Ramsurrun Visham wrote:
The fact is that I don't know what happens to the packets after libpcap finishes its work with them - does it release them in the normal flow of traffic (as if it weren't there) or is it passed to its destination process through some other mechanism..
libpcap itself only passes the packet on to whoever is calling libpcap - it doesn't do anything to release the packets; the PF_PACKET socket mechanism gets packets passed to it, but so does the rest of the networking stack, which is the normal flow of traffic. libpcap doesn't have to release packets to the normal flow of traffic; the normal flow of traffic is a separate path from the libpcap flow, and packets get supplied to both of them.
For example, if you run tcpdump, it doesn't shut off the TCP/IP implementation on your machine; a *copy* of packets (in effect) is passed to tcpdump to print or save, another copy is processed by the TCP/IP stack.
-
This is the tcpdump-workers list.
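The two paths described in the reply above can be observed directly. The following is an added example, not code from the thread or from libpcap: it opens a PF_PACKET socket on loopback next to an ordinary UDP socket and checks that both receive the same datagram. It assumes Linux, an interface named `lo`, CAP_NET_RAW, and a free UDP port 47001 (a constructed value); the function name is hypothetical.

```c
/* Added example (Linux only). Port 47001 and the payload are constructed values. */
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Returns -1 if setup fails (e.g. no CAP_NET_RAW), else a bitmask:
   bit 0 = the UDP socket got the datagram, bit 1 = the packet socket saw a copy. */
int tap_and_stack_demo(void) {
    static const char msg[] = "copy-to-both-paths";
    char buf[2048];
    int result = 0;
    /* Protocol 0: the tap receives nothing until bind() attaches it to lo. */
    int tap = socket(AF_PACKET, SOCK_RAW, 0);
    if (tap < 0) return -1;
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_ll ll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                              .sll_ifindex = (int)if_nametoindex("lo") };
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(47001) };
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    struct timeval tv = { .tv_sec = 1 };              /* never block forever */
    setsockopt(tap, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (rx < 0 || tx < 0 || bind(tap, (struct sockaddr *)&ll, sizeof ll) < 0 ||
        bind(rx, (struct sockaddr *)&dst, sizeof dst) < 0 ||
        sendto(tx, msg, sizeof msg, 0, (struct sockaddr *)&dst, sizeof dst) < 0) {
        result = -1;
    } else {
        /* Normal flow: the UDP/IP stack delivers the datagram to its socket. */
        ssize_t n = recv(rx, buf, sizeof buf, 0);
        if (n == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0) result |= 1;
        /* Tap flow: the same payload shows up inside a raw frame on the tap. */
        for (int i = 0; i < 64 && !(result & 2); i++) {
            if ((n = recv(tap, buf, sizeof buf, 0)) < 0) break;
            for (ssize_t o = 0; o + (ssize_t)sizeof msg <= n; o++)
                if (memcmp(buf + o, msg, sizeof msg) == 0) { result |= 2; break; }
        }
    }
    close(tap);
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}

int main(void) {
    printf("result = %d\n", tap_and_stack_demo());
    return 0;
}
```

A result of 3 means the UDP socket and the packet socket each received the datagram; neither read removes it from the other path.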