Hi,
I am completely new to this list, and did not find my problem (and brute
fix) in the list on my quick scan of the archives.
I see some strange packets in tcpdump when I use a (Linux) kernel compiled with Linux
socket filters. What I noticed is that when I start dumping information with
a filter, f.e. <tcpdump host xxx>, I get all packets in the first seconds and
after that everything is fine. (Probably the kernel installs the packet filter
after it starts sending packets to the program.)
I am not sure if the problem is in the kernel or in libpcap, so I tried to
fix it in pcap-linux.c of libpcap.
I fixed this for myself by modifying pcap-linux.c, by double checking the
kernel filter with the software filter. This fixes my problem, but adds some
overhead. This is ok when you have only some packets per second, but I am
afraid it gives too much overhead if you need f.e. about 5000 packets per
second.
around line 424 of libpcap-6.2:
    // BF 02-nov-2001, sanity check to filter packets not caught by kernel filter.
    // on my two test systems, this happens about a second and then stops, it seems
    // the kernel starts sending packets before the filter is active...
    // if (!handle->md.use_bpf && handle->fcode.bf_insns) {
    if (handle->fcode.bf_insns) {
        if (bpf_filter(handle->fcode.bf_insns, handle->buffer,
                       packet_len, caplen) == 0)
        {
            /* rejected by filter */
            // if(handle->md.use_bpf)
            //     fprintf(stderr,"Rejected packet by sanity check!\n");
            return 0;
        }
    }
regards,
ing. Gert-Jan de Jonge
de Kooi Systeemhuis B.V.
Ruinen
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html