Re: [PATCH] enable memory mapped access to ethernet

[Andy Howell <AndyHowell () raitechnology com>]

Guy Harris wrote:
> With BPF and Digital UNIX's packetfilter, changing the filter flushes  
> the buffer.  With Linux, changing the filter doesn't flush the buffer  
> - so current versions of libpcap purge the buffer themselves, so that,  
> after you change a filter, you don't get any packets that wouldn't  
> have passed the filter.  (On platforms where filtering is done in  
> userland, that's not an issue.)

Guy,

	I didn't realize that libpcap flushes the buffer when I change the 
filter. I'm my application I set a filter when I start up. As I discover 
other UDP ports of interest, they get added to the filter. That is, my 
filter only get more permissive. Not seeing new packets that my filter 
would accept for the buffered ones is probably ok. Dropping packet isn't 
very friendly though. Ideally the packets could be filtered through 
user-land bpf until the queued bytes are read.

I guess the difficulty is knowing when you've read all the queued bytes. 
Since I'm setting the receive buffer size, a reasonable compromise is to 
install the kernel filter and then also apply the user-land filter until 
we've seen 'receive buffer size' bytes. Kludgy yes, but then I wouldn't 
miss packets as many packets. Actually in my case, I wouldn't even need 
to do that. I'd rather just install the kernel filter right away and get 
all the packets.

That wouldn't help with BPF and Digital packetfilter you mentioned.

I know libpcap tries to keep a uniform interface across all platforms. 
It would be nice however to be able to tweak it on a particular OS. How 
about having a simple interface that allows querying and setting 
platform specific options. That would allow libpcap to have uniform 
behavior across OSs, but at the same time allow developers to take 
advantage of particular features when available.

Regards,

        Andy
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.