Sebastien Roy wrote:
> On Mon, 2008-04-28 at 22:32 -0700, Garrett D'Amore wrote:
>
>> General question for the project team (not really an issue for *this* case):
>>
>> Does it make sense to someday convert snoop to use libpcap? (Anyone
>> know if there is packet capture functionality in snoop that libpcap
>> *can't* provide?)
>>
>
> Answering the second question, yes; packet filtering in the kernel on
> Solaris. Snoop uses pfmod, while libpcap uses a user-space bpf, and
> tries to take advantage of kernel bpf on OSs that have such a thing.
> Solaris doesn't.
>
> Regarding the first question, I don't think it makes any sense to put
> engineering effort into snoop, nor into making it portable to other OSs
> (which I think would be the only benefit to having it use libpcap as
> opposed to directly using libdlpi as it does today.) We should be
> focusing on improving Wireshark and getting to a point where we can dump
> snoop.
>
>
>> (ISTR also that snoop was potentially headed for the
>> axe, as ARC seemed to feel that Wireshark was a superior option. Did we
>> ever actually contemplate a real EOF for snoop?)
>>
>
> Yes, I believe the Wireshark case established that Wireshark should be
> the long-term solution to replace snoop. For the reason stated above,
> however, I don't think that can happen yet. In order for Wireshark to
> be on par with snoop with regard to performance, we need an in-kernel
> bpf that libpcap can take advantage of on Solaris (among other things).
>
Can Wireshark be changed to make use of the pfmod we have in Solaris?
-- Garrett
> -Seb
>