Actually, you'll get less out of reading libpcap than reading the drivers
:-(((
Anyway, I'll save you the trouble. 0.8.3
pcap.c:
int
pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
return p->read_op(p, cnt, callback, user);
}
Where read_op is defined in the pcap_t definition - think C++ish operator
overloading. The actual implementation of read_op is in pcap_linux.c or
other pcap_xxxx.c's depending upon your environment...
06:13:22 tigger [Linux] user=ntop pwd=~/projects/libpcap/libpcap-0.8.3 $
codegrep read_op | grep 'read_op ='
pcap-bpf.c:834: p->read_op = pcap_read_bpf;
pcap-dag.c:484: handle->read_op = dag_read;
pcap-dlpi.c:713: p->read_op = pcap_read_dlpi;
pcap-linux.c:406: handle->read_op = pcap_read_linux;
pcap-nit.c:288: p->read_op = pcap_read_nit;
pcap-pf.c:442: p->read_op = pcap_read_pf;
pcap-snit.c:347: p->read_op = pcap_read_snit;
pcap-snoop.c:331: p->read_op = pcap_read_snoop;
pcap-win32.c:302: p->read_op = pcap_read_win32;
savefile.c:742: p->read_op = pcap_offline_read;
So look in pcap-linux.c:
/*
* Read at most max_packets from the capture stream and call the callback
* for each of them. Returns the number of packets handled or -1 if an
* error occured.
*/
static int
pcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback,
u_char *user)
{
/*
* Currently, on Linux only one packet is delivered per read,
* so we don't loop.
*/
return pcap_read_packet(handle, callback, user);
}
and...
/*
* Read a packet from the socket calling the handler provided by
* the user. Returns the number of packets received or -1 if an
* error occured.
*/
static int
pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
{
<snip />
/* Receive a single packet from the kernel */
bp = handle->buffer + handle->offset;
do {
/*
* Has "pcap_breakloop()" been called?
*/
if (handle->break_loop) {
/*
* Yes - clear the flag that indicates that it
* has, and return -2 as an indication that we
* were told to break out of the loop.
*/
handle->break_loop = 0;
return -2;
}
fromlen = sizeof(from);
packet_len = recvfrom(
handle->fd, bp + offset,
handle->bufsize - offset, MSG_TRUNC,
(struct sockaddr *) &from, &fromlen);
} while (packet_len == -1 && errno == EINTR);
<snip />
/* Run the packet filter if not using kernel filter */
if (!handle->md.use_bpf && handle->fcode.bf_insns) {
if (bpf_filter(handle->fcode.bf_insns, bp,
packet_len, caplen) == 0)
{
/* rejected by filter */
return 0;
}
}
<snip />
return 1;
}
Now if you chase down readfrom() you'll eventually end up in the driver...
:-(((
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kenneth Porter
Sent: Tuesday, June 07, 2005 6:58 PM
To: [email protected]
Subject: RE: [Ntop] Traffic not addressed to me
--On Tuesday, June 07, 2005 6:24 PM -0500 Burton Strauss
<[EMAIL PROTECTED]> wrote:
> Well of course - ntop puts the interface into promiscuous mode... it
> has to. But it doesn't do anything beyond that - if a switch is
> sending you bogus traffic, that's a problem with the switch (probably
> overflowed it's MAC address tables - either that or it's seen the same
> address on multiple ports - stuff like that causes a switch to operate
> as a hub so it doesn't lose traffic - it's your problem on the device
> end to throw away junk).
Ok, thanks, just wanted to confirm that. I'm not up on the latest switch
protocols and just wanted to make sure ntop wasn't exercising a feature I
didn't know about. ;)
That tells me that either the switch is misconfigured or somebody slipped me
a hub. (This is in an office halfway across the continent, so I have no idea
what's truly outside my box except what the hoster tells me and what I can
infer from the traffic.) I've opened a trouble ticket.
> Go read the driver code... :-;
Hehe, yep. That was probably going to be my next stop, downloading libpcap
and looking at its interaction with the Linux stack. Unless it turns out
that the hoster just fat-fingered something.
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
