tcpdump mailing list archives

Re: Libpcap capturing point


From: Jorge Lanza <jlanza () tlmat unican es>
Date: Mon, 28 Jul 2003 14:12:07 +0200

I've continued with my tests, and I think there's no way of doing what I like with pcap.

I've written a very simple netfilter module (a modification of an example found on the web), which I attach. I have printed some values of the packet while it is crossing netfilter. I modified this packet in order to see what is displayed in the ethereal window. Then I have set the packet to be dropped just to see if pcap captures all the packets or only the ones that pass all the linux network stack.

                Example dropping ICMP packet
                Value not modified data[50] = 2A
                Value modified data[50] = FF

Well, the packets are displayed, even the ones that should be dropped. However, the value displayed in ethereal is the modified one (FF). So it seems that pcap captures the packet somewhere in between the packet arrival at the network card and the end of the linux network stack.

Can anyone, probably a developer, explain that? At which point is the packet captured? Probably someone else has come up with this problem. I'm trying to get some statistics and I need to get them before the packet has been modified. I would like to avoid writing another kernel module or modifying the one already done.

Any help is really welcomed.

TA.

P.S.: If you would like to test it, just insmod the module and ping with -s 172 (that way the packet is modified and then discarded) while ethereal is capturing. Then read the info in ethereal. You'll see a value FF where it should be another.


At 11:12 24/07/2003 -0700, Guy Harris wrote:
>On Thu, Jul 24, 2003 at 07:49:12PM +0200, Jorge Lanza wrote:
>> We've been developing a virtual network device and now we are exporting it
>> to the netfilter philosophy. When capturing packets with libpcap (ethereal)
>> we are not sure at which level the packet is got. I say so, cause when
>> using netfilter we modify the packet information, and in ethereal the
>> information displayed is the packet with the modifications (some private
>> headers have been removed)
>>
>> So there's our doubt. Where does libpcap capture the packet? Before or
>> after the driver or after crossing all the ip stack?
>
>It depends on the way your network stack is set up, including your
>virtual network device, and on the way the packet capture mechanism in
>your OS works, and on the network interface on which you're capturing.
>
>> We want to see it as
>> it's received from the network without any modifications, is it
>> possible?
>
>If your virtual network device gets its input from a real network
>device, try capturing on the real network device.
>-
>This is the TCPDUMP workers list. It is archived at
>http://www.tcpdump.org/lists/workers/index.html
>To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe


--------------------------------------------

Jorge Lanza Calderón
Departamento Ingeniería Comunicaciones
Grupo de Ingeniería Telemática
Universidad de Cantabria
Avda. de los Castros, s/n
39005 - Santander  (España)
Tel: +34 942 200914
Fax: +34 942 201488
mailto:jlanza () tlmat unican es
Web: http://www.tlmat.unican.es

--------------------------------------------

Attachment: nfexample.c
Description:
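A small user-space checker, added here as an example (it is not the attached nfexample.c nor any tcpdump/libpcap project code): it walks a native-order pcap file of the kind ethereal/tcpdump write, finds the ICMP echo packets and reports the byte at ICMP offset 50, so a saved capture can be checked for the FF the hook wrote versus the 2A ping puts there. It assumes the module's data[50] is indexed from the ICMP header (which matches ping's fill pattern, payload byte j = j, so byte 42 reads 0x2A), a little-endian pcap on Ethernet, and a constructed sample packet in place of a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PCAP_GHDR 24   /* pcap global header */
#define PCAP_RHDR 16   /* pcap per-record header */
#define ETH_HLEN  14   /* Ethernet II header */
#define IP_MIN    20   /* IPv4 header without options */

static uint32_t rd32le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Byte at `off` counted from the ICMP header of the nth (0-based) ICMP echo packet
 * in a native-order pcap buffer; -1 if there is no such packet or `off` is outside it. */
int icmp_byte_at(const uint8_t *buf, size_t len, int nth, size_t off) {
    size_t pos = PCAP_GHDR; int seen = 0;
    if (len < PCAP_GHDR || rd32le(buf) != 0xa1b2c3d4) return -1;      /* bad magic */
    while (pos + PCAP_RHDR <= len) {
        uint32_t caplen = rd32le(buf + pos + 8);                       /* incl_len */
        const uint8_t *pkt = buf + pos + PCAP_RHDR;
        pos += PCAP_RHDR + caplen;
        if (pos > len) return -1;                                       /* truncated record */
        if (caplen < ETH_HLEN + IP_MIN + 8 || pkt[12] != 0x08 || pkt[13] != 0x00) continue;
        size_t ihl = (pkt[ETH_HLEN] & 0x0f) * 4;
        if (pkt[ETH_HLEN + 9] != 1) continue;                           /* not ICMP */
        const uint8_t *icmp = pkt + ETH_HLEN + ihl;
        if (icmp[0] != 8 && icmp[0] != 0) continue;                     /* echo request/reply only */
        if (seen++ != nth) continue;
        return (ETH_HLEN + ihl + off < caplen) ? icmp[off] : -1;
    }
    return -1;
}

/* Constructed sample: one echo request with a 172-byte payload filled the way ping
 * does (payload byte j = j), with ICMP data[50] overwritten to 0xFF as the hook did. */
size_t build_sample(uint8_t *out, size_t cap) {
    const size_t plen = 172, pktlen = ETH_HLEN + IP_MIN + 8 + plen, total = PCAP_GHDR + PCAP_RHDR + pktlen;
    const uint8_t ghdr[PCAP_GHDR] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, ghdr, PCAP_GHDR);                                      /* magic, v2.4, snaplen, DLT_EN10MB */
    uint8_t *rec = out + PCAP_GHDR, *pkt = rec + PCAP_RHDR, *icmp = pkt + ETH_HLEN + IP_MIN;
    rec[8] = rec[12] = (uint8_t)pktlen;                                /* incl_len = orig_len = 214 */
    pkt[12] = 0x08; pkt[13] = 0x00;                                    /* EtherType IPv4 */
    pkt[ETH_HLEN] = 0x45; pkt[ETH_HLEN + 9] = 1;                       /* IPv4, IHL 5, protocol ICMP */
    icmp[0] = 8;                                                       /* echo request */
    for (size_t j = 0; j < plen; j++) icmp[8 + j] = (uint8_t)j;
    icmp[50] = 0xFF;                                                   /* hook's value; ping wrote 0x2A */
    return total;
}

/* Convenience: byte `off` of the nth echo packet in the constructed sample. */
int sample_byte(int nth, size_t off) {
    uint8_t buf[512];
    return icmp_byte_at(buf, build_sample(buf, sizeof buf), nth, off);
}
```

Point the same parser at a real capture file and a value of 0x2A at offset 50 means the capture saw the packet before the hook touched it, 0xFF means after.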
