module nit_pf. Notice in Figure A.2
that this module is used by the RARP daemon, but not by tcpdump. Instead, under
SunOS tcpdump performs its own filtering in the user process. The reason is that the
hypothetical machine instructions used by nit_pf are different from (and not as powerful as)
those supported by BPF. This means that when the user specifies a filter expression to
tcpdump, more data crosses the kernel-to-user boundary with NIT than with BPF.

A.3 SVR4 Data Link Provider Interface
SVR4 supports the Data Link Provider Interface (DLPI) which is a streams
implementation of the OSI Data Link Service Definition. Most versions of SVR4 still
support version 1 of the DLPI, SVR4.2 supports both versions 1 and 2, and Sun's Solaris
2.x supports version 2, with additional enhancements.
Network monitoring programs such as tcpdump must use the DLPI for raw access to
the data-link device drivers. In Solaris 2.x the packet filter streams module has been
renamed pfmod and the buffer module has been renamed bufmod.
Although Solaris 2.x is still new, an implementation of tcpdump should appear someday. Sun also supplies a program named snoop that performs functions similar to
tcpdump. (snoop replaces the SunOS 4.x program named etherfind.) The author is
not aware of any port of tcpdump to vanilla SVR4.

A.4 tcpdump Output
The output produced by tcpdump is "raw." We'll modify it for inclusion in the text to
make it easier to read.
First, it always outputs the name of the network interface on which it is listening. We'll
delete this line.
Next, the timestamp output by tcpdump is of the form 09:11:22.642008 on a
system with microsecond resolution, or 09:11:22.64 on a system with only 10-ms
clock resolution. (In Appendix B we talk more about computer clock resolution.) In
either case the HH:MM:SS format is not what we want. Instead we are interested in both...