Nosy


Introduction

Nosy is a Linux-based bus analyzer / traffic sniffer for FireWire / IEEE1394. It consists of a simple snoop-mode driver for the PCILynx IEEE1394 chipset from Texas Instruments and a user space protocol decoding application. Unlike the widely used OHCI chipset, the PCILynx chipset has a snoop mode, where all packets from the IEEE1394 bus are received and stored. This is often also referred to as promiscuous mode.

The application consists of a kernel driver for the card and a text-mode user-level application which reads the snooped data and prints it. The kernel driver does not depend on the standard Linux IEEE1394 stack from www.linux1394.org. It can run in parallel with the standard stack, and you can connect the PCILynx card to an OHCI card managed by the stack to inspect the behaviour of the standard stack.

The latest release is nosy-0.3.tar.gz, see the download section for a list of changes in that release.

Nosy is free software, released under the GNU Public License (GPL). Written by Kristian Høgsberg (krh@bitplanet.net).

Screenshots

Not exactly screenshots, but some example logging sessions. The first one shows the packet mode output from the usermode dump program. In this mode, the program just dumps the packets to stdout as they arrive:

self id: phy_id=00, link active, gap_count=63, speed=S400, irm contender
self id: phy_id=01, link active, gap_count=63, speed=S400, irm contender
self id: phy_id=02, link not active, gap_count=63, speed=S400
self id: phy_id=03, link active, gap_count=63, speed=S400, irm contender
read_quadlet: dest=ffc0, tl=1d, src=ffc3, offs=fffff0000400 crc=5588adc9, ack_pending
read_quadlet_response: dest=ffc3, tl=1d, src=ffc0, rcode=complete, data=04048b5c crc=30ba901c, ack_complete
read_quadlet: dest=ffc0, tl=1e, src=ffc3, offs=fffff000040c crc=7cc5f9bb, ack_pending
read_quadlet_response: dest=ffc3, tl=1e, src=ffc0, rcode=complete, data=00015623 crc=71c285ed, ack_complete
read_quadlet: dest=ffc0, tl=1f, src=ffc3, offs=fffff0000410 crc=0e18035d, ack_pending
read_quadlet_response: dest=ffc3, tl=1f, src=ffc0, rcode=complete, data=100003e9 crc=283a731f, ack_complete
read_quadlet: dest=ffc2, tl=20, src=ffc3, offs=fffff0000400 crc=180ad5df, no ack
read_quadlet: dest=ffc2, tl=21, src=ffc3, offs=fffff0000400 crc=13ca6f2d, no ack
read_quadlet: dest=ffc0, tl=22, src=ffc3, offs=fffff0000408 crc=de1b5fe8, ack_pending
read_quadlet_response: dest=ffc3, tl=22, src=ffc0, rcode=complete, data=e000a002 crc=0827e6a9, ack_complete
read_quadlet: dest=ffc2, tl=23, src=ffc3, offs=fffff0000408 crc=2243f771, no ack
read_quadlet: dest=ffc2, tl=24, src=ffc3, offs=fffff0000408 crc=1100d3af, no ack
read_quadlet: dest=ffc1, tl=0e, src=ffc0, offs=fffff0000400 crc=5d075245, ack_pending
read_quadlet_response: dest=ffc0, tl=0e, src=ffc1, rcode=complete, data=040477f9 crc=e87872fe, ack_complete
read_quadlet: dest=ffc1, tl=0f, src=ffc0, offs=fffff0000404 crc=45c39e6b, ack_pending

As can be seen from the above dump, the PCILynx chipset picks up both PHY packets (i.e. the self ID packets) and acknowledge codes. The node with phy ID 2 is the PCILynx card, and the self IDs show that its link layer is not active. Later on, when node 3 tries to read from the card anyway, it gets "no ack"; this is the intended behaviour.

The second trace shows the transaction mode of the usermode program. In this mode the program maintains a list of pending transactions for all nodes and analyzes the packets to match request and response subactions. Once a transaction finishes, the two subactions are printed to stdout. We also see that the lock transaction decoding isn't quite finished yet.

completed transaction (ffc0->ffc3, tlabel=d)
read_quadlet: dest=ffc3, tl=0d, src=ffc0, offs=fffff0000428 crc=08f5d460, ack_pending
read_quadlet_response: dest=ffc0, tl=0d, src=ffc3, rcode=complete, data=c3000004 crc=e72ee067, ack_complete
 
completed transaction (ffc1->ffc3, tlabel=1c)
lock_request: dest=ffc3, tl=1c, src=ffc1,  [packet specific fields] crc=3c3a3f33, ack_pending
lock_response: dest=ffc1, tl=1c, src=ffc3,  [packet specific fields] crc=ffffffff, ack_complete
 
completed transaction (ffc1->ffc3, tlabel=1d)
lock_request: dest=ffc3, tl=1d, src=ffc1,  [packet specific fields] crc=e783c29d, ack_pending
lock_response: dest=ffc1, tl=1d, src=ffc3,  [packet specific fields] crc=8330ad0d, ack_complete
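
The request/response matching described for transaction mode can be reproduced offline over a saved packet-mode dump. The following is an added Python example, not nosy's own code; the function name `match_transactions` and the result keys are assumptions, and the sample lines are copied from the packet-mode dump above.

```python
import re

# Lines copied from the packet-mode dump above (not a new capture).
SAMPLE = """\
self id: phy_id=02, link not active, gap_count=63, speed=S400
read_quadlet: dest=ffc0, tl=1d, src=ffc3, offs=fffff0000400 crc=5588adc9, ack_pending
read_quadlet_response: dest=ffc3, tl=1d, src=ffc0, rcode=complete, data=04048b5c crc=30ba901c, ack_complete
read_quadlet: dest=ffc2, tl=20, src=ffc3, offs=fffff0000400 crc=180ad5df, no ack
read_quadlet: dest=ffc1, tl=0f, src=ffc0, offs=fffff0000404 crc=45c39e6b, ack_pending
"""

# Packet type, dest, tlabel, src, packet-specific fields, then the ack code.
LINE = re.compile(
    r"^(?P<type>\w+): dest=(?P<dest>[0-9a-f]{4}), tl=(?P<tl>[0-9a-f]{2}), "
    r"src=(?P<src>[0-9a-f]{4}),.*, (?P<ack>ack_\w+|no ack)$"
)

def match_transactions(dump):
    """Pair request and response subactions by (requester, responder, tlabel)."""
    pending = {}      # key -> request line still waiting for its response
    completed = []    # (key, request line, response line)
    unacked = []      # requests nobody acknowledged, e.g. to an inactive link
    orphans = []      # responses whose request was not captured
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # self id (PHY) packets and unrecognised lines
        tl = int(m["tl"], 16)
        if m["type"].endswith("_response"):
            # A response travels responder -> requester, so swap the roles.
            key = (m["dest"], m["src"], tl)
            request = pending.pop(key, None)
            if request is None:
                orphans.append(line)
            else:
                completed.append((key, request, line))
        elif m["ack"] == "no ack":
            unacked.append(line)
        else:
            pending[(m["src"], m["dest"], tl)] = line
    return dict(completed=completed, unacked=unacked, pending=pending, orphans=orphans)

if __name__ == "__main__":
    result = match_transactions(SAMPLE)
    for (src, dst, tl), req, resp in result["completed"]:
        print(f"completed transaction ({src}->{dst}, tlabel={tl:x})")
        print(req, resp, sep="\n")
    for line in result["unacked"]:
        print("no ack:", line)
```

Requests left in `pending` at the end of a capture, and responses in `orphans`, mark places where the dump starts or stops mid-transaction.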

Features

Well, hardly any, except for the core snooping functionality:

Todo

Plenty, eventually:

At this point, it is probably good etiquette to mention that I'm not actively working on nosy at the time.

Getting a PCILynx card

IEEE1394 cards based on the PCILynx chipset can be a bit difficult to get. Most IEEE1394 cards today use the OHCI chipset, since this is the only chipset Microsoft Windows supports. I have found PCILynx based PCI cards from the following three vendors: IOI1394, Firewire Depot and Unibrain. Of these three cards, I've only tried the Unibrain card, which seems to be of pretty good quality, but also quite expensive. Personally I am using a fourth kind of PCILynx controller, a Cardbus based controller from Newer Technology. It is out of production now, but TechnoWarehouse has some for sale from this page.

Download

Wed Dec 20, 2006: Ok, didn't get gitweb set up on bitplanet.net, so I moved the nosy git repo to freedesktop.org: http://gitweb.freedesktop.org/?p=users/krh/nosy.git

Sat Nov 11, 2006: Another year, another version control system. Nosy is now maintained in git, available from this repo: http://bitplanet.net/~krh/nosy/nosy.git.

Sat Dec 10, 2005: Nosy development now takes place in this mercurial repository. The latest version of nosy now uses sysfs and udev to automatically create the /dev/nosy device file.

Mon Sep 27, 2004: There's a nosy-0.3.tar.gz release out. This one includes a set of patches from Jody McIntyre to avoid oopses when accessing /dev/nosy without the pcilynx card, changes to use the standard kernel build system for the nosy kernel module, and support for printing the payload for block payload packets.

Nosy version 0.2 was released on September 14, 2004 and corresponds to revision 44 in subversion: nosy-0.2.tar.gz. This release has been updated to work with linux 2.6, packet timestamping has been added, the packet decoding logic has been generalized and a new "stats" display mode has been added.

The first release of nosy was on August 6, 2003 and can be downloaded here: nosy-aug-6-2003.tar.gz.