tcpdump mailing list archives

Re: pcap-bpf and AIX odm related code


From: Guy Harris <guy () alum mit edu>
Date: Fri, 9 Oct 2009 16:05:19 -0700


On Oct 9, 2009, at 3:22 AM, Jean-Louis CHARTON wrote:

> BTW, does someone know why the number of BPF devices is limited to 4 (at least
> on AIX)?

Because the people at IBM who maintain AIX's BPF and tcpdump/libpcap don't have a clue? That's certainly the impression I get, from

1) the fact that their libpcap is not source-compatible with other libpcaps (seconds-and-nanoseconds time stamps - yes, at least in theory, the higher resolution is nice, although in practice it's not clear you can trust those time stamps to actually reflect packet arrival time down to the nanosecond, but breaking source compatibility is *NOT* nice);

2) the fact that the files written by and read by their libpcap are not standard libpcap files (completely different link-layer type values, and, again, seconds-and-nanoseconds time stamps) but don't have a different magic number so that you can easily distinguish them from standard libpcap files;

3) the fact that people have run into various annoying BPF bugs, as indicated in pcap-bpf.c (randomly returning EFAULT on reads, timeouts not working, etc.).

> I've tried to add one more bpf device (/dev/bpf4) on an AIX 5.1 box. The device configuration seems ok (i.e. the sysconfig() calls are successful). I can launch up to 4 tcpdump in parallel (that use /dev/bpf0 up to /dev/bpf3) but then
> as soon as I launch a fifth tcpdump, the kernel generates a panic

Perhaps somebody at IBM declared a static array of per-device structures in the BPF driver, with 4 elements, and didn't bother to add a check so that the BPF driver fails when you try to open more than 4 devices?
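The file-format point (2) above is easiest to see with a small header check. The following is an added example, not code from libpcap, AIX or the message: it parses a pcap global header, recognises the standard microsecond magic (0xa1b2c3d4) and the nanosecond magic (0xa1b23c4d) that later libpcap releases use, in either byte order, and then applies the one header-independent sanity check available when a writer stores nanoseconds under the standard magic: a fractional-seconds field of 1,000,000 or more cannot be a microsecond count. The `inspect_le_header` helper and the header it builds are constructed for the example; the magic values and header layout are the standard ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard pcap global-header magic (seconds + microseconds) and the
 * nanosecond-resolution magic used by later libpcap releases. A writer that
 * stores nanoseconds under the microsecond magic cannot be told apart from
 * a standard file by the header alone. */
#define PCAP_MAGIC_USEC 0xa1b2c3d4u
#define PCAP_MAGIC_NSEC 0xa1b23c4du
#define PCAP_HDR_LEN    24

enum pcap_ts_res { TS_UNKNOWN = 0, TS_MICRO = 1, TS_NANO = 2 };

struct pcap_hdr_info {
    enum pcap_ts_res res;   /* resolution declared by the magic number */
    int swapped;            /* 1 if the file's byte order differs from the host's */
    uint16_t version_major;
    uint16_t version_minor;
    uint32_t snaplen;
    uint32_t linktype;      /* link-layer type value as stored; not normalised here */
};

static uint32_t bswap32(uint32_t v)
{
    return ((v & 0x000000ffu) << 24) | ((v & 0x0000ff00u) << 8) |
           ((v & 0x00ff0000u) >> 8)  | ((v & 0xff000000u) >> 24);
}

static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Parse a 24-byte pcap global header into host order.
 * Returns 0 on success, -1 on short input or an unrecognised magic number. */
int parse_pcap_header(const uint8_t *buf, size_t len, struct pcap_hdr_info *out)
{
    uint32_t magic, u32;
    uint16_t u16;

    if (buf == NULL || out == NULL || len < PCAP_HDR_LEN)
        return -1;
    memset(out, 0, sizeof *out);
    memcpy(&magic, buf, 4);

    if (magic == PCAP_MAGIC_USEC)               { out->res = TS_MICRO; }
    else if (magic == PCAP_MAGIC_NSEC)          { out->res = TS_NANO;  }
    else if (magic == bswap32(PCAP_MAGIC_USEC)) { out->res = TS_MICRO; out->swapped = 1; }
    else if (magic == bswap32(PCAP_MAGIC_NSEC)) { out->res = TS_NANO;  out->swapped = 1; }
    else return -1;

    memcpy(&u16, buf + 4, 2);  out->version_major = out->swapped ? bswap16(u16) : u16;
    memcpy(&u16, buf + 6, 2);  out->version_minor = out->swapped ? bswap16(u16) : u16;
    /* bytes 8..15 hold thiszone and sigfigs; they do not affect the checks below */
    memcpy(&u32, buf + 16, 4); out->snaplen  = out->swapped ? bswap32(u32) : u32;
    memcpy(&u32, buf + 20, 4); out->linktype = out->swapped ? bswap32(u32) : u32;
    return 0;
}

/* A record's fractional-seconds field must fit the declared resolution.
 * 1,000,000 or more in a file claiming microseconds is impossible, and is the
 * only header-independent hint that the writer actually stored nanoseconds. */
int pcap_ts_frac_plausible(enum pcap_ts_res res, uint32_t frac)
{
    switch (res) {
    case TS_MICRO: return frac < 1000000u;
    case TS_NANO:  return frac < 1000000000u;
    default:       return 0;
    }
}

/* Convert a record timestamp to nanoseconds using the declared resolution.
 * Reading a nanosecond file as microseconds inflates the fraction 1000x. */
uint64_t pcap_ts_to_ns(enum pcap_ts_res res, uint32_t sec, uint32_t frac)
{
    uint64_t ns = (uint64_t)sec * 1000000000ull;
    return res == TS_NANO ? ns + frac : ns + (uint64_t)frac * 1000ull;
}

static void put16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a little-endian global header (constructed sample input, not a real
 * capture) and parse it back; returns parse_pcap_header()'s result. */
int inspect_le_header(uint32_t magic, uint32_t snaplen, uint32_t linktype,
                      struct pcap_hdr_info *out)
{
    uint8_t buf[PCAP_HDR_LEN];
    memset(buf, 0, sizeof buf);
    put32le(buf, magic);
    put16le(buf + 4, 2);        /* version 2.4 */
    put16le(buf + 6, 4);
    put32le(buf + 16, snaplen);
    put32le(buf + 20, linktype);
    return parse_pcap_header(buf, sizeof buf, out);
}

int main(void)
{
    struct pcap_hdr_info h;
    if (inspect_le_header(PCAP_MAGIC_USEC, 65535, 1, &h) == 0)
        printf("usec magic: res=%d snaplen=%u linktype=%u\n", h.res, h.snaplen, h.linktype);
    /* a 500,000,000 fraction cannot be microseconds: the file is mislabelled */
    printf("frac 500000000 plausible as usec: %d, as nsec: %d\n",
           pcap_ts_frac_plausible(TS_MICRO, 500000000u),
           pcap_ts_frac_plausible(TS_NANO, 500000000u));
    return 0;
}
```

The plausibility check is a heuristic: a nanosecond-resolution file whose fractions happen to stay below 1,000,000 passes it, so a reader that wants to be sure must know the producer. That is exactly why a distinct magic number matters: with it, the header is authoritative and no guessing is needed.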

