From: Kevin Oberman
To: wind@sourcearmory.com
Cc: freebsd-net@freebsd.org
Date: Tue, 30 Apr 2013 17:02:07 -0700
Subject: Re: Capture packets before kernel process
In-Reply-To: <517FE225.6080703@sourcearmory.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Apr 30, 2013 at 8:24 AM, wrote:

> Hi!
>
> I need some help, currently I'm working in a project where I want to
> capture and process some network packets before the kernel. I have searched
> but I have found nothing.
>
> Is there some way to capture the packets before the kernel ?
>
>

This is a rather odd question. The device drivers, which are the code that does all direct communication with the interfaces, are part of the kernel in most all operating systems. This is technically not required, but I have not run into an OS that did not work this way in many years. (Digital's IAS used user mode handlers to talk to interfaces, but it has been obsolete for a quarter century.) Even there, the kernel contained the basic interrupt routine (very simple) as a part of the kernel to hand the data to the handler.

If you want to see the raw data, the PCAP code will capture the data very early after it is received by the kernel, but the kernel still must do this as it and only it actually can "talk" to the interface and receive data.

-- 
R. Kevin Oberman, Network Engineer
E-mail: rkoberman@gmail.com