I am trying to write an Ethernet-level driver,
something with which I can capture all the frames/packets
at the driver level and/or below. I am simply going
to filter for a particular frame type: if it is my frame,
do some magic and put it back in the (network) stack;
if it is not my frame type, drop it.
Why do you want to capture packets at the driver/kernel
level?
You can use the raw socket interface at the
application layer and
capture packets in user space.
You can use something like socket(..., SOCK_RAW, ...).
I don't think that TCP and UDP packets are handed to raw sockets.
Raw sockets are processed before a packet is delivered to
any other sockets, so there is nothing like "remove
from stack, and put back".
There are two alternatives to writing a driver to do this:
- use BPF (the choice of many seasoned veterans and discriminating packet sniffers)
- use divert sockets
- write a DLIL 'filter'
OK, three alternatives.
The first two let you work in user mode, which is preferable. The
second is a kernel-mode solution, but lives just above the device
level, and gets handed all frames, inbound and outbound.
The real advantage to any of the above three is that you don't co-opt a
usable device for sniffing purposes (a driver will have to control the
device, and drivers don't play well in the same sandbox).
Regards,
Justin
--
Justin C. Walker, Curmudgeon-At-Large | Institute for General Semantics
"When LuteFisk is outlawed, only outlaws will have LuteFisk"
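One way to take the first of Justin's suggestions, as an added example that is not from this thread: a user-mode program that opens the BPF device on Darwin/FreeBSD, binds it to an interface, and keeps only frames of one EtherType. The interface name "en0" and the EtherType 0x88B5 (the IEEE local-experimental type, standing in for the poster's unnamed frame type) are assumptions; the frame check itself is portable, while the device code compiles only on those systems.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* 1 if the frame's 14-byte Ethernet header carries EtherType `want`, else 0. */
int frame_matches_ethertype(const uint8_t *buf, size_t len, uint16_t want)
{
    return len >= 14 && ((buf[12] << 8) | buf[13]) == want;
}
#if defined(__APPLE__) || defined(__FreeBSD__)
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <net/bpf.h>
/* Open a free /dev/bpfN, bind it to ifname, make read() return on the first frame, get read size. */
int open_bpf(const char *ifname, unsigned int *buflen)
{
    char dev[16]; int fd = -1; unsigned int on = 1;
    struct ifreq ifr = {0};
    strncpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name - 1);
    for (int i = 0; i < 255 && fd < 0; i++) {
        snprintf(dev, sizeof dev, "/dev/bpf%d", i);
        fd = open(dev, O_RDONLY);
    }
    if (fd >= 0 && (ioctl(fd, BIOCSETIF, &ifr) < 0 || ioctl(fd, BIOCIMMEDIATE, &on) < 0
                    || ioctl(fd, BIOCGBLEN, buflen) < 0)) {
        close(fd); fd = -1;
    }
    return fd;
}
#endif
int main(int argc, char **argv)
{
#if defined(__APPLE__) || defined(__FreeBSD__)
    unsigned int buflen = 0;
    int fd = open_bpf(argc > 1 ? argv[1] : "en0", &buflen);  /* "en0" is an assumption */
    if (fd < 0) { perror("bpf"); return 1; }
    uint8_t *buf = malloc(buflen);
    ssize_t n = read(fd, buf, buflen);   /* one read: a run of bpf_hdr+frame records */
    for (ssize_t off = 0; off < n; ) {
        struct bpf_hdr *h = (struct bpf_hdr *)(buf + off);
        if (frame_matches_ethertype(buf + off + h->bh_hdrlen, h->bh_caplen, 0x88B5))
            printf("frame of the wanted type, %u bytes captured\n", h->bh_caplen);
        off += BPF_WORDALIGN(h->bh_hdrlen + h->bh_caplen);  /* records are word-aligned */
    }
    free(buf); close(fd);
#endif
    return 0;
}
```

Frames of other types are simply skipped in user space, which is the "drop" case the original post asked about, with no driver involved.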