Solaris Packet Capture
By avalon on May 31, 2006
If an application today wishes to capture packets from a network device, it must use the time-honoured method of opening the device, talking to it with DLPI messages and pushing the bufmod/pfmod modules onto it.
In answer to this, back in 1999, Casper Dik spent some time working on a module called membuf. It integrates BPF filtering, enabling libpcap-based tools to work easily and efficiently with it. The catch is that we're still waiting for membuf to find its way into (Open)Solaris.
If you hunt around on the internet, you can possibly find another approach in the guise of bpfmod. Somewhere I found a reference to the source code for it (can't find a good one now), downloaded it and got it working with Solaris. Yes, I've got the source code for that, but it is the result of me hacking on code under someone else's license (in addition to the BSD one for BPF), so I'm reluctant to make that available until it has been properly reviewed (not a quick process). For something that is just a quick hack, this seems like overkill, so I'm leaving it tucked away in a corner. It wasn't a complete port, however, as there was one area of BPF I couldn't work out how to do with STREAMS on Solaris: causing a read to return after (say) 100ms if the capture buffer wasn't full, and/or earlier if it does fill.
A current project that could have a positive impact in some areas of packet capture is Crossbow. Crossbow will make it possible to specify low-level filters (supported by hardware, where available) for packet classification. So if you want to capture all TCP port 25 traffic, hardware support pending, there would be no filtering in software; it would be carried out by the NIC's classification. Of course there are details in making that work.
There are some other ideas being kicked about, such as the benefits of being able to DMA directly into buffers that are mapped in both kernel and user space, hopefully saving the need to copy the packet n times as it passes between internal code paths, execution modes, etc.
Of course the Holy Grail, as far as packet capture is concerned, is to use a NIC like those sold by Endace.