Does libpcap use raw sockets underneath them?

Question

I was getting a bit confused on using of raw sockets and libcap. Can, anyone in simple point out advantages of using both. I read few links, but, its making me confused.

Answer 1

libpcap uses different mechanisms on different operating systems. On Linux, it uses PF_PACKET raw or cooked sockets, depending on whether it knows about the Linux link-layer type (ARPHRD_ value) for the interface and whether interfaces of that link-layer type produce a useful link-layer header (PPP interfaces don't, so you can't see the network-layer protocol identifier). On Irix, it uses PF_RAW sockets with the RAWPROTO_SNOOP protocol. On other systems, it doesn't use raw sockets at all.

Raw sockets can be used for a number of purposes, such as sending and receiving raw IPv4 packets without having to worry about the link-layer (i.e., they plug into the IP layer rather than into the network device driver). If you need access to the raw link layer, raw sockets on most OSes don't support that (Linux and Irix being obvious exceptions, as per the previous paragraph), but libpcap does.

Answer 2

"libpcap" and "raw sockets" are different topics.

Libpcap is a packet capture library for linux which is used to capture the traffic/packets that pass through a network interface like eth0.

On windows the Winpcap library does the same thing.

Raw sockets are a feature of the socket api provided by the OS that can be used to send packets with headers defined by the application and not the OS. So using raw sockets we can specify the IP , TCP headers and send the packets.

Raw sockets are available on Linux since all time. On Windows raw sockets were available only in Windows XP and Windows XP(SP1).

On windows the winpcap library has a feature to send packets with arbitrary content , which means raw socket functionality can be achieved with winpcap on Windows.