Ethereal-dev: [ethereal-dev] Re: Packet Sniffer Package

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <sharpe@xxxxxxxxxx>
Date: Fri, 03 Mar 2000 02:04:23 +1000
Hi,

Does anyone know if libpcap under Linux uses the new, improved capture
routines automagically, or simply uses the 'lame' interface ...?

>Date: Fri, 03 Mar 2000 17:47:47 -0800
>From: "Dylan A. Loomis" <dylan@xxxxxxxx>
>Subject: Re: Packet Sniffer Package
>To: Richard Sharpe <sharpe@xxxxxxxxxx>
>Cc: nfr-users@xxxxxxxxxxxxx
>Reply-to: "Dylan A. Loomis" <dylan@xxxxxxxx>
>Mail-followup-to: Richard Sharpe <sharpe@xxxxxxxxxx>, nfr-users@xxxxxxxxxxxxx
>X-Mailer: Mutt 1.0i
>Original-recipient: rfc822;sharpe@xxxxxxxxxx
>
>Richard,
>
>Re-read what I posted, "the pcap implementation under linux is
>*extremely* lame".  I made no commentary about the new, as in newer
>than the addition of support for Linux to pcap, packet capture interface.
>You can't expect the developers to code to an interface that didn't exist
>at the time, right? ;)  Nowhere in my post did I say that 'Linux sucks
>for packet capture!', just pointed out the pcap/Linux interaction.
>
>I realize that Linux has a better packet capture interface, but this was
>not the point of my response.  Merely to make sure that people weren't
>under the misimpression that there was something wrong with pcap's drop
>packets code overall.  It works fine under *BSD, it doesn't under Linux.
>Supposedly it 'kinda' works under Solaris.  It would be nice if mods were
>made to pcap (as in at the source repository so it makes it into releases)
>to support the new interface, but that wasn't the point of my post. 
>
>Hope that clears things up for ya.
>
>						regards -DAL-
>
>On Fri, Mar 03, 2000 at 05:37:54PM -0800, Richard Sharpe wrote:
>> At 01:53 PM 3/3/00 -0800, Dylan A. Loomis wrote:
>> >Be careful what you say about pcap! ;) This isn't so much a pcap issue,
>> >as a pcap under linux issue (yes still a pcap issue but not for _all_
>> >platforms).  Take a look at:
>> 
>> Hmmm, the last I heard, Linux has a 1-copy packet filtering mechanism that
>> is real fast ... 
>> 
>> In addition, Ethereal has some patches to fix other problems with pcap
>> under Linux ...
>> 
>> >http://www.nfr.net/nfr/mail-archive/nfr-users/1999/May/0008.html
>> >
>> >An excerpt:
>> >
>> >    "Under linux you will always see ps_drop of 0 because the pcap
>> >     implementation under linux is *extremely* lame.  Among other problems,
>> >     it doesn't and can't know when it drops packets in the kernel.  See the
>> >     list archives for several messages from me and others on this subject.
>> >     pcap under Solaris doesn't have the same problem, though I do think that
>> >     there isn't a 1:1 correspondence between packets and streams messages
>> >     (which IIRC, is what is actually counted in ps_drop by pcap under
>> >     Solaris)."
>> >				-Andrew Lambeth (andrew@xxxxxxx)
>> >
>> >Pcap under *BSD works just fine.
>> >
>> >						regards -DAL-
>> >
>> >On Fri, Mar 03, 2000 at 12:55:34PM -0800, Lawrence E. Sinsioco wrote:
>> >> Be careful with libpcap! I recall a mail thread that it drops packets without
>> >> logging that it actually dropped the packet. If you do ftp the latest version
>> >> of the source or package, make sure the version notes address this issue.
>> >> Otherwise your data will be inaccurate.
>> >> 
>> >> 
>> >> On Wed, 01 Mar 2000, Stefan Laudat wrote:
>> >> > hello
>> >> > libpcap will be enough for your needs
>> >> > anyway, a better alternative is using the rtnetlink device from the
>> >> > linux kernel so you can bring packets into user-space.
>> >> > Yes, it is kind of similar to BSD's bpf but this is Linux-flavoured.
>> >> 
>> >> -- 
>> >> Lawrence E. Sinsioco
>> >> IBM Technical Team Lead: Network Team
>> >> IBM Firewall Engineer
>> >> Voice: 847.581.7303
>> >> Monsanto Email: lesins@xxxxxxxxxxxxxxxxxxxxx
>> >> IBM Email: sinsioco@xxxxxxxxxx
>> >> 
>> >> ****************************************************************
>> >> TO POST A MESSAGE on this list, send it to nfr-users@xxxxxxxxxxxxx.
>> >> TO UNSUBSCRIBE from this list, send the following text in the
>> >> message body (not subject line) to majordomo@xxxxxxxxxxxxx
>> >> 
>> >> unsubscribe nfr-users Your-Email-Address
>> >> ****************************************************************
>> >
>> >-- 
>> >Dylan A. Loomis
>> >Computer Systems Research Department     The Aerospace Corporation
>> >e-mail: dylan@xxxxxxxx                   phone: (310) 336-2449
>> >
>> >PGP Key fingerprint =  55 DE BB DD 34 10 CD 20  72 79 88 FE 02 0E 21 3A
>> >PGP 2.6.2 key available upon request
>> >
>> 
>> Regards
>> -------
>> Richard Sharpe, sharpe@xxxxxxxxxx, Master Linux Administrator :-),
>> Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
>> Co-author, SAMS Teach Yourself Samba in 24 Hours
>> Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
>> Author: First Australian 2-day, intensive, hands-on Samba course
>
>-- 
>Dylan A. Loomis
>Computer Systems Research Department     The Aerospace Corporation
>e-mail: dylan@xxxxxxxx                   phone: (310) 336-2449
>
>PGP Key fingerprint =  55 DE BB DD 34 10 CD 20  72 79 88 FE 02 0E 21 3A
>PGP 2.6.2 key available upon request
>

Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course
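
Added example, not part of the original messages and not libpcap or Ethereal code: the thread's point is that a ps_drop of 0 under Linux said nothing about packets lost in the kernel. On a current Linux kernel a capture socket reports its own kernel-side drop count through the AF_PACKET PACKET_STATISTICS socket option (an interface the thread does not name); the helper names and the 5-second window below are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Share of packets the kernel dropped for one capture socket, in percent.
 * The kernel reports tp_packets with tp_drops already included, so
 * tp_packets is the denominator. */
double drop_percent(const struct tpacket_stats *st)
{
    if (st->tp_packets == 0)
        return 0.0;
    return 100.0 * (double)st->tp_drops / (double)st->tp_packets;
}

/* Fetch the kernel counters for an AF_PACKET socket. Reading them also
 * resets them, so each call covers the interval since the previous call.
 * Returns 0 on success, -1 on error with errno set. */
int read_capture_stats(int fd, struct tpacket_stats *st)
{
    socklen_t len = sizeof(*st);
    return getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, st, &len) == 0 ? 0 : -1;
}

int main(void)
{
    /* Requires CAP_NET_RAW (typically root). */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        perror("socket(AF_PACKET)");
        return 1;
    }
    /* Deliberately never read from the socket: on a busy link the receive
     * buffer fills and the kernel starts counting drops. */
    sleep(5);
    struct tpacket_stats st;
    if (read_capture_stats(fd, &st) != 0) {
        perror("getsockopt(PACKET_STATISTICS)");
        close(fd);
        return 1;
    }
    printf("seen=%u dropped=%u (%.1f%%)\n",
           st.tp_packets, st.tp_drops, drop_percent(&st));
    close(fd);
    return 0;
}
```

A capture tool that logs these counters next to its packet count gives an analyst a way to tell a quiet link from a lossy capture.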