On Thu, Aug 29, 2002 at 10:42:28AM -0700, Sandeep Parikh wrote:
> this question is directed towards libpcap specifically......
>
> in a nutshell...what does bpf_tap()/bpf_mtap() do?
Neither of those routines is in libpcap.
They are routines in BSD kernels that are called by network interface
drivers (and pseudo-drivers) to deliver incoming and outgoing packets to
the BPF mechanism.
Many OSes have mechanisms to allow applications to capture raw
networking traffic; those mechanisms are what libpcap uses.
The mechanism that various BSD systems provide is the Berkeley Packet
Filter mechanism; it's documented in the "bpf" man page on those
systems.
"bpf_tap()" takes, as arguments:

    a reference to an interface (I use a vague description because
    the actual type of the argument differs between the BSDs);

    a pointer to a chunk of contiguous data;

    the number of bytes in that chunk;

and treats that chunk of data as pointing to the data for a packet and
delivers it to all BPF devices listening on that interface (if any).
"bpf_mtap()" is similar, but it takes a pointer to an mbuf chain for a
packet rather than a pointer to a chunk of contiguous packet data and
the number of bytes in that chunk.
They are declared in libpcap's "bpf/net/bpf.h" file *IF* BSD is defined
and either KERNEL or _KERNEL_ is defined; that's because <net/bpf.h> is
a kernel header on BSD systems, declaring information about the kernel's
BPF mechanism. That's because "bpf/net/bpf.h" is based on a version of
<net/bpf.h> from some BSD kernel, and is supplied for the benefit of
non-BSD systems that lack their own <net/bpf.h> header, so as to declare
that subset of BPF stuff that libpcap uses (packet filter engine and
DLT_ declarations); it doesn't mean that "bpf_tap()" and "bpf_mtap()"
are part of libpcap (as noted, they are not).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
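As an added illustration of the bpf_tap()/bpf_mtap() distinction described in the reply above, here is a small user-space model of the fan-out: a "driver" hands one packet to the tap as a contiguous buffer and another as an mbuf chain, and every listener attached to the interface whose filter accepts the packet gets a copy up to its snaplen. This is example code written for this note, not BSD kernel code and not part of libpcap; the structs `mbuf`, `listener` and `bpf_if`, the functions `model_bpf_tap()`/`model_bpf_mtap()`, and the sample Ethernet frames are all simplified stand-ins constructed for the example (the real kernel filters directly over the mbuf chain rather than linearizing it first).

```c
/* Added example: user-space model of the BSD bpf_tap()/bpf_mtap() fan-out.
 * Not kernel code, not libpcap code. All types and names below are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LISTENERS 4
#define SNAPLEN 64

/* Minimal stand-in for an mbuf chain: each mbuf holds one fragment of a packet. */
struct mbuf {
    const uint8_t *m_data;
    size_t m_len;
    struct mbuf *m_next;
};

/* One BPF listener, i.e. one open /dev/bpf descriptor bound to the interface.
 * The filter returns how many bytes to keep; 0 means drop the packet. */
struct listener {
    size_t (*filter)(const uint8_t *pkt, size_t len);
    uint8_t store[SNAPLEN];
    size_t stored;
    unsigned received;
};

/* Per-interface BPF state: the listeners attached to that interface. */
struct bpf_if {
    struct listener *list[MAX_LISTENERS];
    int n;
};

static void bpf_attach_listener(struct bpf_if *bp, struct listener *l)
{
    if (bp->n < MAX_LISTENERS)
        bp->list[bp->n++] = l;
}

/* Model of bpf_tap(): deliver one contiguous packet to every listener. */
static void model_bpf_tap(struct bpf_if *bp, const uint8_t *pkt, size_t len)
{
    for (int i = 0; i < bp->n; i++) {
        struct listener *l = bp->list[i];
        size_t keep = l->filter ? l->filter(pkt, len) : len;
        if (keep == 0)
            continue;                 /* filter rejected the packet */
        if (keep > len)
            keep = len;
        if (keep > SNAPLEN)
            keep = SNAPLEN;           /* truncate to the listener's snaplen */
        memcpy(l->store, pkt, keep);
        l->stored = keep;
        l->received++;
    }
}

/* Model of bpf_mtap(): the packet arrives as an mbuf chain, so walk the chain,
 * linearize it into a scratch buffer, and reuse the contiguous delivery path. */
static void model_bpf_mtap(struct bpf_if *bp, const struct mbuf *m)
{
    size_t total = 0, off = 0;
    for (const struct mbuf *p = m; p; p = p->m_next)
        total += p->m_len;
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return;
    for (const struct mbuf *p = m; p; p = p->m_next) {
        memcpy(buf + off, p->m_data, p->m_len);
        off += p->m_len;
    }
    model_bpf_tap(bp, buf, total);
    free(buf);
}

/* Two sample filters: accept everything, or accept only IPv4 (ethertype 0x0800
 * at Ethernet offset 12), which is what a BPF "ip" program checks. */
static size_t accept_all(const uint8_t *pkt, size_t len) { (void)pkt; return len; }
static size_t accept_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 14)
        return 0;
    return (pkt[12] == 0x08 && pkt[13] == 0x00) ? len : 0;
}

struct listener g_all, g_ip;

/* Drive the model: one IPv4 frame via the contiguous tap, one ARP frame split
 * across two mbufs so its ethertype lies in the second fragment. Returns
 * (g_all.received * 10 + g_ip.received), i.e. 21 for the inputs below. */
int run_demo(void)
{
    struct bpf_if ifp = { {0}, 0 };
    memset(&g_all, 0, sizeof g_all); g_all.filter = accept_all;
    memset(&g_ip, 0, sizeof g_ip);   g_ip.filter = accept_ipv4;
    bpf_attach_listener(&ifp, &g_all);
    bpf_attach_listener(&ifp, &g_ip);

    /* constructed frame: dst MAC, src MAC, ethertype 0x0800, 6 IPv4 header bytes */
    static const uint8_t ipv4_frame[20] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
        0x08,0x00, 0x45,0x00,0x00,0x14,0x00,0x00 };
    model_bpf_tap(&ifp, ipv4_frame, sizeof ipv4_frame);

    /* constructed frame: same MACs, ethertype 0x0806 (ARP), 6 ARP header bytes */
    static const uint8_t arp_frame[20] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
        0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04 };
    struct mbuf m2 = { arp_frame + 8, 12, NULL };
    struct mbuf m1 = { arp_frame, 8, &m2 };
    model_bpf_mtap(&ifp, &m1);

    return (int)(g_all.received * 10 + g_ip.received);
}

int main(void)
{
    run_demo();
    printf("accept_all listener: %u packets, accept_ipv4 listener: %u packets\n",
           g_all.received, g_ip.received);
    return 0;
}
```

The point the model makes visible is the one in the reply: the tap routines are the kernel-side entry point that drivers call, the BPF listeners (what libpcap opens via /dev/bpf) are only consumers, and bpf_mtap() exists because a driver often has the packet as a chain of mbufs rather than one buffer, so the chain has to be walked before any listener can see bytes that straddle fragments.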