On Tue, Jun 05, 2001 at 08:44:02PM +0000, ashley thomas wrote:
> Now at time T1,
> after pcap_setfilter is executed, the next pcap_loop or pcap_read will
> give me a packet which was there already in the queue (got with the old
> filter) or a packet collected using this filter ?
>
> I mean what will happen to all those packets which were taken from the
> network using the original filter ? Will all those be just dumped or
> retained ?
Well, in FreeBSD 3.4, and probably in most if not all BSDs, the ioctl
that sets a packet filter also flushes the packet buffer, so when
"pcap_setfilter()" is done, all packets not yet read will be discarded.
However, in the Linux 2.2.18 kernel, and probably in other 2.2[.x] and
2.4[.x] Linux kernels, the "setsockopt()" call that sets a packet filter
doesn't appear to flush the packet buffer, so when "pcap_setfilter()" is
done, packets not yet read will be retained.
On {Digital,Tru64} UNIX, the "packetfilter(7)" man page (at least for
Tru64 UNIX 5.1) says:
    EIOCFLUSH
        After changing the packet filter program, the input queue may contain
        packets that were accepted under the old filter. To flush the queue of
        incoming packets, use the following:
            ioctl(fildes, EIOCFLUSH, 0)
and libpcap doesn't do an EIOCFLUSH, so when "pcap_setfilter()" is done,
packets not yet read will be retained.
On other platforms (including Linux systems with a 2.0[.x] kernel),
packet filtering isn't done in the kernel, it's done in userland, and
libpcap doesn't make any call to flush the packet buffer, so, when
"pcap_setfilter()" is done, packets not yet read will be retained.
So the general answer to your question is "it depends on what OS you're
using", and in your particular case, where the OS is one with a Linux
2.4[.x] kernel, the answer is "they will be retained" (assuming that
you're using tcpdump.org's libpcap, rather than one modified by its
supplier to explicitly flush the socket; I don't know what
"enhancements" various Linux distributors might have made to libpcap).
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe