IPSec, for example, keeps its security policies in the kernel while a userland daemon keeps track of tunnel connections. MACSec at some point will be implemented in the kernel. Great resource for an in-depth look at the network stack. I would also suggest picking up Linux Kernel Networking: Implementation and Theory by Rami Rosen. My answer here gives several good links for learning about Linux kernel networking. This would probably be your best bet, as you don't want to start mucking about with the kernel and rebuilding it just for your own project. Wireshark can run on all major operating systems. Wireshark lets you dissect your network packets at a microscopic level, giving you in-depth information on individual packets. The virtual NIC would see all of the data just as the real NIC does. Manish Shivanandhan, Aug 15. Wireshark is a network analyzer that lets you see what's happening on your network. That way you could process the data as you see fit.
Or you could write a driver to be a virtual NIC.
If you want to manipulate the MAC header and do your own thing, you'll have to insert yourself right after the MAC header is received, and before the IP processing. Since the MAC header doesn't require very much processing, the IP layer handler is the first one that starts performing a lot of the processing. Anything that is registered to receive the next layer will have its handler called. When the interface receives data, the processing begins immediately. Filter by these if you want a narrower list of alternatives or looking for a. Packet Capture alternatives are mainly Network Analyzers but may also be Network Monitors or HTTP(S) Debuggers. Other great apps like Packet Capture are mitmproxy, tcpdump, Nethogs and netcat. If you want to analyze the packet as the Linux kernel receives it, you will have to write a kernel driver, possibly going as far as modifying the kernel itself. The best alternative is Wireshark, which is both free and Open Source.