Re: why not filtering at driver level ?

[Guy Harris <guy () alum mit edu>]

madhuresh wrote:

> I am just anxious to know that why we do filtering of packets at user 
> space and not at driver level (kernel space).

Because, on those OSes where filtering is done in user space, the OS and 
drivers either don't have a filtering mechanism or don't have one that 
uses BPF programs as filters (e.g., Solaris, where it supports a 
different filtering language).

Note, however, "in kernel space" doesn't necessarily mean "at the driver 
level"; on Linux, the in-kernel filtering is done by "socket filters" 
above the driver, and, even on BSD, although the driver directly calls 
the BPF routine to supply a packet, the BPF code, not the driver itself, 
does the filtering.

> What if libpcap can 
> communicate the filter options to the driver under consideration which 
> will then transfer, only the filtered packets to a new interface say 
> ABC0. Then libpcap can read these filtered packets from ABC0 and can 
> directly transfer to tcpdump for parsing.

That's exactly what happens on Linux (if you have a kernel with 
PF_PACKET sockets and socket filters), on {Free,Net,Open,Dragonfly}BSD 
and Mac OS X, on AIX if libpcap is using BPF, on Digital/Tru64 UNIX, and 
on Windows with WinPcap.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.