tcpdump mailing list archives

Re: Question regarding libpcap filters and sflow


From: Guy Harris <guy () alum mit edu>
Date: Tue, 7 Apr 2009 12:37:00 -0700


On Apr 6, 2009, at 5:02 PM, Diego Valverde wrote:

> When you say implement the filtering in the kernel, you mean for example hooking mad-wifi to some custom made module that passes only the packets matching the 1:N criteria, i.e. not using libpcap, or you mean modifying existing libpcap kernel space code to do this?

There isn't any code that's literally "libpcap kernel space code", in the sense of code that comes with libpcap. Libpcap uses existing kernel code that might have been designed for use by (among other things) libpcap. In Linux, that'd be the PF_PACKET socket code plus the "socket filter" code.

I'm suggesting adding in a 1:N sampling capability to the PF_PACKET socket code, which libpcap could use.

> One more thing, I just saw that WinPcap has a function called pcap_setsampling that allows you to set 1:N sampling, however it says it only works on win32 platforms.

From a quick look at the 4.1b5 code, it appears to only work when doing remote capturing; presumably the rpcap daemon does the sampling on packets it receives from libpcap/WinPcap.

> Any ideas if it would be possible (or worth the time) to implement something similar for Linux?

It would probably not be too hard to do - see packet_rcv() in net/packet/af_packet.c; the filtering would be done similarly to what run_filter() does (you'd need to add some state to a packet socket to keep track of the value of N and to keep a packet count).
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
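As an added example, not part of the thread and not Linux kernel code: a user-space C model of the per-socket 1:N sampling state Guy describes, applied after the socket filter the way packet_rcv() would apply it after run_filter(). The toy filter, the constructed frames and the xorshift generator are stand-ins written for this example; the struct is a hypothetical sketch of what would be added to the packet socket, not an existing kernel field. The order matters: counting only packets that already passed the filter makes "1 of N" mean 1 of N matching packets. A random 1-in-N mode is included because sFlow samples at random rather than every N-th packet, since a fixed stride can alias with periodic traffic (that caveat is mine, not the thread's).

```c
/* Added example: user-space model of per-socket 1:N sampling after a filter.
 * Not from the thread and not kernel code; names and layout are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-socket sampling state (what one would add alongside the
 * existing filter state of a packet socket, set through a new socket option). */
struct sample_state {
    uint32_t n;      /* keep 1 of every n filtered packets; 0 or 1 = sampling off */
    uint32_t count;  /* filtered packets seen since the last delivered one */
    uint32_t seed;   /* xorshift32 state for random 1-in-N mode (must be nonzero) */
    bool random;     /* false: every n-th packet; true: each packet kept with p = 1/n */
};

/* Toy stand-in for the socket filter (a real one is a BPF program): accept only
 * IPv4/UDP on a 14-byte Ethernet header. Returns the accepted length, 0 to drop. */
static size_t toy_run_filter(const uint8_t *pkt, size_t len) {
    if (len < 14 + 20) return 0;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return 0;   /* EtherType IPv4 */
    size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl) return 0;
    if (pkt[14 + 9] != 17) return 0;                     /* IP protocol UDP */
    return len;
}

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* The decision packet_rcv() would make: filter first, then sample among the
 * packets that passed, so the 1:N rate applies to the filtered stream. */
bool should_deliver(struct sample_state *st, const uint8_t *pkt, size_t len) {
    if (!toy_run_filter(pkt, len)) return false;
    if (st->n <= 1) return true;                        /* sampling disabled */
    if (st->random)
        return xorshift32(&st->seed) % st->n == 0;      /* independent 1/n chance */
    if (++st->count >= st->n) {                         /* every n-th matching packet */
        st->count = 0;
        return true;
    }
    return false;
}

/* Constructed frame: IPv4/UDP when udp is true, otherwise ARP (EtherType 0x0806). */
static size_t make_frame(uint8_t *buf, size_t cap, bool udp) {
    memset(buf, 0, cap);
    if (udp) {
        buf[12] = 0x08; buf[13] = 0x00;
        buf[14] = 0x45;                                  /* IPv4, IHL = 5 */
        buf[14 + 9] = 17;                                /* UDP */
        return 14 + 20 + 8;
    }
    buf[12] = 0x08; buf[13] = 0x06;
    return 14 + 28;
}

/* Feed a constructed mix (3 UDP frames then 1 ARP frame, repeated) through the
 * decision and return how many frames would reach the socket. */
unsigned run_sampling(uint32_t n, bool random, uint32_t seed, unsigned frames) {
    struct sample_state st = { .n = n, .count = 0, .seed = seed ? seed : 1, .random = random };
    uint8_t buf[64];
    unsigned delivered = 0;
    for (unsigned i = 0; i < frames; i++) {
        size_t len = make_frame(buf, sizeof buf, (i % 4) != 3);
        if (should_deliver(&st, buf, len)) delivered++;
    }
    return delivered;
}

int main(void) {
    /* 40 frames = 30 matching UDP + 10 ARP that the filter drops */
    printf("1:4 deterministic: %u of 30 matching frames delivered\n",
           run_sampling(4, false, 1, 40));
    printf("1:4 random (seed 12345): %u of 30 matching frames delivered\n",
           run_sampling(4, true, 12345, 40));
    printf("sampling off: %u of 30 matching frames delivered\n",
           run_sampling(0, false, 1, 40));
    return 0;
}
```

With 30 matching frames and N=4 the deterministic mode delivers 7 (the 4th, 8th, ..., 28th matching packet); the random mode delivers a count that varies with the seed but is reproducible for a fixed one, which is what makes it testable here.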

