Re: Dealing with pcap-linux.c

[Guy Harris <guy () alum mit edu>]

On Jul 26, 2009, at 6:52 PM, Darren Reed wrote:

> As well as porting BPF to Solaris, I've been working on developing an
> implementation of PF_PACKET. I went to try this out with libpcap and
> it failed badly. pcap-linux.c is a combination of PF_PACKET bits plus
> all of the code required to deal with Linux's ARP implementation.

Actually, it's a combination of:

	code to use PF_PACKET sockets (including the memory-mapped version of  
same);

        for much older kernels, code to use PF_INET/SOCK_PACKET sockets;

        code to handle turning on monitor mode.

The code to use PF_PACKET and PF_INET/SOCK_PACKET sockets *does* have  
to translate the ARPHRD_ values Linux returns to DLT_ values; that's  
not a lot of code, and is only minimally involved with Linux's ARP  
implementation - many of the ARPHRD_ values are not, in fact, ARP  
hardware types, as not all network types supported by Linux *have* ARP  
hardware types.

> Is there any interest in seeing pcap-linux.c split up into pcap- 
> packet.c and arp-linux.c? Or some other division?

Well, *if* you want to use your PF_PACKET-for-Solaris with libpcap  
(presumably to test it; I'm not sure what advantages PF_PACKET has  
over BPF for packet capture, as opposed to, for example, for  
implementing, in userland code, protocols atop the link layer), the  
appropriate split would probably be into pf_packet_subs.c (along the  
line of dlpisubs.c), for code common to all implementations atop  
PF_PACKET sockets, and pcap-linux.c, pcap-pf-packet-solaris.c (or  
whatever), etc..
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.