the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/
Other
2.72k stars 855 forks source link

drop #1372

Closed wudong20200702 closed 2 weeks ago

wudong20200702 commented 1 month ago

How to intercept the original communication packets (rather than copy or bypass)

guyharris commented 1 month ago

To which "rather than copy or bypass" are you referring here?

wudong20200702 commented 1 month ago

The existing is to add a bypass to the data link layer; In order to achieve the original communication can be directly affected, directly intercept the original communication packets;

guyharris commented 1 month ago

The existing is to add a bypass to the data link layer;

Presuambly by "the existing" you're referring to the way libpcap captures packets on whatever OS you're capturing.

If it's Linux:

If it's *BSD/macOS/AIX/Solaris 11:

If it's Windows with Npcap:

The copy is required, because 1) the purpose of those mechanisms is to passively capture incoming and outgoing traffic without affecting that traffic in any fashion and 2) the data has to remain around even if the Linux skbuff/{*BSD,macOS,AIX,Solaris 11} network packet buffer (mbuf for most of them)/NDIS packet buffer gets freed.

In order to achieve the original communication can be directly affected, directly intercept the original communication packets;

If you want to modify or drop incoming or outgoing packets before they're transmitted or after they're received, he mechanisms that libpcap/Npcap uses do not support that, as they were not designed to do that. Different operating systems may offer mechanism for doing that, but 1) it's not the same mechanism on all operating systems and 2) ou'll have to research that yourself.

wudong20200702 commented 1 month ago

ask PacketInitPacket, PacketReceivePacket which library is the source code of these packet interfaces.

guyharris commented 1 month ago

PacketInitPacket, PacketReceivePacket which library is the source code of these packet interfaces.

Those are part of the packet.dll library in Npcap (and WinPcap before that). See the Npcap repository.

eabase commented 1 month ago

What about for Cywgin or MingGW/MSYS? Do we still need to use npcap?

guyharris commented 1 month ago

What about for Cywgin or MingGW/MSYS? Do we still need to use npcap?

If you want to capture traffic with a library with a libpcap API, you'll have to use Npcap or some other such library-plus-driver combination, regardless of whether you use Cygwin or MinGW/MSYS - neither of those, as far as I know, have Npcap or WinPcap or... bundled with them.

This is #1377; discuss that question there, not here.

wudong20200702 commented 1 month ago

Is there anything linux can do that combines libpcap with the NDIS functionality in windows

guyharris commented 1 month ago

Is there anything linux can do that combines libpcap with the NDIS functionality in windows

No; the Linux network stack doesn't have NDIS.

On Linux, libpcap uses PF_PACKET socket to do capturing.

infrastation commented 2 weeks ago

Closing as resolved.