tcpdump mailing list archives

Re: important query on tcpdump header files and source codes


From: Guy Harris <guy () alum mit edu>
Date: Wed, 16 Jul 2008 00:33:41 -0700


On Jul 16, 2008, at 12:09 AM, Ignacio, Domingo Jr Ostria - igndo001 wrote:

> Or 2. When tcpdump does the packet capture, is it looking at/utilizing
> the kernel variables within the protocol stacks, or is it operating
> independently from the kernel?

It is *not* utilizing kernel variables in the TCP/IP protocol stack of the OS on which it's running; it is, instead, using whatever mechanism the OS (or, in the case of Windows, the WinPcap driver) provides for capturing raw network traffic.

In Linux, for example, tcpdump calls libpcap, which opens a PF_PACKET socket. The Linux networking stack delivers packets to that socket as well as to the IP input routine (which then hands TCP packets to the TCP input routine); the packets that libpcap sees have not been processed by the IP or TCP input code, and don't have any information from the IP or TCP input code, including the SRTT.

The *ONLY* way tcpdump (or Wireshark, or any *other* program that uses libpcap, such as Snort) will see the SRTT would be if the TCP implementation puts the SRTT into the packets it transmits, which it doesn't do (and which would involve adding a new TCP option). That won't help for packets your machine receives.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
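Added example, not code from the thread or from tcpdump/libpcap: a small C program that opens the same PF_PACKET socket libpcap opens on Linux and decodes the Ethernet/IPv4/TCP headers of each frame exactly as the socket delivers them. The point it makes concrete is the one above: every field is read straight off the wire, and nothing in the frame is supplied by the kernel's IP or TCP input code, so there is no SRTT to find. The function and struct names (`decode_frame`, `tcp_summary`), the `sample_frame` bytes, and the optional interface argument are this example's own constructions; the socket itself needs CAP_NET_RAW, so run it as root.

```c
/* Added example (not from the thread or from libpcap): capture raw frames
 * on Linux via PF_PACKET and decode Ethernet/IPv4/TCP by hand. Nothing here
 * comes from the kernel's IP/TCP input code; it is just the bytes on the wire.
 * Build: cc -o rawcap rawcap.c   Run: sudo ./rawcap [ifname]               */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP      6

struct tcp_summary {              /* example-defined, hypothetical name */
    uint32_t src_ip, dst_ip;      /* network byte order, as on the wire */
    uint16_t src_port, dst_port;  /* host byte order */
    uint32_t seq, ack;            /* host byte order */
    uint8_t flags;                /* raw TCP flag byte */
    size_t payload_len;           /* TCP payload bytes inside this frame */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decode one frame as PF_PACKET hands it over: Ethernet, IPv4, TCP.
 * Returns 0 on success, -1 if it is not a complete IPv4/TCP frame.
 * Checksums are deliberately not verified: a capture sees bytes, not the
 * stack's verdict on them. */
int decode_frame(const uint8_t *f, size_t len, struct tcp_summary *out)
{
    if (len < 14 || rd16(f + 12) != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = f + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = rd16(ip + 2);
    if (ihl < 20 || tot < ihl || tot > avail || ip[9] != PROTO_TCP) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = tot - ihl;
    if (tcp_len < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcp_len) return -1;
    memcpy(&out->src_ip, ip + 12, 4);
    memcpy(&out->dst_ip, ip + 16, 4);
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);
    out->ack = rd32(tcp + 8);
    out->flags = tcp[13];
    out->payload_len = tcp_len - doff;
    return 0;
}

/* Constructed sample frame (not a real capture): a 54-byte SYN from
 * 10.0.0.1:1234 to 10.0.0.2:80 with checksums zeroed. */
const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,          /* IPv4 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,          /* TCP */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};
const size_t sample_frame_len = sizeof sample_frame;

#ifdef __linux__
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    /* The socket libpcap opens on Linux: raw frames of every protocol. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    if (argc > 1) {                            /* optional: one interface only */
        struct sockaddr_ll sll;
        memset(&sll, 0, sizeof sll);
        sll.sll_family = AF_PACKET;
        sll.sll_protocol = htons(ETH_P_ALL);
        sll.sll_ifindex = (int)if_nametoindex(argv[1]);
        if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
            perror("bind"); return 1;
        }
    }
    uint8_t buf[65536];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct tcp_summary s;
        if (decode_frame(buf, (size_t)n, &s) != 0) continue;   /* not IPv4/TCP */
        char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &s.src_ip, src, sizeof src);
        inet_ntop(AF_INET, &s.dst_ip, dst, sizeof dst);
        printf("%s:%u > %s:%u seq=%u ack=%u flags=0x%02x len=%zu\n",
               src, s.src_port, dst, s.dst_port, s.seq, s.ack, s.flags, s.payload_len);
    }
    close(fd);
    return 0;
}
#else
int main(void) { fputs("PF_PACKET is Linux-only\n", stderr); return 1; }
#endif
```

Note that the decoder has no place to put an SRTT because the frame has none; the only TCP state visible to a capture is what the segment header carries (ports, sequence and acknowledgement numbers, flags, window, options). Anything the stack computes about a connection after receiving those bytes stays in the kernel's socket state.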

