Packet Filter note

Source: Internet
Author: User

Most of my recent tasks involve the network, so I often need to deal with packet capture tools. Here is a brief introduction for future reference.

There are many network packet capture tools, such as Ethereal (now Wireshark) on Windows and tcpdump on Linux. These tools all depend on the pcap library, which wraps the operating system's packet capture facilities and presents a consistent API (open a device, compile and install a filter, read packets) to upper-layer applications. The pcap library exists as libpcap on Linux and WinPcap on Windows.

These tools are easy to use and share a common on-disk format for captured packets (.pcap, .cap), so a capture taken with one of them can be read by the others.

So how does pcap actually capture packets? The implementation differs from one operating system to another; Linux is used as the example here.

1 BPF

First, you need to know what BPF is. BPF, the Berkeley Packet Filter, was first implemented on BSD. It provides packet sending and receiving at the data link layer, so that user programs can access layer-2 frames, and it provides a packet filtering mechanism driven by BPF code. BPF code is a small assembly-like instruction set: a virtual machine with an accumulator A, an index register X, and load, jump and return instructions, which is easy to read and reason about for filtering purposes. In practice you rarely write it by hand: tcpdump -d 'expression' prints the BPF program compiled from a filter expression, and tcpdump -dd prints the same program as a C array that can be pasted into a program.

2 LSF (Linux Socket Filter)

The Linux Socket Filter (LSF) is based on BPF and accepts BPF code. Linux exposes raw sockets: sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP)) creates a link-layer socket, and setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) attaches a BPF program to it, where filter is a struct sock_fprog holding the instruction count and a pointer to the struct sock_filter array. Only packets the filter accepts are delivered to the application; rejected packets are dropped inside the kernel and never copied to user space. Opening a PF_PACKET socket requires CAP_NET_RAW (in practice, root).

3 Linux packet filtering implementation

I have not studied this part carefully yet, so its implementation is left for later. What is known so far: FreeBSD JIT-compiles BPF code into native instructions, whereas Linux, at the time of writing, interprets it instruction by instruction; later Linux kernels added a BPF JIT as well (CONFIG_BPF_JIT), and current kernels translate classic BPF into eBPF before running it. Whichever mechanism is used, the kernel runs the filter as early as possible on the receive path, before the packet is queued to the socket and copied to user space, so a rejected packet costs as little as possible.
