1
votes

The documentation for the int socket(int domain, int type, int protocol); API says that the protocol specifies a particular protocol if more than one protocol exists for the given domain. This seems to imply that only one protocol can be specified for a given domain for a given socket.

I was experimenting with raw sockets in Linux, but then I stumbled on this protocol thing. I know the pcap library can be used to capture packets for any protocol. I wrote a Q&D program using pcap and I've noticed most of the common protocols defined in the if_ether.h file were captured.

So currently in my program I can only specify one type of packet to be captured. Are there ways to replicate pcap behavior with standard Linux headers and libraries? How does pcap achieve that? I tried to google the question, but I think my query was ill-formed because the results I got back weren't very useful.

I am not trying to solve anything here, just learning the concept.


1 Answer

2
votes

On Linux, with the 2.0 or later kernel, libpcap captures on a socket where domain is PF_PACKET, type is either SOCK_RAW or SOCK_DGRAM, and protocol is htons(ETH_P_ALL).

SOCK_RAW will, for most network interfaces, give you packets with a link-layer header; for some other interfaces, such as PPP interfaces, it will give you packets without the link-layer header, which makes it difficult to determine what protocol is running on top of the link-layer protocol.

SOCK_DGRAM will give you packets without the link-layer header, but with some additional information; libpcap uses that information to generate a fake link-layer header. You would have to write your own code to process that additional information.

See the Linux packet(7) man page for more information.
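The socket described in the answer above, as an added example that is not part of the original answer or of libpcap: it opens a PF_PACKET/SOCK_DGRAM socket with htons(ETH_P_ALL) and prints the "additional information" that recvfrom() returns in struct sockaddr_ll. The helper names (open_capture_socket, proto_name, pkttype_name) are hypothetical, and the program needs CAP_NET_RAW (or root) to run.

```c
/* Added example (Linux only): receive every protocol on one packet socket. */
#include <arpa/inet.h>        /* htons, ntohs */
#include <linux/if_ether.h>   /* ETH_P_ALL, ETH_P_IP, ... */
#include <linux/if_packet.h>  /* struct sockaddr_ll, PACKET_* */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: ETH_P_ALL asks for frames of every protocol.
 * type is SOCK_RAW (link-layer header kept) or SOCK_DGRAM (header removed). */
int open_capture_socket(int type) {
    return socket(PF_PACKET, type, htons(ETH_P_ALL));
}

/* Hypothetical helper: with SOCK_DGRAM the protocol is not in the buffer;
 * the kernel reports it in sll_protocol, in network byte order. */
const char *proto_name(const struct sockaddr_ll *from) {
    switch (ntohs(from->sll_protocol)) {
    case ETH_P_IP:   return "IPv4";
    case ETH_P_IPV6: return "IPv6";
    case ETH_P_ARP:  return "ARP";
    default:         return "other";
    }
}

/* Hypothetical helper: direction/addressing of the frame, from sll_pkttype. */
const char *pkttype_name(const struct sockaddr_ll *from) {
    switch (from->sll_pkttype) {
    case PACKET_HOST:      return "to-us";
    case PACKET_BROADCAST: return "broadcast";
    case PACKET_MULTICAST: return "multicast";
    case PACKET_OTHERHOST: return "other-host";
    case PACKET_OUTGOING:  return "outgoing";
    default:               return "unknown";
    }
}

int main(void) {
    unsigned char buf[65536];
    struct sockaddr_ll from;
    int fd = open_capture_socket(SOCK_DGRAM);
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    for (int i = 0; i < 10; i++) {          /* print ten packets, then stop */
        socklen_t len = sizeof(from);
        memset(&from, 0, sizeof(from));
        ssize_t n = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&from, &len);
        if (n < 0) { perror("recvfrom"); break; }
        printf("ifindex=%d hatype=%u proto=0x%04x (%s) %s len=%zd\n", from.sll_ifindex,
               from.sll_hatype, ntohs(from.sll_protocol), proto_name(&from), pkttype_name(&from), n);
    }
    close(fd);
    return 0;
}
```

Passing SOCK_RAW to open_capture_socket() instead leaves the link-layer header at the start of buf on most interfaces, as the answer describes.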