
I have the following setup:

```
client(eth0) --- (eth2) linux bridge (eth1) --- (eth1) server
```

When I open a RAW socket on the Linux bridge using

```c
fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
```

I have the socket bound to eth2. When the client sends a packet to the server, Wireshark running on the bridge reports the packet with a source MAC address of client(eth0) and a destination MAC address of server(eth1).

When I do a `read()`, the first 6 bytes of the data read are the destination MAC address, which is correctly read as server(eth1).

However, when I change the statement to

```c
fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP));
```

and do a `read()`, the first 6 bytes of the data read show that the destination MAC address is linux bridge (eth2).

Why would this be? Is the kernel or Ethernet card driver placing its own MAC address in the buffer instead of reading off the wire with ETH_P_IP?

A G

1 Answer


For the ETH_P_IP case, what you are describing sounds like a normal "routing" scenario (i.e., the routing MAC is the destination MAC).

It would make sense if your client and server are on different subnets/VLANs, with a router in between.

However, the diagram indicates a Linux "bridge". Does it do bridging only and no routing at all?

EDIT

ETH_P_IP only captures incoming IP packets, according to this answer: [Packet Sniffing using Raw Sockets in Linux in C](http://stackoverflow.com/questions/1637835/packet-sniffing-using-raw-sockets-in-linux-in-c)

user1500049
  • That is correct, it is acting as a layer two bridge. Client and server are on the same VLAN. In both cases, Wireshark shows the destination MAC address is server(eth1), yet `read()` on ETH_P_IP shows something different to what Wireshark reports. – A G Oct 09 '12 at 10:21
  • Answer updated, referencing a similar question [here](http://stackoverflow.com/questions/1637835/packet-sniffing-using-raw-sockets-in-linux-in-c). – user1500049 Oct 11 '12 at 15:59
  • Hmm, so are you saying any MAC address information should be ignored because you'd only be interested in the IP layer and above? – A G Oct 29 '12 at 10:47
  • @A G I won't say ignore, but the ETH_P_IP behaves after incoming IP packets according to the included [post](http://stackoverflow.com/questions/1637835/packet-sniffing-using-raw-sockets-in-linux-in-c) above. – user1500049 Oct 30 '12 at 21:37
  • Yes, so you're saying ETH_P_IP only captures reliable information down to the IP layer, and if you want reliable information for the whole packet, use ETH_P_ALL. – A G Nov 02 '12 at 15:35
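
To compare what the two socket types from the question actually deliver on one interface, the following added example (not code from the question or the answer) prints, for each frame, the first 14 bytes as destination MAC, source MAC and EtherType, together with the `sll_pkttype` the kernel reports through `recvfrom()`, which separates frames addressed to this host from frames for another host and from outgoing ones. The helper names `eth_summary` and `pkttype_name` are hypothetical; it assumes Linux and CAP_NET_RAW.

```c
/* Added example; eth_summary() and pkttype_name() are hypothetical helper names. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
/* Format the 14-byte Ethernet header at the start of a frame; -1 if too short. */
int eth_summary(const unsigned char *f, size_t len, char *out, size_t outlen) {
    if (len < ETH_HLEN) return -1;
    snprintf(out, outlen,
             "dst=%02x:%02x:%02x:%02x:%02x:%02x src=%02x:%02x:%02x:%02x:%02x:%02x type=0x%04x",
             f[0], f[1], f[2], f[3], f[4], f[5],
             f[6], f[7], f[8], f[9], f[10], f[11],
             (unsigned)(f[12] << 8 | f[13]));
    return 0;
}
/* How the kernel classified the frame (sll_pkttype filled in by recvfrom()). */
const char *pkttype_name(unsigned char t) {
    switch (t) {
    case PACKET_HOST:      return "HOST";
    case PACKET_BROADCAST: return "BROADCAST";
    case PACKET_MULTICAST: return "MULTICAST";
    case PACKET_OTHERHOST: return "OTHERHOST";
    case PACKET_OUTGOING:  return "OUTGOING";
    default:               return "OTHER";
    }
}
/* Usage: ./a.out <ifname> <all|ip>   (run once per mode and compare the output) */
int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <ifname> <all|ip>\n", argv[0]); return 2; }
    unsigned short proto = strcmp(argv[2], "ip") ? ETH_P_ALL : ETH_P_IP;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(proto));
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_ll bind_ll = { .sll_family = AF_PACKET,
        .sll_protocol = htons(proto), .sll_ifindex = (int)if_nametoindex(argv[1]) };
    if (!bind_ll.sll_ifindex || bind(fd, (struct sockaddr *)&bind_ll, sizeof bind_ll) < 0) { perror("bind"); return 1; }
    unsigned char buf[2048]; char line[96];
    for (;;) {
        struct sockaddr_ll from; socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); return 1; }
        if (eth_summary(buf, (size_t)n, line, sizeof line) == 0)
            printf("if=%d %-9s %s\n", from.sll_ifindex, pkttype_name(from.sll_pkttype), line);
    }
}
```

Running it once with `all` and once with `ip` on the same interface shows whether the two sockets are receiving the same frames, and the `if=` column shows which interface index each frame is attributed to.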