
drop

Open wudong20200702 opened this issue 1 year ago • 5 comments

How to intercept the original communication packets (rather than copy or bypass)

wudong20200702 commented Oct 17 '24 09:10

To which "rather than copy or bypass" are you referring here?

guyharris commented Oct 17 '24 17:10

The existing approach is to add a bypass at the data link layer; in order for the original communication to be directly affected, the original communication packets need to be intercepted directly.

wudong20200702 commented Oct 18 '24 02:10

The existing approach is to add a bypass at the data link layer;

Presumably by "the existing" you're referring to the way libpcap captures packets on whatever OS you're capturing.

If it's Linux:

  • for incoming packets, the packet receive path in the networking stack copies to a PF_PACKET socket's memory-mapped buffer the contents of the packet data, and adds metadata such as a time stamp;
  • for outgoing packets, the packet send path in the networking stack copies to a PF_PACKET socket's memory-mapped buffer the contents of the packet data, and adds metadata such as a time stamp.

If it's *BSD/macOS/AIX/Solaris 11:

  • for incoming packets, the network adapter driver calls a routine to copy the data of a received packet to a buffer and add metadata such as a time stamp;
  • for outgoing packets, the network adapter driver calls a routine to copy the data of a sent packet to a buffer and add metadata such as a time stamp.

If it's Windows with Npcap:

  • for incoming packets, the Npcap driver is handed a received packet by NDIS and copies to an Npcap driver device's buffer the packet data and adds metadata such as a time stamp;
  • for outgoing packets, the Npcap driver is handed a sent packet by NDIS and copies to an Npcap driver device's buffer the packet data and adds metadata such as a time stamp.

The copy is required, because 1) the purpose of those mechanisms is to passively capture incoming and outgoing traffic without affecting that traffic in any fashion and 2) the data has to remain around even if the Linux skbuff/{*BSD,macOS,AIX,Solaris 11} network packet buffer (mbuf for most of them)/NDIS packet buffer gets freed.

In order for the original communication to be directly affected, the original communication packets need to be intercepted directly.

If you want to modify or drop incoming or outgoing packets before they're transmitted or after they're received, the mechanisms that libpcap/Npcap uses do not support that, as they were not designed to do that. Different operating systems may offer mechanisms for doing that, but 1) it's not the same mechanism on all operating systems and 2) you'll have to research that yourself.

guyharris commented Oct 18 '24 02:10
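To make the "copy plus metadata" point above concrete, here is an added example in C that is not part of the thread and not libpcap's or any kernel's code: a small model of the capture path. A tap called from the (modelled) stack copies at most `SNAPLEN` bytes of each packet into a ring slot, stamps it with a time stamp, `caplen` and `len` (the same three fields libpcap exposes in `struct pcap_pkthdr`), and then the stack hands the very same buffer onward. A consumer callback with the shape of a `pcap_handler` zeroes the copy it is given; the wire frame is unaffected, which is exactly why this design cannot be used to intercept or drop traffic. The frame contents, the time stamp value, the ring size and every function name are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNAPLEN    64   /* like pcap's snaplen: copy at most this many bytes */
#define RING_SLOTS 4    /* a tiny stand-in for a memory-mapped capture ring */

/* Metadata the capture mechanism attaches to each copied packet.
 * Fields mirror libpcap's struct pcap_pkthdr: ts, caplen, len. */
struct cap_hdr {
    uint64_t ts_usec;  /* time stamp added at capture time */
    uint32_t caplen;   /* bytes actually copied into the buffer */
    uint32_t len;      /* original packet length on the wire */
};

struct cap_slot { struct cap_hdr hdr; uint8_t data[SNAPLEN]; };
struct cap_ring { struct cap_slot slot[RING_SLOTS]; unsigned head, count; };

/* Hypothetical tap standing in for the PF_PACKET / BPF / Npcap copy:
 * copies data and records metadata, never alters or holds the original. */
static void capture_tap(struct cap_ring *r, const uint8_t *pkt, size_t len,
                        uint64_t ts_usec)
{
    if (r->count == RING_SLOTS)   /* ring full: packet is missed, not blocked */
        return;
    struct cap_slot *s = &r->slot[(r->head + r->count) % RING_SLOTS];
    s->hdr.ts_usec = ts_usec;
    s->hdr.len     = (uint32_t)len;
    s->hdr.caplen  = len > SNAPLEN ? SNAPLEN : (uint32_t)len;
    memcpy(s->data, pkt, s->hdr.caplen);
    r->count++;
}

/* Modelled stack path: tap first, then hand the SAME buffer onward. */
static uint32_t stack_path(struct cap_ring *r, uint8_t *frame, size_t len,
                           uint64_t ts, uint32_t (*next)(const uint8_t *, size_t))
{
    capture_tap(r, frame, len, ts);
    return next(frame, len);
}

/* Consumer callback shaped like a pcap_handler; it only ever sees the copy. */
typedef void (*cap_handler)(void *user, const struct cap_hdr *h, uint8_t *copy);

static unsigned cap_dispatch(struct cap_ring *r, cap_handler cb, void *user)
{
    unsigned n = 0;
    for (; r->count; r->count--, n++) {
        struct cap_slot *s = &r->slot[r->head];
        cb(user, &s->hdr, s->data);
        r->head = (r->head + 1) % RING_SLOTS;
    }
    return n;
}

/* Stands in for "the rest of the stack": a checksum over what it received. */
static uint32_t byte_sum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    while (n--) s += *p++;
    return s;
}

/* A consumer that tries to "intercept" by zeroing its copy. */
static void zero_copy(void *user, const struct cap_hdr *h, uint8_t *copy)
{
    memset(copy, 0, h->caplen);
    *(struct cap_hdr *)user = *h;   /* keep the metadata for inspection */
}

/* Push one constructed frame of `len` bytes through the model; returns 1 if
 * the wire frame is untouched after the consumer mangled its copy. */
int demo_frame(size_t len, struct cap_hdr *seen)
{
    uint8_t frame[256];
    if (len > sizeof frame) return 0;
    for (size_t i = 0; i < len; i++)
        frame[i] = (uint8_t)(0xA0 + i);            /* constructed payload */
    uint32_t before = byte_sum(frame, len);

    struct cap_ring ring;
    memset(&ring, 0, sizeof ring);
    uint32_t after = stack_path(&ring, frame, len, 1729160000000000ULL, byte_sum);
    cap_dispatch(&ring, zero_copy, seen);          /* consumer mangles its copy */
    return before == after && byte_sum(frame, len) == before;
}

int main(void)
{
    struct cap_hdr h;
    int intact = demo_frame(100, &h);
    printf("frame intact after consumer edit: %d, len=%u caplen=%u ts=%llu\n",
           intact, h.len, h.caplen, (unsigned long long)h.ts_usec);
    return 0;
}
```

The 100-byte frame is recorded with `len` 100 but `caplen` 64, so the consumer sees a truncated copy, and when the ring is full the tap silently misses the packet rather than stalling it; both are the behaviours a passive tap has to have, and neither gives the consumer any influence over the frame the stack keeps forwarding.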

Asking about PacketInitPacket and PacketReceivePacket: which library holds the source code of these packet interfaces?

wudong20200702 commented Oct 18 '24 06:10

Asking about PacketInitPacket and PacketReceivePacket: which library holds the source code of these packet interfaces?

Those are part of the packet.dll library in Npcap (and WinPcap before that). See the Npcap repository.

guyharris commented Oct 18 '24 07:10

What about for Cygwin or MinGW/MSYS? Do we still need to use Npcap?

eabase commented Oct 23 '24 15:10

What about for Cygwin or MinGW/MSYS? Do we still need to use Npcap?

If you want to capture traffic with a library with a libpcap API, you'll have to use Npcap or some other such library-plus-driver combination, regardless of whether you use Cygwin or MinGW/MSYS - neither of those, as far as I know, has Npcap or WinPcap or... bundled with it.

This is #1377; discuss that question there, not here.

guyharris commented Oct 23 '24 16:10

Is there anything Linux can do that combines libpcap with the NDIS functionality in Windows?

wudong20200702 commented Oct 24 '24 01:10

Is there anything Linux can do that combines libpcap with the NDIS functionality in Windows?

No; the Linux network stack doesn't have NDIS.

On Linux, libpcap uses a PF_PACKET socket to do capturing.

guyharris commented Oct 24 '24 01:10

Closing as resolved.

infrastation commented Nov 10 '24 23:11