
I have implemented my own raw socket operating on „raw“ Ethernet frames (socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));) and bound it to one specific network interface. Sending and receiving raw packets works like a charm; however, when I use Wireshark I can still see more traffic than I have introduced (for example ARP packets, ...). This is expected but not wanted.

Is there a way (either in code or by „hardening“ the Ethernet interface through modifying settings) to disable the kernel IP processing layer (or, better said, all layers above the Ethernet layer) to only allow raw socket traffic?

Referring to that image when talking about layers: https://www.opensourceforu.com/2015/03/a-guide-to-using-raw-sockets/

Ohjurot
@JamesRisner That is a good idea. The reason is for learning purposes, by writing my own mini stateful firewall. However, I did some more research and found that kernel networking is the "proper" way to do this. You can use XDP and the XDP_REDIRECT flag to redirect a packet (coming directly from the driver) to a user socket instead of the kernel. https://en.wikipedia.org/wiki/Express_Data_Path#/media/File:Netfilter-packet-flow.svg – Ohjurot Sep 08 '22 at 08:46

0 Answers