netrafd - network traffic capturing and analyzing daemon.
The main goal of netrafd is to capture packets from the interfaces installed on the machine,
process them and produce statistics according to user-defined packet filters.
As the picture above shows, the whole idea of netrafd is quite simple.
It uses the MY[p]cap library to open multiple packet capturing threads, each associated
with a packet handling function. The mycap loop waits until a packet arrives and, after basic preprocessing,
passes it to the associated function.
Packet handling functions compare the data from the packet headers with the applied filter,
and if the packet matches the desired criteria it is processed further. The function extracts the needed data
from the raw packet and creates or updates an appropriate structure in shared memory.
And now, some short information about netrafd internals. In fact,
netrafd is a group of packet logging threads
managed by one 'mother' process. It is the mother process that receives and processes signals, reads the
configuration file and creates new (or stops) logging threads. Every logging thread, during
initialization, is given its own shared memory block and filtering rule, and is assigned to
one of the packet handling functions. There are a few types of packet handling functions, each of which processes the
received packets in its own specific way.
User-defined filters may consist of source and destination MAC addresses, source and destination IP
addresses and ports, the interface that the logging thread should listen on, and a regular expression that the data
carried by the packet should match.
After the filter criteria are met, the data from the packet headers is extracted.
Every packet is built of layers encapsulated one inside another, from the top layers, which provide an easy-to-use
interface for user applications, through the network layer down to the data link layer.
Every Ethernet packet contains an Ethernet header, almost the lowest layer protocol; its header defines
the hardware (MAC) addresses of the receiver and sender and a field telling what kind of next layer
protocol was used. In most cases the next layer protocol will be IP, which among many more or less
interesting flags tells us the source and destination IP addresses, the protocol version,
the 'time to live' and, of course, the kind of fourth layer protocol encapsulated.
The fourth layer is the session layer, and its two main protocols are UDP (connectionless) and TCP.
Their headers define the source and destination ports; the TCP header also
carries many interesting flags used to maintain the connection, and by reading those flags we can, for example,
figure out the current state of the connection.
And finally, after the fourth layer protocol header, in most cases the rest of the captured packet, up to its end,
is the data carried by the packet.
Having all this data, the packet handling functions can easily group packets by the machines in the network,
their IP addresses or the interfaces that the packets came through. When placed on the main node of a local
network,
netrafd could easily count the number of computers in the network, or handle any task that has
something to do with analyzing network traffic. All it requires is a packet handling function, which
defines the way packets are analyzed.
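The header walk and filter comparison described above, as an added example that is not netrafd's own code: parse_frame() bounds-checks each layer of a raw Ethernet frame (Ethernet, IPv4, TCP or UDP) before reading its fields, and matches_filter() compares the extracted fields with a user-defined rule. The pkt_info and pkt_filter layouts, the sample frame and the reduction of the payload regular expression to a plain substring search are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
/* Fields a packet handling function extracts from one frame (hypothetical layout). */
typedef struct {
    uint8_t src_mac[6], dst_mac[6];
    uint32_t src_ip, dst_ip;         /* host byte order */
    uint8_t proto, tcp_flags;        /* proto 6 = TCP, 17 = UDP; tcp_flags is 0 for UDP */
    uint16_t src_port, dst_port;     /* host byte order */
    const uint8_t *payload; size_t payload_len;
} pkt_info;
/* User-defined filter; a 0 / NULL field means "any". */
typedef struct { uint8_t proto; uint16_t dst_port; const char *needle; } pkt_filter;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* Walk Ethernet -> IPv4 -> TCP/UDP, checking the captured length before reading each layer.
 * Returns 0 on success, -1 if the frame is truncated or carries an unsupported protocol. */
int parse_frame(const uint8_t *f, size_t len, pkt_info *o) {
    if (len < 14 || rd16(f + 12) != 0x0800) return -1;     /* EtherType must be IPv4 */
    memcpy(o->dst_mac, f, 6); memcpy(o->src_mac, f + 6, 6);
    const uint8_t *ip = f + 14; size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* IHL is counted in 32-bit words */
    if (ihl < 20 || rem < ihl) return -1;
    o->proto = ip[9]; o->src_ip = rd32(ip + 12); o->dst_ip = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl; size_t hdr = 0; rem -= ihl;
    if (o->proto == 6) {                                    /* TCP: data offset in words */
        if (rem < 20 || (hdr = (size_t)(l4[12] >> 4) * 4) < 20 || rem < hdr) return -1;
        o->tcp_flags = l4[13];
    } else if (o->proto == 17) { if (rem < 8) return -1; hdr = 8; o->tcp_flags = 0; } /* UDP */
    else return -1;
    o->src_port = rd16(l4); o->dst_port = rd16(l4 + 2);
    o->payload = l4 + hdr; o->payload_len = rem - hdr;
    return 0;
}
/* Compare the extracted fields with the filter; the payload "regular expression" is reduced
 * to a byte substring search here. Returns 1 on match, 0 otherwise. */
int matches_filter(const pkt_info *p, const pkt_filter *fl) {
    if ((fl->proto && fl->proto != p->proto) || (fl->dst_port && fl->dst_port != p->dst_port)) return 0;
    if (!fl->needle) return 1;
    size_t n = strlen(fl->needle);
    for (size_t i = 0; i + n <= p->payload_len; i++)
        if (memcmp(p->payload + i, fl->needle, n) == 0) return 1;
    return 0;
}
/* Constructed sample frame: IPv4 192.168.1.10 -> 10.0.0.1, TCP 50000 -> 80, PSH|ACK, payload "GET / HTTP/1.0". */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,                /* Ethernet */
    0x45,0x00,0x00,0x36, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0' };
```

A handler built on this would take the matched pkt_info and update its per-host or per-interface counters in the thread's shared memory block.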
M.K.