Overview
Most current operating systems give applications access to the datalink layer. This access provides the following capabilities:
- The ability to watch the packets received by the datalink layer, allowing programs such as tcpdump to run on ordinary computer systems rather than on dedicated hardware devices built to watch packets. If the network interface is put into promiscuous mode, it can even watch all packets passing on the local cable.
- The ability to run certain programs as normal applications instead of as part of the kernel. For example, most Unix versions of an RARP server are normal applications that read RARP requests from the datalink (RARP requests are not IP datagrams) and then write the reply back to the datalink.
- Three common methods of providing datalink access:
  - BPF, the BSD Packet Filter
  - DLPI, the SVR4 Datalink Provider Interface
  - The Linux SOCK_PACKET interface
BPF
4.4BSD and many other Berkeley-derived implementations support BPF.
DLPI
SVR4 provides datalink access through DLPI (Datalink Provider Interface).
SOCK_PACKET and PF_PACKET
Two methods under Linux:
- SOCK_PACKET: the original method; widely available but less flexible
- PF_PACKET: the newer method
/* newer systems */
Related libraries
- libpcap: packet capture functions and library
- libnet: packet construction and output library
Example: checking the UDP checksum field
See the textbook, Figure 29-3.
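As an added example (my own code, not the textbook's Figure 29-3 program), the core of such a check: verifying a captured IPv4/UDP datagram's checksum over the pseudo-header, UDP header and data, which is the field a normal UDP socket never lets an application see. The packet bytes, addresses and ports below are constructed for the example, and the buffer is assumed to start at the IPv4 header with the link-layer header already removed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One's-complement sum of 16-bit big-endian words; the caller folds the carries. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1)
        acc += (uint32_t)p[len - 1] << 8;    /* odd trailing byte is zero-padded */
    return acc;
}
/* Verify the UDP checksum of a packet that starts at its IPv4 header.
 * Returns 1 if it verifies, 0 if wrong, 2 if the sender sent the field as zero
 * (checksum disabled, legal for UDP/IPv4), -1 if not a well-formed IPv4/UDP packet. */
int udp_checksum_ok(const uint8_t *ip, size_t len)
{
    uint8_t pseudo[12];
    if (len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 8 || ip[9] != 17) return -1;   /* 17 = UDP */
    size_t udplen = (size_t)ip[ihl + 4] << 8 | ip[ihl + 5];
    if (udplen < 8 || ihl + udplen > len) return -1;
    if (ip[ihl + 6] == 0 && ip[ihl + 7] == 0) return 2;
    /* Pseudo-header: src addr, dst addr, zero byte, protocol, UDP length */
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = 17;
    pseudo[10] = ip[ihl + 4]; pseudo[11] = ip[ihl + 5];
    uint32_t sum = ones_sum(pseudo, sizeof pseudo, 0);
    sum = ones_sum(ip + ihl, udplen, sum);   /* checksum field included on purpose */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return sum == 0xffff;                    /* a valid datagram sums to all ones */
}
/* Constructed sample: 192.168.1.1:12345 -> 192.168.1.2:53, payload "hi",
 * UDP checksum 0xe3ae. The IP header checksum is left zero; it is not checked here. */
const uint8_t sample_packet[30] = {
    0x45,0x00,0x00,0x1e, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x0a,0xe3,0xae, 0x68,0x69 };
/* Same datagram with one payload bit flipped, so the checksum must fail. */
const uint8_t sample_packet_bad[30] = {
    0x45,0x00,0x00,0x1e, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x0a,0xe3,0xae, 0x68,0x68 };
int main(void)
{
    printf("good: %d  bad: %d\n", udp_checksum_ok(sample_packet, 30),
           udp_checksum_ok(sample_packet_bad, 30));   /* prints "good: 1  bad: 0" */
    return 0;
}
```

A capture program would feed each packet it reads from BPF, DLPI or a PF_PACKET socket (or from libpcap) into udp_checksum_ok after skipping the link-layer header.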