site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com -josh On Mar 15, 2005, at 2:16 PM, Carl Smith wrote: If the later is the case then I need to be lower then a dlil interface filter. If there is a problem with where I have my packet capture/filtering setup I would really appreciate any comments to eliminate some 'throw' away work. Thanks Carl _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... This email sent to site_archiver@lists.apple.com You may want to consider re-injecting the packet after making your modifications instead of making the modifications and returning. I can't remember the details, but there is a chance that the demux code that determines which protocol the packet belongs to may have already run. Changing the protocol in the header after that point will do no good. In addition, you can attach a protocol to the interface and specify demux descriptors that describe the ethertype you are interested in. In doing so, you will get all of those packets. You can then modify them to your hearts content and inject the modified packets using dlil_input. Do you really want to futz with the frame header on the input path? Actually Yes. It can be the header retained in the mbuf, but what I am doing is looking for a particular frame type, our registered type, extracting confidential information encrypted in the packet, setting the new/replaced frame type, i.e. 0x800 and so on, then passing it up the stack. Now if someone or something is doing some kind of header filtering or type checking and throwing away unknown packets types, I'm screwed. smime.p7s