THE INTERNALS OF LIBPCAP: A CASE STUDY
BY: VIVEK GUPTA,
STUDENT, MS(IT), DA-IICT, GANDHINAGAR.
BSD: Berkeley Software Design.
TCP: Transmission Control Protocol.
IP: Internet Protocol.
BPF: BSD Packet Filter.
DLPI: Data Link Provider Interface.
libpcap: Packet Capture Library.
JNI: Java Native Interface.
NIT: Network Interface Tap.
CSPF: CMU/Stanford Packet Filter.
Packet capture is a fundamental mechanism in network management. It is used to support a wide range of network operational tasks, such as fault detection, protocol analysis, and security assessment. Libpcap is one of the most common and basic libraries available for the purpose of packet capture. In spite of the fact that the library has existed for a considerably long time, there is no document which explains the underlying concept of how this library works. In this paper, I will be presenting the system-level working of libpcap, i.e., the concept as well as the code. The paper is intended to provide the reader with concepts which will enhance his or her understanding of the packet capture library; the reader should then be able to design and code a library of a similar kind. The working is explained with reference to a network-monitoring tool. I have tried to explain the core concept as well as its application within the library.
Packet capture, in simple words, means "to grab packets". In order to grab packets we need to access the primary facility provided by the operating system, so that we have access to packets in their raw form. To make a network monitoring application we need to capture all the packets on the network. The packet capture library allows us to intercept any packet that is seen by the network interface. We need to put the interface on that network into "promiscuous" mode, so that we can capture all packets on the network segment on which it is running. Once the packet is captured it is handed off to the operating system, which must determine what type of packet it is. The operating system then strips off the Ethernet header of the packet and looks at the upper layers. By using the libpcap library, it is possible to write our own network monitoring tools. Libpcap provides us with a portable framework for low-level network monitoring. The general layout of a Packet Capture Library based monitoring tool is as follows:
1. Setting the device: We begin by determining which interface we want to sniff on. In Linux this may be something like eth0, in BSD it may be xl1, etc. We can either define this device in a string, or we can ask pcap to provide us with the name of an interface that will do the job.
2. Initialization of pcap: At this step we tell pcap what device we are sniffing on. This part consists of initialization of the capture interface, which includes setting the interface in promiscuous mode.
3. Filtering traffic: In the event that a user wants to sniff for specific traffic (e.g. only TCP/IP packets, or only packets going to port 23), we must create a rule set, "compile" it, and apply it. This is an optional step.
4. Actual sniffing: Finally, pcap is made to enter its primary execution loop. In this state, pcap waits until it has received the desired packets. Every time it receives a new packet, it calls a callback function that we have defined in advance; the behaviour of that function is entirely up to us.
5. Wrapping up: After the sniffing needs are satisfied, the session is closed.
In this paper, I will be presenting the internal working of the libpcap library with respect to these steps. The next section, titled "Background", gives us a brief idea about the history of the libpcap library. In the following section, titled "Internals of libpcap", I will be covering the concept and associated code for the library. This has been explained with respect to the steps stated above. Lastly...
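The five steps above, as an added example that is not code from the paper or from libpcap itself. The compiled part is the user-defined callback that step 4 hands every captured frame to: it strips the Ethernet header and reads the IPv4 and TCP/UDP fields, bounds-checking against the captured length so a short snaplen or runt frame never reads past the buffer. main() wraps it in the device / open / filter / loop / close sequence using the real libpcap calls (pcap_findalldevs, pcap_open_live, pcap_compile, pcap_setfilter, pcap_loop, pcap_close); that path is compiled only with -DUSE_LIBPCAP, so the file also builds and runs without libpcap installed by feeding a constructed frame to the callback. The interface choice (first reported device), the filter string "tcp port 23", the snaplen and the packet count are illustrative assumptions, as is the sample frame.

```c
/* Added example, not code from the paper or libpcap.  decode_frame()/got_packet()
 * are the user-defined callback of step 4; main() is the five-step libpcap skeleton.
 * Interface choice, filter string, snaplen and packet count are illustrative assumptions.
 *   stand-alone (feeds a constructed frame):   cc -o sniff sniff.c
 *   live capture (libpcap + CAP_NET_RAW):      cc -DUSE_LIBPCAP -o sniff sniff.c -lpcap */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#ifdef USE_LIBPCAP
#include <pcap.h>
#else
/* Stand-in with libpcap's field layout so the callback compiles without pcap.h. */
struct pcap_pkthdr { struct timeval ts; uint32_t caplen; uint32_t len; };
#endif

struct decoded {
    int ok;                 /* 1 if parsed as Ethernet/IPv4, else 0 */
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint8_t proto;          /* IPv4 protocol number: 6 = TCP, 17 = UDP */
    uint16_t sport, dport;  /* 0 when not TCP/UDP or when the ports were cut off */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Strip the 14-byte Ethernet header and look at the upper layers.  Only caplen
 * bytes exist in the buffer (snaplen may be shorter than the wire length), so
 * every layer is bounds-checked before it is read. */
struct decoded decode_frame(const unsigned char *pkt, uint32_t caplen)
{
    struct decoded d;
    memset(&d, 0, sizeof d);
    if (caplen < 14 || rd16(pkt + 12) != 0x0800)     /* EtherType must be IPv4 */
        return d;
    const unsigned char *ip = pkt + 14;
    uint32_t avail = caplen - 14;
    if (avail < 20 || (ip[0] >> 4) != 4)
        return d;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;     /* header length incl. options */
    if (ihl < 20 || avail < ihl)
        return d;
    d.ok = 1; d.proto = ip[9];
    d.src = rd32(ip + 12); d.dst = rd32(ip + 16);
    if ((d.proto == 6 || d.proto == 17) && avail - ihl >= 4) {   /* TCP/UDP ports */
        d.sport = rd16(ip + ihl);
        d.dport = rd16(ip + ihl + 2);
    }
    return d;
}

/* libpcap's callback signature: pcap_loop() calls this once per captured packet. */
static void got_packet(unsigned char *user, const struct pcap_pkthdr *h, const unsigned char *bytes)
{
    (void)user;
    struct decoded d = decode_frame(bytes, h->caplen);
    if (!d.ok) { printf("non-IPv4 or truncated frame (%u bytes)\n", h->caplen); return; }
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto %u\n",
           d.src >> 24, d.src >> 16 & 0xff, d.src >> 8 & 0xff, d.src & 0xff, d.sport,
           d.dst >> 24, d.dst >> 16 & 0xff, d.dst >> 8 & 0xff, d.dst & 0xff, d.dport, d.proto);
}

/* Constructed test data, not a real capture: Ethernet + IPv4 + TCP SYN,
 * 10.0.0.1:40000 -> 10.0.0.2:23, checksums left zero. */
static const unsigned char sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,      /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,               /* IPv4 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x9c,0x40,0x00,0x17, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0          /* TCP */
};

int main(int argc, char **argv)
{
#ifdef USE_LIBPCAP
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_if_t *devs;
    /* 1. Setting the device: argv[1], else the first interface libpcap reports. */
    if (pcap_findalldevs(&devs, errbuf) == -1 || devs == NULL) { fprintf(stderr, "%s\n", errbuf); return 1; }
    const char *dev = argc > 1 ? argv[1] : devs->name;
    /* 2. Initialization: promiscuous mode on, 65535-byte snaplen, 1 s read timeout. */
    pcap_t *h = pcap_open_live(dev, 65535, 1, 1000, errbuf);
    if (h == NULL) { fprintf(stderr, "%s: %s\n", dev, errbuf); pcap_freealldevs(devs); return 1; }
    pcap_freealldevs(devs);
    /* 3. Filtering (optional): compile the rule set to BPF and attach it. */
    struct bpf_program fp;
    if (pcap_compile(h, &fp, "tcp port 23", 1, PCAP_NETMASK_UNKNOWN) == -1 ||
        pcap_setfilter(h, &fp) == -1) { fprintf(stderr, "%s\n", pcap_geterr(h)); pcap_close(h); return 1; }
    pcap_freecode(&fp);
    /* 4. Actual sniffing: block in pcap's loop until 10 matching packets were handled. */
    pcap_loop(h, 10, got_packet, NULL);
    /* 5. Wrapping up: close the session. */
    pcap_close(h);
#else
    (void)argc; (void)argv;                      /* offline run: feed the constructed frame */
    struct pcap_pkthdr hdr = { {0, 0}, sizeof sample_frame, sizeof sample_frame };
    got_packet(NULL, &hdr, sample_frame);
#endif
    return 0;
}
```

The decoder trusts only h->caplen, never the IP total-length field or the wire length in h->len: with a small snaplen libpcap hands the callback a truncated copy, and a decoder that walks headers by their own length fields is the classic source of out-of-bounds reads in capture tools. The filter in step 3 runs in the kernel's BPF engine, so packets that do not match never reach got_packet at all.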