On Mon, Jun 03, 2002 at 03:41:11PM +0200, Manfred Geyer wrote:
> we are using libpcap to read/write ethernet packets (own defined
> ethernet packet types 0x7F4, 0x7F8 and 0x7FC).  The default for
> libpcap to open a socket is in "promiscuous mode".
> 
> Because of high load we try to reduce the number of packets to be
> handled by libpcap.  Our intention is to create the socket in
> "non-promiscuous mode".

What do you mean by "non-promiscuous mode"?

"pcap_open_live()" has a "promisc" argument that controls whether the
capture (which is not necessarily on a socket; it's only on a socket on
those OSes where the native packet capture mechanism uses a socket) is
done in "physically promiscuous" mode, i.e. whether, on broadcast
networks, the driver is asked to put the network adapter into
promiscuous mode to receive all packets, not just packets it's intended
to see.

If, however, you mean "packet type promiscuity", e.g., on Linux, opening
a socket with ETH_P_ALL, note that

        1) it makes no difference to the driver whether ETH_P_ALL is
           used or not - all those packets will be processed by the
           driver;

        2) on systems with a 2.2 or later kernel and the "socket filter"
           mechanism built into the kernel, the filter specified by
           "pcap_setfilter()" is executed in the kernel, so, although
           the code path length is greater than it would be if you
           created the socket with an explicit packet type, it may still
           be short enough that the extra overhead will be acceptable
           (in particular, libpcap will not have to process any of the
           packets that don't pass the filter - they won't be supplied
           as input on the socket).

But if you want to use your own code to capture packets (possibly basing
that code on libpcap), rather than using the standard libpcap:

> - Is there a simple way to create a socket this way?

If this is Linux, see the "PACKET(7)" man page for details on how the
underlying Linux PF_PACKET mechanism works.  In particular, see the
synopsis, and the description paragraph:

        SYNOPSIS

                ...

               packet_socket = socket(PF_PACKET, int socket_type, int protocol);


        DESCRIPTION

                ...

               The socket_type is either SOCK_RAW for raw packets including
               the link level header or SOCK_DGRAM for cooked packets
               with the link level header removed. The link level  header
               information  is  available  in  a common format in a
               sockaddr_ll.  protocol is the IEEE 802.3  protocol  number  in
               network order. See the <linux/if_ether.h> include file for
               a list of allowed  protocols.  When  protocol  is  set  to
               htons(ETH_P_ALL)  then  all  protocols  are received.  All
               incoming packets of that protocol type will be  passed  to
               the  packet socket before they are passed to the protocols
               implemented in the kernel.

I.e., you would specify the protocol you want to capture as the third
argument to "socket()" when creating the socket.

> - Is there a way to create a socket which processes our own
>   ethernet type packets only?  Or do we have to define three 
>   independent sockets, one for each different ethernet type?

You would have to have three separate sockets - a PF_PACKET socket can
either capture a particular protocol or can capture all protocols.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
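The three-socket arrangement described in the reply, as an added example that is not part of the original message or of libpcap: one PF_PACKET socket per EtherType from the question, each bound to a single interface and read through poll(). The interface name "eth0" and the helper names are assumptions; opening the sockets requires CAP_NET_RAW on Linux.

```c
#include <arpa/inet.h>          /* htons */
#include <net/if.h>             /* if_nametoindex */
#include <netpacket/packet.h>   /* struct sockaddr_ll */
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* EtherTypes taken from the question. */
static const uint16_t ETHERTYPES[3] = { 0x7F4, 0x7F8, 0x7FC };

/* Build the address that ties a packet socket to one interface and one type. */
struct sockaddr_ll make_bind_addr(unsigned ifindex, uint16_t ethertype) {
    struct sockaddr_ll sll = {0};
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ethertype);   /* network byte order, per packet(7) */
    sll.sll_ifindex = (int)ifindex;
    return sll;
}

/* Open a PF_PACKET socket that receives only `ethertype` on `ifname`; -1 on error. */
int open_ethertype_socket(const char *ifname, uint16_t ethertype) {
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) return -1;                            /* no such interface */
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ethertype)); /* third arg selects the type */
    if (fd < 0) return -1;                                  /* e.g. EPERM without CAP_NET_RAW */
    struct sockaddr_ll sll = make_bind_addr(ifindex, ethertype);
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }
    return fd;
}

int main(int argc, char **argv) {
    const char *ifname = argc > 1 ? argv[1] : "eth0";       /* assumed interface name */
    struct pollfd pfds[3];
    for (int i = 0; i < 3; i++) {
        pfds[i].fd = open_ethertype_socket(ifname, ETHERTYPES[i]);
        pfds[i].events = POLLIN;
        if (pfds[i].fd < 0) { perror("open_ethertype_socket"); return 1; }
    }
    unsigned char frame[1514];        /* SOCK_RAW delivers the link-level header too */
    while (poll(pfds, 3, -1) > 0)
        for (int i = 0; i < 3; i++)
            if (pfds[i].revents & POLLIN) {
                ssize_t n = recv(pfds[i].fd, frame, sizeof frame, 0);
                if (n >= 0) printf("type 0x%03X: %zd bytes\n", (unsigned)ETHERTYPES[i], n);
            }
    return 0;
}
```

Frames of any other EtherType are never queued to these sockets, so the process only wakes up for the three types it asked for.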