[plug] how sk_buff works?

Brad Campbell brad at wasp.net.au
Mon Apr 5 16:19:14 WST 2004

Parag Nemade wrote:
> Where is the data that is to be transmitted from one
> machine to another machine built as a packet in the
> kernel source?
> I want to know which function in the kernel source does this.
> What is the cloned skbuff?

Ok, I'm going to be overly harsh here. RTFS!
Find out where the packet leaves the kernel, trace it back using whatever method you prefer (I use 
printk) to locate its source. Grep the source for function names to figure out what calls what.

If you can't figure out even the basics and how to locate them (Google for one) then I shudder to 
think about you writing code in there.

Seriously. Listen to the people. Use fake network interfaces, tun/tap style, iptables, anything 
rather than mangling packets in the kernel. I did the kernel thing. It's fun, but the opportunities 
for oopsing the kernel are vast..

Now.. having sufficiently beaten you.. I hope the following helps.

Register a packet handler with dev_add_pack().
Any packets flowing through that interface will be sent to your packet handler if they match your 
You create a new skb with dev_alloc_skb(), take the data you want from the passed in skb and modify 
it the way you want it and copy it into the new skb. You could then free the old skb and poke the 
new one out the interface with dev_queue_xmit().

Study the skb struct carefully to look at how dev's are assigned and the pointers required to keep 
everything in the right place.
Make sure you know which routines are going to free skb's for you and which ones you need to free.

Good luck, sounds like you'll need it.
Have a look at drivers/net/loopback.c for a simple example of a network driver..

Oh.. and create a virtual interface rather than trying to intercept data from the outbound 
interface. That way your userspace program (whatever that might be) sends data to the virtual 
interface, you can modify it mid flight and poke it out the real interface. Data flowing in the real 
interface can be mangled (or de-mangled as the case may be) and then you can squirt it out the 
virtual interface to your program.
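
A userspace model of the copy, free and transmit steps described above, added as an example; it is not code from the post or from the kernel. Every toy_* name is hypothetical, and the model assumes the handler owns the skb it is handed and that transmit always consumes the skb passed to it.

```c
#include <stdlib.h>
#include <string.h>
struct toy_skb { /* userspace stand-in for struct sk_buff; toy_* names are hypothetical */
    unsigned char *head, *data, *tail, *end; /* buffer start, payload start/end, buffer end */
    int users;                               /* reference count */
};
static int live_skbs;          /* allocated minus freed; nonzero after a run means a leak */
static unsigned char wire[64]; /* bytes last "sent" out the real interface */
static size_t wire_len;
static struct toy_skb *toy_alloc_skb(size_t size) { /* models dev_alloc_skb() */
    struct toy_skb *skb = malloc(sizeof(*skb));
    if (!skb || !(skb->head = malloc(size ? size : 1))) { free(skb); return NULL; }
    skb->data = skb->tail = skb->head;
    skb->end = skb->head + size;
    skb->users = 1; live_skbs++;
    return skb;
}
static unsigned char *toy_skb_put(struct toy_skb *skb, size_t len) { /* models skb_put() */
    if (len > (size_t)(skb->end - skb->tail)) return NULL; /* not enough tailroom */
    skb->tail += len;
    return skb->tail - len;
}
static void toy_kfree_skb(struct toy_skb *skb) { /* models kfree_skb(): drop one reference */
    if (--skb->users == 0) { free(skb->head); free(skb); live_skbs--; }
}
static int toy_xmit(struct toy_skb *skb) { /* models dev_queue_xmit(): always consumes skb */
    wire_len = (size_t)(skb->tail - skb->data);
    if (wire_len <= sizeof(wire)) memcpy(wire, skb->data, wire_len);
    toy_kfree_skb(skb);
    return wire_len <= sizeof(wire) ? 0 : -1;
}
/* Handler as the post describes it: copy into a new skb, modify, free the old, send the new. */
static int toy_handler(struct toy_skb *old) {
    size_t i, len = (size_t)(old->tail - old->data);
    struct toy_skb *out = toy_alloc_skb(len);
    unsigned char *dst = out ? toy_skb_put(out, len) : NULL;
    if (!dst) { if (out) toy_kfree_skb(out); toy_kfree_skb(old); return -1; }
    memcpy(dst, old->data, len);
    for (i = 0; i < len; i++) dst[i] ^= 0x20; /* constructed "mangling": flips ASCII letter case */
    toy_kfree_skb(old);   /* the handler owns the skb it was handed */
    return toy_xmit(out); /* ownership of 'out' passes to xmit: no second free here */
}
static int toy_demo(void) { /* constructed input "ping"; 0 means sent as "PING" with no leak */
    struct toy_skb *in = toy_alloc_skb(16);
    if (!in) return -1;
    memcpy(toy_skb_put(in, 4), "ping", 4);
    if (toy_handler(in) != 0) return -1;
    return (wire_len == 4 && memcmp(wire, "PING", 4) == 0 && live_skbs == 0) ? 0 : 1;
}
int main(void) { return toy_demo(); }
```

Freeing 'out' after toy_xmit(), or skipping the free of 'old' on the error path, shows up here as a double free or a nonzero live_skbs; in the kernel the same mistakes are an oops or a leak.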

