Linux Journal: Kernel Korner: Inside the Linux Packet Filter | Linux Today

Written By
Web Webster
Jan 17, 2002

“Another data structure that will recur quite often is
the sk_buff (short for socket buffer), which represents a packet
inside the kernel. The structure is arranged in such a way that
addition and removal of header and trailer information to the
packet data can be done in a relatively inexpensive way: no data
actually needs to be copied since everything is done by just
shifting pointers.

Before going on, it may be useful to clear up possible
ambiguities. Despite having a similar name, the Linux socket filter
has a completely different purpose with respect to the Netfilter
framework introduced into the kernel in early 2.3 versions. Even if
Netfilter allows you to bring packets up to user space and feed
them to your programs, the focus there is to handle network address
translation (NAT), packet mangling, connection tracking, packet
filtering for security purposes and so on. If you just need to
sniff packets and filter them according to certain rules, the most
straightforward tool is LSF.

Now we are going to follow the trip of a packet from its very
ingress into the computer to its delivery to user land at the
socket level. We first consider the general case of a plain (i.e.,
not PF_PACKET) socket. Our analysis at link layer level is based on
Ethernet, since this is the most widespread and representative LAN
technology. Cases of other link layer technologies do not present
significant differences.”
