On Fri, Jan 15, 2021 at 2:16 PM Eric Dumazet <eduma...@google.com> wrote:
[snip]
> > My wild guess is that as soon as the socket got created:
> > socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
> > the packets were already queued to it.
> > So the later setsockopt() is too late to filter.
> >
> > Eric, thoughts?
>
> Exactly, this is what happens.

I understand.  Thanks for the explanation.

> I do not know how tcpdump and other programs deal with this.
>
> Maybe by setting a small buffer size, or draining the queue.

libpcap has its own cBPF implementation which it applies after it
receives the packets from the queue.

Thanks again,
Tom Cook
