On Thu, Jul 11, 2002 at 10:51:05PM +0200, Honza Pomahac wrote:
> And what about ret #0? It is just one instruction.

...which means that the filter program will have to be done by hand,
rather than by compiling a filter expression.

Even given that, it's the right answer - i.e., the "absolute minimum of
load" requires that you have that one-instruction BPF program, and there
is no filter expression that, when handed to "pcap_compile()", will
generate that program (because any filter expression that rejects all
packets will get an error from "pcap_compile()").

> See set_kernel_filter in pcap-linux.c

...which uses the program.

The variables to look at are

        static struct sock_filter       total_insn
                = BPF_STMT(BPF_RET | BPF_K, 0);
        static struct sock_fprog        total_fcode
                = { 1, &total_insn };

although "struct sock_filter" and "struct sock_fprog" are *not* the
structures to use - those are the Linux kernel structures for BPF
programs, but the structures you'd have to use in a libpcap-based
program would be the BPF equivalent structures:

        static struct bpf_insn       total_insn
                = BPF_STMT(BPF_RET | BPF_K, 0);
        static struct bpf_program    total_fcode
                = { 1, &total_insn };

and you'd use "total_fcode" in a "pcap_setfilter()" call.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html