Question concerning libpcap and PF_PACKET

From: Martim Carbone
Date: Thu Mar 25 2004 - 21:20:06 EST

Hello everyone,

My question concerns libpcap and the way it captures packets sent
from the machine where the sniffer is running to the network
(assuming kernel 2.4).

I can understand how libpcap uses PF_PACKET to capture network
frames passing through the Ethernet cable: the NIC captures all
of them because it operates in promiscuous mode; the frames go up
the network receiving subsystem and, at some point, they reach
the PF_PACKET code, that duplicates them and forwards the copies to the
tcpdump/sniffer, running in userspace (please, correct me if I'm wrong).

However, I can't see how libpcap captures packets sent by localhost to
the cable. To what hook of the kernel's networking subsystem does it

I'd aprecciate if someone could shed light on this matter.

Thanks a lot,

-- Martim

To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at