Is libpcap implemented by socket API?


Issue

libpcap is used for packet capturing. As I understand it, it can capture network packets from all ports, and it can capture packet data at the link layer (such as Ethernet frames).

This looks a little confusing to me, because it seems impossible to intercept all network traffic (from all ports) by just using the socket API on a Unix-like system. Moreover, the socket API seems unable to get link-layer information (such as the header of an Ethernet frame).

Is it true that libpcap is implemented by socket API? If not, which OS-level API is used to implement it?

Solution

Is it true that libpcap is implemented by socket API?

If you’re on Linux or IRIX, it is true. If you’re on another flavor of UN*X, it is not true.

If not, which OS-level API is used to implement it?

On *BSD, OS X, AIX, and Solaris 11 and later: BPF.

On earlier versions of Solaris, and on HP-UX: STREAMS+DLPI.

it seems impossible to intercept all network traffic (from all ports) by just using the socket API in Unix-like system

On Linux, if you open a PF_PACKET socket, and don’t bind it to a particular interface, packets from all interfaces are delivered to the socket.

socket API seems unable to get the information in link layer

You have to use the right type of socket, namely a PF_PACKET socket on Linux or a PF_RAW socket with a protocol of RAWPROTO_SNOOP on IRIX. Other UN*Xes don’t have socket types for packet capture, and use other mechanisms.

Answered By – user862787

This answer, collected from Stack Overflow, is licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
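The Linux case from the answer above, as an added example that is not part of the original answer and is not libpcap's own code: an unbound PF_PACKET socket receives frames from every interface with the link-layer header still attached. The function names and the sample frame are constructed for illustration, and the parser assumes Ethernet framing.

```c
/* Added example, Linux only. Capturing needs root or CAP_NET_RAW. */
#include <arpa/inet.h>         /* htons, ntohs */
#include <net/ethernet.h>      /* struct ether_header, ETH_P_ALL */
#include <netpacket/packet.h>  /* struct sockaddr_ll */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample frame: broadcast dst, locally administered src, EtherType ARP. */
const unsigned char SAMPLE_FRAME[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x06,  0x00, 0x01, 0x08, 0x00 };

/* PF_PACKET + SOCK_RAW keeps the link-layer header; with no bind() to an
 * interface, frames from every interface arrive on this one socket. */
int open_capture_socket(void) {
    return socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Copies out the MAC addresses and returns the EtherType in host byte order,
 * or -1 when the buffer is too short to hold an Ethernet header. */
int parse_ethernet(const unsigned char *buf, size_t len,
                   unsigned char dst[6], unsigned char src[6]) {
    struct ether_header eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);          /* buf may be unaligned */
    memcpy(dst, eh.ether_dhost, 6);
    memcpy(src, eh.ether_shost, 6);
    return ntohs(eh.ether_type);
}

int main(void) {
    unsigned char buf[65536], dst[6], src[6];
    int fd = open_capture_socket();
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    for (int i = 0; i < 5; i++) {         /* print five frames, then stop */
        struct sockaddr_ll from;          /* sll_ifindex: receiving interface */
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); break; }
        int type = parse_ethernet(buf, (size_t)n, dst, src);
        if (type < 0) continue;           /* too short for an Ethernet header */
        printf("ifindex %d: %02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x type 0x%04x len %zd\n",
               from.sll_ifindex, src[0], src[1], src[2], src[3], src[4], src[5],
               dst[0], dst[1], dst[2], dst[3], dst[4], dst[5], (unsigned)type, n);
    }
    close(fd);
    return 0;
}
```

Because opening the socket requires CAP_NET_RAW, an unexpected process holding a PF_PACKET socket is worth reviewing on a monitored host.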
