On Tue, Mar 12, 2002 at 02:37:14PM -0800, Joe Amici wrote: > I have been using libpcap 0.4 which comes packed with > RH6.2. I'll be migrating to libpcap 0.6, soon. The > changelog says that Linux implementation of libpcap > now uses PF_PACKET sockets and the filtering itself is > done in the kernel. So am I correct in assuming that > in 0.4, the filtering in linux was actually done in > userland
Yes. > And so with the kernel filtering, will applications > running libpcap 0.6 on Linux, perform perceptibly > better (assuming high packet traffic rate, longer > per-packet processing time and a CPU starved linux > 6.2, which causes the packet drops currently with > libpcap 0.4) ? Potentially, yes; packets that don't match the filter won't be copied up to userland, rather than being copied up to userland only to be discarded. You'd need to make sure your kernel is configured with socket filtering (CONFIG_FILTER), which adds in-kernel filtering capabilities. (If that's not configured in, libpcap 0.6 and later will fall back on doing filtering in user space). > Is there any reason why upgrading to 0.7 may be a > better idea instead ? (The changelog for 0.7 didnt > show anything which my application cares about.) 0.7 has a variety of bug fixes and improvements; if you're just downloading versions of libpcap from tcpdump.org, compiling them, and installing them, there's no reason to to upgrade to 0.7.1 rather than 0.6.2. If you're just upgrading to a later version of Red Hat, which comes with an 0.6.2-based libpcap, it might not be worth downloading 0.7.1 and compiling it, though. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
