I've continued with my tests, and I think there's no way of doing what I'd like with pcap.

I've written a very simple netfilter module (a modification of an example found on the web), which I attach. I have printed some values of the packet while it is crossing netfilter. I modified this packet in order to see what is displayed in the ethereal window. Then I have set the packet to be dropped, just to see if pcap captures all the packets or only the ones that pass all the Linux network stack.

                Example dropping ICMP packet
                Value not modified data[50] = 2A
                Value modified data[50] = FF

Well, the packets are displayed, even the ones that should be dropped. However, the value displayed in ethereal is the modified one (FF). So it seems that pcap captures the packet somewhere in between the packet's arrival at the network card and the end of the Linux network stack.

Can anyone, probably a developer, explain that? At which point is the packet captured? Probably someone else has come up with this problem.
I'm trying to get some statistics and I need to get them before the packet has been modified. I would like to avoid writing another kernel module or modifying the one already done.

Any help is really welcomed.


P.S.: If you'd like to test it, just insmod the module and ping with -s 172 (that way the packet is modified and then discarded) while ethereal is capturing. Then read the info in ethereal. You'll see a value FF where it should be something else.

At 11:12 24/07/2003 -0700, Guy Harris wrote:
>On Thu, Jul 24, 2003 at 07:49:12PM +0200, Jorge Lanza wrote:
>> We've been developing a virtual network device and now we are exporting it
>> to the netfilter philosophy. When capturing packets with libpcap (ethereal)
>> we are not sure at which level the packet is got. I say so, cause when
>> using netfilter we modify the packet information, and in ethereal the
>> information displayed is the packet with the modifications (some private
>> headers have been removed)
>> So there's our doubt. Where does libpcap capture the packet? Before or
>> after the driver or after crossing all the ip stack?
>It depends on the way your network stack is set up, including your
>virtual network device, and on the way the packet capture mechanism in
>your OS works, and on the network interface on which you're capturing.
>> We want to see it as
>> it's received from the network without any modifications, is it
>> possible?
>If your virtual network device gets its input from a real network
>device, try capturing on the real network device.


Jorge Lanza Calderón
Departamento Ingeniería Comunicaciones
Grupo de Ingeniería Telemática
Universidad de Cantabria
Avda. de los Castros, s/n
39005 - Santander  (España)
Tel: +34 942 200914
Fax: +34 942 201488
Web: http://www.tlmat.unican.es

/* netfilter hook example
 * Compile with: gcc -O -c -Wall nfexample.c
 * -O is needed
 * Insert the module using 'insmod nfexample'
 */

#define __KERNEL__
#define MODULE

#include <linux/config.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>

#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

#include <linux/ip.h>

struct nf_hook_ops hook_ex;

/* Called for every IPv4 packet at NF_IP_PRE_ROUTING, i.e. after the
 * driver has handed the packet to the stack but before routing. */
unsigned int function_hook(unsigned int hook, struct sk_buff **pskb,
                           const struct net_device *in,
                           const struct net_device *out,
                           int (*okfn)(struct sk_buff *))
{
  struct iphdr *ip;
  unsigned char *data;

  ip = (*pskb)->nh.iph;
  /* first byte after the IP header (the ICMP header for a ping) */
  data = (*pskb)->nh.raw + (ip->ihl) * 4;
  (*pskb)->nfcache |= NFC_UNKNOWN;

  switch ((*pskb)->len) {
    case 200:   /* ping -s 172: 172 + 8 (ICMP) + 20 (IP) = 200 bytes */
      printk("Example dropping ICMP packet\n");
      printk("Value not modified data[50] = %02X\n", data[50]);
      /* modify the packet buffer in place, then drop the packet */
      data[50] = 0xFF;
      printk("Value modified data[50] = %02X\n", data[50]);
      (*pskb)->nfcache |= NFC_ALTERED;
      return NF_DROP;
  }
  return NF_ACCEPT;
}

static int __init init(void)
{
  /* hook */
  hook_ex.list.next = NULL;
  hook_ex.list.prev = NULL;
  hook_ex.hook = function_hook;
  hook_ex.pf = PF_INET;
  /* hook_ex.hooknum = NF_IP_LOCAL_OUT; */
  hook_ex.hooknum = NF_IP_PRE_ROUTING;

  return nf_register_hook(&hook_ex);
}

static void __exit fini(void)
{
  nf_unregister_hook(&hook_ex);
}

module_init(init);
module_exit(fini);
