Re: AIX BPF Problems

[Guy Harris <guy () netapp com>]

On Thu, Feb 13, 2003 at 09:08:35PM +1100, Shaun wrote:
> > Does it also set immediate mode with BIOCIMMEDIATE?
>
> Yes, in fact it does so before EVERY read.

I.e., it does a BIOCIMMEDIATE ioctl call before every read call?

That's grotesque.  If it's unnecessary, it's a bogosity in their
libpcap; if it *is* necessary, it's a bogosity in their BPF
implementation.

> > If not, that might
> > make some difference (it doesn't wake up the application on every
> > packet), but, as per earlier messages, the timeout doesn't appear to
> > work, so if they don't set immediate mode they somehow manage to get the
> > timeout to work.
>
> > From what I can tell the timeout basically doesn't work at all (though
> admitedly I haven't really tried since I don't need that functionality)

...which suggests that their BPF implementation might, indeed, be bogus.

> > What's the snapshot length you're using in the "pcap_open_live()" calls
> > you're doing explicitly?  68?
>
> Yeah, 68, though from my cursory search I didn't see that value getting
> passed to the kernel?

It's somewhat obscure how it happens.

There's no ioctl in BPF to set the snapshot length.  However, a BPF
program terminates by returning with a numerical value; if the value is
0, the packet is discarded (i.e., it didn't pass the filter), but if
it's non-zero, the non-zero value is the snapshot length.

The BPF code generator in libpcap generates code that returns either 0
or the snapshot length.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe