tcpdump mailing list archives

Re: [PATCH] enable memory mapped access to ethernet device for linux


From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Fri, 7 Dec 2007 13:48:18 -0800


----- Original Message -----
From: "Guy Harris" <guy () alum mit edu>
To: <tcpdump-workers () lists tcpdump org>
Sent: Thursday, December 06, 2007 4:09 PM
Subject: Re: [tcpdump-workers] [PATCH] enable memory mapped access to ethernet device for linux


There's also an issue that with the ringbuffer, the initial contents can be quite substantial in the fraction of a second between the pcap_open and application call to pcap_setfilter; for some reason this is not so much an issue for the socket read() interface, although buffering takes place there as well, perhaps the kernel (re-)filters the socket buffer when the filter is changed?

With BPF and Digital UNIX's packetfilter, changing the filter flushes the buffer. With Linux, changing the filter doesn't flush the buffer - so current versions of libpcap purge the buffer themselves, so that, after you change a filter, you don't get any packets that wouldn't have passed the filter. (On platforms where filtering is done in userland, that's not an issue.)


The same thing happens on Windows (WinPcap): the buffer is flushed when you set a new filter.

Have a nice day
GV

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
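
A small model of the behaviour discussed in the message above, added here as an illustration: packets queued before the filter is set survive a filter change unless the buffer is purged. It is not libpcap, WinPcap or kernel code; the `capture` struct, the function names and the port values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define RING_SLOTS 64

typedef int (*filter_fn)(uint16_t dst_port);  /* hypothetical filter type */

struct capture {
    uint16_t ring[RING_SLOTS];  /* queued packets, reduced to a dst port */
    size_t head, count;
    filter_fn filter;           /* NULL means accept everything */
};

static int port_is_53(uint16_t p) { return p == 53; }

/* Arrival: a packet is filtered once, by whatever filter is set right now. */
static void cap_enqueue(struct capture *c, uint16_t dst_port) {
    if (c->filter && !c->filter(dst_port)) return;
    if (c->count == RING_SLOTS) return;       /* ring full: drop */
    c->ring[(c->head + c->count++) % RING_SLOTS] = dst_port;
}

/* flush=0: the filter changes, the queue is kept.
   flush=1: the queue is purged when the filter changes. */
static void cap_setfilter(struct capture *c, filter_fn f, int flush) {
    c->filter = f;
    if (flush) c->count = 0;
}

/* Drain the queue; count packets the current filter would have rejected. */
static size_t cap_drain_count_stale(struct capture *c) {
    size_t stale = 0;
    while (c->count) {
        uint16_t p = c->ring[c->head];
        c->head = (c->head + 1) % RING_SLOTS;
        c->count--;
        if (c->filter && !c->filter(p)) stale++;
    }
    return stale;
}

/* Traffic arrives between open and setfilter, then more arrives after. */
static size_t run_scenario(int flush) {
    struct capture c = {0};
    static const uint16_t before[] = {80, 443, 53, 22};  /* constructed */
    static const uint16_t after[]  = {53, 80, 53};       /* constructed */
    for (size_t i = 0; i < 4; i++) cap_enqueue(&c, before[i]);
    cap_setfilter(&c, port_is_53, flush);
    for (size_t i = 0; i < 3; i++) cap_enqueue(&c, after[i]);
    return cap_drain_count_stale(&c);
}
```

Without the purge, the reader receives three packets that the new filter would have rejected; with it, none.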

