* Question about sniffers and linux
@ 2001-12-07 18:44 salinarl
  2001-12-10  8:09 ` Abraham vd Merwe
  0 siblings, 1 reply; 3+ messages in thread
From: salinarl @ 2001-12-07 18:44 UTC (permalink / raw)
  To: linux-kernel

Hello to everyone,
I am new to kernel internals, and I would like to know how can a sniffer
read whole packets, I mean including the link layer header. In the receive
path, this happens, I think,  in the net_rx_action(), but in the transmit
path?
I know that there is a function called dev_queue_xmit_nit() for this, but
how can a driver add a link layer header to a packet before this function
gets called? The hard_start_xmit() of the driver is, in fact, called after
the dev_queue_xmit_nit(), (in the function dev_queue_xmit() ).
I think I'm missing something important about the subject, but I hope someone 
will answer me, anyway.
Thank you in advance,

Lanfranco


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Question about sniffers and linux
  2001-12-07 18:44 Question about sniffers and linux salinarl
@ 2001-12-10  8:09 ` Abraham vd Merwe
  2001-12-10 13:38   ` Lanfranco Salinari
  0 siblings, 1 reply; 3+ messages in thread
From: Abraham vd Merwe @ 2001-12-10  8:09 UTC (permalink / raw)
  To: salinarl; +Cc: Linux Kernel Development

Hi salinarl!

You don't need to write a kernel module to do this.

Use RAW sockets. (See man 2 socket). If you're not interested in the link
layer, you can also use DGRAM sockets to get everything from layer 3 and up
(ip, arp, etc.)

> I am new to kernel internals, and I would like to know how can a sniffer
> read whole packets, I mean including the link layer header. In the receive
> path, this happens, I think,  in the net_rx_action(), but in the transmit
> path?
> I know that there is a function called dev_queue_xmit_nit() for this, but
> how can a driver add a link layer header to a packet before this function
> gets called? The hard_start_xmit() of the driver is, in fact, called after
> the dev_queue_xmit_nit(), (in the function dev_queue_xmit() ).
> I think I'm missing something important about the subject, but I hope someone 
> will answer me, anyway.
> Thank you in advance,
> 
> Lanfranco

-- 

Regards
 Abraham

What we wish, that we readily believe.
		-- Demosthenes

__________________________________________________________
 Abraham vd Merwe - 2d3D, Inc.

 Device Driver Development, Outsourcing, Embedded Systems

  Cell: +27 82 565 4451         Snailmail:
   Tel: +27 21 761 7549            Block C, Antree Park
   Fax: +27 21 761 7648            Doncaster Road
 Email: abraham@2d3d.co.za         Kenilworth, 7700
  Http: http://www.2d3d.com        South Africa


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Question about sniffers and linux
  2001-12-10  8:09 ` Abraham vd Merwe
@ 2001-12-10 13:38   ` Lanfranco Salinari
  0 siblings, 0 replies; 3+ messages in thread
From: Lanfranco Salinari @ 2001-12-10 13:38 UTC (permalink / raw)
  To: Abraham vd Merwe; +Cc: linux-kernel


----- Original Message -----
From: Abraham vd Merwe <abraham@2d3d.co.za>
To: salinarl <Lanfranco.Salinari@icn.siemens.it>
Cc: Linux Kernel Development <linux-kernel@vger.kernel.org>
Sent: Monday, December 10, 2001 9:09 AM
Subject: Re: Question about sniffers and linux

>Hi salinarl!
>
>You don't need to write a kernel module to do this.
>
>Use RAW sockets. (See man 2 socket). If you're not interested in the link
>layer, you can also use DGRAM sockets to get everything from layer 3 and up
>(ip, arp, etc.)
>

Thank you for your answer, Abraham!
Perhaps I did not explain myself very well: I know about RAW sockets, but
the problem is that, for example, PPP headers are not passed to packet
sockets (for outgoing packets), because they are added inside the PPP driver
after the call to dev_queue_xmit_nit().
I don't know if this problem is typical of PPP, but it seems quite general,
to me. I think Ethernet headers are a special case, because they are taken
from a cache and added in the IP layer, so they are visible to packet sockets.
Can someone please tell me if I'm wrong?
Best regards,

Lanfranco

^ permalink raw reply	[flat|nested] 3+ messages in thread
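
Added example (not part of the thread, and not code from either poster): a minimal C sniffer on the packet socket interface from packet(7), the mechanism Abraham's reply points to. It opens a SOCK_RAW packet socket, uses sll_pkttype to tell transmitted frames from received ones, and parses the buffer as Ethernet only when sll_hatype reports an Ethernet device, which is the check relevant to the PPP case raised in the follow-up. frame_ethertype(), frame_is_outgoing() and sample_frame are names made up for this example.

```c
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if_arp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample: Ethernet header of a broadcast ARP frame. */
static const unsigned char sample_frame[ETH_HLEN] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* destination MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* source MAC (locally administered) */
    0x08, 0x06 };                         /* EtherType: ARP */

/* Hypothetical helper: EtherType when the device type says the buffer starts
 * with an Ethernet header, 0 when there is no such header to parse. */
unsigned frame_ethertype(const struct sockaddr_ll *from,
                         const unsigned char *buf, size_t len)
{
    if (from->sll_hatype != ARPHRD_ETHER || len < ETH_HLEN)
        return 0;                          /* e.g. ARPHRD_PPP, or truncated */
    return (unsigned)buf[12] << 8 | buf[13];   /* big-endian on the wire */
}

/* Hypothetical helper: 1 if the kernel tagged the frame as sent by this host. */
int frame_is_outgoing(const struct sockaddr_ll *from)
{
    return from->sll_pkttype == PACKET_OUTGOING;
}

int main(void)
{
    unsigned char buf[2048];
    struct sockaddr_ll from = { .sll_hatype = ARPHRD_ETHER };
    printf("sample ethertype=0x%04x\n", frame_ethertype(&from, sample_frame, ETH_HLEN));
    /* SOCK_RAW keeps the link-layer header; SOCK_DGRAM would strip it. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* needs CAP_NET_RAW */
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    for (int i = 0; i < 10; i++) {         /* show ten live frames */
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); break; }
        printf("if=%d %s hatype=%u len=%zd ethertype=0x%04x\n", from.sll_ifindex,
               frame_is_outgoing(&from) ? "TX" : "RX", (unsigned)from.sll_hatype,
               n, frame_ethertype(&from, buf, (size_t)n));
    }
    close(fd);
    return 0;
}
```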