On Sun, Nov 03, 2002 at 11:40:08PM -0500, Farshad wrote:
> Even a hint like how ethereal is intercepting the packets on their
> way to the upper layers

Ethereal doesn't itself contain any code to intercept packets on their way to the upper layers - that's done by the libpcap/WinPcap library, which Ethereal uses to capture packets. tcpdump, snort, and a number of other programs use libpcap as well.

The way libpcap does that is:

    on UNIX, it uses some mechanism provided by the OS for doing so;

    on Windows, WinPcap consists of:

        a device driver;

        a library for communicating with that driver;

        a port of libpcap to Windows;

    and it uses the driver for doing so (the driver uses OS mechanisms).

(I.e., libpcap doesn't do that, either - it relies on OS kernel code to do that. It just sets up that code and reads the packets.)

> and what hooks it uses in the (Linux) kernel

On Linux, libpcap uses PF_PACKET sockets on 2.2 and later kernels, and SOCK_PACKET sockets on 2.0[.x] kernels. See the "packet(7)" man page.
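The following is an added example, not part of the original message and not libpcap's or Ethereal's own code. It shows the Linux kernel facility the reply names, a PF_PACKET socket as described in packet(7), opened directly without libpcap: the socket is bound to an interface, each recv() returns one whole link-layer frame, and a small parser pulls the Ethernet header out of it. The interface name ("lo" by default), the ethertype names and the constructed sample frame are assumptions of this example. Opening the socket needs CAP_NET_RAW, which is exactly why a capture tool has to run with elevated privileges; the parser itself is portable and runs without any privilege.

```c
/* Added example: minimal PF_PACKET capture on Linux (the hook libpcap uses
 * on 2.2+ kernels, see packet(7)), plus an Ethernet II header parser.
 * Not code from the original post or from libpcap. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <arpa/inet.h>        /* htons */
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* struct sockaddr_ll */
#include <net/if.h>           /* if_nametoindex */
#include <sys/socket.h>
#include <unistd.h>
#endif

#define ETH_HDR_LEN 14

struct eth_summary {
    uint8_t  dst[6];
    uint8_t  src[6];
    uint16_t ethertype;    /* host byte order, e.g. 0x0800 for IPv4 */
    size_t   payload_len;  /* bytes following the 14-byte header */
};

/* Parse the Ethernet II header at the start of a captured frame.
 * Returns 0 on success, -1 if the frame is too short to hold a header.
 * Portable: works on any byte buffer, no socket needed. */
int parse_ethernet(const uint8_t *frame, size_t len, struct eth_summary *out)
{
    if (frame == NULL || out == NULL || len < ETH_HDR_LEN)
        return -1;
    memcpy(out->dst, frame, 6);
    memcpy(out->src, frame + 6, 6);
    out->ethertype = (uint16_t)((frame[12] << 8) | frame[13]); /* big-endian on the wire */
    out->payload_len = len - ETH_HDR_LEN;
    return 0;
}

/* Human-readable name for the common ethertypes (assumed mapping for display). */
const char *ethertype_name(uint16_t t)
{
    switch (t) {
    case 0x0800: return "IPv4";
    case 0x0806: return "ARP";
    case 0x86DD: return "IPv6";
    default:     return "other";
    }
}

/* Fill buf with a constructed 60-byte IPv4 frame (minimum Ethernet size):
 * dst 00:11:22:33:44:55, src 66:77:88:99:aa:bb, type 0x0800, zeroed payload.
 * Returns the frame length, or 0 if buf is too small. Constructed test data. */
size_t sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t hdr[ETH_HDR_LEN] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
        0x08, 0x00
    };
    if (buf == NULL || cap < 60)
        return 0;
    memset(buf, 0, 60);
    memcpy(buf, hdr, ETH_HDR_LEN);
    return 60;
}

/* Open a PF_PACKET/SOCK_RAW socket bound to ifname, receiving every protocol.
 * Returns the fd, or -1 with errno set (EPERM without CAP_NET_RAW,
 * ENOSYS on non-Linux builds of this example). */
int open_packet_socket(const char *ifname)
{
#ifdef __linux__
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
#else
    (void)ifname;
    errno = ENOSYS;
    return -1;
#endif
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "lo";  /* assumed default interface */
    int fd = open_packet_socket(ifname);
    if (fd < 0) {
        perror("open_packet_socket (needs CAP_NET_RAW on Linux)");
        return 1;
    }
#ifdef __linux__
    uint8_t buf[65536];
    for (int i = 0; i < 5; i++) {               /* show five frames, then stop */
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct eth_summary s;
        if (parse_ethernet(buf, (size_t)n, &s) == 0)
            printf("%02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x "
                   "type 0x%04x (%s), %zu payload bytes\n",
                   s.src[0], s.src[1], s.src[2], s.src[3], s.src[4], s.src[5],
                   s.dst[0], s.dst[1], s.dst[2], s.dst[3], s.dst[4], s.dst[5],
                   s.ethertype, ethertype_name(s.ethertype), s.payload_len);
    }
    close(fd);
#endif
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) against an interface that has traffic, e.g. `./capture eth0`; on the default "lo" it only sees loopback frames. Binding with sll_ifindex set restricts the socket to one interface, which is what a capture tool does when you pick an interface; leaving it at 0 would deliver frames from every interface. libpcap wraps this same socket and additionally installs a BPF filter on it and, on newer kernels, maps a ring buffer, but the kernel mechanism is the one shown here.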