On Apr 6, 2009, at 5:02 PM, Diego Valverde wrote:
> When you say implement the filtering in the kernel, you mean for example
> hooking mad-wifi to some custom made module that passes only the packets
> matching the 1:N criteria, i.e. not using libpcap, or you mean modifying
> existing libpcap kernel space code to do this?

There isn't any code that's literally "libpcap kernel space code", in
the sense of code that comes with libpcap. Libpcap uses existing
kernel code that might have been designed for use by (among other
things) libpcap. In Linux, that'd be the PF_PACKET socket code plus
the "socket filter" code.

I'm suggesting adding in a 1:N sampling capability to the PF_PACKET
socket code, which libpcap could use.

> One more thing, I just saw that winpcap has a function called
> pcap_setsampling that allows one to set a 1:N sampling, however it says
> it only works on win32 platforms.

From a quick look at the 4.1b5 code, it appears to only work when
doing remote capturing; presumably the rpcap daemon does the sampling
on packets it receives from libpcap/WinPcap.

> Any ideas if it would be possible (or worth the time) to implement
> something similar for linux?

It would probably not be too hard to do - see packet_rcv() in
net/packet/af_packet.c; the filtering would be done similarly to what
run_filter() does (you'd need to add some state to a packet socket to
keep track of the value of N and to keep a packet count).
-
This is the tcpdump-workers list.
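
The per-socket state described in the message above (a value of N plus a packet count, checked after the filter has run), as an added userspace model; this is not kernel code and not code from libpcap or from the thread. The names sample_state, sample_accept, model_rcv and run_demo are hypothetical, and the IPv4-only filter and the 14-byte frames are constructed stand-ins for a real socket filter and real traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-socket sampling state (not a kernel structure). */
struct sample_state {
    uint32_t n;      /* deliver 1 of every n matching packets; 0 or 1 = all */
    uint32_t count;  /* matching packets seen since the last delivered one */
};

/* Constructed stand-in for the socket filter: snap length, or 0 to drop.
 * Accepts only Ethernet frames with EtherType 0x0800 (IPv4). */
static unsigned int ipv4_only(const uint8_t *pkt, size_t len)
{
    return (len >= 14 && pkt[12] == 0x08 && pkt[13] == 0x00) ? (unsigned int)len : 0;
}

/* Returns 1 if this matching packet is the one in N to deliver. */
static int sample_accept(struct sample_state *s)
{
    if (s->n <= 1)
        return 1;               /* sampling disabled */
    if (++s->count < s->n)
        return 0;
    s->count = 0;               /* reset rather than modulo: no wraparound skew */
    return 1;
}

/* Model of the receive path: filter first, then sample what matched. */
static unsigned int model_rcv(struct sample_state *s, const uint8_t *pkt, size_t len)
{
    unsigned int snap = ipv4_only(pkt, len);
    if (snap == 0)
        return 0;               /* filtered out: does not advance the count */
    return sample_accept(s) ? snap : 0;
}

/* Feed `total` frames alternating IPv4/ARP; return how many are delivered. */
unsigned int run_demo(uint32_t n, unsigned int total)
{
    uint8_t ipv4[14] = {0}, arp[14] = {0};
    struct sample_state s = { n, 0 };
    unsigned int i, delivered = 0;
    ipv4[12] = 0x08; arp[12] = 0x08; arp[13] = 0x06;
    for (i = 0; i < total; i++)
        delivered += model_rcv(&s, (i & 1) ? arp : ipv4, 14) != 0;
    return delivered;
}
int main(void) { printf("1:4 of 80 frames -> %u\n", run_demo(4, 80)); return 0; }
```

Because the count advances only for packets that pass the filter, the result is 1:N of the matching traffic rather than 1:N of everything on the wire.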