Ethereal-dev: Re: [Ethereal-dev] a naive question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 4 Nov 2002 12:12:23 -0800
On Sun, Nov 03, 2002 at 11:40:08PM -0500, Farshad wrote:
> Even a hint like how ethereal is intercepting the packets on their
> way to the upper layers

Ethereal doesn't itself contain any code to intercept packets on their
way to the upper layers - that's done by the libpcap/WinPcap library,
which Ethereal uses to capture packets.  tcpdump, snort, and a number of
other programs use libpcap as well.

The way libpcap does that is:

	on UNIX, it uses some mechanism provided by the OS for doing so;

	on Windows, WinPcap consists of:

		a device driver;

		a library for communicating with that driver;

		a port of libpcap to Windows;

	and it uses the driver for doing so (the driver uses OS
	mechanisms).

(I.e., libpcap doesn't do that, either - it relies on OS kernel code to
do that.  It just sets up that code and reads the packets.)

> and what hooks it uses in the (Linux) kernel

On Linux, libpcap uses PF_PACKET sockets on 2.2 and later kernels, and
SOCK_PACKET sockets on 2.0[.x] kernels.  See the "packet(7)" man page.