detailed description of linux socket filter and sniffing problem

Well, a detailed description of the thing which I wanted to ask you is:

1) When I start sniffing I attach a bpf code to the socket by means of
the setsockopt system call (as given in the filter.txt file in the docs
of lsf).

2) Then I do some reads on the socket and now I want to change the
filtering criteria, and so the bpf code which was attached to the socket
also needs to be changed.

3) For that I need to call setsockopt again to attach the new
bpf code.

4) But the necessity is that as soon as I find the need to change the
criteria, I need to grab all the packets after that till the time I
have not attached the new code (although this will be a few
milliseconds).

5) So I remove the filter expression by means of setsockopt
SO_DETACH_FILTER and then regenerate the bpf code for the new expression.

6) Now I do an attach operation on the socket by means of setsockopt and
so attach the new filter.

7) Now here comes my real question. All the packets which were buffered
by the kernel after the detach operation and then the attach operation
(as in point 6), will they be filtered on the basis of the new filter
expression and then passed to the user process, or will they be passed
as they are (i.e. without filtering) and only those packets which were
received after the second attach operation will be filtered on the
basis of the new expression?

(Sorry if I am unclear this time also. I will mail you the program next
if I am unclear this time too.)
Thanks
mal
