Hi Fabian, thanks for the link to your thesis. That's a well-put-together and very informative document.

I especially liked figure 2.2 (conceptual diagram of the Linux Socket Filter for incoming packets). In that figure, I see that any packet arriving at the "packet_input_queue" is sent towards libpcap and, of course, towards the real destination application. Is a similar architecture used for the outgoing packets, where (I guess) a "packet_output_queue" receives packets from the local application and then such packets are sent towards libpcap and then towards the kernel driver?

Thanks!

> Subject: Re: [tcpdump-workers] Where does libpcap get the incoming network
> data? From the driver?
> From: [email protected]
> Date: Mon, 7 Mar 2011 10:40:21 +0100
> To: [email protected]
>
> Hi,
>
> that depends on the OS.
>
> > 1. Does libpcap obtain incoming packet data from the nic's driver or from
> > somewhere else?
> > 2. Does libpcap obtain outgoing packet data from the linux IP layer or from
> > somewhere else?
>
> Actually it is in between. What happens is that libpcap requests a PF_PACKET
> socket which registers itself as a consumer of incoming packets on the same
> level as e.g. the IP Stack. Basically there is a centralized queue per NIC
> that is outside the driver context and keeps track of how many destinations
> packets need to be delivered.
>
> For more info you can check my master's thesis [1] in Section 2 or a Linux
> Journal article [2]. Note that by now, instead of copying the packets to the
> user space, memory-mapped versions of libpcap also exist. But that does not
> change the place where the packets are obtained from.
>
> best
> Fabian
>
> [1] http://www.net.t-labs.tu-berlin.de/~fabian/papers/da.pdf
> [2] http://www.linuxjournal.com/article/4852
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
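The PF_PACKET mechanism described in the quoted reply, as an added example that is not part of the original thread or of libpcap's source: a Linux packet socket opened for `ETH_P_ALL` receives frames in both directions and labels each one in `sockaddr_ll.sll_pkttype`, which is how a capture tool can tell incoming from outgoing traffic. The function names `pkttype_name`, `open_tap` and `dump_frames` are chosen here for illustration; running it requires CAP_NET_RAW.

```c
/* Added example: Linux only; opening the socket needs CAP_NET_RAW (e.g. root). */
#include <arpa/inet.h>        /* htons */
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* struct sockaddr_ll, PACKET_* */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Map sockaddr_ll.sll_pkttype to a direction label (see packet(7)). */
const char *pkttype_name(unsigned char t)
{
    switch (t) {
    case PACKET_HOST:      return "incoming (to this host)";
    case PACKET_BROADCAST: return "incoming (broadcast)";
    case PACKET_MULTICAST: return "incoming (multicast)";
    case PACKET_OTHERHOST: return "incoming (other host)";
    case PACKET_OUTGOING:  return "outgoing";
    default:               return "other";
    }
}

/* Register as a consumer of every protocol on every NIC; returns fd or -1. */
int open_tap(void)
{
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Read `count` frames, print their direction; returns frames read or -1. */
int dump_frames(int fd, int count)
{
    unsigned char buf[65536];
    int seen = 0;
    while (seen < count) {
        struct sockaddr_ll from;
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0,
                             (struct sockaddr *)&from, &flen);
        if (n < 0)
            return -1;
        printf("ifindex=%d len=%zd %s\n", from.sll_ifindex, n,
               pkttype_name(from.sll_pkttype));
        seen++;
    }
    return seen;
}

int main(void)
{
    int fd = open_tap();
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    int rc = dump_frames(fd, 10);
    close(fd);
    return rc < 0;
}
```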
