Wireshark-dev: Re: [Wireshark-dev] How to push packets into libpcap (Linux) ?

From: Ori Finkelman <orifinkelman@xxxxxxxxx>
Date: Thu, 25 Feb 2010 18:25:44 +0200
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 19 Feb 2010 20:54:59 +0100

>> On Thu, 18 Feb 2010 17:12:31 +0200, Ori Finkelman <orifinkelman@xxxxxxxxx>
>> Hi,
>> My Linux kernel module can sometimes drop packets on their way out (at
>> the IP layer).
>> However, I would like to be able to catch these packets in wireshark
>> even though I am dropping them.
>> Is there any way I can push an sk_buff directly into libpcap so I will
>> get it into wireshark ?
>> Thanks,
>> Ori

> Hi,

> Maybe ulogd from netfilter can help you here.
> See: http://netfilter.org/projects/ulogd/index.html

> Thanks,
> Jaap

Thanks, but that's actually not what I need.
I am developing a netfilter module. I am catching packets at the IP layer and in some cases my decision is to drop outgoing packets.
Naturally, when I am dropping packets at the IP post routing, they never reach libpcap and are not recorded by wireshark.
This makes the lives of the testing people (and mine) difficult as we can't see the full flow and we don't know for sure the reason for problems etc.
What I am looking for is a way to take the packet I am going to drop and hand it over to libpcap (as an sk_buff) so that it will be captured by wireshark.