Very Computer

Hi,

I have installed tcpdump on Linux. I found the following in the README of
the libpcap directory used by the tcpdump -

"Although most packet capture interfaces support in-kernel filtering,
libpcap utilizes in-kernel filtering only for the BPF interface.
On systems that don't have BPF, all packets are read into user-space
and the BPF filters are evaluated in the libpcap library, incurring
added overhead (especially, for selective filters)."

Does BPF interface here means only /dev/bpfXXX?

Does this mean that libpcap in Linux does not perform "in-kernel" filtering?

Can someone tell me how Linux performs the packet filtering.

Thanks in advance,

Vijayant Palaiya

: "Although most packet capture interfaces support in-kernel filtering,
: libpcap utilizes in-kernel filtering only for the BPF interface.
: On systems that don't have BPF, all packets are read into user-space
: and the BPF filters are evaluated in the libpcap library, incurring
: added overhead (especially, for selective filters)."

: Does BPF interface here means only /dev/bpfXXX?

: Does this mean that libpcap in Linux does not perform "in-kernel" filtering?
yes, every packet on all interfaces, both incoming and outgoing is sent to
userspace in libpcap.

: Can someone tell me how Linux performs the packet filtering.
Normally, in the kernel (not libpcap) each network layer checks its
protocol-id / socket-nr / ... mostly based on linked lists of registered
values.
If you do not use promiscous mode, the hardware address is filtered by
the hardware. Dunno about multicast filtering.

: Thanks in advance,

: Vijayant Palaiya

Fons.