Guy Harris wrote:
> With BPF and Digital UNIX's packetfilter, changing the filter flushes
> the buffer. With Linux, changing the filter doesn't flush the buffer
> - so current versions of libpcap purge the buffer themselves, so that,
> after you change a filter, you don't get any packets that wouldn't
> have passed the filter. (On platforms where filtering is done in
> userland, that's not an issue.)

Guy,
I didn't realize that libpcap flushes the buffer when I change the
filter. In my application I set a filter when I start up. As I discover
other UDP ports of interest, they get added to the filter. That is, my
filter only gets more permissive. Not seeing new packets that my filter
would accept for the buffered ones is probably ok. Dropping packets isn't
very friendly though. Ideally the packets could be filtered through
user-land bpf until the queued bytes are read.

I guess the difficulty is knowing when you've read all the queued bytes.
Since I'm setting the receive buffer size, a reasonable compromise is to
install the kernel filter and then also apply the user-land filter until
we've seen 'receive buffer size' bytes. Kludgy, yes, but then I wouldn't
miss as many packets. Actually in my case, I wouldn't even need
to do that. I'd rather just install the kernel filter right away and get
all the packets.

That wouldn't help with BPF and Digital packetfilter you mentioned.

I know libpcap tries to keep a uniform interface across all platforms.
It would be nice however to be able to tweak it on a particular OS. How
about having a simple interface that allows querying and setting
platform-specific options? That would allow libpcap to have uniform
behavior across OSs, but at the same time allow developers to take
advantage of particular features when available.

Regards,
Andy
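
The compromise proposed in the message above (install the kernel filter, then keep checking packets in user land until 'receive buffer size' bytes have been read), sketched as an added example; it is not part of the original message and not libpcap code. The `pkt` and `drain_state` types, all function names and the port-list match (a stand-in for running the compiled BPF program in user space) are hypothetical, and `rcvbuf_bytes` is assumed to be an upper bound on what was queued.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a captured packet: only what the demo needs. */
struct pkt { uint16_t udp_dport; size_t caplen; };

/* Hypothetical per-handle state for the drain window. */
struct drain_state {
    const uint16_t *ports;  /* UDP ports the new filter accepts */
    size_t nports;
    size_t window_left;     /* bytes that may still predate the new filter */
};

/* User-land check mirroring the kernel filter (stand-in for running the
 * compiled BPF program over the packet in user space). */
static int user_match(const struct drain_state *s, const struct pkt *p)
{
    for (size_t i = 0; i < s->nports; i++)
        if (s->ports[i] == p->udp_dport)
            return 1;
    return 0;
}

/* Call immediately after the new kernel filter is installed.
 * rcvbuf_bytes is assumed to be an upper bound on what was queued. */
void filter_changed(struct drain_state *s, const uint16_t *ports,
                    size_t nports, size_t rcvbuf_bytes)
{
    s->ports = ports;
    s->nports = nports;
    s->window_left = rcvbuf_bytes;
}

/* Returns 1 to deliver the packet to the application, 0 to discard it. */
int accept_packet(struct drain_state *s, const struct pkt *p)
{
    if (s->window_left == 0)
        return 1;                       /* queue drained: trust the kernel */
    s->window_left -= (p->caplen < s->window_left) ? p->caplen
                                                   : s->window_left;
    return user_match(s, p);            /* may be stale: re-check it */
}

/* Number of packets in q[0..n) that reach the application. */
size_t count_delivered(struct drain_state *s, const struct pkt *q, size_t n)
{
    size_t delivered = 0;
    for (size_t i = 0; i < n; i++)
        delivered += (size_t)accept_packet(s, &q[i]);
    return delivered;
}
```

When the new filter only adds ports, every queued packet also passes the user-land check, so nothing is discarded during the window.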