Does libpcap get a copy of the package?

Question

Does libpcap get a copy of the package?

Does libpcap get a copy of the package or the actual package?

By copy, I mean: an application using libpcap receives package A, and the kernel also receives package A.

In fact, what I mean is, only an application using libpcap gets package A, but the kernel doesn't.

+2

packet-sniffers packet-capture libpcap

sivabudh May 12 '10 at 12:16

a source to share

2 answers

The kernel will receive the packet, then pass it through a list of filters (for example, usually a filter for IPsec, firewall, etc.), and once it passes through all those filters, it passes the packet to the application. libpcap is another filter, but it just adds the package to the internal database for processing, instead of checking the package, modifying, or whatever other filters will do.

For what you want to do, the simplest solution would be to use a firewall.

+3

Dean harding May 12 '10 at 12:21

a source to share

Yann Ramin · Accepted Answer · 2010-05-12T00:24:30+0000

libpcap

won't let you do what you want. The purpose of pcap is to transparently obtain a copy of every packet on the system.

You should investigate how to interact with the existing firewall on your system, or how to add your own filters to the netfilter system (on Linux).

Does libpcap get a copy of the package?

More articles: