Topic : Raw IP Networking FAQ
Author : Thamer Al-Harbash
Page : << Previous 2  Next >>
Go to page :

           adjustable details (includes diagnostics).        

                     tcpflow is a program that captures data          
                     transmitted as part of TCP connections (flows),  
                     and stores the data in a way that is convenient  
                     for protocol analysis or debugging.              

        snoop:       Solaris, IRIX.                                    

        etherfind:   SunOS.                                            

        Packetman:   SunOS, DEC-MIPS, SGI, DEC-Alpha, and Solaris.    
                     Available at                                      

        nettl/ntfmt: HP/UX                                            

        1.2) What packet capturing facilities are available?

        Depending on your operating system (different versions may

        BPF:                Berkeley Packet Filter. Commonly found on BSD    

        DLPI:               Data Link Provider Interface. Solaris, HP-UX, SCO

        NIT:                Network Interface Tap. SunOS 3.                  

        SNOOP:              (???). IRIX.                                      

        SNIT:               STREAMS Network Interface Tap. SunOS 4.          

        SOCK_PACKET:        Linux.                                            

        LSF:                Linux Socket Filter. Is available on Linux 2.1.75

        drain:              Used to snoop packets dropped by the OS. IRIX.    

        1.3) Is there a portable API I can use to capture packets?

        Yes. libpcap from attempts
        to provide a single API that interfaces with different
        OS-dependent packet capturing APIs. It's always best, of
        course, to learn the underlying APIs in case this library
        might hide some interesting features. It's important to warn
        the reader that I have seen different versions of libpcap
        break backward compatibility.

        1.4) How does a packet capturing facility work?

        The exact details are dependent on the operating system.
        However, the following will attempt to illustrate the usual
        technique used in various implementations:

        The user process opens a device or issues a system call which
        gives it a descriptor with which it can read packets off the
        wire. The kernel then passes the packets straight to the

        However, this wouldn't work too well on a busy network or a
        slow machine. The user process has to read the packets as
        fast as they appear on the network. That's where buffering
        and packet filtering come in.

        The kernel will buffer up to X bytes of packet data, and pass
        the packets one by one at the user's request. If the amount

Page : << Previous 2  Next >>