tcpdump mailing list archives
Re: libpcap : Reading from kernel interface
From: madhuresh <madhurag () iitk ac in>
Date: Fri, 01 Sep 2006 15:58:06 +0530
Guy Harris wrote:
No much difference, just that the version of hostap which comes with kernel tree is 0.4.4. Also its only after kernel version 2.6.13 that hostap is distributed along with the linux kernel, because previously it came only as an external package. [check hostap site for further details]madhuresh wrote:Yes you are right. I was mentioning about hostap-driver-0.4.7 which works as a module with linux kernel.(The linux-2.6.17.3 kernel has a drivers/net/wireless/hostap directory. What's the difference between that driver - or any versions from later Linux kernels - and the hostap-driver-0.4.7 driver?)
can you name a few of them ? As far as i know, the two famous drivers like hostap as well as madwifi strips the required dataSo is it a netlink socket ?No.It's a PF_PACKET socket. Netlink sockets are PF_NETLINK sockets and are implemented by the code in net/netlink; PF_PACKET sockets are implemented by the code in net/packet. PF_PACKET sockets are the right mechanism for supplying raw link-layer packets to an application and for allowing applications to send raw link-layer packets.I was thinking of copying the packets (with these extra details) to this new interface from which libpcap can read. Say this interface is xyz0, so when tcpdump is invoked like ./tcpdump -i xyz0, then libpcap should read from the new interface.Why do you have to implement a separate interface?I think some other wireless drivers do that -
but libpcap reads from those interfaces by reading from a PF_PACKET socket.
okay so its not netlink socket. Thanks for clarification
Well....the details i am looking for are present in the prism header. Also i believe that when hardware (wireless card) passes the information to driver, it passes only prism header right ? So how any further information !!!To supply information such as signal strength, have your new interface type provide an ARPHRD value of ARPHRD_IEEE80211_RADIOTAP, and supply radiotap headers with the information in question. If you do that, you will have to make *ABSOLUTELY NO CHANGES* to modern libpcap (i.e., libpcap 0.9.x and later).(Yes, a radiotap header is different from a Prism header. I'd like to see radiotap headers conquer the Linux world they way they've conquered the BSD world.)
Please let me know if i am thinking in the right direction.Any other nice approach to get these extra details from kernel space to user space ?The correct approach for that in Linux is PF_PACKET sockets, as if you do that right, you don't have to do *anything* to libpcap. (Changing as few pieces of software as possible is, *ceteris paribus*, a Good Thing.)
surely agree
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Thanks -madhuresh -- Madhuresh Agrawal Senior Undergraduate Department of Computer Science and Engineering Indian Institute of Technology Kanpur - 208016 Phone : (+91) 9935184990 HomePage: http://home.iitk.ac.in/~madhurag - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- libpcap madhurag (Aug 29)
- Re: libpcap Rick Jones (Aug 30)
- libpcap : Reading from kernel interface madhurag (Aug 30)
- Re: libpcap : Reading from kernel interface Rick Jones (Aug 30)
- Re: libpcap : Reading from kernel interface Guy Harris (Aug 31)
- Re: libpcap : Reading from kernel interface madhuresh (Aug 31)
- Re: libpcap : Reading from kernel interface Guy Harris (Sep 01)
- Re: libpcap : Reading from kernel interface madhuresh (Sep 01)
- libpcap : Reading from kernel interface madhurag (Aug 30)
- Re: libpcap Rick Jones (Aug 30)