=============================================================================== TOPIC: capture ABSTRACT: this file describes how the capture process works within ettercap NOTE: when in bridged sniffing, two threads are spawned, one for each network interface. =============================================================================== Here is represented in Very-High-Level-Language the capture thread behavior: loop { receives a single packet from the pcap callback updates the packet statistics dump the packet to a file (if the user has requested it) if (truncated) continue; creates the packet object determine the interface where the packet was captured HOOK POINT: HOOK_RECEIVED starts the protocol decoding -> the packet is decoded by decoder and the po is filled -> the ip and tcp sessions are created -> the middle layer is called (only if TCP or UDP) -> if (PO_DONT_DISSECT) return; -> set the PO_IGNORE according to the visualization filters -> HOOK POINT: HOOK_HANDLED -> if (PO_IGNORE) return; -> execute the dissectors -> HOOK POINT: HOOK_DECODED -> execute the filtering engine -> HOOK POINT: HOOK_FILTER -> a copy of the packet is added to the top_half queue if (PO_FORWARDABLE) { HOOK POINT: HOOK_PRE_FORWARD forward the packet to the real host (the victim) } destroy the packet object } Top_half thread behavior: loop { extract a packet from the top_half queue HOOK POINT: HOOK_DISPATCHER destroy the packet } EOF