According to this, Wireshark is able to get the packet before it is dropped (therefore I cannot get such packets by myself). And I'm still wondering about the exact location in the Linux kernel where Wireshark fetches the packets.
The answer goes as "On UN*Xes, it uses libpcap, which, on Linux, uses AF_PACKET sockets." Does anyone have a more concrete example of using "AF_PACKET sockets"? If I understand Wireshark correctly, the network interface card (NIC) will make a copy of all incoming packets and send them to a filter (Berkeley Packet Filter) defined by the user. But where does this happen? Or is my understanding wrong, and am I missing something here?
Thanks in advance!
But where does this happen?
If I understood you correctly, you want to know where such a socket is initialized.
There is the pcap_create function, which tries to determine the type of the source interface, creates a duplicate of it and activates it.
For network interfaces see pcap_create_interface => pcap_create_common => pcap_activate_linux.
All initialization happens in pcap_activate_linux => activate_new => iface_bind:
- copy the device descriptor with handlep->device = strdup(device);
- create the socket with socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
- bind the socket to the device with bind(fd, (struct sockaddr *) &sll, sizeof(sll)).
For more detailed information read the comments in the source files of the mentioned functions; they are very detailed.
After initialization all the work happens in a group of functions such as pcap_read_linux, etc.
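The bind sequence described in the answer above, as an added example that is not part of the original post or of libpcap's own source: a minimal AF_PACKET capture program in C. It follows the same three steps (create the socket, fill a struct sockaddr_ll for the interface, bind), then reads a few frames and decodes each EtherType. The function names open_capture_socket, make_bind_addr and frame_ethertype and the embedded sample frame are my own constructions; the program uses SOCK_RAW rather than the SOCK_DGRAM call quoted in the answer so that the Ethernet header is delivered with every frame, and it needs CAP_NET_RAW (normally root) to open the socket.

```c
/* Added example (not libpcap's code): a minimal AF_PACKET capture on Linux.
 * Steps mirror the libpcap path described in the answer: socket(PF_PACKET, ...),
 * fill a struct sockaddr_ll for the interface, bind(), then recv() frames.
 * Opening the socket needs CAP_NET_RAW (usually root); build and run with:
 *   cc -Wall -o afpacket afpacket.c && sudo ./afpacket eth0
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Build the link-layer address that binds a capture socket to one interface.
 * ifindex comes from if_nametoindex(); proto is the EtherType filter in host order. */
struct sockaddr_ll make_bind_addr(int ifindex, uint16_t proto)
{
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_ifindex  = ifindex;
    sll.sll_protocol = htons(proto);   /* ETH_P_ALL = every protocol, both directions */
    return sll;
}

/* Open a raw AF_PACKET socket bound to `device`. Returns the fd, or -1 with errno set.
 * SOCK_RAW delivers the Ethernet header; the SOCK_DGRAM variant quoted in the answer
 * strips it ("cooked" capture). Fails with EPERM without CAP_NET_RAW. */
int open_capture_socket(const char *device)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    unsigned ifindex = if_nametoindex(device);
    if (ifindex == 0) {                /* unknown interface name */
        close(fd);
        return -1;
    }
    struct sockaddr_ll sll = make_bind_addr((int)ifindex, ETH_P_ALL);
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Decode the EtherType of a captured frame (host byte order); -1 if the frame is too short. */
int frame_ethertype(const unsigned char *frame, size_t len)
{
    if (len < ETH_HLEN)
        return -1;
    const struct ethhdr *eh = (const struct ethhdr *)frame;
    return ntohs(eh->h_proto);
}

/* Constructed sample frame (not captured traffic): dst MAC, src MAC, EtherType 0x0800
 * (IPv4), then four bytes of stub payload. Lets frame_ethertype() be exercised offline. */
static const unsigned char SAMPLE_FRAME[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* destination MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* source MAC */
    0x08, 0x00,                           /* EtherType: IPv4 */
    0x45, 0x00, 0x00, 0x14                /* start of an IPv4 header, as payload */
};
const unsigned char *sample_frame(void) { return SAMPLE_FRAME; }
size_t sample_frame_len(void) { return sizeof SAMPLE_FRAME; }

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "lo";
    int fd = open_capture_socket(dev);
    if (fd < 0) {
        perror("open_capture_socket");
        return 1;
    }
    unsigned char buf[65536];
    for (int i = 0; i < 5; i++) {      /* print five frames, then stop */
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) {
            perror("recv");
            break;
        }
        printf("%zd bytes on %s, EtherType 0x%04x\n", n, dev, frame_ethertype(buf, (size_t)n));
    }
    close(fd);
    return 0;
}
```

Binding to a specific ifindex is what keeps the socket from receiving every interface's traffic (an unbound PF_PACKET socket sees all of them, which is how libpcap's "any" device works). A BPF filter would be attached afterwards with setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...), so the kernel drops unwanted frames before they are copied to the process; the example leaves that step out to keep the bind path visible.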
On Linux, you should be able to simply use tcpdump (which leverages the libpcap library) to do this. This can be done to a file or to STDOUT, and you specify the filter at the end of the tcpdump command.