I'm trying to program something (on Linux, of course) that will need to
capture arbitrary packets coming to the machine (TCP segments, for example).
One obvious solution is to use libpcap [1]. However, it appears that libpcap
(even the latest version) uses a very inefficient method to capture packets
that match some criterion (defined using a BPF program [2, 4]) - it moves
all packets to user space, and does the matching there.

However, it appears that Linux provides an in-kernel BPF-like feature called
"Linux Socket Filter" [3], that is included in modern kernels (e.g., it
is included in Redhat 7, but probably in earlier distributions too), which
seems perfect for my needs. But searching around, it seems that nobody is
actually using it... Does anybody know why? Also why didn't the libpcap people
use LSF on Linux, instead of their inefficient user-space solution? Is there
something wrong with LSF? I'd love to hear from anybody with any experience
in LSF.

[1] http://www.tcpdump.org
[2] http://www.tcpdump.org/papers/bpf-usenix93.pdf
[3] http://www.linuxhq.com/kernel/v2.2/doc/networking/filter.txt.html
[4] http://www.neosoft.com/neosoft/man/bpf.4.html

Thanks,
        Nadav.

-- 
Nadav Har'El                        |   Wednesday, Dec 20 2000, 23 Kislev 5761
[EMAIL PROTECTED]             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Don't be irreplaceable. If you can't be
http://nadav.harel.org.il           |replaced, you can't be promoted.
