Re: Packet sniffing in Linux

Donald Becker (
Sat, 17 Apr 1999 18:41:52 -0400 (EDT)

On Sat, 17 Apr 1999 wrote:
> > There seems to be an administrative tendency at our Organisation, to
> > move over to *BSD, cos it handles packet sniffing better than
> > Linux and other things.
> The rumours are wrong. To be more exact they were true for 2.0 kernels.
> Stock 2.2 packet capture is comparable to bsd.
> With turbopacket extension it is much better.
> (ftp:/

Not putting BPF into the kernel was a deliberate design decision.
Unfortunately it's easy to add "features", but difficult to keep them out.

[[ BPF is the "Berkeley Packet Filter", a way of downloading bytecode that the
kernel executes to select packets. Sure, putting anything in the kernel is
faster than putting it in user space. But that's not an excuse to
put everything into the kernel. Specific reasons not to use BPF are that it
is rarely used, and it doesn't make good use of hardware multicast filters. ]]

Donald Becker
USRA-CESDIS, Center of Excellence in Space Data and Information Sciences.
Code 930.5, Goddard Space Flight Center, Greenbelt, MD. 20771
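
An added illustration, not part of the original message: a minimal interpreter for four classic BPF opcodes, showing what "bytecode that the kernel executes to select packets" looks like for a filter equivalent to "IPv4 and TCP" on Ethernet. The names `run_filter`, `tcp_only` and `demo` are hypothetical, and the sample frame is constructed; the opcode values are the classic BPF encodings.

```c
#include <stddef.h>
#include <stdint.h>
/* Classic BPF instruction: opcode, jump-if-true, jump-if-false, constant k. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* Returns bytes to capture, 0 = drop. Out-of-bounds loads and unknown
 * opcodes drop the packet instead of reading past the frame. */
uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                          /* accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS:                        /* A = big-endian u16 at pkt[k] */
            if (i->k > len || len - i->k < 2) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case LDB_ABS:                        /* A = byte at pkt[k] */
            if (i->k >= len) return 0;
            a = pkt[i->k];
            break;
        case JEQ_K:                          /* skip jt or jf instructions */
            pc += (a == i->k) ? i->jt : i->jf;
            break;
        case RET_K:
            return i->k;
        default:
            return 0;
        }
    }
    return 0;                                /* ran off the end: drop */
}
/* Filter program for "IPv4 and TCP" on Ethernet. */
static const struct insn tcp_only[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = EtherType */
    { JEQ_K,   0, 3, 0x0800 },  /* not IPv4: jump to drop */
    { LDB_ABS, 0, 0, 23 },      /* A = IP protocol field */
    { JEQ_K,   0, 1, 6 },       /* not TCP: jump to drop */
    { RET_K,   0, 0, 0xffff },  /* accept, capture up to 65535 bytes */
    { RET_K,   0, 0, 0 },       /* drop */
};
/* Constructed sample: zeroed 64-byte frame with EtherType and protocol set. */
uint32_t demo(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t f[64] = {0};
    if (len > sizeof f) len = sizeof f;
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)ethertype; f[23] = proto;
    return run_filter(tcp_only, sizeof tcp_only / sizeof tcp_only[0], f, len);
}
```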
