1: Cisco AnyConnect Linux Kernel Module
(anyconnect_kdf.ko)

contact: <ac-nvm-admins@cisco.com>
--------------------------------------------------------------------------
Introduction:
This kernel module intercepts network packets at layer 3, using Netfilter, and performs the following:
    1. Extracts metadata from the packets to track unique flows (both TCP and UDP) and sends
        that information to a userland process
    2. Captures DNS responses and sends them to a userland process

Interfaces:
This kernel module has two interfaces through which userland processes communicate with it:
    1. A Netlink socket to pass control messages to the module
    2. A UDP socket for the module to pass data to the userland process

--------------------------------------------------------------------------
Procedure to build:

In order to build the module, follow the steps below:

    $ make

--------------------------------------------------------------------------
Procedure to build and run tests:

In order to build the test app, follow the steps below:

    $ cd test
    $ make

Running ./kdf_listener -h prints usage instructions.
-------------------------------------------------------------------------

2: Cisco AnyConnect eBPF Module (interceptor.bpf.c)

contact: <ac-nvm-admins@cisco.com>
--------------------------------------------------------------------------
Introduction:
This file (interceptor.bpf.c) implements a BPF (Berkeley Packet Filter) kernel program that:

    1. Intercepts network packets at the TC (Traffic Control) layer for both ingress and egress traffic
    2. Identifies DNS traffic (UDP port 53) and gives it special handling
    3. Handles both regular network interfaces and VPN interfaces
    4. Extracts metadata like:
        a. IP and transport layer headers (IPv4/IPv6, TCP/UDP)
        b. Process ID (pid) that generated the traffic
        c. Process creation time
        d. Packet direction (inbound/outbound)

The intercepted packet data is stored in a ring buffer for processing by a userspace application. The program features configurable debug logging and special handling for DNS responses, where it captures the full DNS payload.
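The following is an added example, not code from the Cisco module or from interceptor.bpf.c. It is a plain userspace C model of the metadata extraction described in both sections above: the flow 5-tuple (IPv4/IPv6, TCP/UDP) that the kernel module tracks, and the DNS-on-UDP-53 handling of the eBPF program, including the check of the DNS header QR bit that separates a response from a query. The names (parse_frame, flow_meta, the demo functions), the 192.0.2.x documentation addresses and the sample frame are all constructed for this example. Every read is preceded by an explicit length check, which is the same discipline the BPF verifier forces on the real TC program; IPv6 extension headers are not handled.

```c
/* Added example (not Cisco's code): userspace model of flow/DNS metadata extraction. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

enum direction { DIR_INBOUND = 0, DIR_OUTBOUND = 1 };

struct flow_meta {
    int ip_version;           /* 4 or 6 */
    uint8_t proto;            /* 6 = TCP, 17 = UDP */
    uint8_t src[16], dst[16]; /* first 4 bytes used for IPv4 */
    uint16_t sport, dport;
    int direction;
    int is_dns;               /* UDP with either port == 53 */
    int is_dns_response;      /* DNS header QR bit set */
    size_t dns_payload_off;   /* offset of the DNS payload within the frame */
    size_t dns_payload_len;
};

/* Parse an Ethernet frame. Returns 0 on success, -1 if truncated or unsupported. */
static int parse_frame(const uint8_t *pkt, size_t len, int direction, struct flow_meta *m) {
    size_t off = 14;                                   /* Ethernet header */
    if (len < off) return -1;
    uint16_t ethertype = (uint16_t)(pkt[12] << 8 | pkt[13]);
    memset(m, 0, sizeof *m);
    m->direction = direction;

    if (ethertype == 0x0800) {                         /* IPv4 */
        if (len < off + 20) return -1;
        size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;
        if (ihl < 20 || len < off + ihl) return -1;
        m->ip_version = 4;
        m->proto = pkt[off + 9];
        memcpy(m->src, pkt + off + 12, 4);
        memcpy(m->dst, pkt + off + 16, 4);
        off += ihl;
    } else if (ethertype == 0x86dd) {                  /* IPv6, fixed header only */
        if (len < off + 40) return -1;
        m->ip_version = 6;
        m->proto = pkt[off + 6];                       /* Next Header */
        memcpy(m->src, pkt + off + 8, 16);
        memcpy(m->dst, pkt + off + 24, 16);
        off += 40;
    } else {
        return -1;
    }

    if (m->proto != 6 && m->proto != 17) return -1;
    if (len < off + 8) return -1;                      /* ports sit in the first 4 bytes of TCP and UDP */
    m->sport = (uint16_t)(pkt[off] << 8 | pkt[off + 1]);
    m->dport = (uint16_t)(pkt[off + 2] << 8 | pkt[off + 3]);

    if (m->proto == 17 && (m->sport == 53 || m->dport == 53)) {
        m->is_dns = 1;
        off += 8;                                      /* UDP header */
        if (len < off + 12) return -1;                 /* DNS header is 12 bytes */
        m->dns_payload_off = off;
        m->dns_payload_len = len - off;
        m->is_dns_response = (pkt[off + 2] & 0x80) != 0;   /* QR bit */
    }
    return 0;
}

/* Constructed sample frame: DNS response 192.0.2.53:53 -> 192.0.2.10:51234. */
static size_t build_sample_dns_response(uint8_t *buf) {
    static const uint8_t frame[] = {
        0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,        /* Ethernet, EtherType IPv4 */
        0x45,0x00, 0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x11,  /* IPv4: len 40, TTL 64, UDP */
        0x00,0x00, 192,0,2,53, 192,0,2,10,                      /* csum (ignored), src, dst */
        0x00,0x35, 0xC8,0x22, 0x00,0x14, 0x00,0x00,             /* UDP: 53 -> 51234, len 20 */
        0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0,0, 0,0,   /* DNS hdr: QR=1, qd=1, an=1 */
    };
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

struct flow_meta g_meta;   /* filled by demo_parse() */

int demo_parse(void) {
    uint8_t buf[128];
    size_t n = build_sample_dns_response(buf);
    return parse_frame(buf, n, DIR_INBOUND, &g_meta);
}

/* Same frame cut off inside the UDP header: must be rejected, not read past the end. */
int demo_truncated(void) {
    uint8_t buf[128];
    struct flow_meta m;
    build_sample_dns_response(buf);
    return parse_frame(buf, 40, DIR_INBOUND, &m);
}

int main(void) {
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    if (demo_parse() != 0) return 1;
    inet_ntop(AF_INET, g_meta.src, s, sizeof s);
    inet_ntop(AF_INET, g_meta.dst, d, sizeof d);
    printf("udp %s:%u -> %s:%u dns=%d response=%d payload=%zu bytes\n",
           s, g_meta.sport, d, g_meta.dport, g_meta.is_dns, g_meta.is_dns_response, g_meta.dns_payload_len);
    printf("truncated frame -> %d\n", demo_truncated());
    return 0;
}
```

The interesting line for a defender is the QR-bit check: only frames with QR set are responses, so the full DNS payload (answers and all) is only worth shipping to userland for those, which is what the page says the real program does.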

--------------------------------------------------------------------------
Generate vmlinux.h (optional):

    - Use `bpftool` to generate vmlinux.h:
      ```
      bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
      ```

Procedure to build:

1. **Compile the eBPF Program: interceptor.bpf.c**:
    - Use `clang` to compile the eBPF program into an object file:
      ```
      clang -O2 -g -target bpf -c interceptor.bpf.c -o interceptor.bpf.o
      ```

2. **Generate the Skeleton Header**:
    - Use `bpftool` to generate the skeleton header file:
      ```
      bpftool gen skeleton interceptor.bpf.o > interceptor.bpf.skel.h
      ```
-------------------------------------------------------------------------
