All geek questions in one place

Why are there differences between ETH_P_IP and ETH_P_ALL during read () operation

I have the following setup:

client(eth0) --- (eth2) linux bridge (eth1) --- (eth1) server

When I open a RAW socket on linux bridge using

 fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

I have a socket associated with eth2. When a client sends a packet to the server, wirehark running on the bridge reports the packet with the source MAC address of the client (eth0) and the destination MAC address of the server (eth1).

When I do read() , the first 6 bytes of the data being read are the destination address, which is correctly read as the server (eth1).

However, when I change the instruction to

 fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP));

When I do read() , the first 6 bytes of the data read indicates that the destination address is linux bridge (eth2).

Why was that? Is the kernel driver or network card putting its own address in the buffer instead of reading using ETH_P_IP?

+4
source share
1 answer

In the case of ETH_P_IP, what you describe sounds like a normal routing scenario. (i.e. the routing MAC address is the target mac.)

It would be wise if your client and server are on different / vlan subnets and between routers between them.

However, the diagram points to the linux bridge. Is it just bridges and no routing at all?

EDIT

ETH_P_IP only captures the incoming IP packet according to this answer: Discover packets using Raw Sockets on Linux in C

+2
source

Source: https://habr.com/ru/post/1438423/

More articles:


All Articles