On Aug 23, 2010, at 4:28 PM, Gianluca Varenni wrote:
> The problem is not the swap time. The problem is that immediately before the
> swap, the kernel ring buffer holding the packets in the driver is emptied.

FreeBSD has, as of FreeBSD 7.1:
http://www.freebsd.org/cgi/man.cgi?query=bpf&apropos=0&sektion=0&manpath=FreeBSD+7.1-RELEASE&format=html
two ioctls to set the filter - one of which flushes the old packets in the
buffer when switching filters (so that no packets that passed the old filter
but would not have passed the new filter are left in the buffer to read after
switching the filter), and one of which doesn't (for use in cases where you
don't expect that, after setting the filter, *no* packets that would not pass
the new filter will be read, which might be the case here).

WinPcap could probably do the same thing - but it currently doesn't, so that
suggestion is currently of use only to somebody willing to dive in and tweak
the WinPcap driver and run the modified driver. For programs using
libpcap/WinPcap, it'd also require a pcap_setfilter_noflush() call in
libpcap/WinPcap. (Now that FreeBSD has it, and given that I think Linux
doesn't flush the buffer when you change the filter, it might be worth adding
that API, although it'd fail on platforms where that can't be done.)

(Of course, if there's some mechanism by which a program can find out the names
or IP addresses of *all* the HTTP proxy servers Greg's machine could be using,
an ordinary filter giving "host XXX or host YYY or host ZZZ" would suffice here
- you wouldn't have to try to capture the DNS reply giving the proxy IP address
and switch the filter to look for that host.)