Home page logo

wireshark logo Wireshark mailing list archives

Re: Where does libpcap capture frames?
From: Guy Harris <guy () alum mit edu>
Date: Thu, 26 Dec 2013 17:48:33 -0800

On Dec 26, 2013, at 7:53 AM, Stuart Kendrick <stuart.kendrick.sea () gmail com> wrote:

I've found this neat diagram of the functions called as a frame wends its way toward hardware (Figure 4 in Section 
2.3 in http://kernelnewbies.org/Networking?action=AttachFile&do=get&target=hacking_the_wholism_of_linux_net.txt) 
ending in rtl8169_start_xmit()

From the text, I'm guessing that various 'hooks' can dink with the frame:  NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, 
nowhere in there do I see where libpcap gets its copy

That's because they're not showing the guts of dev_hard_start_xmit() - in particularly, they're not showing the call to 

==> What functions can mess with a frame as it approaches hardware?  Obviously, libpcap can register a request for a 
copy ... what functions can discard the frame after libpcap gets its copy?

Functions called from the device's ndo_start_xmit routine.

Or the routine itself.
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]