[SOLVED] How does the AF_PACKET socket work in Linux?

Issue

I am trying to write a C sniffer for Linux, and understand the actions happening in the kernel while sniffing.

I am having troubles finding an answer for the following question: If I initialize my socket in the following way:

sock_raw = socket(AF_PACKET , SOCK_RAW , htons(ETH_P_ALL));

What happens in the kernel? How am I seeing all the incoming and outgoing packets, but not "hijacking" them? Because what I have understood do far is that when the kernel receives a packet, it sends it to the relevant protocol handler function. Therefore I can't understand - does the kernel clone the packet and sends it in addition to the socket I opened?

Solution

What happens in the kernel?

The kernel simply duplicates the packets as soon as it receives them from the physical layer (for incoming packets) or just before sending them out to the physical layer (for outgoing packets). One copy of each packet is sent to your socket (if you use ETH_PH_ALL then you are listening on all interfaces, but you could also bind(2) to a particular one). After a copy is sent to your socket, the other copy then continues being processed like it normally would (e.g. identifying and decoding the protocol, checking firewall rules, etc).

How am I seeing all the incoming and outgoing packets, but not "hijacking" them?

In order for hijacking to happen, you would need to write data to the socket injecting new packets (accurately crafted depending on the protocol you want to hijack). If you only read incoming packets, you are merely sniffing, without hijacking anything.

does the kernel clone the packet and sends it in addition to the socket I opened?

Yes, that's basically what happens. This image could help you visualize it (click to enlarge):

man 7 packet also describes this:

Packet sockets are used to receive or send raw packets at the device driver (OSI Layer 2) level. They allow the user to implement protocol modules in user space on top of the physical layer.

The socket_type is either SOCK_RAW for raw packets including the link-level header or SOCK_DGRAM for cooked packets with the link-level header removed. The link-level header information is available in a common format in a sockaddr_ll structure. protocol is the IEEE 802.3 protocol number in network byte order. See the <linux/if_ether.h> include file for a list of allowed protocols. When protocol is set to htons(ETH_P_ALL), then all protocols are received. All incoming packets of that protocol type will be passed to the packet socket before they are passed to the protocols implemented in the kernel.

Answered By - Marco Bonelli

Answer Checked By - Clifford M. (WPSolving Volunteer)