Hanfei Sun

Reputation: 47051

Is libpcap implemented by socket API?

libpcap is used for packet capturing. As I understand, it can capture the network packets from all ports. And it can capture the packet data in the link layer (such as the Ethernet frame).

This looks a little confusing to me, because it seems impossible to intercept all network traffic (from all ports) by just using the socket API on Unix-like systems. Moreover, the socket API seems unable to get the information in the link layer (such as the header of the Ethernet frame).

Is it true that libpcap is implemented by socket API? If not, which OS-level API is used to implement it?

Upvotes: 1

Views: 982

Answers (5)

Asanka

Reputation: 618

Normally, applications use the kernel-level TCP stack. Instead of using the default kernel-level implementation, by using your own implementation of TCP/IP stack processing in user-space, you can bypass the kernel.

More reading: "zero copy networking" vs "kernel bypass".

According to that StackOverflow post, pcap is also doing kernel bypass.

Upvotes: 0

user862787

Reputation:

Is it true that libpcap is implemented by socket API?

If you're on Linux or IRIX, it is true. If you're on another flavor of UN*X, it is not true.

If not, which OS-level API is used to implement it?

On *BSD, OS X, AIX, and Solaris 11 and later: BPF.

On earlier versions of Solaris, and on HP-UX: STREAMS+DLPI.

it seems impossible to intercept all network traffic (from all ports) by just using the socket API in Unix-like system

On Linux, if you open a PF_PACKET socket, and don't bind it to a particular interface, packets from all interfaces are delivered to the socket.

socket API seems unable to get the information in link layer

You have to use the right type of socket, namely a PF_PACKET socket on Linux or a PF_RAW socket with a protocol of RAWPROTO_SNOOP on IRIX. Other UN*Xes don't have socket types for packet capture, and use other mechanisms.

Upvotes: 2

mcr

Reputation: 4705

libpcap is not part of the sockets API. On Linux PF_PACKET is used, which is an evolution of the BSD mechanism. On other operating systems there are other mechanisms (DLPI, Windows requires a DLL).
The capture-on-any-interface mechanism is a Linux-specific mechanism, and the capture occurs above the layer of the network interface. The capture mechanism inside the kernel either has an explicit call out to a kernel packet filter, or is inserted by adjusting the plumbing (SVR4).

Upvotes: 3

Alnitak

Reputation: 339786

On Linux, access to the raw packets needed by libpcap is done using a PF_PACKET socket.

See http://man7.org/linux/man-pages/man7/packet.7.html

Upvotes: 1
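The PF_PACKET mechanism that user862787 and Alnitak describe, as an added example (not code from any of the answers or from libpcap itself): a minimal Linux capture that opens a PF_PACKET/SOCK_RAW socket, deliberately does not bind it to an interface so frames from every interface arrive, and decodes the Ethernet header the socket API would otherwise hide. The `eth_info` struct and the two helper names are this example's own; opening the socket needs CAP_NET_RAW (normally root).

```c
/* Added example (not code from the original answers): a minimal Linux
 * PF_PACKET capture showing that an unbound PF_PACKET socket receives
 * frames from every interface, Ethernet header included.
 * Needs CAP_NET_RAW (normally root) to open the socket. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct eth_info { uint8_t dst[6], src[6]; uint16_t ethertype; };

/* Decode the 14-byte Ethernet II header; ethertype is returned in host
 * byte order (0x0800 = IPv4). Returns 0 on success, -1 if too short. */
int parse_ethernet(const unsigned char *frame, size_t len, struct eth_info *out)
{
    if (len < 14) return -1;
    memcpy(out->dst, frame, 6);
    memcpy(out->src, frame + 6, 6);
    out->ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    return 0;
}

/* SOCK_RAW keeps the link-layer header; ETH_P_ALL asks for every
 * EtherType. Not calling bind() is what makes this an "any" capture. */
int open_capture_socket(void) { return socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); }

int main(void)
{
    unsigned char buf[65536];
    struct sockaddr_ll from;
    struct eth_info e;
    int fd = open_capture_socket();
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    for (;;) {
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); break; }
        /* sll_ifindex tells us which interface the frame arrived on */
        if (parse_ethernet(buf, (size_t)n, &e) == 0)
            printf("ifindex=%d ethertype=0x%04x len=%zd\n", from.sll_ifindex, e.ethertype, n);
    }
    close(fd);
    return 0;
}
```

The `ifindex` printed for each frame is the same value `bind()` would take in a `struct sockaddr_ll`, which is how libpcap restricts a capture to one interface when the user names one.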

user207421

Reputation: 310860

It's implemented by inserting a driver into the network stack.

Upvotes: -1
