PF_PACKET and IP layer concurrent packet access?

From: Amit Kucheria (
Date: Wed Jul 17 2002 - 13:32:02 EST


I have been tracing the way tcpdump works and I figured out how it
registers a PACKET socket with a ETH_P_ALL protocol. Hence the first
loop in net_bh() for ptype_all sends a clone of the packet to
packet_rcv() in /net/packet/af_packet.c. Then the second loop in
net_bh() for ptype_base is entered and it sends another clone of the
packet to ip_rcv().

Hence we have two clones of the packet (actually copies of the pointers
in sk_buff) pointing to the same data (head, data, tail, end pointers).

Is this understanding right?

Now packet_rcv() puts the packet into the PACKET socket's receive queue
where it waits for the userspace application (tcpdump) to read it using
the recvfrom() system call.

Meanwhile the other clone (still pointing to the same data) travels
through ip_rcv(). Does ip_rcv() confirm the "shared" status of the
skbuff before manipulating it? If so, where?


I'm an angel!!! Honest!
The horns are just there to hold the halo up straight.
                  Amit Kucheria
          EECS Grad. Research Assistant
         University of Kansas @ Lawrence
   (R): +1-785-830-8521 ||| (C): +1-785-760-2871

- To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to More majordomo info at

This archive was generated by hypermail 2b29 : Tue Jul 23 2002 - 22:00:01 EST