Ethereal-dev: Re: [ethereal-dev] Re: Packet Sniffer Package

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 3 Mar 2000 19:51:27 -0800 (PST)
> Does anyone know if libpcap under Linux uses the new, improved capture
> routines automagically, or simply uses the 'lame' interface ...?

The standard libpcap under Linux uses the oldest, lamest interface -
SOCK_PACKET sockets with an address/protocol family of AF_INET/PF_INET.

A new one being done will use, on the Linux 2.2 and later kernels, the
better mechanism that the 2.2 kernel added, namely SOCK_RAW sockets
with an address/protocol family of AF_PACKET/PF_PACKET).  I forget
whether the guy working on that checked it into the tcpdump.org CVS tree
yet or not.

I don't know whether that's the 1-copy mechanism to which you're
referring, though.  Alexey Kuznetzov has a patch to add a mechanism
that, as I understand it, lets the kernel and the application share a
memory-mapped region, so that incoming packets don't have to get copied
up to userland; he also has patches to the old libpcap that use that
mechanism if present, and otherwise use the 2.2-and-later mechanism if
present, otherwise, I think, fall back on the old 2.0 mechanism.  In
addition, he says that some such mechanism was checked into the 2.3
kernel at some point.