tcpdump mailing list archives

some questions about libpcap, especially with fork() called


From: wen lui <esolvepolito () gmail com>
Date: Mon, 8 Apr 2013 00:25:47 +0200

I want to use libpcap to capture some packets in my TCP server program.
Some of the snippets in my program are like:


        handle = pcap_open_live(dev, BUFSIZ, 0, 0, errbuf);
        if (pcap_compile(handle, &fp, filter_exp, 0, mask) == -1) {
            fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(handle));
            return -1;
        }
        pcap_setfilter(handle, &fp);
        struct pcap_pkthdr pcap_header;      // The header that pcap gives us
        const u_char *pcap_packet;           // The actual packet

        // proxy server listen, waiting for receiver's tcp request
        listen(listenfd, 1024);
        connfd = accept(listenfd, (struct sockaddr *)&sender_addr, &sock_len);
        pcap_packet = pcap_next(handle, &pcap_header);

        pid = fork();
        if (pid == 0)  // child process ("==", not the "=" assignment of the original snippet)
        {
            pcap_packet = pcap_next(handle, &pcap_header);
        }
        // blabla.....


listenfd is bound to port 3000.
My questions are:

1. I don't know how the pcap handle works. My understanding is: when the
pcap_open_live() function is called and the filter is set, it will capture
all matching packets and put them in a FIFO queue somewhere. Then, each
time I call pcap_next(), the packet at the head of the FIFO queue is
fetched. Is that correct or not?

2. What is the granularity of the packets? If there is IP fragmentation, are
they IP packets or TCP/UDP packets? How do I get only layer-4 packets?


3. When there are incoming TCP connections, for each connection I want to
capture the final ACK packet and the following data packets and FIN/ACK
packets, which all have the ACK flag set to 1, so the filter_exp is
something like "port 54000 and tcp[tcpflags] & (tcp-ack) != 0".

The problem is, when in the child process, will the pcap handle still
work? What is the mechanism when fork() is called?

thanks!
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
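An added example for question 2 (it is not the poster's code and not part of libpcap): what pcap_next() hands back is one link-layer frame, so to get at "layer-4 packets" the program has to walk Ethernet II -> IPv4 -> TCP itself, and only a fragment with offset 0 carries the TCP header at all. The code below does that walk with bounds checks, reports later fragments and truncated snapshots separately, and evaluates the same condition as the post's filter (port 54000 and ACK set) on the parsed headers. It assumes Ethernet II framing, IPv4 without options in the constructed frames, and uses in-memory frames it builds itself, so it runs without libpcap or a capture device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of one captured frame (a pcap_next() result is one link-layer frame). */
enum l4_result {
    L4_NOT_IPV4 = 0,    /* not an Ethernet II / IPv4 frame */
    L4_TRUNCATED,       /* capture shorter than the headers it claims to carry */
    L4_NOT_TCP,         /* IPv4 but a different transport protocol */
    L4_LATER_FRAGMENT,  /* IPv4 fragment with offset > 0: it carries no TCP header */
    L4_TCP              /* TCP header present; tcp_info filled in */
};

struct tcp_info {
    uint16_t src_port, dst_port;
    uint8_t  flags;           /* raw flags byte: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 */
    int      more_fragments;  /* IPv4 MF bit: the TCP payload continues in later fragments */
    uint32_t payload_len;     /* TCP payload bytes present in this frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk Ethernet II -> IPv4 -> TCP over caplen captured bytes, bounds-checking every step. */
enum l4_result parse_tcp(const uint8_t *pkt, uint32_t caplen, struct tcp_info *out)
{
    const uint32_t eth_len = 14;
    if (caplen < eth_len) return L4_TRUNCATED;
    if (be16(pkt + 12) != 0x0800) return L4_NOT_IPV4;            /* EtherType IPv4 */
    const uint8_t *ip = pkt + eth_len;
    if (caplen < eth_len + 20) return L4_TRUNCATED;
    if ((ip[0] >> 4) != 4) return L4_NOT_IPV4;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;                 /* header length incl. options */
    uint16_t total_len = be16(ip + 2);
    if (ihl < 20 || total_len < ihl || caplen < eth_len + total_len) return L4_TRUNCATED;
    if (ip[9] != 6) return L4_NOT_TCP;                           /* protocol field */
    uint16_t frag = be16(ip + 6);
    if ((frag & 0x1fff) != 0) return L4_LATER_FRAGMENT;          /* fragment offset, 8-byte units */
    const uint8_t *tcp = ip + ihl;
    uint32_t ip_payload = total_len - ihl;
    if (ip_payload < 20) return L4_TRUNCATED;
    uint32_t doff = (uint32_t)(tcp[12] >> 4) * 4;                /* TCP data offset */
    if (doff < 20 || doff > ip_payload) return L4_TRUNCATED;
    out->src_port = be16(tcp);
    out->dst_port = be16(tcp + 2);
    out->flags = tcp[13];
    out->more_fragments = (frag & 0x2000) != 0;
    out->payload_len = ip_payload - doff;
    return L4_TCP;
}

/* Same condition as the post's filter "port 54000 and tcp[tcpflags] & (tcp-ack) != 0". */
int matches_ack_on_port(const uint8_t *pkt, uint32_t caplen, uint16_t port)
{
    struct tcp_info ti;
    if (parse_tcp(pkt, caplen, &ti) != L4_TCP) return 0;
    if (ti.src_port != port && ti.dst_port != port) return 0;
    return (ti.flags & 0x10) != 0;
}

/* Constructed frame (not a real capture): Ethernet II + IPv4 (no options) + TCP (no options).
   Checksums are left zero; the parser does not verify them. Returns the frame length. */
uint32_t build_frame(uint8_t *buf, uint16_t sport, uint16_t dport, uint8_t flags,
                     uint16_t frag_field, uint32_t payload_len)
{
    uint32_t total = 20 + 20 + payload_len;
    memset(buf, 0, 14 + total);
    buf[12] = 0x08; buf[13] = 0x00;                              /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                                /* version 4, IHL 5 */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[6] = (uint8_t)(frag_field >> 8); ip[7] = (uint8_t)frag_field;
    ip[8] = 64; ip[9] = 6;                                       /* TTL, protocol TCP */
    uint8_t *tcp = ip + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                              /* data offset 5 (20 bytes) */
    tcp[13] = flags;
    memset(tcp + 20, 'A', payload_len);
    return 14 + total;
}

/* Five constructed scenarios; buf must hold at least 160 bytes. Returns caplen. */
static uint32_t make_scenario(int which, uint8_t *buf)
{
    switch (which) {
    case 0:  return build_frame(buf, 54000, 3000, 0x10, 0x0000, 0);     /* pure ACK */
    case 1:  return build_frame(buf, 54000, 3000, 0x02, 0x0000, 0);     /* SYN: no ACK flag */
    case 2:  return build_frame(buf, 54000, 3000, 0x18, 0x2000, 100);   /* first fragment, MF set */
    case 3:  return build_frame(buf, 54000, 3000, 0x18, 0x0005, 100);   /* later fragment, offset 40 */
    default: build_frame(buf, 54000, 3000, 0x10, 0x0000, 0); return 30; /* snapshot cut inside IP header */
    }
}

int scenario_class(int which)   /* enum l4_result for scenario `which` */
{
    uint8_t buf[256]; struct tcp_info ti;
    uint32_t n = make_scenario(which, buf);
    return parse_tcp(buf, n, &ti);
}

int scenario_matches(int which) /* 1 if the post's filter condition holds */
{
    uint8_t buf[256];
    uint32_t n = make_scenario(which, buf);
    return matches_ack_on_port(buf, n, 54000);
}

int main(void)
{
    static const char *names[] = { "not IPv4", "truncated", "not TCP", "later fragment", "TCP" };
    for (int i = 0; i < 5; i++)
        printf("scenario %d: %s, filter match = %d\n", i, names[scenario_class(i)], scenario_matches(i));
    return 0;
}
```

The later-fragment scenario is the point of question 2: the second and later fragments of a large TCP segment arrive as IP packets with no TCP header, so any port or flag test can only be applied to the first fragment, and a capture program that needs the whole segment has to reassemble fragments itself or discard them deliberately. The truncated scenario shows why the snaplen passed to pcap_open_live() matters: a snapshot shorter than the headers has to be rejected rather than parsed.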

