Ethereal-dev: [Ethereal-dev] Libpcap & Ethereal capturing point

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Johnny Choque" <jchoque@xxxxxxxxxxxxxxx>
Date: Thu, 28 Nov 2002 18:59:26 +0100

Dear all,

We have used Ethereal and other libpcap-based tools to capture traffic for
some time in our research activities (we are Linux-Red Hat users). So far
we haven't been able to understand completely how the capture process
works exactly.

Let us explain our doubt with one example:

Using the netfilter framework: We send an ICMP packet, and before putting it
onto the transmission medium, we change the protocol type within the IP
header (using an unknown type). When we receive this packet, using the
PRE_ROUTING hook, we change the IP protocol type again to 0x01 (ICMP) (we
know this by dumping the whole IP header). The PRE_ROUTING hook is activated
within the IP code, after the netif_rx function has been called from the eth
driver to pass the packet to IP. When seeing this packet using Ethereal, the
protocol type is 0x01. It seems, therefore, that the packet has been captured
after changing this field, whereas in our opinion it should have got it
before (when netif_rx is called).

From the scenario described above, we have imagined that the socket buffer
is not captured just after the netif_rx function is called. Where exactly is
the packet captured by libpcap? How is it handled by the
capturing tool (Ethereal in this case)? Could you please shed some light here
for us? We would really appreciate any kind of help.

Best Regards and thanks in advance

CC: Please, we would like to be personally CC'ed on any reply to this message,
as we are not going to subscribe to the list.