Appendix A: The tcpdump Program
f tcpdump specifies its own
filter. The filter for tcpdump can be specified by the user on the command line, while
rarpd always uses the same filter to capture only RARP requests.
In addition to specifying a filter, each user of BPF also specifies a timeout value. Since
the data rate of the network can easily outrun the processing power of the CPU, and since
it's costly for a user process to issue small reads from the kernel, BPF tries to pack
multiple frames into a single read buffer and return only when the buffer is full, or the
user-specified timeout has expired. tcpdump sets the timeout to 1 second since it
normally receives lots of data from BPF, while the RARP daemon receives few frames,
so rarpd sets the timeout to 0 (which returns when a frame is received).
The user-specified filter to tell BPF what frames the process considers interesting is a list
of instructions for a hypothetical machine. These instructions are interpreted by the BPF filter in the kernel. Filtering in the kernel, and not in the user process, reduces the amount
of data that must pass from the kernel to the user process. The RARP daemon always
uses the same filter program, which is built into the program. tcpdump, on the other
hand, lets the user specify a filter expression on the command line each time it's run.
tcpdump converts the user-specified expression into the corresponding sequence of
instructions for BPF. Examples of the tcpdump expressions are:
% tcpdump tcp port 25
% tcpdump 'icmp[0] != 8 and icmp[0] != 0'
The first prints only TCP segments with a source or destination port of 25. The second
prints only ICMP messages that are not echo requests or echo replies (i.e., not ping
packets). This expression specifies that the first byte of the ICMP message, the type field
from Figure 6.2, not equal 8 or 0, an echo request or echo reply from Figure 6.3. As you
can see, fancy filtering requires knowledge of the underlying p...
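To make concrete what "a list of instructions for a hypothetical machine" means, here is an added example (not code from the book, tcpdump, or BPF itself): a tiny interpreter for a handful of classic-BPF-style instructions, plus a hand-assembled program equivalent to the second expression above, run over constructed Ethernet/IPv4/ICMP frames. The instruction mnemonics and the frame builder are this example's own; classic BPF uses numeric opcodes and relative jump offsets, and tcpdump's compiled program also rejects non-first IP fragments, which is omitted here.

```python
import struct

def run_filter(program, pkt):
    """Interpret (op, k, jt, jf) instructions over a frame; return bytes to keep (0 = drop)."""
    A = X = pc = 0                       # accumulator, index register, program counter
    try:
        while pc < len(program):
            op, k, jt, jf = program[pc]
            pc += 1
            if op == "ldh":              # A = big-endian halfword at pkt[k]
                A = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":            # A = byte at pkt[k]
                A = pkt[k]
            elif op == "ldxmsh":         # X = 4 * (pkt[k] & 0x0f): IPv4 header length
                X = 4 * (pkt[k] & 0x0F)
            elif op == "ldb_ind":        # A = byte at pkt[X + k]
                A = pkt[X + k]
            elif op == "jeq":            # relative jump: jt if A == k, else jf
                pc += jt if A == k else jf
            elif op == "ret":            # return k bytes of the frame to the user
                return k
            else:
                raise ValueError("unknown opcode %r" % op)
    except (IndexError, struct.error):
        return 0                         # load past the end of the frame: drop, like BPF
    raise ValueError("program fell off the end")

# Hand-assembled equivalent of: tcpdump 'icmp[0] != 8 and icmp[0] != 0'
ICMP_NOT_PING = [
    ("ldh", 12, 0, 0),          # A = Ethernet type field
    ("jeq", 0x0800, 0, 7),      # not IPv4 -> drop
    ("ldb", 23, 0, 0),          # A = IP protocol (offset 14 + 9)
    ("jeq", 1, 0, 5),           # not ICMP -> drop
    ("ldxmsh", 14, 0, 0),       # X = IP header length, so options are skipped
    ("ldb_ind", 14, 0, 0),      # A = ICMP type = pkt[14 + X]  (icmp[0])
    ("jeq", 8, 2, 0),           # echo request -> drop
    ("jeq", 0, 1, 0),           # echo reply -> drop
    ("ret", 65535, 0, 0),       # anything else: accept the whole frame
    ("ret", 0, 0, 0),           # drop
]

def frame(proto, payload):
    """Build a constructed Ethernet + IPv4 frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload

ECHO_REQUEST = frame(1, bytes([8, 0, 0, 0]))     # ICMP type 8
ECHO_REPLY = frame(1, bytes([0, 0, 0, 0]))       # ICMP type 0
UNREACHABLE = frame(1, bytes([3, 1, 0, 0]))      # ICMP type 3: passes the filter
TCP_SEGMENT = frame(6, b"\x00\x19" * 2)          # not ICMP at all
```

Only UNREACHABLE is returned to the user; the two ping frames and the TCP segment are dropped in the "kernel" without ever crossing into user space.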