2
votes

I tried sending TCP traffic and capturing the packets using a RAW socket at the other end.

I set the window size to 50000 bytes. While sending the TCP traffic at max rate, I observe in Wireshark that around every 12 packets (1512-byte packets) an ACK is sent.

While receiving the packets on the raw socket, I expected 12 packets, as I got in Wireshark (I believe that Wireshark also uses a raw socket). But I was surprised to see one packet with the sent data stream.

To my knowledge, the RAW socket should receive data in the form of packets as transmitted on the wire, and not as TCP streams.

I used the below for the raw socket to receive packets on the port:

  rawsd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));  /* protocol must be in network byte order */

Is this in any way related to tcp_wrapper and OS TCP configuration?

2
What do you mean by whole junk? TCP sends and receives data in streams and not in packets; what makes you think you would receive 12 packets? Also, I don't think Wireshark uses raw sockets - cmidi
Sorry, junk means I receive it as a whole stream, not in packets. I can understand TCP sends and receives data in streams, but a RAW socket will capture packets received on particular ports. Wireshark uses libpcap, which in turn uses a RAW socket. - sujai M J
Yes, right, but then you will get the whole packet, which you then would have to parse the headers, get the packet length, update the header pointers correctly to reach the data, using libraries like libpcap, I believe - cmidi
Then how is it possible for Wireshark alone to show packets that are actually transmitted on the wire? Do you mean that the RAW socket does get the packet as such in the lower layer? - sujai M J
On the wire they are bits. The lower layers of networking The driver in software perspective does not care - cmidi

2 Answers

1
votes

I think Wireshark uses something named promiscuous mode on your network interface; in this mode it can get packets in lower layers. But if you use a raw socket, you just read receive-buffer data, not packets.
The following code from the libpcap (Wireshark backend) git repository shows that it uses a raw socket with alternative options.

  pcap_activate_snoop(pcap_t *p)
  {
      int fd;
      ...
      fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP);

1
votes

Here is the answer I observed.

A Linux Eth port has the configuration to set "tcp-segmentation-offload".

[root@Kernel317 home]# ethtool -k eth0
Features for eth0:
rx-checksumming: off
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: on
    tx-checksum-ipv6: off [fixed]
    tx-checksum-fcoe-crc: off [fixed]
    tx-checksum-sctp: off [fixed]
scatter-gather: on
    tx-scatter-gather: on
    tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
    tx-tcp-ecn-segmentation: off [fixed]
    tx-tcp6-segmentation: off [fixed]

On enabling tcp-segmentation-offload, packets are clubbed together in the eth port as a full data segment irrespective of the MTU configured.

   ethtool -K eth1 rx on tx on

On disabling tcp-segmentation-offload, packets are not processed in the eth ports and packets of MTU size are received on the RAW socket.

   ethtool -K eth1 rx off tx off

Thanks
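An added example, not part of the original posts: a C routine that parses a frame as read from the `PF_PACKET` socket and reports whether its IPv4 total length exceeds the interface MTU, which is how the offload-coalesced segments described in the answer above show up to a capture tool. The function names, the untagged Ethernet/IPv4 layout, the 1500-byte MTU and the sample frames are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct tcp_frame_info { uint16_t ip_total_len; uint32_t tcp_payload_len; int exceeds_mtu; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an untagged Ethernet/IPv4/TCP frame; 0 on success, -1 if malformed. */
int classify_frame(const uint8_t *f, size_t len, unsigned mtu, struct tcp_frame_info *out)
{
    if (len < 14 + 20 || rd16(f + 12) != 0x0800)      /* EtherType must be IPv4 */
        return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IP header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)  /* version 4, protocol TCP */
        return -1;
    size_t total = rd16(ip + 2);                      /* IPv4 total length field */
    if (total < ihl + 20 || total > len - 14)         /* never read past the buffer */
        return -1;
    size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;    /* TCP data offset in bytes */
    if (doff < 20 || ihl + doff > total)
        return -1;
    out->ip_total_len = (uint16_t)total;
    out->tcp_payload_len = (uint32_t)(total - ihl - doff);
    out->exceeds_mtu = total > mtu;                   /* bigger than one MTU: coalesced by offload */
    return 0;
}

/* Constructed sample: minimal headers plus zeroed payload, not real traffic. */
size_t make_sample_frame(uint8_t *buf, uint16_t payload_len)
{
    uint16_t total = (uint16_t)(20 + 20 + payload_len);
    memset(buf, 0, 14 + (size_t)total);
    buf[12] = 0x08; buf[13] = 0x00;                   /* EtherType IPv4 */
    buf[14] = 0x45;                                   /* version 4, IHL 5 */
    buf[16] = (uint8_t)(total >> 8); buf[17] = (uint8_t)total;
    buf[23] = 6;                                      /* protocol TCP */
    buf[14 + 20 + 12] = 0x50;                         /* TCP data offset 5 */
    return 14 + (size_t)total;
}

int main(void)
{
    static uint8_t buf[14 + 65535];
    struct tcp_frame_info fi;
    uint16_t sizes[] = { 1460, 17520 };               /* one MSS, then 12 segments merged */
    for (int i = 0; i < 2; i++)
        if (classify_frame(buf, make_sample_frame(buf, sizes[i]), 1500, &fi) == 0)
            printf("payload=%u exceeds_mtu=%d\n", (unsigned)fi.tcp_payload_len, fi.exceeds_mtu);
    return 0;
}
```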