In a *BSD machine, BPF is used to capture packets off the wire to user space with just one copy, right?
The packets are stored in the 2 buffers (STORE and HOLD buffers) of BPF till they are read using a read() call in pcap_read. So this is an extra copy of all those packets, right?

Does the Linux 2.4.x kernel have a better mechanism than the BSDs?

Thanks for your time,
Ashley Thomas

On Mon, 25 Mar 2002, Guy Harris wrote:

> On Mon, Mar 25, 2002 at 08:22:38PM -0500, Ashley Thomas wrote:
> > I wanted some kind of indication about how full the buffer is.
> > This is regarding the work I am doing with IDSs.
>
> What would you use that information for?
>
> I.e., why do you need that information *before* processing the packets
> in the buffer (rather than computing it in the code that processes the
> packets)?
>
> > I am using OpenBSD, so in the pcap_read() in pcap-bpf.c
> > there is no explicit setting of time. Is the time set by BPF?
> > I mean, is it already in the BPF header?
>
> Yes, it is. A BPF "bpf_hdr" header looks surprisingly like a
> "pcap_pkthdr"; I'm sure this has nothing whatsoever to do with the fact
> that the BPF code and libpcap were originally done by the same people.
> :-) Therefore, libpcap just passes a pointer to that header to the
> callback routine.
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
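The point raised in the quoted reply, computing buffer usage in the code that processes the packets and reading the timestamp from the per-packet header, is shown below as an added example; it is not code from libpcap or from either poster. The struct `model_bpf_hdr`, the macro `MODEL_WORDALIGN`, the helper names and the sample records are assumptions constructed for illustration; real code would use `struct bpf_hdr` and `BPF_WORDALIGN` from `<net/bpf.h>`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the BPF record header with fixed-width fields;
   real code uses struct bpf_hdr and BPF_WORDALIGN from <net/bpf.h>. */
struct model_bpf_hdr {
    uint32_t tv_sec, tv_usec; /* timestamp filled in by the kernel */
    uint32_t bh_caplen;       /* bytes of the packet actually stored */
    uint32_t bh_datalen;      /* length of the packet on the wire */
    uint16_t bh_hdrlen;       /* header length including padding */
};
#define MODEL_WORDALIGN(x) (((size_t)(x) + 3u) & ~(size_t)3u)

struct buf_stats { unsigned packets; size_t used; uint32_t first_sec, last_sec; int truncated; };

/* Walk the n bytes one read() returned, validating every length field. */
struct buf_stats walk_bpf_buffer(const unsigned char *buf, size_t n) {
    struct buf_stats st = {0, 0, 0, 0, 0};
    size_t off = 0;
    while (n - off >= sizeof(struct model_bpf_hdr)) {
        struct model_bpf_hdr h;
        memcpy(&h, buf + off, sizeof h);
        uint64_t rec = (uint64_t)h.bh_hdrlen + h.bh_caplen;
        if (h.bh_hdrlen < sizeof h || rec > n - off) { st.truncated = 1; break; }
        if (st.packets++ == 0) st.first_sec = h.tv_sec;
        st.last_sec = h.tv_sec;
        off += MODEL_WORDALIGN(rec);
        if (off > n) off = n; /* last record may lack trailing padding */
    }
    st.used = off;
    return st;
}

/* Constructed sample data: append one record at offset off. */
static size_t put_record(unsigned char *buf, size_t off, uint32_t sec, uint32_t caplen, uint32_t datalen) {
    struct model_bpf_hdr h;
    memset(&h, 0, sizeof h);
    h.tv_sec = sec; h.bh_caplen = caplen; h.bh_datalen = datalen;
    h.bh_hdrlen = (uint16_t)MODEL_WORDALIGN(sizeof h);
    memcpy(buf + off, &h, sizeof h);
    memset(buf + off + h.bh_hdrlen, 0xAA, caplen);
    return off + MODEL_WORDALIGN(h.bh_hdrlen + caplen);
}

int main(void) {
    unsigned char buf[256] = {0};
    size_t n = put_record(buf, 0, 1017100000u, 60, 60);
    n = put_record(buf, n, 1017100001u, 41, 1500);
    struct buf_stats st = walk_bpf_buffer(buf, n);
    printf("%u packets, %zu of %zu bytes used\n", st.packets, st.used, sizeof buf);
    return 0;
}
```

Comparing `used` against the buffer size gives the fill level for that read, and the `truncated` flag marks a record whose header or captured length does not fit in the bytes returned.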
