Ethereal-users: Re: [Ethereal-users] Is packet sent out already?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 9 Mar 2003 16:30:30 -0800

On Sun, Mar 09, 2003 at 09:56:25AM -0800, Thong Hoang wrote:
> I am using Ethereal to capture a raw data packet that
> I sent out using PF_PACKET option in Linux. In the
> capture screen, I can see my packet (which I just sent
> out to eth0) being captured. But I am quite sure
> whether it is sent out to the network as when I check
> cat /proc/net/dev, there was an error report in the
> transmit column on that packet.
> My question is: if Ethereal can capture a packet that I
> sent out from the eth0 interface, was it really sent
> out to the network???

Not necessarily.

Ethernet interfaces do not receive the packets that they send out. 
The networking code and packet-capture code in most OSes will,
therefore, directly supply outgoing packets to the packet-capture
mechanism used by libpcap (and thus by programs such as tcpdump or
Ethereal that use libpcap) and, at the same time, attempt to send them
out on the network.

I think that, at least on some OSes, they do this at the time the packet
is supplied to the low-level networking code, rather than waiting until
they are sure that it will, in fact, be possible to transmit the packet.

One could perhaps argue that the responsibility for supplying packets to
the packet capture mechanism should belong to the networking device
driver, and that it should do so when it receives an indication from the
networking interface that the packet was successfully transmitted, as

	1) that means that you don't see the packet if it wasn't
	   successfully transmitted

and

	2) if, for example, the packet has to be retransmitted due to
	   Ethernet collisions, the time stamp will reflect the time at
	   which it was successfully transmitted rather than the time at
	   which it started trying to transmit the packet

but, unfortunately, I don't think that's the case on some OSes (it might
not be the case on any OSes).
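
An added example, not part of the original message and not Ethereal or libpcap code: because a captured outgoing frame does not prove transmission, one check is to compare the Linux /proc/net/dev transmit counters mentioned in the question before and after the send. The function names, verdict labels and sample snapshots are constructed for illustration.

```python
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")

def parse_tx(text):
    """Return {interface: {transmit field: count}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        nums = rest.split()
        if not sep or len(nums) < 16:
            continue  # header lines have no "iface:" prefix
        # Columns 0-7 are receive counters, 8-15 are transmit counters.
        stats[name.strip()] = dict(zip(TX_FIELDS, map(int, nums[8:16])))
    return stats

def tx_verdict(before, after, iface, sent=1):
    """Classify what happened to `sent` frames between two snapshots.

    Heuristic only: counters are per interface, so unrelated traffic on the
    same interface also moves them. Run it on an otherwise quiet interface.
    """
    b, a = parse_tx(before)[iface], parse_tx(after)[iface]
    delta = {k: a[k] - b[k] for k in TX_FIELDS}
    if delta["errs"] > 0 or delta["drop"] > 0:
        return "tx_failed", delta      # driver reported a transmit problem
    if delta["packets"] >= sent:
        return "tx_counted", delta     # driver counted the frames as sent
    return "inconclusive", delta       # capture saw it, counters did not move

HEADER = (  # constructed sample, laid out like /proc/net/dev
    "Inter-|   Receive                            |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast"
    "|bytes packets errs drop fifo colls carrier compressed\n"
)
BEFORE = HEADER + "  eth0:123456 789 0 0 0 0 0 0 65432 321 2 0 0 5 1 0\n"
AFTER_FAILED = HEADER + "  eth0:123456 789 0 0 0 0 0 0 65432 321 3 0 0 5 2 0\n"
AFTER_SENT = HEADER + "  eth0:123456 789 0 0 0 0 0 0 65492 322 2 0 0 5 1 0\n"

if __name__ == "__main__":
    for label, after in (("failed", AFTER_FAILED), ("sent", AFTER_SENT)):
        print(label, tx_verdict(BEFORE, after, "eth0"))
```

On a live system the two snapshots would be the contents of /proc/net/dev read immediately before and after the send.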