Ethereal-dev: Re: [Ethereal-dev] Libpcap & Etheral capturing point

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 28 Nov 2002 12:56:14 -0800
On Thu, Nov 28, 2002 at 06:59:26PM +0100, Johnny Choque wrote:
> From the scenario described above, we have imagined that the socket buffer
> is not captured just afterwards the netif_rx function is called. Where is
> the packet exactly captured by the libpcap?

On Linux, libpcap captures packets using PF_PACKET sockets (or, on 2.0
kernels or with libpcap built on a 2.0-kernel system,
PF_INET/SOCK_PACKET sockets).

I don't have time right now to once again plow through the Linux
networking code to check where those packets are picked up; I'd suggest
reading the Linux networking code yourself, or asking somebody on, say,
the linux-net mailing list.

> How is it handled by the capturing tool

That depends on the capturing tool.

> (ethereal in this case)?

In the case of Ethereal, it does a simple-minded partial dissection to
update the packet counts and then writes it to the capture file; that
file is either read when the capture is stopped or, if you're doing an
"Update list of packets in real time" capture, read by the main Ethereal
process when the subprocess that is doing the capturing tells it that new
packets have arrived.

It does not modify the IP protocol number field, if that's why you're
asking how Ethereal handles it.  Other capture tools probably don't do
so either.
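Added example (not code from this thread, from libpcap, or from Ethereal): a minimal Linux capture loop in C showing the two things the reply describes, a PF_PACKET/SOCK_RAW socket bound to one interface, and a "simple-minded partial dissection" (here, just reading the EtherType through an optional 802.1Q tag) used to keep packet counts. The socket type, `ETH_P_ALL`, `struct sockaddr_ll` and `PACKET_OUTGOING` are the real Linux kernel interface; the interface name is assumed to come from `argv[1]`, and opening the socket needs CAP_NET_RAW, which is why `capture_privilege_check()` is included to report a refusal rather than fail silently.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Minimal "partial dissection" of a captured Ethernet frame: return its
 * 16-bit EtherType (0x0800 IPv4, 0x86DD IPv6, 0x0806 ARP, ...), looking
 * through one 802.1Q VLAN tag. Returns -1 if the frame is too short,
 * the truncation case a packet counter must not trip over. */
int frame_ethertype(const unsigned char *frame, size_t len)
{
    if (len < 14)
        return -1;
    unsigned type = ((unsigned)frame[12] << 8) | frame[13];
    if (type == 0x8100) {               /* 802.1Q tag: real type is 4 bytes later */
        if (len < 18)
            return -1;
        type = ((unsigned)frame[16] << 8) | frame[17];
    }
    return (int)type;
}

/* Open a PF_PACKET/SOCK_RAW socket, the socket type libpcap uses on
 * 2.2+ Linux kernels, and bind it to one interface (ifname == NULL binds
 * to all). Returns the descriptor, or -1 with errno set. Needs CAP_NET_RAW. */
int open_capture_socket(const char *ifname)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    if (ifname != NULL) {
        sll.sll_ifindex = (int)if_nametoindex(ifname);
        if (sll.sll_ifindex == 0) {     /* no such interface */
            close(fd);
            errno = ENODEV;
            return -1;
        }
    }
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Probe whether this process may open a capture socket at all:
 * 1 = yes, 0 = refused for lack of privilege (EPERM/EACCES),
 * 2 = packet sockets unavailable on this system, -1 = other error. */
int capture_privilege_check(void)
{
    int fd = open_capture_socket(NULL);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    if (errno == EPERM || errno == EACCES)
        return 0;
    if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT || errno == ESOCKTNOSUPPORT)
        return 2;
    return -1;
}

/* Capture a handful of frames from the interface named on the command line
 * and keep per-EtherType counts, the way a capture tool updates its packet
 * counters from a partial dissection before writing the frame out. */
int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : NULL;   /* assumed usage: ./capture eth0 */
    int fd = open_capture_socket(ifname);
    if (fd < 0) {
        perror("open_capture_socket (CAP_NET_RAW required)");
        return 1;
    }
    unsigned ipv4 = 0, ipv6 = 0, arp = 0, other = 0, truncated = 0;
    unsigned char buf[65536];
    for (int i = 0; i < 20; i++) {
        struct sockaddr_ll from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0,
                             (struct sockaddr *)&from, &fromlen);
        if (n < 0) {
            perror("recvfrom");
            break;
        }
        /* sll_pkttype says whether the kernel handed us an inbound frame
         * or one of our own outbound frames (PACKET_OUTGOING). */
        int type = frame_ethertype(buf, (size_t)n);
        switch (type) {
        case 0x0800: ipv4++; break;
        case 0x86DD: ipv6++; break;
        case 0x0806: arp++;  break;
        case -1:     truncated++; break;
        default:     other++; break;
        }
        printf("%s frame, %zd bytes, EtherType %#06x\n",
               from.sll_pkttype == PACKET_OUTGOING ? "outbound" : "inbound",
               n, type < 0 ? 0u : (unsigned)type);
    }
    printf("ipv4=%u ipv6=%u arp=%u other=%u truncated=%u\n",
           ipv4, ipv6, arp, other, truncated);
    close(fd);
    return 0;
}
```

The counting is done on the raw frame before anything else touches it, and, as the reply says of Ethereal, nothing in the packet is modified. Because the socket open is the only privileged step, a tool built this way can do it in a small separate process and hand the frames (or the capture file) to an unprivileged reader, which is the split the reply describes between the capturing subprocess and the main Ethereal process.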