Linux tcpdump command packet capture principle analysis
Source: Internet
Author: User
PF_PACKET registers a Protocol for Packet capture at the system network layer. Then, all outgoing and incoming packets will be transferred to the forward () function. the outgoing direction (outgoing packet) will be used to capture packets in dev_queue_xmit PF_PACKET, register a protocol at the system network layer. Then, all outgoing and incoming packages will be transferred to the packet_rcv () function in the file http://lxr.linux.no/linux++v3.4/net/packet/af_packet.c,
The outgoing direction (outgoing packet) calls packet_rcv when traversing the ptype_all linked list in dev_queue_xmit_nit for all network protocol processing.
Incoming direction (packets from other external machines will be called to packet_rcv when they traverse ptype_all for processing in the netif_receive_skb function.
I have analyzed it in a previous article, but I forgot how the package was sent to PF_PACKET after too long. Alas! Let's take a look at the following. I hope I will not forget it again in the future.
Int dev_queue_xmit (struct sk_buff * skb)
2213 if (! Netif_tx_queue_stopped (txq )){
2214 rc = dev_hard_start_xmit (skb, dev, txq );
--------------------------------------
1938int dev_hard_start_xmit (struct sk_buff * skb, structnet_device * dev,
1939 struct netdev_queue * txq)
1940 {
1941 const struct net_device_ops * ops = dev-> netdev_ops;
1942 int rc = NETDEV_TX_ OK;
1943
1944 if (likely (! Skb-> next )){
1945 if (! List_empty (& ptype_all ))
1946 dev_queue_xmit_nit (skb, dev );
-----------------------------------------------------
1500 /*
1501 * Support routine. Sends outgoingframes to any network
1
502* Taps currently in use.
1503 */
1504
1505 static void dev_queue_xmit_nit (struct sk_buff * skb, structnet_device * dev)
1506 {
1507 struct packet_type * ptype;
1508
1509 # ifdef CONFIG_NET_CLS_ACT
1510 if (! (Skb-> tstamp. tv64 & (G_TC_FROM (skb-> tc_verd) & AT_INGRESS )))
1511 net_timestamp_set (skb );
1512 # else
1513 net_timestamp_set (skb );
1514 # endif
1515
1516 rcu_read_lock ();
1517 list_for_each_entry_rcu (ptype, & ptype_all, list ){
1518/* Never send packets back to the socket
1519 * they originated from-MvS (miquels@drinkel.ow.org)
1520 */
1521 if (ptype-> dev = dev |! Ptype-> dev )&&
1522 (ptype-> af_packet_priv = NULL |
1523 (struct sock *) ptype-> af_packet_priv! = Skb-> sk )){
1524 struct sk_buff * skb2 = skb_clone (skb, GFP_ATOMIC );
1525 if (! Skb2)
1526 break;
1527
1528/* skb-> nh shoshould be correctly
1529 set by sender, so that thesecond statement is
1530 just protection against buggyprotocols.
1531 */
1532 skb_reset_mac_header (skb2 );
1533
1534 if (skb_network_header (skb2) Data |
1535 skb2-> network_header> skb2-> tail ){
1536 if (net_ratelimit ())
1537 printk (KERN_CRIT "protocol % 04x is"
1538 "buggy, dev % s \ n ",
1539 ntohs (skb2-> protocol ),
1540 dev-> name );
1541 skb_reset_network_header (skb2 );
1542}
1543
1544 skb2-> transport_header = skb2-> network_header;
1545 skb2-> pkt_type = PACKET_OUTGOING;
1546 ptype-> func (skb2, skb-> dev, ptype, skb-> dev); // call the function packet_rcv () registered by the PF_PACKET protocol ())
1547}
1548}
1549 rcu_read_unlock ();
1550}
--------------------------------
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
