===============================================================================
TOPIC: capture
ABSTRACT: this file describes how the capture process works within ettercap
NOTE: when in bridged sniffing, two threads are spawned, one for each
network interface.
===============================================================================
Here is represented in Very-High-Level-Language the capture thread behavior:
loop {
receives a single packet from the pcap callback
updates the packet statistics
dump the packet to a file (if the user has requested it)
if (truncated) continue;
creates the packet object
determine the interface where the packet was captured
HOOK POINT: HOOK_RECEIVED
starts the protocol decoding
-> the packet is decoded by decoder and the po is filled
-> the ip and tcp sessions are created
-> the middle layer is called (only if TCP or UDP)
-> if (PO_DONT_DISSECT) return;
-> set the PO_IGNORE according to the visualization filters
-> HOOK POINT: HOOK_HANDLED
-> if (PO_IGNORE) return;
-> execute the dissectors
-> HOOK POINT: HOOK_DECODED
-> execute the filtering engine
-> HOOK POINT: HOOK_FILTER
-> a copy of the packet is added to the top_half queue
if (PO_FORWARDABLE) {
HOOK POINT: HOOK_PRE_FORWARD
forward the packet to the real host (the victim)
}
destroy the packet object
}
Top_half thread behavior:
loop {
extract a packet from the top_half queue
HOOK POINT: HOOK_DISPATCHER
destroy the packet
}
EOF
distrib
>
Mageia
>
7
>
i586
>
media
>
core-release
>
by-pkgid
>
f25440540c5443b4e951026808a97d24
>
files
>
135
