

FFPF packet sources

Packets enter the FFPF framework through a call to the FFPF function hook_handle_packet(), which takes a packet as its argument. Because this is the only interface between the code responsible for packet capture and the FFPF packet handling module, it is easy to add new packet sources. Currently, three sources are implemented.

The first source, known as netfilter, captures packets from a netfilter hook. Netfilter is an efficient abstraction for packet processing in Linux kernels (from version 2.4 onward). The second source, known as raw, also works with older kernels. The third packet source, known as ixp, differs from the other two in that the IXP1200 device is assumed to be dedicated to monitoring in the FFPF framework (footnote 3). As this packet source is a substantial project in and of itself, we will summarise its main characteristics in a separate section.



Herbert Bos 2004-10-06