On Sun, Nov 03, 2002 at 11:40:08PM -0500, Farshad wrote:
> Even a hint like how ethereal is intercepting the packets on their
> way to the upper layers
Ethereal doesn't itself contain any code to intercept packets on their
way to the upper layers - that's done by the libpcap/WinPcap library,
which Ethereal uses to capture packets. tcpdump, snort, and a number of
other programs use libpcap as well.
The way libpcap does that is:

    on UNIX, it uses some mechanism provided by the OS for doing so;

    on Windows, WinPcap consists of:

        a device driver;

        a library for communicating with that driver;

        a port of libpcap to Windows;

    and it uses the driver for doing so (the driver uses OS
    mechanisms).
(I.e., libpcap doesn't do that, either - it relies on OS kernel code to
do that. It just sets up that code and reads the packets.)
> and what hooks it uses in the (Linux) kernel
On Linux, libpcap uses PF_PACKET sockets on 2.2 and later kernels, and
SOCK_PACKET sockets on 2.0[.x] kernels. See the "packet(7)" man page.
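The PF_PACKET mechanism described in the reply above, as an added example that is not part of the original message and is not libpcap's or Ethereal's code: it opens the same kind of socket libpcap uses on a 2.2+ Linux kernel (socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))), optionally binds it to one interface, and reads frames with recvfrom() so the kernel also hands back a sockaddr_ll with the interface index and packet type (PACKET_OUTGOING marks frames leaving the host, which is why a capture sees both directions). It goes slightly beyond the message by parsing the Ethernet header and rejecting truncated frames. Assumptions: Linux with glibc, an interface name given on the command line (e.g. "eth0"; none means every interface), and CAP_NET_RAW (normally root) to open the socket. The ARP frame built by sample_arp_frame() is constructed for this example so the parser can be exercised without privileges.

```c
/* Minimal PF_PACKET capture, the mechanism libpcap uses on Linux 2.2+.
 * Added example, not libpcap/Ethereal code. Opening the socket needs
 * CAP_NET_RAW (root); the frame parser runs unprivileged. */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct frame_info {
    uint8_t  dst[ETH_ALEN];
    uint8_t  src[ETH_ALEN];
    uint16_t ethertype;    /* host byte order */
    size_t   payload_len;
};

/* Parse the 14-byte Ethernet header. 0 on success, -1 if the buffer is
 * shorter than a header (truncated capture): never index past the end. */
int parse_ethernet(const uint8_t *buf, size_t len, struct frame_info *fi)
{
    if (len < ETH_HLEN)
        return -1;
    memcpy(fi->dst, buf, ETH_ALEN);
    memcpy(fi->src, buf + ETH_ALEN, ETH_ALEN);
    fi->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    fi->payload_len = len - ETH_HLEN;
    return 0;
}

/* socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) is the 2.2+ hook from
 * packet(7). ifname NULL leaves it unbound (all interfaces). Returns the
 * fd, or -1 with errno set (EPERM when the caller lacks CAP_NET_RAW). */
int open_packet_socket(const char *ifname)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    if (ifname != NULL) {
        struct sockaddr_ll sll;
        memset(&sll, 0, sizeof sll);
        sll.sll_family   = AF_PACKET;
        sll.sll_protocol = htons(ETH_P_ALL);
        sll.sll_ifindex  = (int)if_nametoindex(ifname);
        if (sll.sll_ifindex == 0 ||
            bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
    }
    return fd;
}

/* Receive one frame; the kernel fills sockaddr_ll with the interface index
 * and sll_pkttype (PACKET_HOST/BROADCAST/MULTICAST/OTHERHOST/OUTGOING). */
ssize_t read_frame(int fd, uint8_t *buf, size_t len, struct sockaddr_ll *from)
{
    socklen_t fromlen = sizeof *from;
    return recvfrom(fd, buf, len, 0, (struct sockaddr *)from, &fromlen);
}

/* Constructed sample: a broadcast ARP request (42 bytes), so the parser
 * can be exercised without a live socket. Returns the frame length. */
size_t sample_arp_frame(uint8_t *buf)
{
    static const uint8_t frame[] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
        0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
        0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x01,
        0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x02,
    };
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

int main(int argc, char **argv)
{
    int fd = open_packet_socket(argc > 1 ? argv[1] : NULL);  /* e.g. "eth0" */
    if (fd < 0) {
        perror("open_packet_socket (needs CAP_NET_RAW)");
        return 1;
    }
    for (int i = 0; i < 5; i++) {
        uint8_t buf[65536];
        struct sockaddr_ll from;
        struct frame_info fi;
        ssize_t n = read_frame(fd, buf, sizeof buf, &from);
        if (n < 0) { perror("recvfrom"); break; }
        if (parse_ethernet(buf, (size_t)n, &fi) < 0) continue;
        printf("if%d pkttype=%u ethertype=0x%04x payload=%zu\n",
               from.sll_ifindex, from.sll_pkttype, fi.ethertype, fi.payload_len);
    }
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) and it prints five frames; without the capability, socket() fails with EPERM, which is the same reason tcpdump and Ethereal must be started privileged on Linux. Nothing here puts the interface into promiscuous mode; libpcap does that separately, and without it the socket only sees frames the interface would have accepted anyway.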