On Wed, Aug 28, 2002 at 03:21:41PM -0700, Gillick, John B wrote:
> I have spent many hours trying to get my Linux RH 7.3 box to use the bpf.  I
> installed the libpcap library and I installed tcpdump.  Both seem to be
> working fine, but nothing is using the bpf.

What do you mean by "using the bpf"?

For that matter, what do you mean by "the bpf"?

The original BPF was a mechanism for BSD and SunOS 4.x that

        1) provided a mechanism to allow programs to read and send raw
           link-layer packets

and

        2) provided a filtering engine that ran programs in a machine
           language for a pseudo-machine - an application using the raw
           packet mechanism could specify a program that would be run on
           all raw packets delivered by the network drivers to that
           mechanism, and only programs that returned a "this matched"
           indication would be supplied to that application.

Tcpdump originally used that mechanism; I don't know the order in which
this happened, but

        1) the tcpdump code to use that mechanism was put into a
           library, libpcap

and

        2) the code to use that mechanism was extended to support the
           mechanisms in other OSes for raw packet access.

In some OSes, the mechanism does not include any packet filtering
support; in other OSes, it does, but that mechanism doesn't use the BPF
pseudo-machine.

In both those cases, libpcap does not use the kernel filtering mechanism
(it obviously doesn't use it if it doesn't exist); instead, it reads all
packets from the kernel, and runs a copy of the filtering engine in user
mode, and discards packets that don't pass.

In Linux:

        the raw packet mechanism is *NOT* the BPF mechanism, it's a
        different mechanism, using sockets;

        in the 2.0 kernel, there was no kernel filtering mechanism;

        in the 2.2 kernel, a mechanism was added that can be used by,
        I think, any socket - including 2.2 and later's raw packet
        mechanism sockets - and that uses the same pseudo-machine
        language that the BPF mechanism uses.

The raw packet mechanism in the kernel is enabled with the CONFIG_PACKET
configuration option; that's enabled on your system, as tcpdump wouldn't
even work without it.

The packet filtering mechanism in the 2.2 and later kernel is enabled
with the CONFIG_FILTER option.  If that is not enabled (or if you're
running on a 2.0[.x]-kernel system, which lacks that mechanism, or if
your libpcap was built on a system lacking enough header files to
compile in support for that mechanism - but neither of those should be
the case for Red Hat 7.3), libpcap does filtering in user mode rather
than in the kernel.

However, tcpdump should work the same, except for performance issues,
and perhaps for "reporting the number of packets captured" issues,
regardless of whether the packet filtering mechanism is enabled or not.

> I need to be using the bpf, is
> there a way to "turn it on" or "activate it."

If by "the bpf" you mean the packet filtering mechanism in the kernel,
you need to configure your kernel with the CONFIG_FILTER option, install
the new kernel, and reboot (see the Red Hat documentation, or ask Red
Hat, about this; I can't help you on that).

> Are there any documents that
> I should be reading to know how to use the bpf for filtering packets.  (I
> have read many many things on this website, but 15 hours later I am no
> closer to knowing why the bpf is never being called even though tcpdump
> shows many packets being processed by the machine...?

What do you mean by "the bpf is never being called"?
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
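As an added illustration of the pseudo-machine language described in the reply above (not code from this thread, from libpcap or from the kernel): a small Python interpreter for classic BPF instructions that runs the six-instruction program tcpdump -d prints for "ip and tcp" over constructed Ethernet frames, which is exactly the job libpcap does in user mode when the kernel has no CONFIG_FILTER support. The tuple encoding of instructions, the eth_ip() frame builder and the sample frames are assumptions made for this demo.

```python
# Classic BPF instruction, shaped like struct bpf_insn: (op, k, jt, jf).
# jt/jf are forward offsets relative to the next instruction, as in the kernel.
Insn = tuple[str, int, int, int]

# The six instructions tcpdump -d emits for "ip and tcp" (offsets assume
# Ethernet framing: ethertype at byte 12, IPv4 protocol field at byte 23).
IP_AND_TCP: list[Insn] = [
    ("ldh", 12, 0, 0),          # A = ethertype
    ("jeq", 0x0800, 0, 3),      # IPv4? otherwise jump to "ret #0"
    ("ldb", 23, 0, 0),          # A = IP protocol
    ("jeq", 6, 0, 1),           # TCP? otherwise jump to "ret #0"
    ("ret", 65535, 0, 0),       # matched: hand up to 65535 bytes to the reader
    ("ret", 0, 0, 0),           # no match: packet is discarded
]

def bpf_run(prog: list[Insn], pkt: bytes) -> int:
    """Execute a classic BPF program; return the accept length (0 = drop)."""
    acc, pc = 0, 0
    while pc < len(prog):
        op, k, jt, jf = prog[pc]
        pc += 1
        if op in ("ldh", "ldb"):          # absolute load of a half-word / byte
            size = 2 if op == "ldh" else 1
            if k + size > len(pkt):       # out-of-range load aborts with "drop"
                return 0
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif op == "jeq":                 # conditional jump on A == k
            pc += jt if acc == k else jf
        elif op == "ret":                 # terminate with the "matched" length
            return k
        else:
            raise ValueError(f"unsupported op {op!r}")
    raise ValueError("program fell off the end")  # a real loader rejects this

def user_mode_filter(prog: list[Insn], packets: list[bytes]) -> list[bytes]:
    """libpcap's fallback when the kernel has no filter: read all, keep matches."""
    return [p for p in packets if bpf_run(prog, p) != 0]

def eth_ip(proto: int, ethertype: int = 0x0800) -> bytes:
    """Constructed Ethernet + minimal IPv4 header (no payload) for the demo."""
    eth = bytes(12) + ethertype.to_bytes(2, "big")   # zeroed MACs + ethertype
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto]) + bytes(10)
    return eth + ip

if __name__ == "__main__":
    # TCP, UDP, ARP, and an IPv4 frame truncated before the protocol byte
    frames = [eth_ip(6), eth_ip(17), eth_ip(0, 0x0806), eth_ip(6)[:14]]
    print([bpf_run(IP_AND_TCP, f) for f in frames])   # [65535, 0, 0, 0]
```

Whether the kernel or libpcap runs this program, the set of packets delivered to tcpdump is the same; only the copying cost and the "packets received by filter" statistics differ, as the reply notes.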