Hi, I've recently started using libpcap and I have a few questions:
1) How can I prevent copies of certain packets (for example, those that satisfy
libpcap's capture filter) from being forwarded to and processed by the kernel's
protocol stack? I want to process incoming TCP segments on a given port myself using
libpcap with no interference from the kernel; for example, if a SYN segment is
received, I want to build and send the SYN ACK reply (including headers) myself
without the kernel's TCP generating its own SYN ACK. However, I don't want to process
any other ports and protocols myself so these should be handled normally by the
kernel. Is there a way to do this using libpcap?
The Raw IP Networking FAQ suggests using firewall software to block the desired TCP
port(s), which would prevent the kernel from processing the incoming TCP segments, but
wouldn't this also prevent libpcap from getting the segments? Or, does libpcap work
at a lower level than the firewall? Has anyone successfully done this?
2) What exactly is the difference between pcap_dispatch() and pcap_loop()? The man
page is unclear about this: it states that for pcap_dispatch(), "a cnt of 0 processes
all packets until [...] the read times out (when doing live reads and a non-zero read
timeout is specified)". This implies that if a zero read timeout _is_ specified in
the call to pcap_open_live(), pcap_dispatch() won't stop for timeouts, so does
pcap_dispatch() with timeout=0 work the same as pcap_loop()?
3) When pcap_lookupdev() is called with more than 1 network adapter installed in the
host computer, which one is returned?
Thanks for your help,
Nick
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html