On Oct 31, 2012, at 2:50 PM, Ani Sinha <a...@aristanetworks.com> wrote:
> pcap files that already have the tags reinsrted should work with
> current filter code. However for live traffic, one has to get the tags
> from CMSG() and then reinsert it back to the packet for the current
> filter to work.
*Somebody* has to do that, at least to packets that pass the filter, before
they're handed to a libpcap-based application, for programs that expect to see
packets as they arrived from/were transmitted to the wire to work.
I.e., the tags *should* be reinserted by libpcap, and, as I understand it,
that's what the
#if defined(HAVE_PACKET_AUXDATA) &&
defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI)
...
#endif
blocks of code in pcap-linux.c in libpcap are doing.
Now, if filtering is being done in the *kernel*, and the tags aren't being
reinserted by the kernel, then filter code stuffed into the kernel would need
to differ from filter code run in userland. There's already precedent for that
on Linux, with the "cooked mode" headers; those are synthesized by libpcap from
the metadata returned for PF_PACKET sockets, and the code that attempts to hand
the kernel a filter goes through the filter code, which was generated under the
assumption that the packet begins with a "cooked mode" header, and modifies (a
copy of) the code to, instead, use the special Linux-BPF-interpreter offsets to
access the metadata.
The right thing to do here would be to, if possible, do the same, so that the
kernel doesn't have to reinsert VLAN tags for packets that aren't going to be
handed to userland.
And, yes, if that should be done for some interfaces with some kernel versions
but not all interfaces for all kernel versions, there would need to be a way
for libpcap to ask whether it's necessary. Is it necessary on any interfaces
*before* the kernel change in question?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
