Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!decvax!ucbvax!DECWRL.DEC.COM!mogul From: mogul@DECWRL.DEC.COM.UUCP Newsgroups: mod.protocols.tcp-ip Subject: Re: Packet filter (was Re: Gateway Monitoring) Message-ID: <8701211852.AA01256@acetes.dec.com> Date: Wed, 21-Jan-87 13:52:00 EST Article-I.D.: acetes.8701211852.AA01256 Posted: Wed Jan 21 13:52:00 1987 Date-Received: Wed, 21-Jan-87 21:35:38 EST Sender: daemon@ucbvax.BERKELEY.EDU Organization: The ARPA Internet Lines: 36 Approved: tcp-ip@sri-nic.arpa Charles Hedrick writes: Mike Brescia asks for a facility under Unix that will allow you to receive any packet type that the kernel doesn't need. The Ethernet packet filter (/dev/enet) will do this. There is supposedly a copy of this software included with 4.3. We use it on a Pyramid to implement PUP. (We can't give it to you, as our copy is covered by a license with Xerox.) Unfortunately, the packet filter (wonderful as it is) in its current state won't solve Mike's problem; he wanted access to IP packets not otherwise consumed by the kernel. The packet filter plugs in to the network device drivers, and so only gets to look at data-link layer packet types not wanted by the rest of the kernel. For example, an ethernet driver takes a received packet, looks at its packet type, and if it's not IP or ARP or XNS, it drops it into the packet filter instead of on the floor. I've toyed with the idea of creating a sort of pseudo-interface driver that would do the same thing for IP packets that are about to be dropped on the floor; the packet filter itself should handle this without modifications, although I'm not sure if packet transmission is as easily done this way. This is just a "small matter of programming"; i.e., don't hold your breath. The sources shipped with 4.3BSD are almost usable; apparently, the kind folks at Berkeley (1) failed to include any documentation or test programs, and (2) modified the modifications to the network interface drivers. This modified modifications might work, but I don't know if anyone has ever proved this. I really should do something about this; if anyone out there wants to use the packet filter but can't get the 4.3 distribution to work, I'd like to here from you. By the way, I doubt if the Xerox license agreement had any control over the packet filter sources, since I'm pretty sure Xerox knew they were public-domain when they got them.