Is libpcap implemented by socket API?

Question

libpcap is used for package capturing. As I understand, it can capture the network packages from all ports. And it can capture the package data in link layer (such as ethernet frame).

This looks a little confusing to me, because it seems impossible to intercept all network traffic (from all ports) by just using the socket API in Unix-like system. Moreover, socket API seems unable to get the information in link layer (such as the header of Ethernet frame).

Is it true that libpcap is implemented by socket API? If not, which OS-level API is used to implement it?

score 3 · Answer 1 · answered Dec 04 '15 at 12:20

libpcap is not part of the sockets API. On Linux PF_PACKET is used, which is an evolution of the BSD mechanism. On other operating systems there are other mechanisms (DLPI, Windows requires a DLL).
The capture on any interface mechanism is a Linux specific mechanism, and the capture mechanism occurs above the layer of the network interface. The capture mechanism inside the kernel either has an explicit call out to a kernel packet filter, or is inserted by adjusting the plumbing (SVR4).

score 2 · Accepted Answer · answered Dec 04 '15 at 19:43

Is it true that libpcap is implemented by socket API?

If you're on Linux or IRIX, it is true. If you're on another flavor of UN*X, it is not true.

If not, which OS-level API is used to implement it?

On *BSD, OS X, AIX, and Solaris 11 and later: BPF.

On earlier versions of Solaris, and on HP-UX: STREAMS+DLPI.

it seems impossible to intercept all network traffic (from all ports) by just using the socket API in Unix-like system

On Linux, if you open a PF_PACKET socket, and don't bind it to a particular interface, packets from all interfaces are delivered to the socket.

socket API seems unable to get the information in link layer

You have to use the right type of socket, namely a PF_PACKET socket on Linux or a PF_RAW socket with a protocol of RAWPROTO_SNOOP on IRIX. Other UN*Xes don't have socket types for packet capture, and use other mechanisms.

score 1 · Answer 3 · answered Dec 04 '15 at 10:19

1

On Linux, access to the raw packets needed by libpcap is done using a PF_PACKET socket.

See http://man7.org/linux/man-pages/man7/packet.7.html

answered Dec 04 '15 at 10:19

Alnitak

334,560
70
407
495

score 0 · Answer 4 · answered Dec 04 '15 at 10:15

0

It's implemented by inserting a driver into the network stack.

answered Dec 04 '15 at 10:15

user207421

305,947
44
307
483

Thanks! But how is the driver inserted? Does Linux provide such an API? – Hanfei Sun Dec 04 '15 at 10:17
1

@Alnitak It is like that on some systems, e.g. windows, though not on linux or most unixes. – nos Dec 04 '15 at 10:23
The question is tagged "linux", and the OP talked about "Unix-like" systems in the question, too. – Alnitak Dec 04 '15 at 10:24

score 0 · Answer 5 · answered Nov 06 '21 at 12:02

0

Normally, applications use kernel-level TCP stack. Instead of using default kernel-level implementation, by using your own implementation of TCP/IP stack processing in user-space, you can be bypass the kernel.

more readings "zero copy networking" vs "kernel bypass"?

according to that StackOverflow post pcap is also doing kernel Bypass

answered Nov 06 '21 at 12:02

Asanka

552
6
15

"according to that StackOverflow post pcap is also doing kernel Bypass" Only in the sense that libpcap uses memory-mapped `PF_PACKET` sockets, so that the kernel copies received packets to that buffer and libpcap fetches the packets from that buffer, "bypassing" copies from kernel buffers to userland buffers. (I've added a comment to that post to clarify this.) – user16139739 Nov 06 '21 at 20:36

Is libpcap implemented by socket API?

5 Answers5