("[EMAIL PROTECTED]" and "[EMAIL PROTECTED]" are now being forwarded
to "[EMAIL PROTECTED]"; there's no reason to send to either of
the LBL addresses.)
On Tue, Jul 03, 2001 at 09:26:44PM +0000, ashley thomas wrote:
> I think the BSD is showing some wrong info. It is in fact showing the total
> number of packets on the network rather than the ones caught using the filter.
For what it's worth, the BPF implementations on, I suspect, all the BSDs
return, from a BIOCGSTATS ioctl, the count of packets handed to the BPF
mechanism in the "bs_recv" field, *not* the count of packets that then
passed the filter.
That is the statistic that libpcap supplies in the "ps_recv" field
filled in by a "pcap_stats()" call.
The libpcap code on systems using DLPI doesn't do kernel filtering
(either because the systems don't come with any kernel filtering or
because the kernel filtering doesn't support the BPF machine language);
they maintain their own statistics, and "ps_recv" is incremented for all
packets that it reads, regardless of whether they're later discarded by
the packet filter.
The same happens in the libpcap code for pre-4.0 SunOS's NIT mechanism
and for SunOS 4.x's STREAMS NIT mechanism.
However, in the libpcap code for Linux, Ultrix and
Digital^H^H^H^H^H^H^HTru64 UNIX, and Irix, "ps_recv" is incremented only
when packets pass the filter.
Whether the statistic supplied on *BSD and SunOS is wrong, or the
statistic supplied on other platforms is wrong, depends on whether one
interprets "received by filter" as meaning "that passed the filter" or
"that were handed to the filter to be checked". I could see the latter
as being a legitimate interpretation. (For what it's worth, the
meanings of the statistics are not documented in the libpcap man page,
nor are the meanings of the values printed by tcpdump when it exits
documented, so the documentation cannot be used to resolve which is
correct.)
> Is it a known problem?
It is now.
> Is there a fix for it ?
That depends on what the fix should be.
Implementing *BSD/SunOS/HPUX-style statistics is tricky on some
platforms - if the kernel does the filtering, and can't supply a count
of packets that were handed to the filtering code, you can't get that
statistic.
Implementing Linux/Digital UNIX/Irix-style statistics can be done on all
platforms, simply by doing the counting in libpcap.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
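The two meanings of the "received" count discussed in this message, as an added example that is not part of the original post and is not libpcap or kernel code: a minimal classic-BPF interpreter runs one filter over three frames and keeps both counters, doing the counting in user space as the last paragraph suggests. The names `run_filter`, `count_samples`, `struct stats` and the sample frames are constructed for illustration; only the opcode values and instruction layout follow classic BPF.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode values; struct laid out like struct bpf_insn. */
enum { LD_H_ABS = 0x28, LD_B_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct stats { unsigned handed, passed; };   /* hypothetical counter pair */
/* "ip proto 6" on Ethernet: ethertype at offset 12, IP protocol at 23. */
static const struct insn tcp_filter[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 3, 0x0800 },
    { LD_B_ABS, 0, 0, 23 }, { JEQ_K, 0, 1, 6 },
    { RET_K, 0, 0, 65535 }, { RET_K, 0, 0, 0 },
};
/* Constructed frames: only the bytes the filter reads are non-zero. */
static const uint8_t sample_frames[3][24] = {
    { [12] = 0x08, [13] = 0x00, [23] = 6 },   /* IPv4 TCP */
    { [12] = 0x08, [13] = 0x00, [23] = 17 },  /* IPv4 UDP */
    { [12] = 0x08, [13] = 0x06 },             /* ARP */
};

/* Returns the number of bytes to keep; 0 means the filter rejected it. */
static uint32_t run_filter(const struct insn *pc, const uint8_t *p, size_t len) {
    uint32_t a = 0;                           /* BPF accumulator */
    for (;; pc++) switch (pc->code) {
    case LD_H_ABS:
        if ((size_t)pc->k + 2 > len) return 0;    /* load past end: reject */
        a = ((uint32_t)p[pc->k] << 8) | p[pc->k + 1]; break;
    case LD_B_ABS:
        if (pc->k >= len) return 0;
        a = p[pc->k]; break;
    case JEQ_K: pc += (a == pc->k) ? pc->jt : pc->jf; break;  /* relative */
    case RET_K: return pc->k;
    default:    return 0;                         /* unsupported opcode */
    }
}

static struct stats count_samples(void) {
    struct stats s = { 0, 0 };
    for (size_t i = 0; i < 3; i++) {
        s.handed++;   /* "handed to the filter": the *BSD bs_recv meaning */
        /* "passed the filter": what Linux-style ps_recv counts */
        s.passed += run_filter(tcp_filter, sample_frames[i], 24) != 0;
    }
    return s;
}

int main(void) {
    struct stats s = count_samples();
    return printf("handed=%u passed=%u\n", s.handed, s.passed) < 0;
}
```

Comparing capture statistics across platforms only makes sense once you know which of these two counters "ps_recv" holds on each of them.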