dodo76

[Log in to get rid of this advertisement]

Hello!

If you add a PF_PACKET socket then you will be sniffing all packets that is received on your interface. But your sniffing packets are only copies of the packet which will also be heading up the normal IP stack and maybe processed in other packet handlers too.

Is there a way to "steal" the original packet? I.e. to stop it from being processed by other packet handlers?

Thanks
BR
Robert

nimnull22

To put another comp between and process the traffic.

dodo76

Thanks for answering but this was not what I meant.

I want to process the packet, but I want to do it at kernel level and NOT involve the usual network processing that exist in the kernel.

To be more frank:
I want to optimize the packet handling in the kernel, by writing the code myself. But I do not want to touch the kernel. Preferably I just want to write a module which I later can export to "any" linux distro (i.e. a portable solution).

Thanks
BR
Robert

nimnull22

This is not the packets processing, this is stealing.

What is wrong with it now. Kernel has a lot of different modules to process traffic.

dodo76

I used the word "steal" since I wanted to know if there was a way to stop the kernel from making a copy to each of the packet handlers. I have seen that there is this mechanism called NETPOLL. It can "consume" the packet and essentially "steal" it from the packet handlers. But NETPOLL seems to have been developed for faulty situations (more like a network debug tool).

I do suspect that the kernel does more than I want to do. I was hoping that I were going to be able to reduce the processing time of each packet by writing the processing code myself. It seems you can easily do this by just adding a PF_PACKET handler (like sniff tools do). But since the packet will still be copied to the ordinary IP stack I assume that there will be at least some overhead (even if I have no socket connected for that packets port).

BR
Robert