tcpdump mailing list archives

Re: Where does libpcap get the incoming network


From: Jorge Canas <jcanas2000 () hotmail com>
Date: Tue, 8 Mar 2011 10:44:35 -0500


Hi Fabian, thanks for the link to your thesis. That's a well put-together and very informative document.

I especially liked figure 2.2 (conceptual diagram of the Linux Socket Filter for incoming packets).

In that figure, I see that any packet arriving at the "packet_input_queue" is sent towards libpcap and, of course, towards the real destination application.

Is a similar architecture used for the outgoing packets, where (I guess) a "packet_output_queue" receives packets from the local application and then such packets are sent towards libpcap and then towards the kernel driver?

Thanks!

Subject: Re: [tcpdump-workers] Where does libpcap get the incoming network data? From the driver?
From: schneifa () net in tum de
Date: Mon, 7 Mar 2011 10:40:21 +0100
To: tcpdump-workers () lists tcpdump org

Hi, 

that depends on the OS.

1. Does libpcap obtain incoming packet data from the NIC's driver or from somewhere else?
2. Does libpcap obtain outgoing packet data from the Linux IP layer or from somewhere else?

Actually it is in between. What happens is that libpcap requests a PF_PACKET socket, which registers itself as a consumer of incoming packets on the same level as, e.g., the IP stack. Basically there is a centralized queue per NIC that is outside the driver context and keeps track of how many destinations packets need to be delivered to.

For more info you can check my master's thesis [1] in Section 2 or a Linux Journal article [2]. Note that by now, instead of copying the packets to user space, memory-mapped versions of libpcap also exist. But that does not change the place where the packets are obtained from.

best
Fabian

[1] http://www.net.t-labs.tu-berlin.de/~fabian/papers/da.pdf
[2] http://www.linuxjournal.com/article/4852

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
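
Added example (not part of the original messages and not libpcap's own code): a C tap that opens the kind of PF_PACKET socket described in the thread and reports, for each frame, the direction the kernel records in `sockaddr_ll.sll_pkttype` together with the EtherType. The helper names `direction`, `ethertype` and `open_tap` are hypothetical; the code assumes Linux and an Ethernet-framed interface.

```c
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Direction, from the sll_pkttype the kernel fills in for each frame. */
const char *direction(unsigned char pkttype)
{
    switch (pkttype) {
    case PACKET_HOST:      return "in: to this host";
    case PACKET_BROADCAST:
    case PACKET_MULTICAST: return "in: broadcast/multicast";
    case PACKET_OTHERHOST: return "in: other host (promiscuous)";
    case PACKET_OUTGOING:  return "out: sent by this host";
    default:               return "unknown";
    }
}

/* EtherType of a raw frame, or -1 if shorter than an Ethernet header. */
int ethertype(const uint8_t *frame, size_t len)
{
    struct ether_header eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, frame, sizeof eh);
    return ntohs(eh.ether_type);
}

/* ETH_P_ALL registers the socket for every protocol; returns fd or -1. */
int open_tap(void) { return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); }

int main(void)
{
    uint8_t buf[2048];
    struct sockaddr_ll from;
    int fd = open_tap();   /* needs CAP_NET_RAW, typically root */
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    for (int i = 0; i < 10; i++) {   /* show ten frames, then stop */
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); break; }
        printf("if=%d %-30s ethertype=0x%04x len=%zd\n", from.sll_ifindex,
               direction(from.sll_pkttype), (unsigned)ethertype(buf, (size_t)n), n);
    }
    close(fd);
    return 0;
}
```

Run with CAP_NET_RAW while generating some local traffic: frames sent by the host appear on the same socket marked `PACKET_OUTGOING`, alongside the received ones.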

