Also, what I'm talking about now is the AF_INET protocol family; I've already looked at the PF_PACKET protocol family.
Well, let me start off by saying that AF_* is exactly the same as PF_*... Ie: AF_INET
is the same as PF_INET, AF_PACKET == PF_PACKET, etc... The AF/PF dichotomy
came about due to some misguided attempt early in the formation of the sockets
API to allow for a protocol to host multiple different address types... But, such a
thing never came about, and in practice there's absolutely no difference between
AF_* and PF_*, and people use them interchangeably... (Though, technically, as I'm
sure Michael will mention, you're supposed to use PF_* as socket()'s first arg, and
AF_* as the *_family value in sockaddr_* structs... But, I say screw that, and just use
AF_* everywhere... ;-) Here is an old message on Richard Stevens' old home page
(http://www.kohala.com/start/lanciani.96apr10.txt),
which goes into more detail on the original reason for the split, and why AF_* is
the only logical choice to use these days... *ducks Michael's wrath* ;-))
Now, as for AF_INET vs. AF_PACKET, well the former is the normal IP family, in
which you can have TCP, UDP, or raw sockets, while the latter is the Linux-specific
packet family, specifically designed for sniffing link-level packets off the wire... Ie:
with an AF_PACKET socket, you can sniff not only IP traffic, but anything else as
well... And, you can get at the link-level (eg: Ethernet) headers, as well... See
"man 7 packet" and "man 7 raw" for the difference between AF_INET/SOCK_RAW
and AF_PACKET/SOCK_{RAW,DGRAM}...
[ Last edited by duanjigang on 2008-7-30 22:09 ]
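Added example, not part of the original post: the same captured packet parsed in the two views described above, once with the link-level header in front (what AF_PACKET/SOCK_RAW hands to the reader) and once starting at the IPv4 header (what AF_PACKET/SOCK_DGRAM or AF_INET/SOCK_RAW hands over), plus a check that the AF_ and PF_ constants are equal on Linux. The sample frame, `parse_packet`, `families_identical` and the `PKT_*` codes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>   /* AF_xxx and PF_xxx constants; AF_PACKET is Linux-specific */

/* Constructed sample: Ethernet II + IPv4 + UDP header (checksums left zero). */
static const uint8_t sample_frame[42] = {
    0x02,0,0,0,0,0x02,  0x02,0,0,0,0,0x01,  0x08,0x00,  /* dst MAC, src MAC, EtherType */
    0x45,0,0,0x1c, 0,1,0,0, 0x40,0x11,0,0,              /* IPv4, total len 28, TTL 64, UDP */
    192,0,2,1,  192,0,2,2,                              /* src, dst (documentation range) */
    0x30,0x39, 0x00,0x35, 0x00,0x08, 0,0 };             /* UDP 12345 -> 53, len 8 */

struct pkt_info { uint16_t ethertype; uint8_t proto; uint32_t src, dst; size_t l4_off; };
enum { PKT_OK = 0, PKT_TRUNCATED = -1, PKT_NOT_IPV4 = -2 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* has_link_hdr = 1: buffer starts at the Ethernet header (AF_PACKET/SOCK_RAW view).
 * has_link_hdr = 0: buffer starts at the IPv4 header (SOCK_DGRAM packet socket or
 * AF_INET/SOCK_RAW view). Every length is checked before a field is read. */
int parse_packet(const uint8_t *buf, size_t len, int has_link_hdr, struct pkt_info *out) {
    size_t off = 0;
    out->ethertype = 0;
    if (has_link_hdr) {
        if (len < 14) return PKT_TRUNCATED;
        out->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
        if (out->ethertype != 0x0800) return PKT_NOT_IPV4; /* e.g. ARP: only AF_PACKET sees it */
        off = 14;
    }
    if (len - off < 20) return PKT_TRUNCATED;
    if ((buf[off] >> 4) != 4) return PKT_NOT_IPV4;
    size_t ihl = (size_t)(buf[off] & 0x0f) * 4;
    if (ihl < 20 || len - off < ihl) return PKT_TRUNCATED;
    out->proto = buf[off + 9];
    out->src = be32(buf + off + 12);
    out->dst = be32(buf + off + 16);
    out->l4_off = off + ihl;   /* where the TCP/UDP header begins in this view */
    return PKT_OK;
}

/* AF_ and PF_ are the same numbers, as the quoted message says. */
int families_identical(void) { return AF_INET == PF_INET && AF_PACKET == PF_PACKET; }

int main(void) {
    struct pkt_info a, b;
    int r1 = parse_packet(sample_frame, sizeof sample_frame, 1, &a);
    int r2 = parse_packet(sample_frame + 14, sizeof sample_frame - 14, 0, &b);
    return !(r1 == PKT_OK && r2 == PKT_OK && a.src == b.src && families_identical());
}
```

A monitoring tool that has to see non-IP traffic such as ARP needs the first view; the second view never contains those frames.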