Where does Wireshark/tcpdump/libpcap intercept packets inside the Linux kernel?


Question

According to this, Wireshark is able to get the packet before it is dropped (therefore I cannot get such packets by myself). And I'm still wondering about the exact location in the Linux kernel where Wireshark fetches the packets.

The answer goes as "On UN*Xes, it uses libpcap, which, on Linux, uses AF_PACKET sockets." Does anyone have a more concrete example of using "AF_PACKET sockets"? If I understand Wireshark correctly, the network interface card (NIC) will make a copy of all incoming packets and send it to a filter (Berkeley Packet Filter) defined by the user. But where does this happen? Or am I wrong with that understanding, and do I miss anything here?

Thanks in advance!

Recommended answer

But where does this happen?

If I understood you correctly, you want to know where such a socket is initialized.
There is the pcap_create function, which tries to determine the type of the source interface, creates a duplicate of it and activates it.
For network interfaces see the pcap_create_interface function => pcap_create_common function => pcap_activate_linux function.
All initialization happens in pcap_activate_linux => activate_new function => iface_bind function
(copy the descriptor of the device with handlep->device = strdup(device);,
create the socket with socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)),
bind the socket to the device with bind(fd, (struct sockaddr *) &sll, sizeof(sll))).
For more detailed information read the comments in the source files of the mentioned functions - they are very detailed.
After initialization all the work happens in a group of functions such as pcap_read_linux, etc.

