tcpdump mailing list archives

Re: Can I be able to use Libpcap for capturing packets on Unix socket by the following way described in the body of the mail


From: "Jefferson Ogata" <Jefferson.Ogata () noaa gov>
Date: Mon, 20 Mar 2006 16:56:11 -0500

On 03/13/2006 01:28 AM, Santosh wrote:
I need a clarification regarding Libpcap library. What I am doing is instead 
of writing the packets on to ethernet interface, I am writing on to the Unix 
socket.
I am using Libnet library for building and injecting the packets. I have 
modified the Libnet library for supporting Unix sockets. For capturing the 
packets on unix sockets I am thinking of using Libpcap library.

The concept of "capturing" on UNIX-domain sockets doesn't really make
much sense. One doesn't use libpcap to capture on an Internet-domain
socket; one captures on an interface. Traffic from multiple
Internet-domain sockets, as well as non-socket-based traffic (e.g. ICMP
messages), is multiplexed over an interface by necessity, since the
interface is the egress for network traffic from the host. The interface
thus provides the observation point for capturing to occur.

There is no parallel with UNIX-domain sockets. There is no API I know of
for a third party to observe UNIX-domain datagrams as they traverse from
socket to socket.

In short, I don't understand what you are trying to achieve. If you want
to monitor stream-based UNIX-domain socket activity, the only way I know
of is to act as a proxy between your client and server.

If you want to write a traffic log from your server or client, and wish
simply to use libpcap format, well, what's the point? There are no IP or
other protocol headers on UNIX-domain messages, so it's not as if you
will then be able to use other existing tools to analyze the traffic,
since your messages aren't IP packets.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
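The proxy approach Ogata describes, as an added example that is not part of the original thread: a minimal AF_UNIX stream proxy that sits between client and server and records every chunk in each direction, exercised against a constructed toy server in the same process. The socket paths, the upper-casing toy server and the sample payload are assumptions made for the demonstration.

```python
import os
import socket
import tempfile
import threading

def relay(src, dst, direction, log):
    """Copy src -> dst until EOF, recording each chunk as (direction, bytes)."""
    while chunk := src.recv(4096):
        log.append((direction, chunk))
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)  # pass the EOF along so the far side finishes

def proxy_one_connection(lsock, server_path, log):
    """Accept one client on the listening lsock and relay it to server_path."""
    client, _ = lsock.accept(); lsock.close()
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    upstream.connect(server_path)
    back = threading.Thread(target=relay, args=(upstream, client, "server->client", log))
    back.start()
    relay(client, upstream, "client->server", log)
    back.join()
    client.close(); upstream.close()

def toy_server(lsock):
    """Constructed stand-in for the real server: replies with the input upper-cased."""
    conn, _ = lsock.accept(); lsock.close()
    while chunk := conn.recv(4096):
        conn.sendall(chunk.upper())
    conn.close()

def listening(path):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path); s.listen(1)
    return s

def demo(payload=b"hello over a unix socket"):
    """Run server, proxy and client in one process; return (log, reply)."""
    d = tempfile.mkdtemp()  # assumed location for the two socket files
    server_path, proxy_path = os.path.join(d, "server.sock"), os.path.join(d, "proxy.sock")
    log = []
    threads = [threading.Thread(target=toy_server, args=(listening(server_path),)),
               threading.Thread(target=proxy_one_connection, args=(listening(proxy_path), server_path, log))]
    for t in threads: t.start()
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(proxy_path)  # the client talks to the proxy, not the server
    c.sendall(payload); c.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: c.recv(4096), b""))
    c.close()
    for t in threads: t.join()
    return log, reply
```

Pointing a real client at the proxy path instead of the server path gives the observation point that an interface provides for IP traffic; the log holds raw bytes only, since there are no protocol headers to decode.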
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.