Re: Question regarding libpcap filters and sflow,

[Diego Valverde <diego.valverde.g () gmail com>]

Hi Guy, Thanks a lot for your quick reply.
When you say implement the filtering in the kenerl, you mean for example
hooking mad-wifi to some custom made module that passes only the packets
matching the 1:N criteria, ie. not using libpcap, or you mean  modifying
exisitng libpcap kernel space code to do this?

One more thing, I just saw that winpcap has a function called
pcap_setsampling that allows to set a 1:N sampling, however it says it only
works on win32 platforms.
Any ideas if it would be posible (or worth the time) to implement  something
similar for linux?

Again, thanks a lot for your support.
-D

On Mon, Apr 6, 2009 at 5:39 PM, Guy Harris <guy () alum mit edu> wrote:

> On Apr 6, 2009, at 3:53 PM, Guy Harris wrote:
>
>  I'm assuming the embedded device is running an operating system such as
> > Linux, so that packets have to be copied from kernel space to user space
> > (unless libpcap is using the memory-mapped access mechanism on Linux or
> > FreeBSD) to be delivered to libpcap.
> >
> > If you don't care whether packets not being sampled are copied from kernel
> > space to user space (or if you're running on a version of Linux or FreeBSD
> > with a memory-mapped capture interface), you could just do the sampling in
> > the code that reads from libpcap.
> >
> > If you do care, you'll have to implement the filtering in the kernel.
>
> Packets that are to be passed to libpcap might still require more copies
> than packets that don't even with a memory-mapped interface, so even there,
> filtering in the kernel might make a difference.
>
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.