Thiago Lacerda wrote:

Thanks for your replay Tobias.

But, doing it as a netfilter module I'm going to interfere in all the
traffic of my PC.
I don't want to do it that way. I want to capture the packets at
kernel and then decide if they will be analyzed by my DPI tool at user
land. My module would act like a filter for my classifier, cause I
want to don't spend time with unncessary copies of packets to user
space memory (like libpcap does, it copies every packets).

netfilter modules don't just accept or deny packets.  For example there is
a LOG module which logs some brief information about any packets it
receives.

I'm doing like this:

* registered a protocol handler with dev_add_pack
* in the function in packet_type struct I'm doing some operations with
the packet, but I'm not passing it to user land yet

Is that a good way of doing such task?
Does occur any copy of packets during this operation (the copy I know
is that one from the NIC to kernel memory, does any other occur?)?

Depends on the driver.

BTW, anyone knows the right way of get a tcp port number in human readable form?
I'm doing like this:

struct tcphdr* tcp = tcp_hdr(my_sk_buff)

unsigned short src_port = ntohs(tcp->source)

And it isn't working, the numbers that I get are not right.

Until the packet has gone through the network protocol handler (IP), the
transport header pointer will not be set correctly and tcp_hdr() will return
a pointer to the start of the packet.

Ben.

-- 
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.