1 .\" SPDX-License-Identifier: Linux-man-pages-1-para
3 .\" This man page is Copyright (C) 1999 Andi Kleen <ak@muc.de>.
5 .\" $Id: packet.7,v 1.13 2000/08/14 08:03:45 ak Exp $
7 .TH packet 7 (date) "Linux man-pages (unreleased)"
9 packet \- packet interface on device level
12 .B #include <sys/socket.h>
13 .B #include <linux/if_packet.h>
14 .B #include <net/ethernet.h> /* the L2 protocols */
16 .BI "packet_socket = socket(AF_PACKET, int " socket_type ", int "protocol );
19 Packet sockets are used to receive or send raw packets at the device driver
21 They allow the user to implement protocol modules in user space
22 on top of the physical layer.
28 for raw packets including the link-level header or
30 for cooked packets with the link-level header removed.
31 The link-level header information is available in a common format in a
35 is the IEEE 802.3 protocol number in network byte order.
38 include file for a list of allowed protocols.
41 .BR htons(ETH_P_ALL) ,
42 then all protocols are received.
43 All incoming packets of that protocol type will be passed to the packet
44 socket before they are passed to the protocols implemented in the kernel.
48 no packets are received.
50 can optionally be called with a nonzero
52 to start receiving packets for the protocols specified.
54 In order to create a packet socket, a process must have the
56 capability in the user namespace that governs its network namespace.
59 packets are passed to and from the device driver without any changes in
61 When receiving a packet, the address is still parsed and
65 When transmitting a packet, the user-supplied buffer
66 should contain the physical-layer header.
68 queued unmodified to the network driver of the interface defined by the
70 Some device drivers always add other headers.
72 is similar to but not compatible with the obsolete
73 .B AF_INET/SOCK_PACKET
77 operates on a slightly higher level.
78 The physical header is removed before the packet is passed to the user.
79 Packets sent through a
81 packet socket get a suitable physical-layer header based on the
84 destination address before they are queued.
86 By default, all packets of the specified protocol type
87 are passed to a packet socket.
88 To get packets only from a specific interface use
90 specifying an address in a
92 to bind the packet socket to an interface.
93 Fields used for binding are
103 operation is not supported on packet sockets.
112 the real length of the packet on the wire is always returned,
113 even when it is longer than the buffer.
117 structure is a device-independent physical-layer address.
122 unsigned short sll_family; /* Always AF_PACKET */
123 unsigned short sll_protocol; /* Physical\-layer protocol */
124 int sll_ifindex; /* Interface number */
125 unsigned short sll_hatype; /* ARP hardware type */
126 unsigned char sll_pkttype; /* Packet type */
127 unsigned char sll_halen; /* Length of address */
128 unsigned char sll_addr[8]; /* Physical\-layer address */
133 The fields of this structure are as follows:
136 is the standard ethernet protocol type in network byte order as defined
138 .I <linux/if_ether.h>
140 It defaults to the socket's protocol.
143 is the interface index of the interface
146 0 matches any interface (only permitted for binding).
148 is an ARP type as defined in the
153 contains the packet type.
156 for a packet addressed to the local host,
158 for a physical-layer broadcast packet,
160 for a packet sent to a physical-layer multicast address,
162 for a packet to some other host that has been caught by a device driver
163 in promiscuous mode, and
165 for a packet originating from the local host that is looped back to a packet
167 These types make sense only for receiving.
172 contain the physical-layer (e.g., IEEE 802.3) address and its length.
173 The exact interpretation depends on the device.
175 When you send packets, it is enough to specify
182 The other fields should be 0.
186 are set on received packets for your information.
188 Packet socket options are configured by calling
193 .B PACKET_ADD_MEMBERSHIP
196 .B PACKET_DROP_MEMBERSHIP
198 Packet sockets can be used to configure physical-layer multicasting
199 and promiscuous mode.
200 .B PACKET_ADD_MEMBERSHIP
202 .B PACKET_DROP_MEMBERSHIP
206 structure as argument:
211 int mr_ifindex; /* interface index */
212 unsigned short mr_type; /* action */
213 unsigned short mr_alen; /* address length */
214 unsigned char mr_address[8]; /* physical\-layer address */
220 contains the interface index for the interface whose status
224 field specifies which action to perform.
226 enables receiving all packets on a shared medium (often known as
228 .B PACKET_MR_MULTICAST
229 binds the socket to the physical-layer multicast group specified in
234 .B PACKET_MR_ALLMULTI
235 sets the socket up to receive all multicast packets arriving at
238 In addition, the traditional ioctls
242 can be used for the same purpose.
244 .BR PACKET_AUXDATA " (since Linux 2.6.21)"
245 .\" commit 8dc4194474159660d7f37c495e3fc3f10d0db8cc
246 If this binary option is enabled, the packet socket passes a metadata
247 structure along with each packet in the
250 The structure can be read with
256 struct tpacket_auxdata {
258 __u32 tp_len; /* packet length */
259 __u32 tp_snaplen; /* captured length */
263 __u16 tp_vlan_tpid; /* Since Linux 3.14; earlier, these
264 were unused padding bytes */
265 .\" commit a0cdfcf39362410d5ea983f4daf67b38de129408 added tp_vlan_tpid
270 .BR PACKET_FANOUT " (since Linux 3.1)"
271 .\" commit dc99f600698dcac69b8f56dda9a8a00d645c5ffc
272 To scale processing across threads, packet sockets can form a fanout
274 In this mode, each matching packet is enqueued onto only one
276 A socket joins a fanout group by calling
282 Each network namespace can have up to 65536 independent groups.
283 A socket selects a group by encoding the ID in the first 16 bits of
284 the integer option value.
285 The first packet socket to join a group implicitly creates it.
286 To successfully join an existing group, subsequent packet sockets
287 must have the same protocol, device settings, fanout mode, and
289 Packet sockets can leave a fanout group only by closing the socket.
290 The group is deleted when the last socket is closed.
292 Fanout supports multiple algorithms to spread traffic between sockets,
297 .BR PACKET_FANOUT_HASH ,
298 sends packets from the same flow to the same socket to maintain
300 For each packet, it chooses a socket by taking the packet flow hash
301 modulo the number of sockets in the group, where a flow hash is a hash
302 over network-layer address and optional transport-layer port fields.
304 The load-balance mode
306 implements a round-robin algorithm.
309 selects the socket based on the CPU that the packet arrived on.
311 .B PACKET_FANOUT_ROLLOVER
312 processes all data on a single socket, moving to the next when one
316 selects the socket using a pseudo-random number generator.
319 .\" commit 2d36097d26b5991d71a2cf4a20c1a158f0f1bfcd
320 (available since Linux 3.14)
321 selects the socket using the recorded queue_mapping of the received skb.
324 Fanout modes can take additional options.
325 IP fragmentation causes packets from the same flow to have different
328 .BR PACKET_FANOUT_FLAG_DEFRAG ,
329 if set, causes packets to be defragmented before fanout is applied, to
330 preserve order even in this case.
331 Fanout mode and options are communicated in the second 16 bits of the
332 integer option value.
334 .B PACKET_FANOUT_FLAG_ROLLOVER
335 enables the roll over mechanism as a backup strategy: if the
336 original fanout algorithm selects a backlogged socket, the packet
337 rolls over to the next available one.
339 .BR PACKET_LOSS " (with " PACKET_TX_RING )
340 When a malformed packet is encountered on a transmit ring,
341 the default is to reset its
344 .B TP_STATUS_WRONG_FORMAT
345 and abort the transmission immediately.
346 The malformed packet blocks itself and subsequently enqueued packets from
348 The format error must be fixed, the associated
351 .BR TP_STATUS_SEND_REQUEST ,
352 and the transmission process restarted via
356 is set, any malformed packet will be skipped, its
359 .BR TP_STATUS_AVAILABLE ,
360 and the transmission process continued.
362 .BR PACKET_RESERVE " (with " PACKET_RX_RING )
363 By default, a packet receive ring writes packets immediately following the
364 metadata structure and alignment padding.
365 This integer option reserves additional headroom.
368 Create a memory-mapped ring buffer for asynchronous packet reception.
369 The packet socket reserves a contiguous region of application address
370 space, lays it out into an array of packet slots and copies packets
373 into subsequent slots.
374 Each packet is preceded by a metadata structure similar to
375 .IR tpacket_auxdata .
376 The protocol fields encode the offset to the data
377 from the start of the metadata header.
379 stores the offset to the network layer.
380 If the packet socket is of type
387 then that field stores the offset to the link-layer frame.
388 Packet socket and application communicate the head and tail of the ring
392 The packet socket owns all slots with
395 .BR TP_STATUS_KERNEL .
396 After filling a slot, it changes the status of the slot to transfer
397 ownership to the application.
398 During normal operation, the new
400 value has at least the
402 bit set to signal that a received packet has been stored.
403 When the application has finished processing a packet, it transfers
404 ownership of the slot back to the socket by setting
407 .BR TP_STATUS_KERNEL .
409 Packet sockets implement multiple variants of the packet ring.
410 The implementation details are described in
411 .I Documentation/networking/packet_mmap.rst
412 in the Linux kernel source tree.
415 Retrieve packet socket statistics in the form of a structure
419 struct tpacket_stats {
420 unsigned int tp_packets; /* Total packet count */
421 unsigned int tp_drops; /* Dropped packet count */
426 Receiving statistics resets the internal counters.
427 The statistics structure differs when using a ring of variant
430 .BR PACKET_TIMESTAMP " (with " PACKET_RX_RING "; since Linux 2.6.36)"
431 .\" commit 614f60fa9d73a9e8fdff3df83381907fea7c5649
432 The packet receive ring always stores a timestamp in the metadata header.
433 By default, this is a software generated timestamp generated when the
434 packet is copied into the ring.
435 This integer option selects the type of timestamp.
436 Besides the default, it support the two hardware formats described in
437 .I Documentation/networking/timestamping.rst
438 in the Linux kernel source tree.
440 .BR PACKET_TX_RING " (since Linux 2.6.31)"
441 .\" commit 69e3c75f4d541a6eb151b3ef91f34033cb3ad6e1
442 Create a memory-mapped ring buffer for packet transmission.
443 This option is similar to
445 and takes the same arguments.
446 The application writes packets into slots with
449 .B TP_STATUS_AVAILABLE
450 and schedules them for transmission by changing
453 .BR TP_STATUS_SEND_REQUEST .
454 When packets are ready to be transmitted, the application calls
456 or a variant thereof.
461 fields of this call are ignored.
462 If an address is passed using
466 then that overrides the socket default.
467 On successful transmission, the socket resets
470 .BR TP_STATUS_AVAILABLE .
471 It immediately aborts the transmission on error unless
475 .BR PACKET_VERSION " (with " PACKET_RX_RING "; since Linux 2.6.27)"
476 .\" commit bbd6ef87c544d88c30e4b762b1b61ef267a7d279
479 creates a packet receive ring of variant
481 To create another variant, configure the desired variant by setting this
482 integer option before creating the ring.
484 .BR PACKET_QDISC_BYPASS " (since Linux 3.14)"
485 .\" commit d346a3fae3ff1d99f5d0c819bf86edf9094a26a1
486 By default, packets sent through packet sockets pass through the kernel's
487 qdisc (traffic control) layer, which is fine for the vast majority of use
489 For traffic generator appliances using packet sockets
490 that intend to brute-force flood the network\[em]for example,
491 to test devices under load in a similar
492 fashion to pktgen\[em]this layer can be bypassed by setting
493 this integer option to 1.
494 A side effect is that packet buffering in the qdisc layer is avoided,
495 which will lead to increased drops when network
496 device transmit queues are busy;
497 therefore, use at your own risk.
500 can be used to receive the timestamp of the last received packet.
504 .\" FIXME Document SIOCGSTAMPNS
506 In addition, all standard ioctls defined in
510 are valid on packet sockets.
512 Packet sockets do no error handling other than errors occurred
513 while passing the packet to the device driver.
514 They don't have the concept of a pending error.
518 Unknown multicast group address passed.
521 User passed invalid memory address.
527 Packet is bigger than interface MTU.
533 Not enough memory to allocate the packet.
536 Unknown device name or interface index specified in interface address.
542 No interface address passed.
545 Interface address contained an invalid interface index.
548 User has insufficient privileges to carry out this operation.
550 In addition, other errors may be generated by the low-level driver.
553 is a new feature in Linux 2.2.
554 Earlier Linux versions supported only
557 For portable programs it is suggested to use
561 although this covers only a subset of the
567 packet sockets make no attempt to create or parse the IEEE 802.2 LLC
568 header for a IEEE 802.3 frame.
571 is specified as protocol for sending the kernel creates the
572 802.3 frame and fills out the length field; the user has to supply the LLC
573 header to get a fully conforming packet.
574 Incoming 802.3 packets are not multiplexed on the DSAP/SSAP protocol
575 fields; instead they are supplied to the user as protocol
577 with the LLC header prefixed.
578 It is thus not possible to bind to
582 instead and do the protocol multiplex yourself.
583 The default for sending is the standard Ethernet DIX
584 encapsulation with the protocol filled in.
586 Packet sockets are not subject to the input or output firewall chains.
588 In Linux 2.0, the only way to get a packet socket was with the call:
592 socket(AF_INET, SOCK_PACKET, protocol)
596 This is still supported, but deprecated and strongly discouraged.
597 The main difference between the two methods is that
600 .I struct sockaddr_pkt
601 to specify an interface, which doesn't provide physical-layer
606 struct sockaddr_pkt {
607 unsigned short spkt_family;
608 unsigned char spkt_device[14];
609 unsigned short spkt_protocol;
618 is the IEEE 802.3 protocol type as defined in
622 is the device name as a null-terminated string, for example, eth0.
624 This structure is obsolete and should not be used in new code.
626 .SS LLC header handling
627 The IEEE 802.2/803.3 LLC handling could be considered as a bug.
632 extension is an ugly hack and should be replaced by a control message.
633 There is currently no way to get the original destination address of
636 .SS spkt_device device name truncation
641 has a size of 14 bytes,
642 which is less than the constant
646 which is 16 bytes and describes the system limit for a network interface name.
647 This means the names of network devices longer than 14 bytes
648 will be truncated to fit into
650 All these lengths include the terminating null byte (\[aq]\e0\[aq])).
652 Issues from this with old code typically show up with
653 very long interface names used by the
654 .B Predictable Network Interface Names
655 feature enabled by default in many modern Linux distributions.
657 The preferred solution is to rewrite code to avoid
659 Possible user solutions are to disable
660 .B Predictable Network Interface Names
661 or to rename the interface to a name of at most 13 bytes,
662 for example using the
665 .SS Documentation issues
666 Socket filters are not documented.
668 .\" This man page was written by Andi Kleen with help from Matthew Wilcox.
669 .\" AF_PACKET in Linux 2.2 was implemented
670 .\" by Alexey Kuznetsov, based on code by Alan Cox and others.
674 .BR capabilities (7),
680 RFC\ 894 for the standard IP Ethernet encapsulation.
681 RFC\ 1700 for the IEEE 802.3 IP encapsulation.
684 .I <linux/if_ether.h>
685 include file for physical-layer protocols.
687 The Linux kernel source tree.
688 .I Documentation/networking/filter.rst
689 describes how to apply Berkeley Packet Filters to packet sockets.
690 .I tools/testing/selftests/net/psock_tpacket.c
691 contains example source code for all available versions of