tcpdump mailing list archives

Re: important query on tcpdump header files and source codes


From: "Ignacio, Domingo Jr Ostria - igndo001" <DomingoJr.Ignacio () postgrads unisa edu au>
Date: Wed, 16 Jul 2008 17:38:22 +0930

Hello,

Thank you very very much. I understand my predicament now ;)

I inspected and studied the linux kernel source codes, tcp_input.c,
tcp_output.c, tcp_ipv4.c and tcp.c and it is only on the tcp_input source
code where there is a provision on TCP options to be added. There are no
provisions on TCP options from the other codes mentioned above. Am I
right on this one guys or did I miss out something (probably it could
be on the other codes I haven't mentioned above)? Thanks again for the
help!

Cheers,
dom 


-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris
Sent: Wednesday, 16 July 2008 5:04 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] important query on tcpdump header files and source codes


On Jul 16, 2008, at 12:09 AM, Ignacio, Domingo Jr Ostria - igndo001 wrote:

> Or 2. When the tcpdump do the packet capture, is it looking/utilizing
> the kernel variables within the protocol stacks or it is operating
> independently from the kernel?

It is *not* utilizing kernel variables in the TCP/IP protocol stack of  
the OS on which it's running; it is, instead, using whatever mechanism  
the OS (or, in the case of Windows, the WinPcap driver) provides for  
capturing raw network traffic.

In Linux, for example, tcpdump calls libpcap, which opens a PF_PACKET  
socket.  The Linux networking stack delivers packets to that socket as  
well as to the IP input routine (which then hands TCP packets to the  
TCP input routine); the packets that libpcap sees have not been  
processed by the IP or TCP input code, and don't have any information  
from the IP or TCP input code, including the SRTT.

The *ONLY* way tcpdump (or Wireshark, or any *other* program that uses  
libpcap, such as Snort) will see the SRTT would be if the TCP  
implementation puts the SRTT into the packets it transmits, which it  
doesn't do (and which would involve adding a new TCP option).  That  
won't help for packets your machine receives.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
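The capture path Guy describes, as an added example that is not part of this thread: a small Python parser for a constructed Ethernet/IPv4/TCP SYN frame laid out the way a PF_PACKET socket hands it to libpcap. Everything it recovers (ports, flags, the TCP options Domingo asked about) is on the wire; there is no field for SRTT because the sending kernel never puts one there, so a capture-side tool can only work with what the option list actually carries.

```python
import struct

# Constructed sample frame (Ethernet + IPv4 + TCP SYN with a typical Linux option
# set), laid out as a PF_PACKET socket delivers it to libpcap. Nothing here comes
# from the receiving kernel's TCP state (SRTT, cwnd, ...): only wire bytes exist.
TCP_OPTIONS = (b"\x02\x04\x05\xb4"                             # MSS = 1460
               + b"\x04\x02"                                   # SACK permitted
               + b"\x08\x0a" + struct.pack("!II", 12345678, 0)  # Timestamps
               + b"\x01"                                       # NOP padding
               + b"\x03\x03\x07")                              # Window scale = 7
TCP_HDR = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, 0,
                      (10 << 12) | 0x002,   # data offset 10 words, SYN flag set
                      29200, 0, 0) + TCP_OPTIONS
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_HDR), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
SAMPLE_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + IP_HDR + TCP_HDR


def parse_tcp_options(raw):
    """Walk the TCP option list into {name: value}; skip EOL/NOP, reject bad lengths."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # NOP: one-byte padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and length == 4:     # MSS
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:   # Window scale shift count
            opts["wscale"] = body[0]
        elif kind == 4 and length == 2:   # SACK permitted
            opts["sack_ok"] = True
        elif kind == 8 and length == 10:  # Timestamps (TSval, TSecr)
            opts["ts"] = struct.unpack("!II", body)
        else:                             # keep unknown kinds as raw bytes
            opts["unknown_%d" % kind] = body
        i += length
    return opts


def parse_frame(frame):
    """Decode the TCP header of a captured frame; only on-the-wire fields are returned."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4           # IHL is in 32-bit words
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    t = 14 + ihl
    sport, dport, seq, ack, doff_flags = struct.unpack_from("!HHIIH", frame, t)
    doff = (doff_flags >> 12) * 4          # TCP header length incl. options
    return {"sport": sport, "dport": dport, "seq": seq, "syn": bool(doff_flags & 0x02),
            "options": parse_tcp_options(frame[t + 20:t + doff])}
```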