tcpdump mailing list archives
Re: why not filtering at driver level ?
From: madhuresh <madhurag () iitk ac in>
Date: Tue, 24 Oct 2006 01:26:33 +0530
Guy Harris wrote:
> madhuresh wrote:
>> I am just anxious to know why we do filtering of packets in user space and not at driver level (kernel space).
>
> Because, on those OSes where filtering is done in user space, the OS and drivers either don't have a filtering mechanism or don't have one that uses BPF programs as filters (e.g., Solaris, where it supports a different filtering language).

I agree.

>> To my understanding tcpdump converts the filter options (set by the user in plain text) into BPF code and passes it to libpcap. In the standard Linux architecture a filter may be attached to a socket by using a setsockopt call with the SO_ATTACH_FILTER flag. A pointer to the BPF filter code is also passed to the kernel with it. This call tries to set a filter for a socket. If we are trying to attach a heavy or multiple filters to a single socket, the Linux kernel rejects all the filters, allowing all packets to cross the kernel-user space boundary and arrive at libpcap. In such a situation, libpcap then filters the packets in user space and passes them to tcpdump or the caller program. Hence it means that still the filtering has not been completed in kernel space but in user space !!!
>
> Note, however, "in kernel space" doesn't necessarily mean "at the driver level"; on Linux, the in-kernel filtering is done by "socket filters" above the driver, and, even on BSD, although the driver directly calls the BPF routine to supply a packet, the BPF code, not the driver itself, does the filtering.

But does it work with heavy filters (multiple filter options) ??? To my understanding it doesn't. Please correct me if I am wrong.

>> What if libpcap can communicate the filter options to the driver under consideration, which will then transfer only the filtered packets to a new interface, say ABC0. Then libpcap can read these filtered packets from ABC0 and can directly transfer them to tcpdump for parsing.
>
> That's exactly what happens on Linux (if you have a kernel with PF_PACKET sockets and socket filters), on {Free,Net,Open,Dragonfly}BSD and Mac OS X, on AIX if libpcap is using BPF, on Digital/Tru64 UNIX, and on Windows with WinPcap.

Thanks again
-Madhuresh

--
Madhuresh Agrawal
Senior Undergraduate
Department of Computer Science and Engineering
Indian Institute of Technology Kanpur - 208016
Phone : (+91) 9935184990
HomePage: http://home.iitk.ac.in/~madhurag

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.