Question concerning libpcap and PF_PACKET

Hello everyone,

My question concerns libpcap and the way it captures packets sent 
from the machine where the sniffer is running to the network
(assuming kernel 2.4).

I can understand how libpcap uses PF_PACKET to capture network 
frames passing through the Ethernet cable: the NIC captures all 
of them because it operates in promiscuous mode; the frames go up 
the network receiving subsystem and, at some point, they reach
the PF_PACKET code, which duplicates them and forwards the copies to the 
tcpdump/sniffer running in userspace (please correct me if I'm wrong).

However, I can't see how libpcap captures packets sent by localhost to 
the cable. To what hook of the kernel's networking subsystem does it 
attach?

I'd appreciate it if someone could shed light on this matter.

Thanks a lot,

-- Martim

