With BPF and Digital UNIX's packetfilter, changing the filter flushes
the buffer. With Linux, changing the filter doesn't flush the buffer
- so current versions of libpcap purge the buffer themselves, so
that, after you change a filter, you don't get any packets that
wouldn't have passed the filter. (On platforms where filtering is
done in userland, that's not an issue.)
The same thing happens on Windows (WinPcap): the buffer is flushed when
you set a new filter.
There's a patch for FreeBSD that does not discard the BPF hold buffer.
http://lists.freebsd.org/pipermail/freebsd-net/2007-November/015964.html
http://lists.freebsd.org/pipermail/freebsd-net/2007-November/015965.html
http://www.freebsd.org/cgi/query-pr.cgi?pr=118486