On Feb 23, 2009, at 3:14 PM, Oliver Zheng wrote:
> How does Libpcap do it then if it's not with raw sockets?
To what does "it" refer in "how does libpcap do it"?
If by "it" you mean "capture and send raw link-layer packets", then,
on Linux, it uses a PF_PACKET socket (raw or cooked) rather than a raw
PF_INET socket. The latter might let you inject packets that look as
if they come from another machine, and have them seen by the Linux
TCP/IP stack; for better or worse, the former doesn't. PF_INET sockets
don't let you capture and send raw link-layer packets, so libpcap
can't use them, as its purpose is to capture and send raw link-layer
packets, not inject packets and have them seen by the local machine's
TCP/IP stack.
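The two kinds of PF_PACKET socket the reply mentions (raw and cooked), as an added example that is not part of the original message and is not libpcap's own code. It assumes Linux and an interface named `lo`; the helper name `open_packet_socket` is hypothetical, and the calls only succeed with CAP_NET_RAW.

```c
/* Added example (not libpcap source). Linux only. */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a PF_PACKET socket bound to one interface (hypothetical helper).
 * type = SOCK_RAW:   frames are delivered with their link-layer header.
 * type = SOCK_DGRAM: "cooked" mode, header stripped, metadata in sockaddr_ll.
 * Returns the descriptor, or -errno on failure. */
int open_packet_socket(const char *ifname, int type)
{
    struct sockaddr_ll sll;
    unsigned int ifindex = if_nametoindex(ifname);
    int fd, saved;

    if (ifindex == 0)
        return errno ? -errno : -ENODEV;   /* no such interface */
    fd = socket(PF_PACKET, type, htons(ETH_P_ALL));
    if (fd < 0)
        return -errno;                     /* EPERM without CAP_NET_RAW */
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);   /* every protocol on the link */
    sll.sll_ifindex = (int)ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        saved = errno;
        close(fd);
        return -saved;
    }
    return fd;
}

int main(void)
{
    const char *ifname = "lo";             /* assumed interface name */
    int raw = open_packet_socket(ifname, SOCK_RAW);
    int cooked = open_packet_socket(ifname, SOCK_DGRAM);

    printf("PF_PACKET/SOCK_RAW   on %s: %s\n", ifname, raw < 0 ? strerror(-raw) : "ok");
    printf("PF_PACKET/SOCK_DGRAM on %s: %s\n", ifname, cooked < 0 ? strerror(-cooked) : "ok");
    if (raw >= 0) close(raw);
    if (cooked >= 0) close(cooked);
    return 0;
}
```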