On Mon, 2008-04-28 at 22:32 -0700, Garrett D'Amore wrote:
> General question for the project team (not really an issue for *this* case):
>
> Does it make sense to someday convert snoop to use libpcap? (Anyone
> know if there is packet capture functionality in snoop that libpcap
> *can't* provide?)

Answering the second question, yes; packet filtering in the kernel on Solaris. Snoop uses pfmod, while libpcap uses a user-space bpf, and tries to take advantage of kernel bpf on OSs that have such a thing. Solaris doesn't.

Regarding the first question, I don't think it makes any sense to put engineering effort into snoop, nor into making it portable to other OSs (which I think would be the only benefit to having it use libpcap as opposed to directly using libdlpi as it does today.) We should be focusing on improving Wireshark and getting to a point where we can dump snoop.

> (ISTR also that snoop was potentially headed for the
> axe, as ARC seemed to feel that wireshark was a superior option. Did we
> ever actually contemplate a real EOF for snoop?)

Yes, I believe the Wireshark case established that Wireshark should be the long-term solution to replace snoop. For the reason stated above, however, I don't think that can happen yet. In order for Wireshark to be on par with snoop with regards to performance, we need an in-kernel bpf that libpcap can take advantage of on Solaris (among other things).

-Seb
