Date: Tue, 13 Aug 2002 22:00:38 -0700 (PDT)
From: Nate Lawson
To: Sean Hamilton
Cc: hackers@freebsd.org
Subject: Re: IP monitoring

On Tue, 13 Aug 2002, Sean Hamilton wrote:
> Also, forgot to mention, I will need to look inside TCP streams, and know
> which user owns them, and which packets pertain to which TCP stream, which
> is why I was thinking a module would be more suitable. If I did this in user
> space, I'd have to reconstruct the streams myself (but as I understand, that
> isn't amazingly difficult.)
>
> sh

pcap(3) does fast usermode packet capture via BPF
ports/net/libnids does TCP stream reassembly

Running things in the kernel does not automatically make them fast unless
your CPU usage is maxed by boundary crossings.

-Nate
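The user-space stream reconstruction discussed in this thread, as an added example that is not part of the original messages and is not libnids code: a minimal in-order reassembler for one direction of one TCP connection, covering out-of-order arrival, retransmitted or overlapping segments, and sequence-number wraparound. Assumptions: `struct stream`, `stream_input` and the buffer sizes are hypothetical names and limits; payloads are already extracted from captured packets (for example via pcap(3)); `next_seq` is seeded by the caller with the SYN's initial sequence number plus one, and one `struct stream` is kept per direction of each address/port 4-tuple.

```c
#include <stdint.h>
#include <string.h>

#define MAXSEG 8    /* held-back segments per stream (hypothetical limit) */
#define MAXLEN 64   /* payload bytes kept per held-back segment */

struct seg { uint32_t seq; uint16_t len; int used; uint8_t data[MAXLEN]; };
struct stream {                  /* one direction of one TCP connection */
    uint32_t next_seq;           /* next in-order byte expected */
    struct seg pending[MAXSEG];  /* segments that arrived ahead of a gap */
    char out[256];               /* reassembled payload */
    size_t outlen;
};

/* Append the undelivered tail of a segment; caller ensures seq <= next_seq. */
static void deliver(struct stream *s, uint32_t seq, const uint8_t *d, uint16_t len)
{
    int32_t skip = (int32_t)(s->next_seq - seq);   /* bytes already delivered */
    if (skip >= (int32_t)len) return;              /* pure retransmission */
    d += skip; len -= skip;
    if (s->outlen + len > sizeof(s->out)) return;  /* demo buffer full */
    memcpy(s->out + s->outlen, d, len);
    s->outlen += len;
    s->next_seq += len;
}

/* Feed one captured segment; returns -1 if it had to be dropped. */
int stream_input(struct stream *s, uint32_t seq, const uint8_t *d, uint16_t len)
{
    if ((int32_t)(seq - s->next_seq) > 0) {        /* gap before it: hold back */
        for (int i = 0; i < MAXSEG && len <= MAXLEN; i++)
            if (!s->pending[i].used) {
                s->pending[i] = (struct seg){ .seq = seq, .len = len, .used = 1 };
                memcpy(s->pending[i].data, d, len);
                return 0;
            }
        return -1;                                 /* no free slot or too large */
    }
    deliver(s, seq, d, len);
    for (int i = 0; i < MAXSEG; i++) {             /* drain what is now contiguous */
        struct seg *p = &s->pending[i];
        if (p->used && (int32_t)(p->seq - s->next_seq) <= 0) {
            deliver(s, p->seq, p->data, p->len);
            p->used = 0;
            i = -1;                                /* rescan: next_seq moved */
        }
    }
    return 0;
}
```

The signed 32-bit difference in the comparisons is what keeps ordering correct when sequence numbers wrap past 0xFFFFFFFF.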