A few more experiment results and some possible explanations:
(rawsock:socket :inet :packet #x300)
- recvfrom reports packets sent as well as received
- includes ether header
- but man IP(7) does not mention packet as one of the supported types.
It does mention raw (SOCK_RAW) which refers to RAW(7)
(rawsock:socket :inet :raw <ip protocol>)
- does not include the ether header
(which is also what it says in man RAW(7))
- recvfrom does not report packets sent out, only those received
This makes some sense since :raw is meant for implementing
new IP protocols. When you send a packet you generally don't
want to also receive that same packet.
The man page also says:
    The IPv4 layer generates an IP header when sending a packet unless the
    IP_HDRINCL socket option is enabled on the socket. When it is enabled,
    the packet must contain an IP header. For receiving the IP header is
    always included in the packet.
As I expected, you don't have to worry about things like checksums.
    Only processes with an effective user ID of 0 or the CAP_NET_RAW
    capability are allowed to open raw sockets.
    An IPPROTO_RAW socket is send only. If you really want to receive all
I guess that's one of the third arguments - (255 :IPPROTO-RAW)
    IP packets, use a packet(7) socket with the ETH_P_IP protocol. Note
    that packet sockets don't reassemble IP fragments, unlike raw sockets.
Interesting - another difference which indicates that inet is really
at a different level than packet.
But I suspect this does not apply to (rawsock:socket :inet :packet #x300)
I still get the impression that (rawsock:socket :packet :raw #x300) is
the right way to capture all packets in Linux, though it requires
some fancier code for identifying the device.
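
The packet-socket capture discussed above, as an added example that is not part of the original message (Python instead of CLISP rawsock): the #x300 in the post matches htons(ETH_P_ALL) on a little-endian host, binding to a device name is the device-identification step, and the packet type returned by recvfrom separates sent frames from received ones. The helper names and the sample frame are constructed for illustration.

```python
import socket
import struct

ETH_P_ALL = 0x0003    # <linux/if_ether.h>: every protocol
ETH_P_IP = 0x0800     # <linux/if_ether.h>: IPv4 only
PACKET_OUTGOING = 4   # <linux/if_packet.h>: frame sent by this host

def htons_le(proto):
    """htons(proto) as computed on a little-endian host."""
    return struct.unpack("<H", struct.pack("!H", proto))[0]

def open_capture(ifname=None):
    """AF_PACKET/SOCK_RAW socket; Linux only, needs root or CAP_NET_RAW."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    if ifname:
        s.bind((ifname, ETH_P_ALL))  # limit capture to one device
    return s

def parse_frame(frame):
    """Split an Ethernet frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), ethertype, frame[14:]

def describe(frame, pkttype):
    """One-line summary of a frame and its direction as reported by recvfrom."""
    _, _, ethertype, payload = parse_frame(frame)
    direction = "sent" if pkttype == PACKET_OUTGOING else "received"
    if ethertype != ETH_P_IP or len(payload) < 20 or payload[0] >> 4 != 4:
        return f"{direction} ethertype=0x{ethertype:04x}"
    src, dst = socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])
    return f"{direction} {src} -> {dst} proto={payload[9]}"

def capture_one(ifname=None):
    """Receive one frame and describe it (requires privileges)."""
    with open_capture(ifname) as s:
        frame, (_dev, _proto, pkttype, _hatype, _addr) = s.recvfrom(65535)
        return describe(frame, pkttype)

# Constructed sample: Ethernet + IPv4 + ICMP echo, IP checksum left at zero.
SAMPLE = bytes.fromhex(
    "020000000002" "020000000001" "0800"
    "4500001c000000004001" "0000" "c0000201" "c0000202"
    "0800f7ff00000000")

if __name__ == "__main__":
    print(hex(htons_le(ETH_P_ALL)))
    print(describe(SAMPLE, PACKET_OUTGOING))
```

Because the frame starts at the Ethernet header, IP parsing begins at offset 14; an :inet :raw socket would hand back the same data starting at the IP header.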