Guy Harris wrote:
madhuresh wrote:
I am just anxious to know why we do filtering of packets in user
space and not at driver level (kernel space).
Because, on those OSes where filtering is done in user space, the OS
and drivers either don't have a filtering mechanism or don't have one
that uses BPF programs as filters (e.g., Solaris, where it supports a
different filtering language).
I agree.
Note, however, "in kernel space" doesn't necessarily mean "at the
driver level"; on Linux, the in-kernel filtering is done by "socket
filters" above the driver, and, even on BSD, although the driver
directly calls the BPF routine to supply a packet, the BPF code, not
the driver itself, does the filtering.
To my understanding tcpdump converts the filter options (set by the user
in plain text) into BPF code and passes it to libpcap. In the standard
Linux architecture a filter may be attached to a socket by using a
setsockopt call with the SO_ATTACH_FILTER flag. A pointer to the BPF
filter code is also passed to the kernel with it. This call tries to set
a filter for a socket.
If we are trying to attach a heavy filter or multiple filters to a single
socket, the Linux kernel rejects all the filters, allowing
all packets to cross the kernel-user space boundary and arrive at
libpcap. In such a situation, libpcap then filters the packets in
user space and passes them to tcpdump or the caller program.
Hence it means that the filtering still has not been completed in kernel
space but in user space!!!
What if libpcap can communicate the filter options to the driver
under consideration, which will then transfer only the filtered
packets to a new interface, say ABC0. Then libpcap can read these
filtered packets from ABC0 and can directly transfer them to tcpdump for
parsing.
That's exactly what happens on Linux (if you have a kernel with
PF_PACKET sockets and socket filters)
But does it work with heavy filters (multiple filter options)??? To my
understanding it doesn't. Please correct me if I am wrong.
, on {Free,Net,Open,Dragonfly}BSD and Mac OS X, on AIX if libpcap is
using BPF, on Digital/Tru64 UNIX, and on Windows with WinPcap.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Thanks again
-Madhuresh
--
Madhuresh Agrawal
Senior Undergraduate
Department of Computer Science and Engineering
Indian Institute of Technology
Kanpur - 208016
Phone : (+91) 9935184990
HomePage: http://home.iitk.ac.in/~madhurag
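An added example, not code from this thread or from libpcap: the user-space fallback path the reply describes, as a minimal classic-BPF interpreter that runs the program tcpdump generates for "ip and udp" over a constructed Ethernet/IPv4 frame, with the out-of-bounds load check the kernel applies. The opcode values and the six-instruction program are the real ones; the struct and enum names and the frame bytes are this example's own.

```c
/* Added example, not code from the thread or from libpcap: a minimal
 * classic-BPF interpreter for the user-space fallback the thread
 * describes (what libpcap must do when the kernel refuses the filter). */
#include <stddef.h>
#include <stdint.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* layout of struct sock_filter */
/* Classic BPF opcodes (BPF_LD|BPF_H|BPF_ABS, ...) spelled out numerically for portability. */
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* The program tcpdump -d "ip and udp" emits: accept if ethertype == 0x0800 and IP proto == 17. */
static const struct insn ip_and_udp[] = {
    { LDH_ABS, 0, 0, 12 },     /* A = ethertype               */
    { JEQ_K,   0, 3, 0x0800 }, /* not IPv4: jump to ret #0    */
    { LDB_ABS, 0, 0, 23 },     /* A = IPv4 protocol field     */
    { JEQ_K,   0, 1, 17 },     /* not UDP: jump to ret #0     */
    { RET_K,   0, 0, 262144 }, /* accept, return snaplen      */
    { RET_K,   0, 0, 0 },      /* drop                        */
};

/* Run a cBPF program over one frame; returns the accept length, 0 = drop.
 * A load past the end of the frame drops the packet, as the kernel does. */
uint32_t run_cbpf(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS: if ((size_t)i->k + 2 > len) return 0;
                      A = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1]; break;
        case LDB_ABS: if ((size_t)i->k + 1 > len) return 0;
                      A = pkt[i->k]; break;
        case JEQ_K:   pc += (A == i->k) ? i->jt : i->jf; break; /* target = pc + 1 + offset */
        case RET_K:   return i->k;
        default:      return 0; /* unsupported opcode: never accept on a guess */
        }
    }
    return 0; /* ran off the end of the program: drop */
}

/* Constructed Ethernet + IPv4 header (34 bytes, zero except the fields the
 * filter reads), optionally truncated to `len`, run through the filter. */
uint32_t filter_frame(uint16_t ethertype, uint8_t ip_proto, size_t len)
{
    uint8_t frame[34] = {0};
    frame[12] = (uint8_t)(ethertype >> 8); frame[13] = (uint8_t)(ethertype & 0xff);
    frame[14] = 0x45; frame[23] = ip_proto; /* IPv4/IHL 5, then the protocol byte */
    if (len > sizeof frame) len = sizeof frame;
    return run_cbpf(ip_and_udp, sizeof ip_and_udp / sizeof ip_and_udp[0], frame, len);
}
```

A truncated capture that cuts off before offset 23 is dropped rather than guessed at, which is also why a filter that reads deep into the packet is only as good as the snaplen in front of it.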