Can someone please point me to a good starting place to learn how libpcap gets its packets from a network driver? My intent is to replace the receive function with a fast implementation.
Question:
Answer 1:
The "receive function" is:
- the standard driver receive function, no different from what's used to receive packets and hand them to the regular networking stack;
- the "packet socket" part of the regular networking stack.
Some Intel slides on DPDK seem to indicate that DPDK lets user-space code talk more directly to the network adapter. This means that the right way to use that with libpcap would be to write a libpcap "module" that uses the DPDK.
Libpcap has, for a while, supported the ability to have multiple "modules" to capture traffic. These are not plugin modules that can be loaded at run time (that may happen someday, but, as libpcap might require additional privileges in order to capture traffic, support for third-party plugin modules would have to be done VERY carefully, to prevent untrusted code from running with those privileges!); they're compiled into libpcap.
Some examples of modules in the libpcap source, other than the "default" modules for various OSes, are pcap-snf.c for Myricom NICs and pcap-dag.c for Endace DAG cards.
If you want to pursue this further, it would probably be best if you subscribed to the tcpdump-workers mailing list and continued the discussion there. (It's not a very high-traffic list and, despite its name, it's for both users and developers of both libpcap and tcpdump; you'd fall into the "developers of libpcap" category, as somebody writing a capture module.)
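An added example, not part of the original answer and not libpcap's own code: the "packet socket" receive path the answer describes, written directly in C. It assumes Linux (AF_PACKET) and the loopback interface `lo`; the helper names `fill_bind_addr` and `open_capture_socket` are hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Link-layer address that binds a packet socket to one interface, all protocols. */
static void fill_bind_addr(struct sockaddr_ll *sll, int ifindex)
{
    memset(sll, 0, sizeof(*sll));
    sll->sll_family = AF_PACKET;
    sll->sll_protocol = htons(ETH_P_ALL);
    sll->sll_ifindex = ifindex;
}

/* Returns a bound packet-socket fd, or a negative errno value on failure. */
static int open_capture_socket(const char *ifname)
{
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return errno ? -errno : -ENODEV;
    /* Needs CAP_NET_RAW: this is why capture code runs with extra privileges. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -errno;
    struct sockaddr_ll sll;
    fill_bind_addr(&sll, (int)ifindex);
    if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        int saved = errno;
        close(fd);
        return -saved;
    }
    return fd;
}

int main(void)
{
    int fd = open_capture_socket("lo"); /* assumed interface name */
    if (fd < 0) {
        fprintf(stderr, "open_capture_socket: %s\n", strerror(-fd));
        return 1;
    }
    unsigned char buf[65536];
    for (int i = 0; i < 5; i++) { /* each recvfrom() returns one frame queued by the stack */
        struct sockaddr_ll from;
        socklen_t fromlen = sizeof(from);
        ssize_t n = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0)
            break;
        printf("%zd bytes, ifindex %d, pkttype %d\n", n, from.sll_ifindex, from.sll_pkttype);
    }
    close(fd);
    return 0;
}
```

Every frame printed here has already passed through the driver's normal receive function and the kernel's networking stack, which is the per-packet cost a DPDK-based capture module would be written to avoid.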