libpcap Capture Point Detail

A diagram showing how libpcap hooks into the protocol stack

In this configuration, the capture flow is:

  • The packet arrives at the Ethernet adapter
  • Because the card is set in promiscuous mode, it ignores the destination address and generates an interrupt
  • The NIC driver (or DMA) copies the packet into the kernel buffer
  • The NIC driver notifies the RAW socket driver
  • Because the raw socket is set in promiscuous mode, the packet is copied into the user buffer
  • Later, the user process running tcpdump is scheduled and processes the packet

Important points to note are:

  • The captured packet is a copy of the packet before it enters the TCP/IP stack
  • The timestamp is generated in the user process, and so is affected by any scheduling delay

