From owner-freebsd-hackers Tue Mar 9 14: 8: 8 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from oracle.dsuper.net (oracle.dsuper.net [205.205.255.1]) by hub.freebsd.org (Postfix) with ESMTP id AE17A14F45 for ; Tue, 9 Mar 1999 14:07:46 -0800 (PST) (envelope-from bmilekic@dsuper.net) Received: from jehovah (jehovah.technokratis.com [207.139.115.248]) by oracle.dsuper.net (Delphi 1.3/8.6.9) with SMTP id RAA08352; Tue, 9 Mar 1999 17:07:22 -0500 (EST) Message-ID: <001d01be6a79$cfbefd20$0100000a@jehovah.technokratis.com> Reply-To: "Bosko Milekic" From: "Bosko Milekic" To: "CyberPsychotic" Cc: Subject: Re: SOCK_RAW on BSD Date: Tue, 9 Mar 1999 17:11:38 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Read below... -----Original Message----- From: CyberPsychotic To: Alfred Perlstein ; Mike Smith Cc: freebsd-hackers@FreeBSD.ORG Date: Tuesday, March 09, 1999 3:52 AM Subject: Re: SOCK_RAW on BSD >~ >~ If you are trying to capture packets you should look at 'bpf', if you >~ are trying to capture packets in a portable fashion, look at the library >~ 'pcap' >~ > > Yep. Yesterday night I got back to my R.Steven's Unix Network Programming >biblebook which says in section 25.4: > >"Received UDP/TCP packets are never passed to a raw socket. if process wants > to read IP datagrams containing UDP/TCP packets, they must be read at > datalink layer." > >This should explain everything. This morning I had a chance to test this >thing on several Solaris systems (2.5-2.7), and got the same result as on >BSD. Looks like Linux is the only platform which acts different. Not the >reason to laugh at it but... ;-) Actually, under Linux, one _also_ has to read from the datalink layer in order to be able to get TCP and/or UDP datagrams. The difference is that under Linux, one would create a socket of type SOCK_PACKET to be able to consequently read from it. There are several disadvantages to SOCK_PACKET (in comparison to libpcap and bpf, for instance) -- such as no kernel buffering and/or filtering. Therefore, to end this thread, as Mike Smith mentionned in an earlier reply to this: ideally, for portability issues, using libpcap is the best idea (support for BPF, DLPI, NIT, SOCK_PACKET, etc.) > >Thanks again to everyone who responded, I will probably switch to pcap for >the sake of compatibility. > > >regards > >~ Fyodor > > Cheers, <- - - - - - - - - - - --- --- -- - - Bosko Milekic http://www.supernet.ca/~bmilekic/ Delphi SuperNet - 1-888-SUPER-MTL -- - -- - - - - - --- --- - - - - - - - - - - > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message