distribution for the details on
what operating system and which versions are supported.
There are alternatives to tcpdump. In Figure 10.8 we use the Solaris 2.2 program snoop
to look at some packets. AIX 3.2.2 provides the program iptrace, which provides
similar features.

A.1 BSD Packet Filter
Current BSD-derived kernels provide the BSD Packet Filter (BPF), which is one method
used by tcpdump to capture and filter packets from a network interface that has been
placed into promiscuous mode. BPF also works with point-to-point links, such as SLIP
(Section 2.4), which require nothing special to capture all packets going through the
interface, and with the loopback interface (Section 2.7).
BPF has a long history. The Enet packet filter was created in 1980 by Mike Accetta and Rick Rashid at
Carnegie Mellon University. Jeffrey Mogul at Stanford ported the code to BSD and continued its
development from 1983 on. Since then, it has evolved into the Ultrix Packet Filter at DEC, a STREAMS
NIT module under SunOS 4.1, and BPF. Steven McCanne, of Lawrence Berkeley Laboratory,
implemented BPF in Summer 1990. Much of the design is from Van Jacobson. Details of the latest
version, and a comparison with Sun's NIT, are given in [McCanne and Jacobson 1993].
Figure A.1 shows the features of BPF when used with an Ethernet.

Appendix A: The tcpdump Program

Figure A.1 BSD Packet Filter.
BPF places the Ethernet device driver into promiscuous mode and then receives a copy
from the driver of each received packet and each transmitted packet. These packets are
run through a user-specified filter, so that only packets that the user process considers
interesting are passed to the process.
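The "user-specified filter" is a small program in BPF's own instruction set that the kernel runs over every copied frame; it returns how many bytes to hand to the process (0 meaning drop). As an added illustration (not code from the book or from tcpdump), the following is a minimal interpreter for four classic BPF opcodes together with a constructed filter equivalent to tcpdump's `rarp or (ip and tcp)`, run over constructed Ethernet frames, including a runt frame too short to hold an EtherType, which the bounds check discards:

```c
#include <stdint.h>
#include <stddef.h>

/* One classic BPF instruction; same layout as struct bpf_insn in BSD <net/bpf.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* The four opcodes this interpreter understands (classic BPF encodings). */
#define OP_LDH_ABS 0x28 /* A = 16-bit big-endian value at packet offset k */
#define OP_LDB_ABS 0x30 /* A = byte at packet offset k */
#define OP_JEQ_K   0x15 /* skip jt insns if A == k, else skip jf (both relative to next) */
#define OP_RET_K   0x06 /* deliver k bytes of the packet to the process (0 = discard) */

/* Run a filter over one frame and return how many bytes to deliver. Loads past the
 * end of the packet and unknown opcodes discard it, failing safe. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *p, size_t len) {
    uint32_t a = 0;                       /* the accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LDH_ABS: if ((size_t)i->k + 2 > len) return 0;
                         a = ((uint32_t)p[i->k] << 8) | p[i->k + 1]; break;
        case OP_LDB_ABS: if ((size_t)i->k + 1 > len) return 0;
                         a = p[i->k]; break;
        case OP_JEQ_K:   pc += (a == i->k) ? i->jt : i->jf; break;
        case OP_RET_K:   return i->k;
        default:         return 0;
        }
    }
    return 0;
}

/* Constructed filter equivalent to tcpdump's "rarp or (ip and tcp)" on Ethernet:
 * EtherType sits at offset 12, the IPv4 protocol byte at offset 14 + 9 = 23. */
static const struct insn filter[] = {
    { OP_LDH_ABS, 0, 0, 12 },     /* A = EtherType */
    { OP_JEQ_K,   3, 0, 0x8035 }, /* RARP -> accept */
    { OP_JEQ_K,   0, 3, 0x0800 }, /* not IPv4 -> drop */
    { OP_LDB_ABS, 0, 0, 23 },     /* A = IP protocol */
    { OP_JEQ_K,   0, 1, 6 },      /* not TCP -> drop */
    { OP_RET_K,   0, 0, 65535 },  /* accept: copy the whole packet */
    { OP_RET_K,   0, 0, 0 },      /* drop */
};

uint32_t match(const uint8_t *frame, size_t len) {
    return bpf_run(filter, sizeof filter / sizeof filter[0], frame, len);
}
/* Constructed test frames: 14-byte Ethernet header then a minimal payload. */
static const uint8_t rarp_frame[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x80,0x35, 0,1,8,0,6,4,0,3 };
static const uint8_t tcp_frame[] = { 0,1,2,3,4,5, 0,1,2,3,4,6, 8,0, 0x45,0,0,40,0,0,0x40,0,64,6,0,0, 10,0,0,1, 10,0,0,2 };
static const uint8_t udp_frame[] = { 0,1,2,3,4,5, 0,1,2,3,4,6, 8,0, 0x45,0,0,28,0,0,0x40,0,64,17,0,0, 10,0,0,1, 10,0,0,2 };
static const uint8_t runt_frame[] = { 0,1,2,3,4,5, 0,1,2,3 }; /* too short for an EtherType */
```

`match()` returns 65535 for the RARP and TCP frames and 0 for the UDP and runt frames; `tcpdump -d` prints a real compiled filter in this same instruction form.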
Multiple processes can be monitoring a given interface, and each process specifies its
own filter. Figure A.1 shows two instances of tcpdump and an RARP daemon (Section
5.4) both monitoring the same Ethernet. Each instance o...
This test prep was uploaded on 04/04/2014 for the course ECE EL5373 taught by Professor Guoyang during the Spring '12 term at NYU Poly.