way for gopacket because testing sending out packets would be a bit more complicated or need the same capturing. Additionally, I think it would be better to have something, which can have both sides (sending with gopacket + receiving and comparing, or the other way around) directly inside go test with easily accessible methods. So I had a look at tun/tap. I think this also represents the environment a bit better, since we basically emulate the network card with a file descriptor which can receive/send packets with read and write (basically our "virtual network card) and on the other end a network device, that looks like a real network device. With this it would be also possible to test without promisc mode, if needed. Test setup can be seen at: https://github.com/notti/gopacket-taptest-poc https://travis-ci.com/notti/gopacket-taptest-poc This testsetup
Step 6 would be closing the file descriptor, after which the tap network device is removed. The devices live as long something is connected to them. Alternatively the tap network device can be made persistent with an additional ioctl before closing the fd. Steps 4 and 5 are preceeded with TEST in the logoutput and step 2 with MONITOR The travis part is also very simple:
First two lines install the ntop repository, which has pf_ring debs. The test is executed by compiling it and then running it with sudo. This must be in two steps, since per default sudo cleans PATH and then go gets a bit upset...
Questions
|
tun/tap seems like another excellent way to go about this, so I'd say go for it! Maybe we can add a gopacket/tuntap subpackage with the necessary stuff for easily creating tun/tap interfaces, then we can start writing some tests in other directories (/pcap, /afpacket, /pfring) to use it? Obviously, tun/tap and anything that uses it will need a +linux build tag, so for tests in the /pcap directory we'll probably need to cordon those tests into separate files. |
Yes, that would be my plan.
Well as far as I know, there is also tuntap for osx available, and a quick search also turns up something for windows. Since I have neither of those two available for coding looks like we have to start out with +linux and hope somebody else has a look at those two. I'll close this for now, start coding/designing a generic tuntap interface and will make a pull request as soon as it's ready. When that one landed in gopacket, I'll try to come up with a testing framework. |
Note: I accept cookies as well as pull requests. |
I wondered if it would be possible to make network capture/sending out packets testable on travis-ci. So I tried out some stuff and came up with this proof of concept. There is also Travis-ci output.
What is needed?
How does it work?
On travis-ci we can not load kernel modules (for security reasons) so the solution for this is to use qemu and run our own linux. Since kvm is not available this is a bit slower - but not that bad (booting + a short test took just a second).
To make everything fast and compact this setup does the following things:
Steps that get executed:
Inside the guest init does the following:
test
to the control channelThe network device on the host works via a socket provided to qemu. The packet format on this socket is a big endian uint32 with the packet size followed by the network packet. Packets sent to this socket appear in the network device in the guest - and packets sent to the network device appear on the host in the socket.
The control socket can be used for synchronization (on the host it is a socket, and on the guest a char-device).
Alternatives
Travis-ci can be tricked into loading veth by requesting docker in travis.yml. With this We can create our private network devices and use those for testing. But with this only methods compiled in the travis-ci image can be tested (pcapgo, pcap should also work, af_packet I'm not sure, pf_ring definitely not).
Open questions
The text was updated successfully, but these errors were encountered: