Capture packets before kernel process

Kevin Oberman rkoberman at gmail.com
Wed May 1 00:02:08 UTC 2013


On Tue, Apr 30, 2013 at 8:24 AM, <wind at sourcearmory.com> wrote:

> Hi!
>
> I need some help, currently I'm working in a project where I want to
> capture and process some network packets before the kernel. I have searched
> but I have found nothing.
>
> Is there some way to capture the packets before the kernel ?
>

This is a rather odd question. The device drivers, which are the code that
does all direct communication with the interfaces, are part of the kernel in
most all operating systems. This is technically not required, but I have
not run into an OS that did not work this way in many years. (Digital's
IAS used user mode handlers to talk to interfaces, but it has been
obsolete for a quarter century.) Even there, the kernel contained the basic
interrupt routine (very simple) as a part of the kernel to hand the data to
the handler.

If you want to see the raw data, the PCAP code will capture the data very
early after it is received by the kernel, but the kernel still must do this,
as it, and only it, can actually "talk" to the interface and receive data.

-- 
R. Kevin Oberman, Network Engineer
E-mail: rkoberman at gmail.com


More information about the freebsd-net mailing list