Johannes Berg wrote:
> On Mon, 2007-03-05 at 13:00 +0000, Andy Green wrote:
>> I used the libpcap filter stuff to limit what I saw to just the packets
>> of interest. This is the filtering that tcpdump uses to do the
>> conditional filters like "port 22" or "host 192.168.0.1". The filter
>> uses something called BPF (Berkeley Packet Filter) which is done
>> kernelside (at least libpcap is doing the filter install with ioctls in
>> pcap-bpf.c). So the cost of drinking from a Monitor firehose is much
>> less than it sounds.
>
> Actually, I think the cost can be significant, especially for embedded
> systems. You traverse into userspace for each packet at least once, and
> a management entity in userspace will not be concerned with data packets
> at all. Also, a monitor interface currently always disables power save
> mode for many drivers.

Not sure I explained well enough: looking at libpcap sources, it
compiles the filter you request into a bytecode and then gives it to the
kernelside using an ioctl. When you recv() or select() on the monitor
interface after that, you block until something matching your filter
definition turns up. Userspace doesn't hear about the rest of it.
Filter definitions include stuff like testing specific offsets of the
header or payload and boolean operators.
pcap-bpf.c:

static int
pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
{
	...
	/*
	 * Try to install the kernel filter.
	 */
	if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
		    pcap_strerror(errno));
		return (-1);
	}
	p->md.use_bpf = 1;	/* filtering in the kernel */
	...
}

From the README.linux on libpcap:
''In addition, there is an option that, in 2.2 and later kernels, will
allow packet capture filters specified to programs such as tcpdump to be
executed in the kernel, so that packets that don't pass the filter won't
be copied from the kernel to the program, rather than having all packets
copied to the program and libpcap doing the filtering in user mode.
Copying packets from the kernel to the program consumes a significant
amount of CPU, so filtering in the kernel can reduce the overhead of
capturing packets if a filter has been specified that discards a
significant number of packets. (If no filter is specified, it makes no
difference whether the filtering isn't performed in the kernel or isn't
performed in user mode. :-))
The option for this is the CONFIG_FILTER option''
-Andy
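
What the kernel does with such a filter on every frame, as an added example (not code from this thread or from libpcap): a minimal interpreter for a subset of classic BPF, run over constructed frames. The filter program is hand-written in the style of a compiled "tcp dst port 22" expression; `struct insn`, `ssh_filter`, `bpf_run` and `check` are names assumed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* fields as in struct bpf_insn */
static const struct insn ssh_filter[] = { /* hand-written: IPv4, TCP, dst port 22 */
    { 0x28, 0, 0, 12 },     /*  0: ldh [12]           EtherType              */
    { 0x15, 0, 8, 0x0800 }, /*  1: jeq #0x800         not IPv4 -> 10         */
    { 0x30, 0, 0, 23 },     /*  2: ldb [23]           IP protocol            */
    { 0x15, 0, 6, 6 },      /*  3: jeq #6             not TCP -> 10          */
    { 0x28, 0, 0, 20 },     /*  4: ldh [20]           flags, fragment offset */
    { 0x45, 4, 0, 0x1fff }, /*  5: jset #0x1fff       later fragment -> 10   */
    { 0xb1, 0, 0, 14 },     /*  6: ldxb 4*([14]&0xf)  X = IP header length   */
    { 0x48, 0, 0, 16 },     /*  7: ldh [x+16]         TCP destination port   */
    { 0x15, 0, 1, 22 },     /*  8: jeq #22            other port -> 10       */
    { 0x06, 0, 0, 0xffff }, /*  9: ret #65535         accept                 */
    { 0x06, 0, 0, 0 },      /* 10: ret #0             drop                   */
};

/* Run a filter over one frame; returns bytes to pass up, 0 means drop. */
uint32_t bpf_run(const struct insn *pc, const uint8_t *p, uint32_t len) {
    uint32_t A = 0, X = 0, off;
    for (;; pc++) {
        switch (pc->code) {
        case 0x28: case 0x48: /* 16-bit big-endian load, absolute or X-relative */
            off = pc->k + (pc->code == 0x48 ? X : 0);
            if (len < 2 || off > len - 2) return 0; /* out of bounds: drop */
            A = (uint32_t)p[off] << 8 | p[off + 1]; break;
        case 0x30: case 0xb1: /* byte into A, or 4 * low nibble into X */
            if (pc->k >= len) return 0;
            if (pc->code == 0x30) A = p[pc->k]; else X = (p[pc->k] & 0x0f) * 4u;
            break;
        case 0x15: pc += (A == pc->k) ? pc->jt : pc->jf; break; /* jeq  */
        case 0x45: pc += (A & pc->k) ? pc->jt : pc->jf; break;  /* jset */
        case 0x06: return pc->k;                                /* ret  */
        default:   return 0; /* opcode outside this subset: drop */
        }
    }
}

/* Constructed frame: Ethernet + IPv4 (ihl in 32-bit words) + TCP ports. */
uint32_t check(uint16_t etype, uint8_t proto, uint8_t ihl, uint16_t dport) {
    uint8_t f[14 + 60 + 20] = {0};
    f[12] = etype >> 8; f[13] = etype & 0xff; f[14] = 0x40 | ihl; f[23] = proto;
    f[14 + ihl * 4 + 2] = dport >> 8; f[14 + ihl * 4 + 3] = dport & 0xff;
    return bpf_run(ssh_filter, f, sizeof f);
}

int main(void) {
    printf("ssh=%u http=%u\n", check(0x0800, 6, 5, 22), check(0x0800, 6, 5, 80));
    return 0;
}
```

Only frames for which the program returns non-zero are queued to the capturing socket; everything else is discarded before any copy to userspace.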