Re: Libpcap capturing point

[Guy Harris <guy () alum mit edu>]

On Thu, Jul 24, 2003 at 07:49:12PM +0200, Jorge Lanza wrote:
> We've been developing a virtual network device and now we are exporting it 
> to the netfilter phylosophy. When capturing packets with libpcap (ethereal) 
> we are not sure at which level the packet is got. I say so, cause when 
> using netfilter we modify the packet information, and in ethereal the 
> information displayed is the packet with the modifications (some private 
> headers has been removed)
>
> So there's our doubt. Where does libpcap capture the packet? Before or 
> after the driver or after crossing all the ip stack?

It depends on the way your network stack is set up, including your
virtual network device, and on the way the packet capture mechanism in
your OS works, and on the network interface on which you're capturing.

> We want to see it as 
> it's received from the network without any modifications, is it
> possible?

If your virtual network device gets its input from a real network
device, try capturing on the real network device.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe