Most of my recent tasks have been network-related, so I often need to deal with packet capture tools. Here is a brief introduction for future reference.
There are many network packet capture tools, such as Ethereal (now Wireshark) on Windows and tcpdump on Linux. All of these tools depend on the pcap library, which wraps the operating system's capture facilities and presents a consistent API to upper-layer applications. The pcap library comes in two flavours: libpcap on Linux and other Unix-like systems, and WinPcap on Windows.
These tools are easy to use and share a fixed file format (.pcap, .cap) for captured packets, so a capture written by one of them can be read by the others.
So how does pcap capture network packets? The implementation differs from one operating system to another; Linux is used as the example here.
1 BPF (reference)
First, you need to know what BPF is. BPF (Berkeley Packet Filter) was first implemented on BSD systems. It provides packet sending and receiving at the data link layer, so that user programs can access layer-2 frames directly, and it provides a packet filtering mechanism driven by BPF code. BPF code is a small assembly-like instruction language that is easy to read and well suited to expressing filters. In practice you rarely write it by hand: tcpdump -d 'expression' prints the BPF instructions compiled from a tcpdump filter expression in readable form, and tcpdump -dd prints the same program as a C array that can be pasted straight into a program.
2 LSF (Linux Socket Filter)
Linux packet filtering is based on BPF: the kernel accepts and runs BPF programs. The entry point is the raw packet socket. sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP)) creates a socket that receives every IPv4 frame on the link (use ETH_P_ALL to receive all protocols; creating it requires root or CAP_NET_RAW). setsockopt(sd, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) then attaches the BPF program, passed as a struct sock_fprog that points at an array of struct sock_filter instructions. Only packets the filter accepts (for which it returns a non-zero length) are copied up to the application; the rest are discarded inside the kernel, which is what makes filtering there cheaper than filtering in user space.
3 Linux packet filtering implementation
I have not carefully understood this part, so I will study its implementation later. Currently, we only know that FreeBSD uses JIT compilation to process BPF code, while Linux interprets the code instruction by instruction. (Newer Linux kernels, 3.0 and later, also ship a BPF JIT compiler, switched on through the net.core.bpf_jit_enable sysctl.) Whichever mechanism is used, the kernel applies the filter as early as possible after a packet is received, so that rejected packets cost as little processing as possible.