Packets enter the FFPF framework via a call to an FFPF function called hook_handle_packet(), which takes a packet as argument. As this is the only interface between the code responsible for packet capture and the FFPF packet handling module, it is easy to add new packet sources. Currently, three sources are implemented.

The first source, known as netfilter, captures packets from a netfilter hook. Netfilter is an efficient abstraction for packet processing in Linux kernels (from version 2.4 onward). The second source, known as raw, also works with older kernels.

The third packet source, known as ixp, differs from the other two in that the IXP1200 device is assumed to be dedicated to monitoring in the FFPF framework. As this packet source is a substantial project in and of itself, we will summarise its main characteristics in a separate section.
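The single entry point described above, as an added illustration that is not FFPF's own code: a user-space C model in which a hypothetical raw-style source wraps a captured buffer and hands it to hook_handle_packet(), which, being the one chokepoint between capture and handling, is the natural place for header sanity checks. The packet struct, return codes, source function and sample frames are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed packet representation (hypothetical; the paper only says the
 * entry point "takes a packet as argument"). */
struct ffpf_packet {
    const uint8_t *data;   /* start of the captured Ethernet frame */
    size_t len;            /* bytes actually captured */
};

enum { FFPF_ACCEPT = 0, FFPF_DROP_SHORT = -1, FFPF_DROP_BAD_IP = -2 };

/* Single entry point from every packet source into FFPF packet handling.
 * Because all sources funnel through here, length/header checks are done
 * once. Returns FFPF_ACCEPT for a sane IPv4-over-Ethernet frame. */
int hook_handle_packet(const struct ffpf_packet *pkt)
{
    const size_t eth_hlen = 14;
    if (pkt == NULL || pkt->data == NULL || pkt->len < eth_hlen + 20)
        return FFPF_DROP_SHORT;            /* cannot hold Ethernet + IPv4 hdr */
    const uint8_t *ip = pkt->data + eth_hlen;
    if (pkt->data[12] != 0x08 || pkt->data[13] != 0x00 || (ip[0] >> 4) != 4)
        return FFPF_DROP_BAD_IP;           /* only IPv4 modelled here */
    size_t ihl   = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = (size_t)(ip[2] << 8 | ip[3]);
    /* Both header length and total length must fit in what was captured. */
    if (ihl < 20 || total < ihl || eth_hlen + total > pkt->len)
        return FFPF_DROP_BAD_IP;
    return FFPF_ACCEPT;
}

/* Hypothetical raw-style source: it only wraps the buffer it read and
 * calls the one entry point, which is why adding a source is cheap. */
int raw_source_deliver(const uint8_t *buf, size_t len)
{
    struct ffpf_packet pkt = { buf, len };
    return hook_handle_packet(&pkt);
}

/* Constructed frames (not captured from a real network): Ethernet header
 * with ethertype IPv4, then a 20-byte IPv4 header. The second one claims a
 * total length (64) larger than the captured frame. */
static const uint8_t good_frame[34] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0x00, 0x00,0x14, 0,0, 0,0, 64,17, 0,0, 10,0,0,1, 10,0,0,2 };
static const uint8_t overclaim_frame[34] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0x00, 0x00,0x40, 0,0, 0,0, 64,17, 0,0, 10,0,0,1, 10,0,0,2 };

int demo_good(void)      { return raw_source_deliver(good_frame, sizeof good_frame); }
int demo_truncated(void) { return raw_source_deliver(good_frame, 30); }
int demo_overclaim(void) { return raw_source_deliver(overclaim_frame, sizeof overclaim_frame); }
```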